lO M oARcPSD| 18269317

Cybersecurity Internship Report Aicte

Computer science engineering (Kallam Haranadhareddy Institute of Technology)

Scan to open on Studocu

Studocu is not sponsored or endorsed by any college or university

 lO M oARcPSD| 18269317

Introduction To Cybersecurity
Cybersecurity is all about reducing threats when people are in the process of dealing with
technology. It encompasses the full range of protection against any online risk or
vulnerability, which comprises information security assurance and cyber law enforcement. In
other words, cybersecurity is the protection of cyber-space (which includes hardware,
software, networks, and their servers, peripheral devices, data and information, and all other
components associated with technology) and internet-connected systems from both internal
as well as external threats and cybercriminals. It also comprises sub-branches that are
specific to different security measures. These are:

• Network Security.
• System Security.
• Application Security.
• Information Security.
• Web Security.
• Mobile Security.

Types Of Cyber Attacks

For securing any organization, system, application, network, or device, the first thing you
need to know is the different ways through which cyberattacks are possible are? Here is the
list of potential cyber-attacks:

• Phishing.
• Man in the Middle.
• Password attack.
• DoS and DDoS.
• Malware and Virus-based attacks.
• Drive-by download.
• Malvertising.
• Stealing digital privacy etc.

Growth Of Antivirus Industry

The security of computers and other technologies has gradually become a business and gave
rise to the industry of antivirus and gradually sub-categorized into anti-malware, anti-
rootkits, and anti-ransomware, and many more programs that can protect the systems from
malicious programs. It was the early 90s when many companies evolved in securing the
systems and networks where their products scan all the binaries of any given system against
the database of signatures provided by the antivirus developers. Gradually, these antiviruses
were designed smarter for scanning computed hashes in files and searching a list of strings
and codes that usually exist in malware.
 lO M oARcPSD| 18269317

Various Elements of Security

For fulfilling all the security-related constraints and requirements, researchers and security
analysts have come up with some unique concepts that, when preserved, can help in keeping
the system safe and secure. If anyone of the elements gets compromised, there is a potential
risk for the information and the system. These six elements are:

1. Availability: As the name suggests, availability specifies whether the data or resource
is available when required or requested by the client. The information that has been
requested will possess the actual value only when legitimate users can access those
resources at the right time. Cybercriminals seize those data so that the request to
access those resources gets denied (leads to downtime of a working server), which is a
conventional attack.

2. Integrity: This refers to the techniques to ensure that all the data or resources that can
be accessed in real-time are legitimate, correct, and protected from unlawful user
(hackers) modification. Data integrity has become a primary and essential component
or element of information security because users have to trust online information to
use them. Non-trusted data compromises the integrity and hence will violate one of the
six elements. Data integrity is verified through techniques like checksums, change in
hash values, and data comparison.

3. Authenticity: Authenticity is another essential element, and authentication can be

defined as the process of ensuring and confirming that the identity of the user is
genuine and legitimate. This authentication process takes place when the user tries to
gain access to any data or information (commonly done by login or biometric access).
However, cybercriminals use more sophisticated tools and techniques to gain such
access using social engineering, password guessing, brute force techniques, or
cracking ciphers.

4. Confidentiality: can be defined as permitting approved users for accessing all sensitive
as well as protected information. Confidentiality takes care of confidential
information, and other resources must be revealed to legitimate and authorized users
only. Confidentiality can be made certain by using role-based security techniques for
ensuring user or viewer's authorization and access controls on any particular data.

5. Non-repudiation: can be defined as the way of assurance that message transmitted

among two or more users via digital signature or through encryption is accurate, and
no one can deny the authentication of the digital signature on any document. Authentic
data and its origination can be acquired with the help of a data hash.
 lO M oARcPSD| 18269317

6. Utility: as the name suggests is used for any purpose or reason and is accessed and
then used by users. It is not entirely the type of element for security, but if any
resource's utility becomes vague or useless, then it is of no use. Cryptography is used
to preserve the efficiency of any resource sent over the internet. Various encryption
mechanisms are used for securing the message or data sent over the internet so that it
is not altered during the transmission; otherwise, the utility of that resource will not
prevail.

Terminology’s For Securing a System

Unauthorized Access
This is a case when an external agent tries to take legitimate access to any system, computer,
network, server, website, server-room, sensitive data, or someone else's account.
Cybercriminals gain unauthorized access by cracking passwords by different means, stealing
sensitive personal data, or by social engineering and other approaches.

Access Control

Access Control is a mechanism of controlling who has the proper access to any system or
computer or server or online services where the information is stored. It is a fundamental
concept that regulates and then minimizes the risk of any business or organization.

Threat

A threat can be defined as the possible danger that might cause the exploitation of any bug or
vulnerability for breaching security, which then causes possible harm to any institute,
organization, or firm. These threats are found by cybercriminals to steal, annoy, or harm the
resources.

Backdoor

Backdoor is used by cybercriminals to gain illegal access to the target system. It is used to
secretly bypass standard authentication or encryption in a system's security mechanism.
Hackers covertly embed these backdoor programs with legitimate files or keep these
backdoors after they came out of the system, which they have hacked for gaining access in
the future. Backdoors are also known as trapdoors.

Vulnerability

The vulnerability can be defined as the flaw or weakness in the design or development of any
system. It is an error in any component of cyberspace that can lead to an unexpected or
unwanted breach in security systems.

Zero-day Attacks
 lO M oARcPSD| 18269317

Zero-day Attack is a type that is not known to the creator, developer, or vendor of the
system, and cybercriminals exploit the vulnerability to gain illegitimate access to any
system, network, or server. There are no known security patches or fixes in such types of
attacks because the developers are unaware of this vulnerability.

Social Engineering

Social Engineering is a technique of stealing sensitive data from a target victim in different
ways, such as physical accessing of data or psychologically manipulate in combination with
social scenarios. Examples of social engineering are shoulder surfing, phishing, tailgating,
dumpster diving, etc.

Command and Control Servers

Command, and Control Servers are also termed as C&C servers, which are machines used by
attackers for communicating with a botnet where they can control and compromise systems
within the network.

Content Spoofing

Content Spoofing is another popular technique used by cybercriminals to perform attacks by

tricking the target victim(s) with interest to visit any fraudulent or malicious site which looks
like a legitimate one.

Identity Theft

Identity Theft is the scenario when the attacker gains every personal detail about the target
user and uses that personal information to impersonate the target user. Data attackers take
credit card information, bank account details, transaction details, ID and passwords, victim's
address, and phone number.

Fundamentals Of Network Security

Today, hacks, data breaches, and cyberattacks are more common than ever before. In fact,
the number of data breaches that exposed private records more than doubled between 2015
and 2017 alone. The increasing number and severity of these attacks make network security
a topic of utmost importance, especially for current and prospective certified IT
professionals.

CompTIA has done extensive research on cybersecurity, and one recent study on building
security teams, shows that the primary driver for a new security approach is a change in IT
operations. Migrating to a cloud provider, adding new mobile devices or focusing on data
analytics are all common IT strategies that require new security tactics. It’s no coincidence
that these strategies also drive changes or improvements to the corporate network. Success in
these areas requires a solid understanding of best practices in network security.
 lO M oARcPSD| 18269317

Network security is a smaller subset that falls under the larger umbrella of cybersecurity, and
it refers to the practice of preventing unauthorized users from accessing computer networks
and their associated devices. It involves physically protecting network servers and devices
from external threats, as well as taking steps to secure the digital network. In an age of
increasingly sophisticated and frequent cyberattacks, network security matters more now
than ever before

The Importance of Network Security

Network security is vital to maintaining the integrity of your data and the privacy of your
organization and employees. It encompasses everything from the most basic practices,
such creating strong passwords and fully logging out of community computers, to the most
complex, high-level processes that keep networks, devices and their users safe. More and
more sensitive information is stored online and in these various devices, and if an
unauthorized user gains access to that data, it could lead to disastrous results.

Network security is the key to keeping that sensitive information safe, and as more private
data is stored and shared on vulnerable devices, network security will only grow in
importance and necessity. Experts expect that more than 2,314 exabytes (or over 2 trillion
gigabytes) of data will exist by 2020; managing that amount of data is difficult enough, and
protecting it will be another issue entirely.

While each and every member of your organization can take strides to help keep things
secure, network security has become more complex in recent years. Adequately protecting
networks and their connected devices requires comprehensive network training, a thorough
understanding of how networks actually work and the skills to put that knowledge into
practice. It’s crucial for networks to be thoroughly and properly set up, secured and
monitored to fully preserve privacy.

Common Network Security Vulnerabilities

In order to effectively implement and maintain secure networks, it’s important to understand
the common vulnerabilities, threats and issues facing IT professionals today. While some can
be fixed fairly easily, others require more involved solutions.

Virtually all computer networks have vulnerabilities that leave them open to outside attacks;
further, devices and networks are still vulnerable even if no one is actively threatening or
targeting them. A vulnerability is a condition of the network or its hardware, not the result of
external action.

These are some of the most common network vulnerabilities:

• Improperly installed hardware or software

• Operating systems or firmware that have not been updated
 lO M oARcPSD| 18269317

• Misused hardware or software

• Poor or a complete lack of physical security
• Insecure passwords
• Design flaws in a device’s operating system or in the network

While a vulnerability does not guarantee that an attacker or hacker will target your network,
it does make it much easier — and possible — for them to gain access to it.

Physical Security Considerations

You must also consider the physical security of the various devices, servers and systems that
are used to power and maintain your network. If a network is physically vulnerable, it
doesn’t matter how strong or extensive its security is, because if someone can gain physical
access to any of these items, the entire network could then be compromised.

Important physical safety considerations include the following:

• Storing network servers and devices in a secure location

• Denying open access to this location to members of your organization
• Using video surveillance to deter and detect anyone who attempts to access this
location

Taking precautions to maintain the physical safety of your network will ensure that it’s able
to run as smoothly and safely as possible.

Types of Network Security Attacks

Over the last several years, cyberattacks have become more sophisticated, extensive,
frequent and more difficult to defend against. Many cybersecurity experts believe that these
attacks will only continue to grow more complex and aggressive.

Some of the most prevalent types of network security attacks any IT professional should be
aware of include the following:

• Data Theft: Also called data exfiltration, data theft occurs when an attacker uses
their unauthorized access to obtain private information from the network.
Attackers frequently use stolen login credentials to read protected files or steal
the data while it is in transit between two network devices.
• Insider Threat: As its name implies, insider threats come from employees
within an organization. These employees use their own access to infiltrate the
network and obtain sensitive or private company information.
• Malware Attacks: A malware attack occurs when a malicious code (malware)
inserts undesired, unauthorized software onto a network device. Malware can
easily spread from one device to another, making it very difficult to get rid of
entirely.
 lO M oARcPSD| 18269317

• Password Attacks: Any type of attack that involves someone attempting to use a
password illegitimately is considered to be a password attack. The hacker may
obtain access either by guessing, stealing or cracking a password.
• Social Engineering: These attacks use deception and falsehoods to convince
others to give up private information, such as an account password, or to violate
security protocols. Social engineering attacks often target people who are not
tech-savvy, but they may also target technical support staff with false requests
for help.

Of course, these are only a few of the many ways that hackers may try to infiltrate network
systems, and they will continue to develop new, creative ways to do so. Always pay attention
to any unusual activity you happen to notice, and don’t hesitate to investigate the matter
further.

Types of Network Security Solutions

Just as there are many ways to infiltrate a network, there are many different techniques and
strategies that IT professionals can use to secure one. Some of the most common types of
network security solutions include:

• Antivirus Software: Antivirus software can be installed on all network devices

to scan them for malicious programs. It should be updated regularly to fix any
issues or vulnerabilities.
• Encryption: Encryption is the process of scrambling data to the point of
unintelligibility and providing only authorized parties the key (usually a
decryption key or password) to decode it. This way, even if data is intercepted or
seen by an unauthorized user, they are unable to read it.
• Firewalls: Firewalls are a software program, hardware device or combination of
both that blocks unsolicited traffic from entering a network. They can be
configured to only block suspicious or unauthorized traffic, while still allowing
access to legitimate requests.
• Multi-Factor Authentication: Multi-factor authentication is simple: users must
provide two separate methods of identification to log into an account (for
instance, typing in a password and then typing in a numeric code that was sent to
another device). Users should present unique credentials from two out of three
categories — something you know, something you have and something you are
— for multi-factor authentication to be fully effective.
• Network Segmentation: Network segmentation involves breaking down a larger
network into various subnetworks or segments. If any of the subnetworks are
infiltrated or compromised, the others are left untouched because they exist
independently of each other.

One security strategy won’t be enough to fully and effectively protect a network. A
combination of different techniques will ensure that your network is as secure as possible
and will help to meet the unique needs of your organization.
 lO M oARcPSD| 18269317

Network Protection Tips

Regardless of your organization’s needs, there are a few general network protection tips and
best practices that you should be sure to follow. Below is a very basic overview of some of
the most important, but perhaps underestimated, steps IT professionals should take to ensure
network security. A more in-depth guide of all relevant steps and information can be found
in the CompTIA Network+ Certification study guide.

Grant Access Sparingly

Always be aware of who has access to your network or servers. After all, not everyone in
your organization needs to be able to physically or electronically access everything on your
network. Don’t give blanket access to every employee in your organization; only give out
what information is necessary to help reduce the chance of unauthorized access, purposeful
or unintentional tampering, or security breaches.

Follow Password Best Practices

It’s a basic principle, but following password best practices is a simple and highly effective
way to maintain network security. Many people create passwords that aren’t strong, reuse
previous passwords and don’t use unique passwords for each of their accounts. Encourage all
employees to follow password best practices, especially for their work accounts, as it can
help keep everyone’s data safe.

Secure Servers and Devices

Physically protect your servers and your devices. Keep them in a safe location, and do not
grant general access to this room or area. Be sure the room is locked when it’s not in use and
keep an eye on the area when it is unsecured or in use.

Test Your Security

You should never assume that your network is completely secure. Continually test
and troubleshoot your network to see what is substandard or to identify any vulnerabilities.
Be sure to make fixes and updates as needed.

In addition, if you do not already have a data recovery plan in place, now is the time to create
one. Even the best-secured networks are compromised and infiltrated, and though no one
wants or necessarily expects that to happen, being prepared for the worst will make solving
the problem significantly easier.

Computer networking is constantly evolving, and what was once considered a network
security best practice may soon be a thing of the past. IT professionals need continual
education and training to keep up on the latest security issues and threats, so they can more
effectively implement promising network security solutions.
 lO M oARcPSD| 18269317

To get started in a computer networking career, check out CompTIA Network+ and the
related training materials.

Network Troubleshooting Applications

In addition to command-line tools, there are also a number of standalone applications that
can be used to determine the status of a network and to troubleshoot issues. Some of these
applications may be included in the system that you are working with, while others may need
to be installed separately.

• Packet Sniffer: Provides a comprehensive view of a given network. You can use
this application to analyze traffic on the network, figure out which ports are open
and identify network vulnerabilities.
• Port Scanner: Looks for open ports on the target device and gathers
information, including whether the port is open or closed, what services are
running on a given port and information about the operating system on that
machine. This application can be used to figure out which ports are in use and
identify points in a network that could be vulnerable to outside attacks.
• Protocol Analyzer: Integrates diagnostic and reporting capabilities to provide a
comprehensive view of an organization's network. You can use analyzers to
troubleshoot network problems and detect intrusions into your network.
• Wi-Fi Analyzer: Detects devices and points of interference in a Wi-Fi signal.
This tool can help you to troubleshoot issues in network connectivity over a
wireless network.
• Bandwidth Speed Tester: Tests the bandwidth and latency of a user’s internet
connection. This application is typically accessed through a third-party website
and can be used to confirm user reports about slow connections or download
speeds.

Hardware Tools
Command-line tools and applications are software tools for troubleshooting, but some
network problems have hardware causes and solutions.

Here are some hardware tools that can help you diagnose and solve network issues:

• Wire Crimpers: A wire crimper (sometimes called a cable crimper) is a tool that
attaches media connectors to the ends of cables. You can use it to make or
modify network cables.
• Cable Testers: A cable tester (sometimes called a line tester) is a tool that
verifies if a signal is transmitted by a given cable. You can use one to find out
whether the cables in your network are functioning properly when diagnosing
connectivity issues.
• Punch Down Tool: A punch down tool is used in a wiring closet to connect
cable wires directly to a patch panel or punch-down block. This tool makes it
easier to connect wires than it would be to do it by hand.
 lO M oARcPSD| 18269317

• TDR: A time-domain reflectometer (TDR) is a measuring tool that transmits an

electrical pulse on a cable and measures the reflected signal. In a functioning
cable, the signal does not reflect and is absorbed in the other end. An optical
time-domain reflectometer (OTDR) is a similar tool, but used for measuring fiber
optic cables, which are becoming more common in modern networks.
• Light Meter: Light meters, also known as optical power meters, are devices
used to measure the power in an optical signal.
• Tone Generator: A tone generator is a device that sends an electrical signal
through one pair of UTP wires. On the other end, a tone locator or tone probe is a
device that emits an audible tone when it detects a signal in a pair of wires. You
can use these tools to verify that signals are passing through the wires in your
network. They are often used to confirm phone connectivity.
• Loopback Adapter: A loopback adapter is a virtual or physical tool that can be
used for troubleshooting network transmission issues. It can be used by utilizing
a special connector that redirects the electrical signal back to the transmitting
system.
• Multimeter: A multimeter (sometimes called a volt/ohm meter) is an electronic
measuring instrument that takes electrical measurements such as voltage, current
and resistance. There are hand-held multimeters for fieldwork as well as bench-
top models for in-house troubleshooting.
• Spectrum Analyzer: A spectrum analyzer is an instrument that displays the
variation of a signal strength against the frequency.

How to Develop Your Network Troubleshooting Skills

These are just a few of the steps you can follow and tools that you can use to troubleshoot an
issue in your network. For home networks, many issues can be solved relatively simply, by
checking connections, making sure that everything is plugged in and using built-in
diagnostic tools.

However, if you want a job working on computer networks, you’ll need to develop your
troubleshooting skills to match. Network troubleshooting is an essential skill to have when
looking for a job as a network engineer or network administrator, since companies are
primarily concerned with minimizing their network downtime.

If you’re looking for a job, an IT certification related to computer networking is essential as

proof of your abilities. Keep in mind that certification exams test your skills very closely, so
make sure to seek out appropriate network training to properly prepare for your exam and
test with confidence.

In order to really develop your skills that will land you the job, it’s important to combine
training and certifications with real-world network troubleshooting experience. This
experience doesn’t have to come from a job – you can practice your IT skills by tinkering
with your own equipment or volunteering with local nonprofits to improve their networks
and resolve any issues they’re having.
 lO M oARcPSD| 18269317

Fundamentals of Cloud Security

Cloud security refers to protecting data stored online via cloud computing
environments (instead of data centers) from theft, deletion, and leakage. There are many
protective methods that help secure the cloud; these measures include access control,
firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and
not using public internet connections.

How Secure is the Cloud?

When it comes to network security concerns, the cloud itself is not the issue – rather,
the challenge lies within the policies and technologies for security and control of that
technology. Put simply? Human error is one of the top reasons for data breaches in the cloud.
In fact, Gartner estimates that by 2022, at least 95 percent of cloud security failures will be
the customer’s fault due to misconfigurations and mismanagement.

Therefore, it is not an issue of whether or not the cloud is secure but if the customer is using
the cloud securely.

Examples of Cloud Security Compromised by Misconfiguration

Too often, misconfigured cloud-based systems lead to data breaches. For instance, in
2019, Capital One was hacked by a malicious actor who stole the sensitive data of more than
100 million people while not following traditional hacker patterns.

The breach was the result of a misconfigured open-source web application firewall (WAF),
which Capital One used in its operations hosted on Amazon Web Services. The
 lO M oARcPSD| 18269317

misconfigured WAF was permitted to list all the files in any AWS data buckets and read the
contents of each file. The misconfiguration allowed the intruder to trick the firewall into
relaying requests to a key back-end resource on AWS.

Once the breach happened, 100 million U.S. citizens were impacted and 140,000 Social
Security numbers and 80,000 bank account numbers were compromised. In total, the breach
cost Capital One roughly $150 million.

Anticipated Cloud Security Challenges in 2021

From April to May 2020, the Cloud Security Alliance (CSA) conducted a survey of
experienced cloud security architects, designers, and operators from large organizations to, in
part, determine the challenges of public cloud workloads in 2020. After surveying 200
respondents, they found that anticipated security challenges included:

• Visibility
• Data Privacy
• IAM Procedures
• Configuration Management
• Compliance Requirements
At the same time, the diversity of production workloads in the public cloud were also
expected to increase in 2021, including the use of container platforms, function-as-a-
service/serverless approach, and cloud provider services. Use of virtual machines is also
expected to increase.

7 Fundamentals of Cloud Security

Don’t just migrate to the cloud – prevent security threats by following these tips:

1. Understand what you’re responsible for – different cloud services require varying
levels of responsibility. For instance, while software-as-a-service (SaaS) providers ensure
 lO M oARcPSD| 18269317

that applications are protected and that data security is guaranteed, IaaS environments may
not have the same controls. To ensure security, cloud customers need to double check with
their IaaS providers to understand who’s in charge of each security control.

2. Control user access – a huge challenge for enterprises has been controlling who has
access to their cloud services. Too often, organizations accidently publically expose their
cloud storage service despite warnings from cloud providers to avoid allowing storage drive
contents to be accessible to anyone with an internet connection. CSO advises that only load
balancers and bastion hosts should be exposed to the internet. Further, do not allow Secure
Shell (SSH) connections directly from the internet as this will allow anyone who finds the
server location to bypass the firewall and directly access the data. Instead, use your cloud
provider’s identity and access control tools while also knowing who has access to what data
and when. Identity and access control policies should grant the minimum set of privileges
needed and only grant other permissions as needed. Configure security groups to have the
narrowest focus possible and where possible, use reference security group IDs. Finally,
consider tools that let you set access controls based on user activity data.

3. Data protection – data stored on cloud infrastructures should never be unencrypted.

Therefore, maintain control of encryption keys where possible. Even though you can hand
the keys over to cloud service providers, it is still your responsibility to protect your data. By
encrypting your data, you ensure that if a security configuration fails and exposes your data
to an unauthorized party, it cannot be used.

4. Secure credentials – AWS access keys can be exposed on public websites, source code
repositories, unprotected Kubernetes dashboards, and other such platforms. Therefore, you
should create and regularly rotate keys for each external service while also restricting access
on the basis of IAM roles. Never use root user accounts – these accounts should only be used
for specific account and service management tasks. Further, disable any user accounts that
aren’t being used to further limit potential paths that hackers can compromise.

5. Implement MFA – your security controls should be so rigorous that if one control fails,
other features keep the application, network, and data in the cloud safe. By tying MFA
(multi-factor authentication) to usernames and passwords, attackers have an even harder time
breaking in. Use MFA to limit access to management consoles, dashboards, and privileged
accounts.

6. Increase visibility – to see issues like unauthorized access attempts, turn on security
logging and monitoring once your cloud has been set up. Major cloud providers supply some
level of logging tools that can be used for change tracking, resource management, security
analysis, and compliance audits.

7. Adopt a shift–left approach – with a shift-left approach, security considerations are

incorporated early into the development process rather than at the final stage. Before an IaaS
platform goes live, enterprises need to check all the code going into the platform while also
auditing and catching potential misconfigurations before they happen. One tip – automate the
 lO M oARcPSD| 18269317

auditing and correction process by choosing security solutions that integrate with Jenkins,
Kubernetes, and others. Just remember to check that workloads are compliant

Fundamentals Of A Security Operations Center

Information and data are the most important assets for an organization. It is no surprise
that information security is becoming increasingly important for businesses of all sizes.
There are several security solutions available depending on the industry and size of business.
In today’s digital world it is not only important to implement solutions but to implement a
strategy that will keep businesses ahead of the growing security threats. In this article, we
discuss the fundamentals of a Security Operations Center (SOC) and what options are
available for businesses to explore.

What Is A Security Operations Centre (SOC)?

Simply put, a SOC is an environment or physical facility where various security experts
monitor and control enterprise systems and networks, prevent security breaches and identify
and mitigate security threats proactively. A SOC facilitates a clear vision of the threat
landscape to an organization. In larger organizations that already have mature security
infrastructures, a SOC is equipped with avant-garde and costly information security
technologies. Clearly, these facilities are manned 24/7 with cutting edge physical security for
an added protection layer to a company’s valuable assets.

Types Of SOC Models

Depending on its security requirements, there are several types of SOCs that an organization
can consider. We discuss some below.

In-house SOC: As the term suggests, these SOCs are within an organization. They typically
comprise of diverse security and IT experts that are committed to the security needs of the
organization and work together in a designated facility.
In-house Virtual SOC: Unlike an In-house SOC, In-house Virtual SOC does not have a
dedicated team of security personnel. Rather, it is comprised of employees that are
geographically distributed and respond to security alerts and events.
Co-Managed SOC: Co-Managed SOC is made up of In-house SOC personnel that work
with an external Managed Security Service Provider (MSSP). Each share responsibilities and
coordinate the management and maintenance of the organization’s security operations.
Outsourced Virtual SOC: With the shift to cloud computing, MSSPs are providing SOC-
as-a-Service. Security operations are completely outsourced to a third-party service provider
eliminating the need to have an in-house security facility.
SOC Positions
There are many roles in a Security Operations Center depending on the objectives an
organization wants to accomplish. Most positions shoulder numerous responsibilities and
work in collaboration to achieve security objectives. Depending on their accountability and
expertise, following are some SOC team roles with a generic description of how they
contribute to the SOC.
 lO M oARcPSD| 18269317

SOC Manager: A SOC Manager shoulders managerial responsibilities such as budgeting,

strategizing, personnel management and coordinating the operations of the facility. All team
members report to the SOC Manager who in turn reports to the Chief Information Security
Officer (CISO) or another C-level executive.
Incident Responder: An incident responder is the first line responder in threat detection.
This role performs the initial evaluation of security breaches and escalates appropriately.
Security Analyst: After the initial identification, a security analyst categorizes the alert,
looks for cause and advises on remediation measures.
Security Engineer: Security Engineers maintain the security infrastructure including
implementation and recommendation of new tools such as SIEM solutions and other
technologies. This role serves as a liaison between the SOC and the development team in
their respective organizations.
Besides the above roles, SOCs can also comprise of Forensic Investigators and Compliance
Auditors.

Recommendations For Building A SOC Capability

Building an effective SOC requires careful planning and strategy and could vary
considerably between organizations. Gartner provides the following recommendations when
planning to build a SOC.

Conclusion
The increasing threat landscape has made organizations take information security more
seriously. However, a crucial question that most businesses face is whether to build an in-
house Security Operations Center or outsource to an MSSP. Additionally, some
organizations may want to go the hybrid way with both an in-house and outsource approach.
Cost, time, effort and talent availability are factors to keep in mind when developing an
effective SOC strategy.

SOC is evolving and Cyber Chasse security consultants can help you achieve the right
balance in executing your security strategies. To learn more about how we can provide you
with the best solution customized to your unique needs, contact us today.

Cyber Security Security Operations

Security Operations is often contained within a SOC ("Security Operations Center"). Terms
are used interchangeably.

Typically the SOC's responsibility is to detect threats in the environment and stop them from
developing into expensive problems.
 lO M oARcPSD| 18269317

SIEM ("Security Information Event Management")

Most systems produces logs often containing important security information.

An event is simply observations we can determine from logs and information from the
network, for example:

• Users logging in
• Attacks observed in the network
• Transactions within applications

An incident is something negative we believe will impact our organization. It might be a

definitive threat or the potential of such a threat happening. The SOC should do their best to
determine which events can be concluded to actual incidents, which should be responded to.

The SIEM processes alerts based on logs from different sensors and monitors in the network,
each which might produce alerts that are important for the SOC to respond to. The SIEM can
also try to correlate multiple events to determine an alerts.

SIEM's typically allow events from the following areas to be analyzed:

• Network
• Host
• Applications

Events from the network is the most typical, but least valuable as they don't hold the entire
context of what has happened. The network typically reveals who is communicating where,
over which protocols, and when, but not the intricate details about what happened, to whom
and why.

Host events give more information in regards to what actually happened and to whom.
Challenges such as encryption is no longer blurred and more visibility is gained into what is
taking place. Many SIEM's are enriched with great details about what happens on the hosts
themselves, instead of only from the network.

Events from application is where the SOC typically can best understand what is going on.
These events give information about the Triple A, AAA ("Authentication, Authorization and
Account"), including detailed information about how the application is performing and what
the users are doing.

For a SIEM to understand events from applications it typically requires work from the SOC
Team to make the SIEM understand these events, as support is often not included "out-of-
the-box". Many applications are proprietary to an organization and the SIEM does not
already have an understanding of the data the applications forward.
 lO M oARcPSD| 18269317

SOC Staffing

How a SOC is staffed greatly varies based on the requirements and structure of an
organization. In this section we take a quick look at typical roles involved in operating a
SOC. An overview of potential roles:

As in most organized teams, a role is appointed to lead the department. The SOC Chief
determines the strategy and tactics involved to counter threats against the organization.

The SOC Architect is responsible for ensuring the systems, platforms and overall
architecture is capable of delivering what the team members require to perform their duties.
A SOC Architect will help build correlation rules across multiple points of data and ensures
incoming data conforms to the platform requirements.

Analyst Lead is responsible that processes, or playbooks, are developed and maintained to
ensure analysts are capable to find the information necessary to conclude alerts and potential
incidents.

Level 1 Analysts serve as the first responders to alerts. Their duty is, within their
capabilities, to conclude alerts and forward any troubles to a higher level analyst.

Level 2 Analysts are distinguished by having more experience and technical knowledge.
They should also ensure any troubles in resolving alerts are forwarded to the Analyst Lead to
aid the continuous improvement of the SOC. The Level 2, together with the Analyst Lead,
escalates incidents to the Incident Response Team.

The IRT ("Incident Response Team") is a natural extension to the SOC Team. The IRT team
is deployed to remediate and solve the issues impacting the organization.

Penetration Testers ideally also support the defense. Penetration Testers have intricate
knowledge of how attackers operate and can help in root cause analysis and understanding
how break-ins occur. Merging attack and defense teams is often referred to as Purple
Teaming and is considered a best-practice operation.

Escalation Chains

Some alerts require immediate actions. It is important for the SOC to have defined a process
of whom to contact when different incidents occur. Incidents can occur across many different
business units, the SOC should know who to contact, when and on which communication
mediums.

Example of an escalation chain for incidents impacting one part of a organization:

 lO M oARcPSD| 18269317

1. Create an Incident in the appointed Incident Tracking System, assigning it to correct

department or person(s)
2. If no direct action happens from department/person(s): send SMS and Email to
primary contact
3. If still no direct action: phone call primary contact
4. If still no direct action: call secondary contact

Classification of Incidents

Incidents should be classified according to their:

• Category
• Criticality
• Sensitivity

Depending on the incidents classification and how it is attributed, the SOC might take
different measures to solve the issue at hand.

The category of incident will determine how to respond. There exists many kinds of incident
and it is important for the SOC to understand what each incident type means for the
organization. Example incidents are listed below:

• Inside Hacking
• Malware on Client workstation
• Worm spreading across the network
• Distributed Denial of Service Attack
• Leaked Credentials

The criticality of an incident is determined based on how many systems is impacted, the
potential impact of not stopping the incident, the systems involved and many other things. It
is important for the SOC to be able to accurately determine the criticality so the incident can
be closed accordingly. Criticality is what determines how fast an incident should be
responded to.
Should the incident be responded to immediately or can the team wait until tomorrow?

Sensitivity determines who should be notified about the incident. Some incidents require
extreme discretion.

SOAR ("Security Orchestration, Automation and Response")

To counter the advancements of threat actors, automation is key for a modern SOC to
respond fast enough. To facilitate fast response to incidents, the SOC should have tools
available to automatically orchestrate solutions to respond to threats in the environment.
 lO M oARcPSD| 18269317

The SOAR strategy means ensuring the SOC can use actionable data to help mitigate and
stop threats which are developing more real-time than before. In traditional environments it
takes attackers very short time from the time of compromise until they have spread to
neighboring systems. Contrary to this it takes organizations typically a very long time to
detect threats that have entered their environment. SOAR tries to help solve this.

SOAR includes concepts such as IAC "Infrastructure as Code" to help rebuild and remediate
threats. SDN ("Software Defined Networking") to control accesses more fluently and easily,
and much more.

What to monitor?

Events can be collected across many different devices, but how do we determine what to
collect and monitor? We want the logs to have the highest quality. High fidelity logs that are
relevant and identifying to quickly stop the threat actors in our networks. We also want to
make it hard for attackers to circumvent the alerts we configure.

If we look at different ways to catch attackers, it becomes evident where we should focus.
Here is a list of possible indicators we can use to detect attackers, and how hard it is
considered for attackers to change.

Indicator Difficulty to change

File checksums and hashes Very Easy

IP Addresses Easy

Domain Names Simple

Network and Host Artifacts Annoying

Tools Challenging
 lO M oARcPSD| 18269317

Tactics, Techniques and Procedures Hard

File checksums and hashes can be used to identify known pieces of malware or tools used by
attackers. Changing these signatures are considered to be trivial for attackers as their code
can be encoded and changed in multiple different ways, making the checksums and hashes
change.

IP Addresses are also easy to change. Attackers can use IP addresses from other
compromised hosts or simply use IP addresses within the jungle of different cloud and VPS
("Virtual Private Server") providers.

Domain Names can also be reconfigured quite easily by attackers. An attacker can configure
a compromised system to use a DGA ("Domain Generation Algorithm") to continuously use
a new DNS name as time passes. One week the compromised system uses one name, but the
next week the name has changed automatically.

Network and Host Artifacts are more annoying to change, as this involves more changes for
the attackers. Their utilities will have signatures, like a user-agent or the lack of thereof, that
can be picked up by the SOC.

Tools become increasingly harder to change for attackers. Not the hashes of the tools, but
how the tools behave and operate when attacking. Tools will be leaving traces in logs,
loading libraries and other things which we can monitor to detect these anomalies.

If the defenders are capable of identifying Tactics, Techniques and Procedures threat actors
use, it becomes even harder for attackers to get to their objectives. For example, if we know
the threat actor likes to use Spear-Phishing and then Pivoting peer-to-peer via to other victim
systems, defenders can use this to their advantage. Defenders can focus training to staff at
risk for spear-phishing and start implementing barriers to deny peer-to-peer networking.