BLUE TEAM

Vulnerability Management: FARADAY

by
This entry is part 2 of 4 in the series Governance Risk Compliance

Views: 18Faraday: Open Source Vulnerability Manager Faraday is a powerful open-source vulnerability management platform designed to help cybersecurity teams streamline their pentesting, vulnerability assessment, and remediation processes. Built with a collaborative and automation-driven approach, Faraday enables security professionals to efficiently collect, analyze, and manage security findings from various tools in a centralized environment. With support … Read more

Data Manipulation in Splunk: PART II

by
This entry is part 10 of 4 in the series Splunk 101

Views: 8Event Boundaries Event breaking in Splunk refers to breaking raw data into individual events based on specified boundaries. Splunk uses event-breaking rules to identify where one event ends, and the next begins. In the PART I of this series, we have created a TestApp which is placed at /opt/splunk/etc/apps/TestApp/. Please follow this link to read the PART I article. … Read more

Data Manipulation in Splunk: PART I

by
This entry is part 9 of 4 in the series Splunk 101

Views: 10Splunk Log Parsing and Transformation Configuration Splunk needs to be properly configured to parse and transform the logs appropriately. Some of the issues being highlighted are: Splunk Data Parsing Guide Data parsing in Splunk involves extracting relevant fields and transforming the data into a structured format for efficient analysis. Step 1: Understand the Data … Read more

Regular Expressions

by
This entry is part 8 of 4 in the series Splunk 101

Views: 5Regular Expressions: Charsets Searching for Specific Strings Charsets in Regex Using Ranges Matching and Excluding Patterns Important Notes Regular Expressions: Wildcards and Optional Characters Wildcard Matching (. Dot) Optional Characters (? Question Mark) Matching a Literal Dot (\.) Regular Expressions: Line Anchors and Grouping Line Anchors Important Note: Grouping and Either/Or (|) Repeating Groups

Wireshark 101 | Traffic Analysis and Investigation (PART 04)

by
This entry is part 17 of 17 in the series Incident Response and Forensics

Views: 19Encrypted Protocol Analysis: Decrypting HTTPS When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 03)

by
This entry is part 16 of 17 in the series Incident Response and Forensics

Views: 20Investigate Tunnelling Traffic: ICMP and DNS Traffic tunnelling is (also known as “port forwarding”) transferring the data/resources in a secure method to network segments and zones. It can be used for “internet to private networks” and “private networks to internet” flow/direction. There is an encapsulation process to hide the data, so the transferred data appear natural … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 02)

by
This entry is part 14 of 17 in the series Incident Response and Forensics

Views: 5Identifying Hosts When investigating a compromise or malware infection activity, a security analyst should know how to identify the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts and users on the network to decide the investigation’s starting point and list the hosts … Read more

Endpoint Detection and Response (EDR) : Lima Charlie (Part 01)

by
This entry is part 1 of 1 in the series Endpoint Detection and Response (EDR)

Views: 18Introduction to Endpoint Detection and Response (EDR) Endpoint Detection and Response (EDR) is a cybersecurity solution designed to detect, investigate, and respond to threats at the endpoint level. Endpoints include devices like laptops, desktops, servers, and mobile devices that connect to an organization’s network. These are often the primary targets for attackers, making them … Read more

SNORT 101 (Part 03)

by
This entry is part 13 of 4 in the series Instrusion Detection and Prevention

Views: 19Snort Rules Each rule should have a type of action, protocol, source and destination IP, source and destination port and an option. Remember, Snort is in passive mode by default. So most of the time, we will use Snort as an IDS. We will need to start “inline mode” to turn on IPS mode.  The Snort rule structure … Read more

SNORT 101 (Part 02)

by
This entry is part 14 of 4 in the series Instrusion Detection and Prevention

Views: 1SNORT in IDS/IPS mode IDS/IPS mode with parameter “-A” There are several alert modes available in snort; Only the “console” and “cmg” parameters provide alert information in the console. It is impossible to identify the difference between the rest of the alert modes via terminal. Differences can be identified by looking at generated logs.  IDS/IPS mode with parameter “-A console” … Read more