# SOC Notes from Industry

For a quick shutdown/restart (5-second delay): `shutdown /r /t 05`

`Get-ADComputer dd-brava -Server dd-dc1.dardubai.co.ae`: this command is used to look up a specific server's computer object on the domain controller, to find which groups it belongs to and so which AD policies apply to it.

* SOC Quick tools

  Josh Stroscheins Malware collection:

  <https://github.com/jstrosch/malware-s>...

  Malware Bazaar:

  <https://bazaar.abuse.ch/>

  Oledump:

  <https://blog.didierstevens.com/progra>...

  Any.Run:

  <https://any.run/>

  VirusTotal:

  <https://www.virustotal.com/gui/>

  Pdf-Parser:

  <https://pdfparser.org/>

  Analyzing Malicious Documents Cheat Sheet:

  <https://zeltser.com/media/docs/analyz>...

  URLHaus:

  <https://urlhaus.abuse.ch/>
* Suspicious Email Checklist

  * [ ] Generate a document for email phishing

  Command Line Audit

  [Security Analyst Toolset – Sushil's.pdf](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/db88ac65-9466-4371-87a4-e2dac4b6cf70/Security_Analyst_Toolset__Sushils.pdf)

  [Email Phishing](https://www.notion.so/Email-Phishing-2565a263643845bead40c15ba9eff5c9)
* Command Line Auditing

  Inner view of PowerShell/cmd commands: logs what is being done while the Sysinternals executables are in use.

  [live.sysinternals.com - /](https://live.sysinternals.com/)

  [Sysinternals Utilities - Windows Sysinternals](https://docs.microsoft.com/en-us/sysinternals/downloads/)

  [Command-Line-Auditing.docx](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/3c0d8da2-423c-4fe8-9fb6-97ec99cb9555/Command-Line-Auditing.docx)

  [Blue Team Tips](https://www.sneakymonkey.net/2018/06/25/blue-team-tips/)

  [THREAT HUNTING WITH WINDOWS SECURITY EVENT LOGS - Blue Team Blog](https://blueteamblog.com/threat-hunting-with-windows-security-event-logs)
* Learn Powershell 7

  [Powershell Automation](https://www.notion.so/Powershell-Automation-7227dd9732e84ad5acae610bae538a41)

  Download ->

  [PowerShell/PowerShell](https://github.com/PowerShell/PowerShell/blob/master/docs/learning-powershell/powershell-beginners-guide.md)

  [Powershell](https://devblogs.microsoft.com/powershell/)

  [Sample scripts for system administration - PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/samples/sample-scripts-for-administration?view=powershell-7)

  Create a PowerShell script for documenting.
* Solarwinds

  [solarwindsinc](https://www.youtube.com/user/solarwindsinc)

  [SolarWinds Introduction and Strategy](https://www.youtube.com/watch?v=JFtY-XRN9U8)

  [Introduction to SolarWinds](https://www.youtube.com/watch?v=xJ66WWsEDIc)

  [Monitoring 101 - SolarWinds Lab #37](https://www.youtube.com/watch?v=-8xPLCIuQzE)

  [Network Performance Monitor Product Training (Current Version)](https://www.youtube.com/playlist?list=PLSAG2TJPvS5YAcTbGG8Edc-QQmv6GAiJH)
* Fortigate

  Free:

  [IT Cybersecurity Professionals Training | Fortinet](https://www.fortinet.com/training/cybersecurity-professionals)

  Advanced training:

  [IT Cybersecurity Professionals Training | Fortinet](https://www.fortinet.com/training/cybersecurity-professionals#advanced-training)

  [FortiGate Essentials](https://training.fortinet.com/local/staticpage/view.php?page=library_fortigate-essentials&_ga=2.220718044.554218823.1586787254-2028206572.1582302102)

  [IT Cybersecurity Professionals Training | Fortinet](https://www.fortinet.com/training/cybersecurity-professionals#awareness-training)
* Visualizing Data: ELK Stack

  [Free Elastic training](https://www.elastic.co/training/free?elektra=home\&storm=sub2)
* Logrhythm monitor + Sysmon + CMD Auditing

  Log in via RDP to the device with an admin account.

  1. Installing LogRhythm System Monitor for log collection on the workstation:

     [Logrhytm SIEM](https://www.notion.so/Logrhytm-SIEM-1d87a6535ef749c69b2df13298a6ef87)
  2. Make a `sysmon` folder on the RDP machine and copy-paste into it the contents of `\\dp-puneksc2\c$\sysmon`:

     1. Go to `\\dp-puneksc2\c$\sysmon` → `C:\ProgramData\KLShare\Packages\sysmon`

        **Copy the folder to the device's C: drive and copy `Sysmon64.exe` to the Windows folder.**

     2. Open cmd as administrator (config from <https://github.com/LogRhythm-Labs/Microsoft-SysMon-config>):

        ```cmd
        :: Run with administrator rights, from the sysmon folder copied above
        cd C:\sysmon
        sysmon64.exe -accepteula -i C:\sysmon\sysmonconfig.xml

        :: Verify the service was registered
        sc qc sysmon64
        ```

     You can check the Sysmon logs in Event Viewer:

     1. Go to Event Viewer → "Action" → Connect to remote Computer → enter the device name.
     2. Go to Application and Services Logs → Microsoft → Windows → Sysmon.
  3. Command Line Auditing:

     1. Open gpedit.msc as administrator:

        ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/222e3318-8428-4446-8957-b525047e5aea/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/222e3318-8428-4446-8957-b525047e5aea/Untitled.png)

     2. ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/80c39a4e-e4c3-451a-ba50-75e93ee269de/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/80c39a4e-e4c3-451a-ba50-75e93ee269de/Untitled.png)

     You can check Event Viewer for the logs.
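  An added example, not from the original notes: after the Sysmon install and the gpedit change above, this script confirms both are actually in effect (the `Sysmon64` service, the `ProcessCreationIncludeCmdLine_Enabled` policy value and "Process Creation" success auditing) and pulls recent process-creation events from both Sysmon Event ID 1 and Security 4688 for triage. It assumes the service name `Sysmon64` used by `sc qc sysmon64` above, English `auditpol` output, and an elevated shell; the function names are mine.

  ```powershell
  # Added example (not from the original notes). Assumptions: Sysmon is
  # registered as the "Sysmon64" service, auditpol prints English, and the
  # shell is elevated. Run against the local machine or pass -ComputerName.
  param(
      [string]$ComputerName = $env:COMPUTERNAME,
      [int]$MaxEvents = 25
  )

  function Test-SysmonService {
      param([string]$Computer)
      # Same information as "sc qc sysmon64", via CIM so it also works remotely.
      $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $Computer `
          -Filter "Name='Sysmon64'" -ErrorAction SilentlyContinue
      if (-not $svc) { return $null }
      return [pscustomobject]@{ Name = $svc.Name; State = $svc.State
                                StartMode = $svc.StartMode; Path = $svc.PathName }
  }

  function Test-CommandLineAuditing {
      # Registry value written by the gpedit policy
      # "Audit Process Creation -> Include command line in process creation events".
      $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
      $val = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
          -ErrorAction SilentlyContinue
      $cmdLineOn = [bool]($val -and $val.ProcessCreationIncludeCmdLine_Enabled -eq 1)
      # Without success auditing for "Process Creation" there are no 4688 events at all.
      $auditLines = auditpol /get /subcategory:"Process Creation" 2>$null
      $auditOn = [bool]($auditLines -match 'Success')
      return [pscustomobject]@{ ProcessCreationAudited = $auditOn; CommandLineIncluded = $cmdLineOn }
  }

  function ConvertFrom-EventData {
      param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
      # Flatten <EventData><Data Name="X">value</Data> ... into a hashtable.
      $xml = [xml]$Event.ToXml()
      $h = @{ TimeCreated = $Event.TimeCreated }
      foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
      return $h
  }

  function Test-SuspiciousCommandLine {
      param([string]$CommandLine)
      # Starting-point patterns for triage (encoded PowerShell, download cradles);
      # extend with your own detection content.
      $patterns = @('-enc(odedcommand)?\s', 'FromBase64String', 'DownloadString')
      foreach ($p in $patterns) { if ($CommandLine -match $p) { return $true } }
      return $false
  }

  function Get-RecentProcessCreations {
      param([string]$Computer, [int]$Max)
      $rows = New-Object System.Collections.Generic.List[object]
      # Sysmon Event ID 1 (ProcessCreate) from the log opened in Event Viewer above.
      $sysmon = Get-WinEvent -ComputerName $Computer -MaxEvents $Max -ErrorAction SilentlyContinue `
          -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
      foreach ($e in $sysmon) {
          $d = ConvertFrom-EventData $e
          $rows.Add([pscustomobject]@{ Time = $d.TimeCreated; Source = 'Sysmon'; User = $d.User
                                       Image = $d.Image; Parent = $d.ParentImage; CommandLine = $d.CommandLine })
      }
      # Security 4688: CommandLine is populated only when the policy checked above is on.
      $sec = Get-WinEvent -ComputerName $Computer -MaxEvents $Max -ErrorAction SilentlyContinue `
          -FilterHashtable @{ LogName = 'Security'; Id = 4688 }
      foreach ($e in $sec) {
          $d = ConvertFrom-EventData $e
          $rows.Add([pscustomobject]@{ Time = $d.TimeCreated; Source = '4688'; User = $d.SubjectUserName
                                       Image = $d.NewProcessName; Parent = $d.ParentProcessName
                                       CommandLine = $d.CommandLine })
      }
      return $rows | Sort-Object Time -Descending
  }

  # --- run ---
  $svc = Test-SysmonService -Computer $ComputerName
  if ($svc) { $svc | Format-List } else { Write-Warning "Sysmon64 service not found on $ComputerName" }
  if ($ComputerName -eq $env:COMPUTERNAME) { Test-CommandLineAuditing | Format-List }
  Get-RecentProcessCreations -Computer $ComputerName -Max $MaxEvents |
      Select-Object Time, Source, User, Image, CommandLine,
                    @{ n = 'Suspicious'; e = { Test-SuspiciousCommandLine $_.CommandLine } } |
      Format-Table -AutoSize -Wrap
  ```

  If `CommandLineIncluded` comes back false, 4688 events will show `NewProcessName` but an empty command line, which is the usual sign that the gpedit step was not applied or the policy has not refreshed yet.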
* Logrhythm in DMZ

  Forwarding logs to
* Enabling Syslog in Linux and Viewing logs

  #### What is Syslog in Linux? A Step-by-Step Guide to Set up Remote System Logging

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/20200911\_165926\_0000-1024x512.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/20200911_165926_0000-1024x512.png.webp)

  In this tutorial, we will look at Syslog in Linux and how to send logs to a remote machine using it. Syslog is a standard for message logging. It has been the standard logging mechanism on Linux/Unix systems for a very long time. Although most of the distros now ship with `journald` – a `systemd` based logger – Syslog still exists and is generally used in conjunction with `journald`.


  ### What is Syslog?

  Syslog is a vague concept, generally referring to the following 3 things:

  * **Syslog Daemon**: A daemon that listens for logs and writes them to a specific location. The location(s) are defined in the daemon's configuration file. `rsyslog` is the Syslog daemon shipped with most distros.
  * **Syslog Message Format**: The syntax of Syslog messages. The syntax is usually defined by a standard (e.g. [RFC5424](https://tools.ietf.org/html/rfc5424)).
  * **Syslog Protocol**: The protocol used for remote logging. Modern Syslog daemons can use TCP and TLS in addition to UDP, which is the legacy protocol for remote logging.

  The advantage of Syslog over `journald` is that logs are written in files that can be read using basic text manipulation commands like [cat](https://www.linuxfordevices.com/tutorials/linux/cat-more-command-in-linux), [grep](https://www.linuxfordevices.com/tutorials/linux/grep-command-in-linux), tail, etc.

  `journald` logs are written in binary and you need to use the `journalctl` command to view them.

  ### Viewing local Syslogs

  Logs are a great source of information on what’s happening in the system. They’re also the first place one should look for any kind of troubleshooting.

  Generally, logs are written under the `/var/log` directory. How this directory is structured depends on your distro.

  **Note:** This method only works for logs written by a Syslog daemon and not for logs written by `journald`.

  #### 1. Display syslogs with the ls command

  Listing the contents of `/var/log` for an Ubuntu 20.04 machine using the [ls command](https://www.linuxfordevices.com/tutorials/linux/ls-command-linux-unix):

  ```shell
  $ sudo ls /var/log
  ```

  Listing /var/log

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/listing-directory.png](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/listing-directory.png)

  #### 2. View system logs in Linux using the tail command

  Using the [tail command](https://www.linuxfordevices.com/tutorials/linux/the-tail-command-in-linux) you can view the last few log lines. Adding the `-f` option lets you watch them in real time.

  For RedHat based systems:

  ```shell
  $ sudo tail -f /var/log/messages
  ```

  For Ubuntu/Debian based systems:

  ```shell
  $ sudo tail -f /var/log/syslog
  ```

  Similarly, the `tail` command can be used to view kernel logs (`kern.log`), boot logs (`boot.log`), etc.

  The rules for which logs go where are defined in the Syslog daemon's configuration file. For `rsyslog`, it is `/etc/rsyslog.conf`.

  #### 3. View and Edit syslogs in Linux with a text editor

  Let’s look at `rsyslog`‘s configuration file using the [nano editor](https://www.journaldev.com/41292/top-best-text-editors-linux#nbsp7-nano-8211-best-editor-for-the-command-line-beginner):

  ```shell
  $ sudo nano /etc/rsyslog.conf
  ```

  rsyslog Configuration

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/rsylog-configuration.png](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/rsylog-configuration.png)

  As can be seen in the screenshot, it uses the `imjournal` module to read messages from the journal. Scrolling through the file, the rules for the location of logs can be seen:

  rsyslog Configuration

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/rsylog-configuration2.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/rsylog-configuration2.png.webp)

  **Note:** For some distros the location rules are defined separately in `/etc/rsyslog.d/50-default.conf`

  The ‘kern’, ‘info’, etc at the start of some lines are ‘facility codes’ as defined by the Syslog standard. More information about the facility codes and other parts of the Syslog standard can be found on [this Wikipedia page](https://en.wikipedia.org/wiki/Syslog#Facility).

  Syslog also supports remote logging over the network in addition to local logging. It follows a server/client architecture for remote logging. Next we’ll look at how to configure this server/client architecture so that messages can be logged remotely.

  ### Server Configuration for Remote System Logging

  We will be configuring a **CentOS 8** machine as the remote server that receives Syslog messages from hosts through TCP. You’ll need **superuser privileges** for every step. So, either change to the root user or prefix sudo before every command.

  #### 1. Check if rsyslog is installed

  `rsyslog` is the Syslog daemon that will listen for logs from hosts. To check if it's installed, type:

  ```shell
  $ rsyslogd -v
  ```

  It will print some version information if it's installed.

  Check for rsyslog

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/check-for-rsyslog-1.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/check-for-rsyslog-1.png.webp)

  If it is not already installed, you can install it using the `dnf` command:

  ```shell
  $ sudo dnf install rsyslog
  ```

  Install rsyslog

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/install-rsyslog.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/install-rsyslog.png.webp)

  #### 2. Edit rsyslog’s configuration file

  The file we need to modify is `/etc/rsyslog.conf`. You can use the editor of your choice. I’ll be using the [nano editor](https://www.journaldev.com/41292/top-best-text-editors-linux#nbsp7-nano-8211-best-editor-for-the-command-line-beginner).

  ```shell
  $ sudo nano /etc/rsyslog.conf
  ```

  You can also group the logs by creating separate directories for separate client systems using what `rsyslog` calls ‘templates’. These templates are directives for `rsyslog`.

  To enable TCP, uncomment the `module(load="imtcp")` and `input(type="imtcp" port="514")` lines by deleting the `#` character at the start of each. To enable grouping of logs by system, add the `$template` line and the `*.* ?FILENAME` line after them:

  ```
  ...
  # Provides TCP syslog reception
  # for parameters see http://www.rsyslog.com/doc/imtcp.html
  module(load="imtcp") # needs to be done just once
  input(type="imtcp" port="514")

  $template FILENAME,"/var/log/%HOSTNAME%/syslog.log"
  *.* ?FILENAME
  ...
  ```

  Edit Configuration

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/edit-configuration-2.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/edit-configuration-2.png.webp)

  #### 3. Configure the firewall to open the port used by rsyslog

  By default `rsyslog` listens on port 514. We need to open this port using the [firewall-cmd command](https://www.linuxfordevices.com/tutorials/centos/centos-firewall-tutorial):

  ```shell
  $ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
  $ sudo firewall-cmd --reload
  ```

  Open TCP Port 514

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/open-tcp-port-514.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/open-tcp-port-514.png.webp)

  #### 4. Restart rsyslog

  Now that we’ve made changes to the configuration file and opened the port, we need to restart `rsyslog` so that it can pick up the new configuration. We can restart `rsyslog` using the `systemctl` command:

  ```shell
  $ sudo systemctl restart rsyslog
  ```

  If you want `rsyslog` to start automatically every time you boot up, type:

  ```shell
  $ sudo systemctl enable rsyslog
  ```

  #### 5. Check if rsyslog is listening on the port opened

  We can use the [netstat command](https://www.linuxfordevices.com/tutorials/linux/netstat-and-nslookup-commands) to list all the open ports:

  ```shell
  $ sudo netstat -pnlt
  ```

  Using netstat to Check Open Ports

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/using-netstat-to-check-open-ports.png](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/using-netstat-to-check-open-ports.png)

  As is highlighted in the screenshot above, `rsyslog` is listening on port 514.

  ### Client Configuration for Viewing Remote Syslogs

  Each client will have to be configured separately. To configure the client:

  #### 1. Check if rsyslog is installed

  On client systems too `rsyslog` needs to be installed. If it is not already installed, you can install it using the same steps as for the server.

  #### 2. Edit rsyslog’s configuration file

  Only one line needs to be added to the client's `/etc/rsyslog.conf` file. Open it with the editor of your choice:

  ```shell
  $ sudo nano /etc/rsyslog.conf
  ```

  And add the following line:

  ```
  ...
  *.* @@<server's-ip-address>:514
  ...
  ```

  Client Side Configuration

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/client-side-cofiguration-1.png](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/client-side-cofiguration-1.png)

  `*.*` tells `rsyslog` to forward all logs. The `@@` means a TCP connection and 514 is the port number. You might need to configure the firewall to open port 514 on client systems as well if the client has a firewall set up. In that case, follow the same steps as for the server.

  #### 3. Restart rsyslog

  We need to restart `rsyslog` on client systems as well using the `systemctl` command:

  ```shell
  $ sudo systemctl restart rsyslog
  $ sudo systemctl enable rsyslog
  ```

  ### Test the logging operation

  **On your client system**, type:

  ```shell
  $ logger "I just logged a message"
  ```

  Logger

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/logger.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/logger.png.webp)

  **On the server system**, you will find a separate directory created for every client (and one directory for the server system itself).

  Server Directories

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/server-directories-1.png.webp](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/server-directories-1.png.webp)

  Viewing the contents of `/var/log/earth66/syslog.log` using the tail command on **the server system**:

  ```shell
  $ sudo tail -f /var/log/earth66/syslog.log
  ```

  Remote Logging

  ![https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/remote-logging.png](https://cdn.linuxfordevices.com/wp-content/uploads/2020/09/remote-logging.png)

  ### Conclusion

  In this tutorial, we learned about Syslog and set up remote logging using `rsyslog`. Checking logs is one of the first and most important parts of troubleshooting. Knowing how to view and understand logs can help save both time and effort. To know more about the features of `rsyslog` and its configuration, look at its [man page](https://man7.org/linux/man-pages/man8/rsyslogd.8.html) and [documentation](https://www.rsyslog.com/doc/v8-stable/).
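  An added example, not part of the tutorial above: a minimal PowerShell equivalent of `logger` for a Windows host, which builds an RFC 5424 message (PRI = facility × 8 + severity) and sends it to the rsyslog collector configured above over TCP/514, terminated by LF as `imtcp` expects by default. `<server-ip-address>` is a placeholder for the server from the tutorial and the function names are mine.

  ```powershell
  # Added example (not from the tutorial). Assumes the rsyslog server above is
  # reachable on TCP/514 and that imtcp uses its default LF-terminated framing.
  function Get-SyslogPriority {
      param(
          [ValidateRange(0, 23)][int]$Facility,   # e.g. 1 = user, 4 = auth, 16 = local0
          [ValidateRange(0, 7)][int]$Severity     # 0 = emerg ... 6 = info, 7 = debug
      )
      # PRI is facility * 8 + severity (RFC 5424, section 6.2.1)
      return ($Facility * 8) + $Severity
  }

  function New-SyslogMessage {
      param(
          [string]$Message,
          [int]$Facility = 1,
          [int]$Severity = 6,
          [string]$AppName = 'soc-test',
          [string]$Hostname = $env:COMPUTERNAME
      )
      $pri = Get-SyslogPriority -Facility $Facility -Severity $Severity
      # RFC 5424 timestamp in UTC; "-" marks an absent PROCID, MSGID and STRUCTURED-DATA
      $ts = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss.ffffff\Z')
      return "<$pri>1 $ts $Hostname $AppName - - - $Message"
  }

  function Send-SyslogTcp {
      param(
          [string]$Server,
          [int]$Port = 514,
          [string]$Payload
      )
      $client = [System.Net.Sockets.TcpClient]::new()
      try {
          $client.Connect($Server, $Port)
          $stream = $client.GetStream()
          # One message per line: rsyslog's imtcp splits on the trailing LF
          $bytes = [System.Text.Encoding]::UTF8.GetBytes($Payload + "`n")
          $stream.Write($bytes, 0, $bytes.Length)
          $stream.Flush()
          return $true
      } finally {
          $client.Dispose()
      }
  }

  # Usage: local0.info test message, the same check the tutorial does with `logger`
  $msg = New-SyslogMessage -Message 'I just logged a message from Windows' -Facility 16 -Severity 6
  Send-SyslogTcp -Server '<server-ip-address>' -Payload $msg
  ```

  On the server, the `%HOSTNAME%` in the template is taken from the HOSTNAME field of the message, so this lands in `/var/log/<your-windows-hostname>/syslog.log`.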
* Find Installed Microsoft .NET Framework Version

  To determine the version of .NET Framework installed follow these steps.

  1. Open the Registry Editor (Run > `regedit`).
  2. Navigate to `HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP`.
  3. If the path `HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full` exists, the installed Microsoft .NET Framework version is greater than v4.5 (which means install LR Agent v7.2.6.8002).

  ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/851f7439-eb64-4566-be3b-82c66696c7f1/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/851f7439-eb64-4566-be3b-82c66696c7f1/Untitled.png)

  4. If you did not find the path shown in the previous step, you do not have a Microsoft .NET Framework version greater than 4.5. This can mean one of two things:
     * Install the latest version of .NET possible (refer to the table on pg. 5)
     * Install LR Agent version v7.1.3.8000
  5. If the Microsoft .NET Framework version is less than v4.5, you can find the actual version installed by expanding all the folders under "NDP" (from step 2) and checking whether the key "Version" exists in the Client path, as shown in the picture below.

  ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/275228e2-0311-4500-b423-fd55e511d9d2/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/275228e2-0311-4500-b423-fd55e511d9d2/Untitled.png)

  [Determine which .NET Framework versions are installed](https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed)
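  An added example, not from the original notes: the registry check above as a PowerShell function that returns the installed .NET Framework version and the LogRhythm agent build the notes map it to. The `Release` thresholds for 4.5/4.6/4.7/4.8 are Microsoft's (from the linked page); the agent build numbers are the ones given above; the function name is mine.

  ```powershell
  # Added example (not from the original notes). Walks the same NDP keys the
  # manual steps above use and applies the same v4\Full decision.
  function Get-DotNetFrameworkInfo {
      $ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
      $full = Join-Path $ndp 'v4\Full'

      if (Test-Path $full) {
          # Step 3: v4\Full exists => 4.5 or later. The Release DWORD says which one
          # (minimum Release values per Microsoft's documentation).
          $p = Get-ItemProperty -Path $full
          $minimums = @{ 528040 = '4.8'; 460798 = '4.7'; 393295 = '4.6'; 378389 = '4.5' }
          $match = $minimums.Keys | Sort-Object -Descending |
                   Where-Object { $p.Release -ge $_ } | Select-Object -First 1
          $family = if ($match) { $minimums[$match] } else { 'unknown 4.x' }
          return [pscustomobject]@{
              Version          = $p.Version
              Release          = $p.Release
              Family           = $family
              AtLeast45        = $true
              RecommendedAgent = 'v7.2.6.8002'
          }
      }

      # Steps 4-5: no v4\Full key => older than 4.5. Expand every NDP subkey (and
      # its Client subkey) and collect any "Version" value to see what is installed.
      $versions = @()
      foreach ($k in Get-ChildItem -Path $ndp) {
          foreach ($path in @($k.PSPath, (Join-Path $k.PSPath 'Client'))) {
              if (-not (Test-Path $path)) { continue }
              $v = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Version
              if ($v) { $versions += [version]$v }
          }
      }
      $highest = $versions | Sort-Object -Descending | Select-Object -First 1
      $versionText = if ($highest) { "$highest" } else { 'none found' }
      $family      = if ($highest) { "$($highest.Major).$($highest.Minor)" } else { 'unknown' }
      return [pscustomobject]@{
          Version          = $versionText
          Release          = $null
          Family           = $family
          AtLeast45        = $false
          RecommendedAgent = 'v7.1.3.8000'
      }
  }

  Get-DotNetFrameworkInfo | Format-List
  ```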
* Symantec Data Center Security

  [Understanding Symantec Data Center Security](https://www.youtube.com/watch?v=GZa8SI3seEs)
* Open ports Allocation

  [Service Name and Transport Protocol Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=Unassigned\&page=5)


  [Untitled](https://www.notion.so/92ba8f2bcc60496eaf20589039d6f122)

[Vulnerability Remediation Dashboard](https://www.notion.so/Vulnerability-Remediation-Dashboard-ec1779b7d9dd47828522625e8ef6861e)

* Kaspersky Cloud Deployment + KEDR Deployment

  [REMIND!](https://www.notion.so/REMIND-937c842fa04a4c039b0e5a22762bab9b)

  [Kaspersky Security Center Cloud Console](https://help.kaspersky.com/KSC/CloudConsole/en-US/166361.htm)

  1. Fix/install the Web Console: <https://dp-puneksc2.darpune.com:8080/>
  2. Install the KES 11.4 plugin: done
  3. Install KES 11.4 only on IT workstations for testing purposes, for a month or so
  4. Figure out what the Cloud Console is: this is when Kaspersky is managing the KSC

  ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/36fc7fa1-acd4-4606-89a5-bb7a2b20c4db/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/36fc7fa1-acd4-4606-89a5-bb7a2b20c4db/Untitled.png)
* Event log triaging
* Domain Typosquatting

  Playbook for typosquatting

  ![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f4b128c0-8722-4856-97b2-9414faf5d4ff/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f4b128c0-8722-4856-97b2-9414faf5d4ff/Untitled.png)
* EDR Optimum

  [Untitled](https://www.notion.so/ba8815dca49d43389056770bed3688fa)
* Domain Health

  1. SSL certificate:

     [SSL Certificate Check - Check Website SSL Validity](https://dnschecker.org/ssl-certificate-examination.php)
  2. MX lookup (mailbox lookup):

     [MX Lookup - Check MX Records of Domain](https://dnschecker.org/mx-lookup.php?query=dar.bar)
  3. Domain health:

     [www.dar.bar Domain Health](https://mxtoolbox.com/domain/www.dar.bar/)
  4. URL browser screenshot:

     [urlscan.io](https://urlscan.io/)
  5. URL health report:

     [Free Domain Health Check Report](https://www.ultratools.com/domainHealthReport)
  6. Internal subdomains or external redirects:

     [Analyze Internal & External Links of a Webpage - DNSChecker.org](https://dnschecker.org/website-link-analyzer.php)
  7. Sandbox the URL:

     [Automated Malware Analysis - Joe Sandbox Cloud Basic](https://www.joesandbox.com/#windows)
* SOC Operations Portal

![https://s3-us-west-2.amazonaws.com/secure.notion-static.com/06609f8b-d0ed-4f1d-b8d7-7e9a248ee879/Untitled.png](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/06609f8b-d0ed-4f1d-b8d7-7e9a248ee879/Untitled.png)

* Purple Teaming

  [Purple Teaming](https://www.notion.so/Purple-Teaming-05f45dc5e80c4390ae790c2336160a6c)

  [Raising Your Own APT: Purple Team Exercises to Drive Security Program Maturity](https://www.recordedfuture.com/security-program-maturity/?utm_content=140991373\&utm_medium=social\&utm_source=twitter\&hss_channel=tw-95292874)

  ## **Raising Your Own APT: Purple Team Exercises to Drive Security Program Maturity**

  **MARCH 19, 2020 • ANDREW SCOTT**

  As President George Washington [wrote](https://founders.archives.gov/documents/Washington/06-04-02-0120) in 1799, “…offensive operations, oftentimes, is the surest, if not the only … Means of defence.” This could not be more true in today’s cyber battleground as organizations work to defend themselves from attackers they cannot see, with tactics they may not be aware of, and with motives that are not favorable.

  [Security intelligence](https://www.recordedfuture.com/security-intelligence/) and defensive measures seek to narrow the playing field and prepare defenders for a real attack. However, without testing your capabilities, responding when it actually hits the fan is cumbersome. Enter purple team exercises.

  #### **About Purple Teaming**

  Purple teaming allows your organization to run scenarios pitting your blue team (defenders) against a red team (penetration testers or pen test software) to identify breakdowns in detective and preventive controls, processes during incidents, and procedures. Pen testing, of course, is nothing new to information security teams, but the potential for conducting pen tests in conjunction with a smart, focused intelligence-driven defense will yield far more information about how ready your organization is.

  [MITRE ATT\&CK](https://www.recordedfuture.com/mitre-attack-framework/) has become a buzzword of sorts, but positioning intelligence at the heart of asset- and organization-focused risk management approaches can help drive a proactive security program — and center its mission and results. Pairing MITRE with [streamlined security intelligence workflows](https://www.recordedfuture.com/integrations/) can push the needle forward or provide a blueprint for organizations to drive toward. Being able to focus not on just threat actors and their TTPs, but also trends, relevance, and the context intelligence provides can dramatically increase value from these exercises.

  Organizations that understand their assets, know which threat actors are relevant to their business and industry, and have identified which TTPs are mitigated by their controls, are in a unique position to test their skills and technology in a fire-drill environment. Recorded Future makes it much easier for you to identify attack vectors and exposure points by providing [the data you need to support your controls and mitigate risk](https://go.recordedfuture.com/security-intelligence-graph).

  ![https://www.recordedfuture.com/assets/security-program-maturity-1-1.png](https://www.recordedfuture.com/assets/security-program-maturity-1-1.png)

  Build out your program and test their connections, both for data and people.

  #### **Being the Bad Guy: Designing Your Exercise**

  In order to conduct a purple team exercise, you must push to identify what you are ultimately trying to assess. A strong starting point is to review your [priority intelligence requirements](https://www.recordedfuture.com/effective-intelligence-requirements/) (PIRs) and determine how you validate those currently. Additionally, keep the scope straightforward. Start by answering these questions:

  * Is there a gap or something critical you missed in a previous audit, assessment, or model?
  * What are the goals for the exercise? (Are you trying to validate that controls actually work? Are you testing your IR team’s response capabilities and time? Are your assumptions of understood risks true?)
  * Finally, the major question: What are you testing (people, process, technology, or everything at once)?

  Once you identify the scope of the exercise, you can determine the type of assessment and attributes to test and evaluate. The next question should be, “What type of assessment will support your hypothesis?” For those familiar with secure development and testing, the following concepts will seem familiar. You could try one of the following or a mix:

  * **Black Box Testing**: Pen testers have no knowledge of the application being evaluated
  * **White Box Testing**: Pen testers have full knowledge of the application being evaluated
  * **Targeted Testing**: Third-party or internal pen testers have knowledge about the organization and scope to simulate certain attack types or scenarios
  * **Double Blind Testing**: Neither the red nor the blue team have knowledge about the organization to test event identification and response times.

  Each of the above can be coordinated to review organizational readiness, controls validation, and application or system hardening.

  #### **Identifying Relevant Threats With Security Intelligence**

  A key part of the exercise design process is to review your threat models and identify who might attack your organization or industry. Again, these are typically defined by your models and validated through your PIRs. Make sure to include not just external threats, but also internal threats to get a full view of defensive capabilities.

  Recorded Future can help you identify relevant threats through research in the UI and by utilizing your “methods” and “attackers” watch lists. You can also use [Recorded Future Intelligence Cards](https://www.recordedfuture.com/billion-intelligence-cards/) to identify and research the context of relevant MITRE tags and TTPs that your organization has identified as threats to operations.

  ![https://www.recordedfuture.com/assets/security-program-maturity-2-1.png](https://www.recordedfuture.com/assets/security-program-maturity-2-1.png)

  Focusing on remote code execution on Windows Machines vulnerable to BlueKeep could help detect gaps in controls coverage. (Source: Recorded Future)

  #### **Reviewing Available Security Controls: What’s in the Rack?**

  Once the threats and TTPs to evaluate are identified, the next step is to determine what controls are available to you internally. Another way of asking this is, “Which people, processes, and/or technology (PPT) have been put in place for us to defend with?” Identifying your gaps and control maturity ahead of time will go a long way to refine hypotheses or test and follow up tasks after the actual exercise.

  #### **‘Threats Are Great, But What Are We Actually Testing It On?’**

  Once you have an understanding of your scope, the controls in place, and you have identified what they cover, you can conduct your exercise. The purpose is to [search for vulnerabilities](https://www.recordedfuture.com/solutions/vulnerability-management/) or flaws in PPT that can be attributed to the threat actors, TTPs, and motivations you have modeled in the design and risk management processes.

  It’s very important to document and report on the outcomes of the test to continue tracking maturity growth over time. Were you successful? If so, how do you grade that? If not, what new exposure areas did you identify?

  #### **Prioritizing and Measuring New Risks**

  No successful test is complete without a follow up of refining priorities (both business and security), as it relates to your organization’s ability to defend itself. Well-defined threat models rely on prioritization to keep the focus of security teams and prevent a frantic “threat du jour” approach.

  For each threat and risk, revisit your risk assessment methodologies and evaluations to better define your critical areas of exposure and operation. Such an approach provides the opportunity to craft metrics around [controls improvement, process improvement, and maturity growth](https://www.recordedfuture.com/risk-reduction/). A few examples could be:

  * Mean time to respond
  * Mean time to escalate
  * Control efficacy (blocks or allows)
  * Downtime allowed versus downtime experienced
  * IAM and access control efficacy evaluations
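
  The two passages above (documenting and grading each test outcome, and turning results into metrics such as mean time to respond, mean time to escalate, and control efficacy) are easy to operationalise with a small scorecard. The following is an added example, not code from the Recorded Future article or from this notebook; the `TestCase` layout, the sample results, the ATT&CK technique ids used as labels, and the pass/fail targets in `grade()` are all constructed assumptions that an organisation would replace with its own exercise records and risk appetite.

  ```python
  """Scorecard for a purple-team / controls-validation exercise (added example).

  Each TestCase records one emulated TTP: which control was exercised, whether it
  was blocked (preventive control) and/or detected (detective control), and how
  long alerting, escalation and response took.  All times are minutes.
  """
  from dataclasses import dataclass
  from statistics import mean
  from typing import Optional


  @dataclass(frozen=True)
  class TestCase:
      technique: str               # ATT&CK technique id used as a label (constructed)
      control: str                 # control under test (constructed names)
      blocked: bool                # preventive control stopped the action
      detected: bool               # detective control raised an alert
      t_alert: Optional[float]     # minutes from execution to alert, None if never alerted
      t_escalate: Optional[float]  # minutes from alert to escalation to IR, None if never
      t_respond: Optional[float]   # minutes from alert to containment, None if never


  # Constructed sample results; technique ids, control names and timings are illustrative.
  SAMPLE = [
      TestCase("T1210", "perimeter-ips", True, True, 2, 10, 45),
      TestCase("T1059.001", "edr", False, True, 5, 30, 120),
      TestCase("T1003", "edr", False, False, None, None, None),   # allowed and never seen
      TestCase("T1078", "iam", False, True, 60, 20, 90),
  ]


  def mean_time(cases, field):
      """Mean of one timing field over the cases where it was actually measured."""
      vals = [getattr(c, field) for c in cases if getattr(c, field) is not None]
      return mean(vals) if vals else None


  def control_efficacy(cases):
      """Blocks/allows per control; 'missed' counts cases that were allowed AND undetected."""
      out = {}
      for c in cases:
          s = out.setdefault(c.control, {"blocked": 0, "allowed": 0, "detected": 0, "missed": 0})
          s["blocked" if c.blocked else "allowed"] += 1
          if c.detected:
              s["detected"] += 1
          elif not c.blocked:
              s["missed"] += 1
      return out


  def scorecard(cases):
      """Headline metrics for one exercise plus the list of outright coverage gaps."""
      n = len(cases)
      return {
          "cases": n,
          "block_rate": sum(c.blocked for c in cases) / n,
          "detect_rate": sum(c.detected for c in cases) / n,
          "mean_time_to_escalate": mean_time(cases, "t_escalate"),
          "mean_time_to_respond": mean_time(cases, "t_respond"),
          "gaps": [c.technique for c in cases if not c.blocked and not c.detected],
          "controls": control_efficacy(cases),
      }


  def grade(card, block_target=0.5, detect_target=0.9, respond_target=60):
      """Pass/fail against targets (placeholder values; set them from your risk appetite)."""
      mttr = card["mean_time_to_respond"]
      return {
          "block": card["block_rate"] >= block_target,
          "detect": card["detect_rate"] >= detect_target,
          "respond": mttr is not None and mttr <= respond_target,
      }


  def maturity_delta(previous, current):
      """Change between two exercises; positive always means 'better' (times are sign-flipped)."""
      def lower_is_better(key):
          a, b = previous[key], current[key]
          return None if a is None or b is None else a - b

      return {
          "block_rate": current["block_rate"] - previous["block_rate"],
          "detect_rate": current["detect_rate"] - previous["detect_rate"],
          "mean_time_to_escalate": lower_is_better("mean_time_to_escalate"),
          "mean_time_to_respond": lower_is_better("mean_time_to_respond"),
      }


  if __name__ == "__main__":
      card = scorecard(SAMPLE)
      for k, v in card.items():
          print(f"{k}: {v}")
      print("grade:", grade(card))
  ```

  Keeping one `scorecard()` per exercise and diffing them with `maturity_delta()` gives the over-time tracking the article asks for; the `gaps` list is the direct input to the "prioritizing new risks" step, since those are the techniques that were neither blocked nor detected.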

  #### **Reaffirm Investment in Your Controls**

  Ultimately, your organization will not have achieved anything out of scheduled purple team exercises and intelligence-driven pen tests if countermeasures to reduce the risks observed during these exercises are not refined. There are several examples of countermeasures and adjustments, including:

  * Better logging of endpoint and network data
  * Applying threat data via API to relevant security controls
  * Improving correlation detections
  * Supplying block-grade data to host and network security controls or applications to stop threats before they become incidents
  * Workflow improvement to reduce response times

  Whatever the outcome, always think about how you will use the results of the exercise to improve your detective and preventive controls.

  #### **Building Upwards: Adding Another Pillar to the Foundation of Security Teams**

  Monitoring alerts and vulnerabilities for the sake of monitoring doesn’t do anyone any good — neither does conducting CTI research to track threat actor appetites and TTP trends if you don’t review the controls meant to battle them. And neither is valuable if you do not test and validate your organization’s security and risk mitigation controls.

  By combining reactive and proactive investigation and intelligence techniques with strategic risk management frameworks, you can evaluate program efficacy and improvement across strategic and operational lines. Being able to evaluate those results in a qualitative and/or quantitative way further allows you to respond in an agile and adaptive fashion — improving consistency while being able to respond to changes in threat landscape quickly and efficiently.

  When a new year begins, many people set resolutions and claim the ever-cliché “new year, new me.” Whether your objective is to start [developing an intelligence-led security program](https://www.recordedfuture.com/security-intelligence/) from scratch or you are trying to take that next step to improve yours, using security intelligence in conjunction with broader risk management and controls validation efforts can bring everything together.

  Using Recorded Future to support your intelligence and security program development can help you actually move toward achieving your resolutions, which is more than can be said for the expensive gym membership your coworker across the aisle bought.

  Are you ready to make the shift to a risk-based approach to cybersecurity? Download your free copy of “[The Risk Business: What CISOs Need to Know About Risk-Based Cybersecurity](https://go.recordedfuture.com/the-risk-business)” to get started.
* RF Alerts

  [RF Email Alerts](https://www.notion.so/36eb7b075a8e4531927f72c63a34c5a2)

Acunetix vulnerability assessment scanner

{% embed url="<https://youtu.be/SxN29kobK_Y>" %}

### Blue Teaming Field Manual

{% file src="/files/GecvgXHq3OKaEMN27FD5" %}

