Based on "Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide" by Omar Santos
By Will Posted on September 24, 2024
3.1 Describe the functionality of these endpoint technologies in regard to security monitoring
a. Host-based intrusion detection
monitors individual devices for behavior/states that indicate intrusion
b. Antimalware and antivirus
antimalware: uses heuristics to identify threats by proactively detecting source codes
antivirus: identifies known threats using signature based detection
c. Host-based firewall
allows for more detailed and specific prevention like, URL filtering, intrusion prevention, malware protection, etc.
d. Application-level whitelisting/blacklisting
blacklist: less secure, you have to specify what is blocked
whitelist: more secure, you have to specify what is allowed
e. Systems-based sandboxing (such as Chrome, Java, Adobe Reader)
code that makes calls to the OS gets automatically sandboxed
adds another layer for the attacker to need to exploit
3.2 Identify components of an operating system (such as Windows and Linux) in a given scenario
Windows:
Process:
program system is running
starts with one thread (primary thread) and spins up more as necessary
Windows: processes need permission to run
CreateProcessWithTokenW: you can use a windows token to specify current security context for process
Windows Token: windows stores data in a token, describes security context of all processes associated with particular user role
fun fact: many process/thread ids are in multiples of 4 because kernel handles are and often the same code used to allocate kernel handles allocates other ids
Threads:
smaller units that an OS allocates time to
make up processes
Thread Pool:
group of worker threads that efficiently executes asynchronous callbacks for the app
Job:
group of processes
Volatile Memory (VRAM):
loses contents when hardware loses power
Non-Volatile Memory (NVRAM):
content stays regardless of power
Static Memory Allocation:
allocates memory at compile time
Dynamic Memory Allocation:
allocates memory at runtime
Heap:
memory set aside for dynamic allocation
Stack:
memory set aside as spare space for a thread of execution
Windows Registry:
hierarchical database, stores config data for the users, apps, and hardware
some functions include: loading device drivers, run startup programs, set env vars, user settings and operating system params
hives: contain values pertaining to OS or apps within key
five main folders in reg are hives
Windows Management Instrumentation Key Concepts
Windows Management Instrumentation (WMI):
sys management infra that is scalable, extensible, standards-based, and object oriented
data must be pulled in with scripting or tools, WMI doesn’t show data itself
System handle concepts:
abstract reference value to resource
hides real memory address from API user, allows system to reorg memory more safely
handle can both identify and associate access rights
handle leak occurs if handle is not released
Event logs:
contains many system and application logs for windows
many logs that can be turned on/off as needed
three main ones are Application, Security, and System
five main event types: error, warning, information, success audit, failure audit
typically in c:\windows\system32\config
Linux:
Process:
program system is running
starts with one thread (primary thread) and spins up more as necessary
Linux: different types of processes:
child: all processes are child processes to a parent process. Except for the init process (PID 1)
init: short for initialization, kernel starts init process to create/take down the user space. If kernel can’t find init process, this is called kernel panic
source: https://linuxtldr.com/init-linux/
orphan: when parent process is terminated and child process continues
zombie: process that releases its associated memory/resources, stays in entry table
threads:
smaller units that an OS allocates time to
make up processes
Thread Pool:
group of worker threads that efficiently executes asynchronous callbacks for the app
Job:
group of processes
Volatile Memory (VRAM):
loses contents when hardware loses power
Non-Volatile Memory (NVRAM):
content stays regardless of power
Static Memory Allocation:
allocates memory at compile time
Dynamic Memory Allocation:
allocates memory at runtime
Heap:
memory set aside for dynamic allocation
Stack:
memory set aside as spare space for a thread of execution
Forks:
when a parent creates child process
fork command returns PID
entire virtual space of parent is replicated in child process, including all mem space
Linux File Permissions:
Read (r): reading, opening, viewing, and copying file
Write (w): writing, changing, deleting, and saving file
Execute (x): executing and invoking file are permitted, also search access
Key Permissions Concepts:
chmod: changes permission for file/directory
read (r) = 4
write(w)= 2
execute (x) = 1
group: changes group ownership of file using chgrp command
chown: changes owner of file
note: permissions in Linux are top down, denying access for directory will include all files/subdirectories
Super User (sudo): highest permissions, only used for admin tasks, NO PROCESS SHOULD RECEIVE SUDO UNLESS ABSOLUTELY NECESSARY
Symlinks:
any file that contains reference to other file/directory
symlink is only a reference
removal of symlink doesn’t impact file it references
orphan symlink is just a reference to something that no longer exists
Linux Daemons:
background programs
typically created by the init process
just run by the system with only necessary permissions, away from the active user
some are started automatically, some are not
init children processes can be terminated/restarted
Linux Syslog:
default log location in linux is /var/log
facility describes app or process creating the logs
priority indicates importance of message
Transaction Logs: record all transactions
session logs: track changes made on managed hosts
alert logs: collect errors for startup, shutdown, space, etc.
threat logs: trigger when action matches a security profile attached to security rule
selectors: monitor for combinations of facility and levels and perform an action when combo is found
actions: result of selector triggering on match
config file (/etc/syslog.conf): controls what syslogd does with log entries
Newsyslog: mitigates management issues by rotating and compressing files
Apache Access Log Concepts:
ErrorLog: records any errors and any diagnostic info associated with that error to the ErrorLog
Access Log: apache servers record all incoming requests and all requests to access log
combined log format lists access, agent, and referrer fields
3.3 Describe the role of attribution in an investigation
a. Assets
anything of value to an org
personnel, software, proprietary knowledge, equipment, hardware, data
b. Threat actor
the person or group that carries out an attack
c. Indicators of compromise
a piece of evidence that has a high probability of indicating a compromise
Anomalous network activities: IOAs include unusual patterns in data flow or unexpected external communications that deviate from the norm. For example, a sudden spike in data transferred to an unknown IP address could be a red flag. Network administrators need to be vigilant about such anomalies, as they often precede more overt forms of cyberattacks, such as data breaches or system infiltrations.
Suspicious user behavior: Security teams also need to be on the lookout for activities such as logins at odd hours, repeated attempts to access restricted areas, or an unusual surge in data access requests. These activities might indicate that a user’s account has been compromised or that an insider threat exists.
Continuous monitoring of user behavior is essential in identifying these IOAs early. It helps prevent potential insider threats or mitigate the damage caused by compromised user credentials.
System-level indicators: These IOAs include unexpected changes in file integrity, unauthorized modifications to system configurations, or the installation of unknown software. These indicators often suggest that an attacker is attempting to gain a foothold in the system. Early detection of these system-level changes can prevent further exploitation, stopping an attacker in their tracks.
Regular system audits and real-time monitoring are effective strategies for identifying these types of IOAs.