Blue_Team_Fundamentals_Module_02

The document provides an overview of Cyber Operations, focusing on the role of Security Operations Centers (SOCs) in defending against cyber threats. It discusses the hierarchy within SOCs, the importance of continuous monitoring, and various tools and technologies used in cybersecurity, such as firewalls, IDS/IPS, and SIEM. Additionally, it contrasts dedicated SOCs with SOC as a Service (SOCaaS) and highlights the challenges faced by both models.

CYBERWARFARE LABS

Blue Team Fundamentals
Module : 02 | INTRODUCTION TO CYBER OPERATIONS
INTRODUCTION TO CYBER OPERATIONS

● Cyber operations is technically termed Security Operations in an IT enterprise; the team acts as the first line of defence against any cyber attack.
● Cyber operations play a crucial role in collecting intelligence through cyber espionage, monitoring adversary activities, and analyzing digital information.

Module outline:
● General overview of SOC
● Working behavior of SOC
● Dedicated vs Virtual SOC
● Tool & Technology
● Incident Management & handling
● First line of investigation
General overview of Security Operations

Security operations is a critical aspect of an organization's overall cybersecurity strategy. It helps the organization monitor, detect, respond to and mitigate cyber threats effectively and efficiently.

The primary goal of Security Operations is to proactively defend against cyber threats and minimize the impact of security incidents.
General overview of Security Operations

The general hierarchy of security operations is Tier 1, Tier 2 & Tier 3 Security Analysts, working under the guidance of the SOC Manager:

SOC Manager
Security Analyst (Tier 3)
Security Analyst (Tier 2)
Security Analyst (Tier 1)

The L1, L2 & L3 Analysts are assigned the various alerts and incidents which need to be investigated to determine their legitimacy.
General overview of Security Operations

Security Operations teams generally operate 24 hours a day, seven days a week, to ensure continuous monitoring and rapid response to security incidents:
● Continuous monitoring
● Alert investigation
● Determining and categorizing the nature of an alert

● Security operations often collaborate with several security teams, such as Threat Intelligence, Incident Response, and Forensics, to limit the threat, eliminate the underlying cause, and restore affected systems and data.
Log Vs Event VS Incidents

Log: A log is a detailed record of the activities that occur within a system, network, or application. Generally, logs capture information such as system events, user activities, network traffic, and application activities.

Event: An event is a specific occurrence that is significant within the context of system operation or security. Events can be generated by various components, such as applications, operating systems, security devices, and network devices.

Incident: An incident refers to an adverse event or a series of events that pose a threat. Incidents include security breaches, unauthorized access, malware infections, data breaches, and other security-related events.
Working of Security Operations

Diagram: a request carrying the payload " OR 1 = 1 -- - is recorded in Apache2/access.log; the SOC detects the pattern " OR 1 = 1 -- - in that log.

SOC Working : Phase 01
SOC Working : Phase 02
SOC Working : Phase 03
True Positive VS False Positive

● True Positive: considered when the security tool correctly identifies a positive malicious instance. This means the system correctly identifies a security threat or an actual security incident.
● False Positive: occurs when a security tool incorrectly identifies a legitimate activity as malicious. This means the tool generates a false alarm for a legal and legitimate process.
● True Negative: considered when the security tool correctly identifies an instance as not being an incident.
● False Negative: occurs when a security tool fails to identify a positive malicious instance.
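As an added example (not from the slides), the detection step from the Apache2/access.log diagram above and the four verdicts defined here, in one script: it URL-decodes each request line, looks for the tautology and comment patterns shown (" OR 1 = 1 -- -, admin' AND 1=1 #), and scores its own verdicts against analyst labels. The log lines, IPs and labels are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache2 access.log lines paired with an analyst label
# (True = malicious); none of them come from the original slides.
SAMPLE_LOG = [
    ('10.0.0.5 - - [01/Mar/2024:10:01:02 +0000] "GET /login?user=admin&pass=secret HTTP/1.1" 200 512', False),
    ('10.0.0.9 - - [01/Mar/2024:10:01:07 +0000] "GET /login?user=%22%20OR%201%20%3D%201%20--%20- HTTP/1.1" 200 734', True),
    ('10.0.0.9 - - [01/Mar/2024:10:01:09 +0000] "GET /login?user=admin%27%20AND%201%3D1%20%23 HTTP/1.1" 200 734', True),
    ('10.0.0.7 - - [01/Mar/2024:10:02:00 +0000] "GET /search?q=rock+or+roll HTTP/1.1" 200 2048', False),
    # A user quoting SQL text in a notes search box: legitimate, but it trips the rule
    ('10.0.0.8 - - [01/Mar/2024:10:02:31 +0000] "GET /notes?text=%27%20or%201%3D1%20is%20true HTTP/1.1" 200 1024', False),
    ('10.0.0.8 - - [01/Mar/2024:10:03:00 +0000] "GET /articles?id=7 HTTP/1.1" 200 4096', False),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Indicators of the tautology and comment-truncation patterns shown on the slides
SQLI_PATTERNS = [
    re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+""", re.I),  # ' OR 1=1, " OR 1 = 1, ' AND 1=1
    re.compile(r"(--\s*-?|#)\s*$"),                            # trailing -- or # comment
]

def request_uri(line):
    """Extract and URL-decode the request URI from one access.log line."""
    m = REQUEST_RE.search(line)
    return unquote_plus(m.group("uri")) if m else ""

def is_sqli(line):
    """Detection logic: does the decoded URI match any SQLi indicator?"""
    uri = request_uri(line)
    return any(p.search(uri) for p in SQLI_PATTERNS)

def score(labelled):
    """Compare detector verdicts with analyst labels: TP / FP / TN / FN counts."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for line, malicious in labelled:
        flagged = is_sqli(line)
        if flagged and malicious:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts

if __name__ == "__main__":
    for line, _ in SAMPLE_LOG:
        print("ALERT" if is_sqli(line) else "ok   ", request_uri(line))
    print(score(SAMPLE_LOG))  # {'TP': 2, 'FP': 1, 'TN': 3, 'FN': 0}
```

The fifth line is the false positive: a legitimate request that happens to contain SQL-looking text, which is exactly what an analyst has to rule out during alert investigation.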
SOC Working : Phase 04
Dedicated vs SOCaaS Security Operations

Dedicated Security Operation

Dedicated Security Operations commonly refers to an on-premise and dedicated Security Operations Center (SOC) setup. This typically involves a centralized physical location where security analysts and professionals work together as a cohesive team.
Common Challenges in Dedicated Security Operation

Dedicated Security Operations Centers (SOCs) face various challenges in their efforts to safeguard organizations from cybersecurity threats. Here are some common challenges associated with Dedicated Security Operations:
● High Initial Setup Costs
● Ongoing Operational Costs
● Alert Fatigue
● Evolving Compliance Requirements
SOCaaS : SOC As A Service

In the Virtual Security Operations model, also termed SOC as a Service, the security team generally operates remotely and may not share a common physical location. Many organizations provide this as a service, taking responsibility for monitoring common logs and events.
Common Challenges in Virtual Security Operation

While SOCaaS provides several benefits, it also comes with its own set of challenges:
● Data Privacy and Compliance
● Communication and Collaboration
● Resource Distribution and Access
● Integration with Existing Systems
● Limited Visibility and Control

Despite these challenges, SOCaaS can be a viable solution for many organizations, particularly those with resource constraints or evolving security needs. Organizations should carefully evaluate SOCaaS providers, establish clear expectations, and maintain a strong partnership.

Tool & Technology

Tools and technology play a crucial part in security operations and cyber defence. In general, tools and technology are classified into two major categories, software and hardware applications; organizations use them to protect their systems, networks, and data from cyber adversaries.

Tools covered in this module: Firewall, Web Application Firewall, Proxy & VPN, IDS/IPS, SIEM, EDR, SOAR.

Firewall

Firewalls are the baseline security for an organisation's infrastructure. They establish a barrier between a trusted internal network and untrusted external networks.

Firewalls act only on network traffic; they are generally considered layer 3 or 4 security in the OSI model. They can monitor, filter, and control incoming and outgoing network traffic based on predetermined security rules.

Firewalls exist in both hardware and software form.
Working of Firewall

Firewalls often use a combination of URL filtering, IP filtering, port filtering and application layer based filtering to enforce security policies and protect networks from various threats.

The specific configuration of the firewall and the rules defined by the administrator determine which requests are allowed or blocked.
Stateless Vs Stateful Firewall

Stateless Firewall
● Allows or denies individual packets of data without considering the context of the entire communication session.
● Rules are defined based on the source, destination, port and protocol.
● No session state is maintained.
● Stateless firewalls are generally faster because they don't maintain information about the state of connections.

Stateful Firewall
● Allows or denies by examining the individual packets and keeps track of the state of active connections by maintaining a state table.
● Rules are defined based on context-based filtering decisions.
● Session state is maintained to track the state of connections, distinguishing between established connections, new connections, and related connections.
● Stateful firewalls are slower than stateless firewalls but provide a higher level of security.
Stateful Firewall

Stateful firewalls are considered a bit more secure than stateless firewalls: they examine the individual packets and keep track of the state of active connections by maintaining a state table. By default, external to internal communication is denied by a stateful firewall. In addition, some stateful firewalls can perform deep packet inspection at the application layer, offering more granular control over traffic.
Web Application Firewall | WAF

Web Application Firewalls are more specific: they protect an enterprise's web applications from various web based attacks.

Generally, web applications are the most common target for many adversaries to gain initial access to an organization's infrastructure. A WAF is one of the most recommended solutions to prevent such activities.

A WAF is considered application layer based security.
Web Application Firewall

A WAF generally works similarly to a proxy server: it acts as an intermediary between the client and the web server, filtering, monitoring, and blocking any suspicious HTTP/S traffic traveling to the web application.

WAFs exist in the form of software, an appliance, or delivered as-a-service.
Next Generation Firewall | NGFW

The NGFW is considered the ultimate technological evolution of the firewall.

It is smarter and more secure than the traditional stateful and stateless firewall; it includes additional features such as malicious content based filtering, an intrusion prevention system and integration with threat intel feeds. The key highlight of the NGFW is its DPI (deep packet inspection) technology.
Proxy & VPN

Proxy

Proxies provide an additional layer of security for your enterprise. They can be set up as web filters or firewalls, protecting your network from internet threats like malware.
Key benefits of a proxy include:
1. Security
2. Privacy
3. Load Balancing
4. Reduce the impact of direct attacks
5. Better control over Network Traffic
Working of Proxy

A proxy server acts as an intermediary between a user's device (client) and the internet. Its primary function is to forward requests and responses between the client and the target server, providing several benefits such as increased security, anonymity, content filtering, and caching.
Types of Proxy

Proxies are generally categorised based on their characteristics and behaviour:

● Forward Proxy : When the client sends a request out to the internet
● Reverse Proxy : When a request from the internet is forwarded on to the client
● SSL/TLS Proxy : An SSL/TLS proxy handles encrypted traffic, decrypting and inspecting it before re-encrypting it for the client or the destination server.
● Transparent Proxy : Works without any configuration on the client side
VPN

VPN stands for Virtual Private Network. It is a technology that allows legitimate users to establish a secure and encrypted connection over an untrusted network, typically the internet.
The primary purpose of a VPN is to create a private and secure communication channel between a user's device and a remote server, allowing the user to access the internet or a private network as if they were directly connected to that network.

Working of VPN

VPNs use encryption protocols to secure the data transmitted between the user's device and the VPN server. This encryption ensures the confidentiality and integrity of the data, making it difficult for unauthorized parties to intercept or tamper with the information.
IDS/IPS

IDS & IPS

IDS stands for Intrusion Detection System. An IDS monitors network or system activities for malicious or suspicious behavior. It analyzes traffic patterns, signatures, and anomalies to detect potential security incidents.

IPS stands for Intrusion Prevention System. An IPS not only detects but also actively blocks or prevents unauthorized access, attacks, or other security threats.

Working of IDS & IPS
Security Information Event Management : SIEM

SIEM

SIEM is generally termed a centralized log management tool which typically provides the defence engineers with high visibility over logs across the enterprise.

SIEMs are designed to provide real-time monitoring and analysis of security alerts generated by various hardware and software infrastructure components within an organization.

SIEM Architecture

The architecture of a SIEM system typically involves several components working together to collect, analyze, and respond to security events.
1. Data Source
2. Normalization
3. Indexing
4. Data Storage
5. Anomaly detection and identification
6. Visualization
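As an added example (not from the slides), a toy version of components 1, 2, 3 and 5 above: two constructed data sources (sshd authentication lines and a firewall line) are normalized onto one common schema, indexed by source IP, and a detection rule flags repeated authentication failures followed by a success from the same address. Hostnames, IPs and log lines are constructed; a real SIEM would persist the indexed events to storage (component 4) between these steps.

```python
import re
from collections import defaultdict

# Constructed sample lines from two data sources (hostnames and IPs are made up)
SSHD_LOG = [
    "Mar  1 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  1 10:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar  1 10:00:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "Mar  1 10:00:09 web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51131 ssh2",
    "Mar  1 10:01:00 web01 sshd[2202]: Accepted publickey for deploy from 10.0.0.20 port 40001 ssh2",
]
FIREWALL_LOG = [
    "2024-03-01T10:00:00Z fw01 DENY TCP 203.0.113.7:51120 -> 10.0.0.5:3389",
    "2024-03-01T10:00:00Z fw01 ALLOW TCP 10.0.0.20:40001 -> 10.0.0.5:22",
]

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
FW_RE = re.compile(r"fw\d+ (?P<action>DENY|ALLOW) \w+ (?P<ip>[\d.]+):\d+ -> [\d.]+:(?P<port>\d+)")

def normalize(line):
    """Normalization: map a raw line from either source onto one common schema."""
    if m := SSHD_RE.search(line):
        return {"source": "sshd", "src_ip": m["ip"], "user": m["user"],
                "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}
    if m := FW_RE.search(line):
        return {"source": "firewall", "src_ip": m["ip"], "user": None,
                "action": "fw_" + m["action"].lower(), "dst_port": int(m["port"])}
    return None  # unparsed lines are dropped here; a real SIEM would queue them for review

def index_by_src_ip(lines):
    """Indexing: group normalized events by the field that detections pivot on."""
    index = defaultdict(list)
    for line in lines:
        if (event := normalize(line)) is not None:
            index[event["src_ip"]].append(event)
    return index

def detect_bruteforce_then_success(index, threshold=3):
    """Detection: threshold or more auth failures from one IP, then a success, in order."""
    alerts = []
    for ip, events in index.items():
        failures = 0
        for event in events:
            if event["action"] == "auth_failure":
                failures += 1
            elif event["action"] == "auth_success" and failures >= threshold:
                alerts.append({"src_ip": ip, "user": event["user"], "failures": failures})
                break
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce_then_success(index_by_src_ip(SSHD_LOG + FIREWALL_LOG)))
```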
Working of SIEM : Phase 01
Working of SIEM : Phase 02
Demo : SIEM
EDR

EDR, which stands for Endpoint Detection and Response, is a cybersecurity solution focused on detecting, investigating, and responding to security incidents at the endpoint/host level.

Endpoints typically include devices like desktops, laptops, servers, and other devices connected to a network.
Working of EDR
SOAR

SOAR : Security Orchestration, Automation & Response

Security orchestration is generally the process of coordinating and managing multiple security tools, including IDS/IPS, firewall, IM, SIEM, etc., and processes so that they work together seamlessly to reduce manual effort.

Automation & Response: The ultimate ideology of SOAR is to automate the repetitive and routine tasks without human intervention. This includes automating incident detection, validation, and response actions based on predefined playbooks and workflows.
Working of SOAR
Incident Management & Handling

Incident Management is a systematic approach to managing and handling security incidents within an organization.

Implementing and managing Incident Management helps us achieve prioritization and classification of security incidents, which results in effective handling of security incidents.
Working of IM
First line of Investigation

SQL Injection Activity Investigation

SQL Injection is a web targeted attack, where an attacker manipulates a web application's SQL query by injecting malicious SQL code.

This exploit can often lead to unauthorized access to a database, extraction of sensitive information, manipulation of data, and in some cases, full control over the affected system.
Working of SQLI

SQL Injection can be exploited either manually or using various automated SQL injection tools.

Working of SQLI

The payload admin' AND 1=1 # is reflected in the query in the following way:
SELECT sno,username FROM user WHERE username='admin' AND 1=1 # AND password='$password'
In such a case the username is defined as admin and the condition 1=1 takes the place of the password check; everything after the # symbol is treated as a comment.
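As an added example (not from the slides), the query above built two ways in Python against an in-memory SQLite table: by string concatenation, which lets the payload rewrite the WHERE clause exactly as described, and with bound parameters, which keeps the same input as plain data. The table, credentials and function names are constructed for the demo; SQLite's line comment is -- rather than the # shown above, so the payload uses -- here.

```python
import sqlite3

def make_db():
    """Constructed sample database (not from the slides): one user table with one row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (sno INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO user (username, password) VALUES ('admin', 's3cret')")
    return con

def login_vulnerable(con, username, password):
    # String concatenation: the input becomes part of the SQL text, just like the
    # slide's  ... WHERE username='$username' AND password='$password'
    query = ("SELECT sno,username FROM user WHERE username='" + username +
             "' AND password='" + password + "'")
    return con.execute(query).fetchall()

def login_parameterized(con, username, password):
    # Bound parameters: the driver passes the values separately from the SQL text,
    # so a quote or a comment marker in the input can never change the query
    query = "SELECT sno,username FROM user WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    con = make_db()
    payload = "admin' AND 1=1 -- "   # SQLite uses -- where the slide's MySQL query uses #
    # Resulting SQL: ... WHERE username='admin' AND 1=1 -- ' AND password='wrong'
    print(login_vulnerable(con, payload, "wrong"))      # [(1, 'admin')]  password check commented out
    print(login_parameterized(con, payload, "wrong"))   # []  the whole payload is just a username
```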
Investigation overview
Practical
Demonstration
Thank You
For Professional Red Team / Blue Team / Purple Team / Cloud Cyber Range labs / Trainings, please contact

support@cyberwarfare.live
To know more about our offerings, please visit: https://cyberwarfare.live
