The article provides an introduction to defensive security, emphasizing the role of blue teams in protecting systems against threats. Key topics include tasks like user awareness, system patching, and monitoring. It explains the function of a Security Operations Center (SOC), threat intelligence, and Digital Forensics and Incident Response (DFIR). Malware analysis and types, such as ransomware, are covered alongside incident response phases. The article concludes with an overview of certifications for defensive security professionals and the answers for the room TryHackMe Intro to Defensive Security.

Introduction to Defensive Security

Offensive security is primarily focused on breaching systems, which can be done by exploiting vulnerabilities, misconfigurations, or weaknesses in access control policies. Red teams and penetration testers are experts in this area of offensive security.

On the other hand, defensive security works in contrast to offensive security, with two main objectives:

  1. Preventing intrusions from happening.
  2. Detecting intrusions when they occur and responding effectively.

Blue teams play a key role in the defensive security field.

Defensive Security Tasks & Roles

Some key tasks related to defensive security include:

  1. User cybersecurity awareness: Educating users about cybersecurity is crucial for defending against attacks that target their systems, as informed users can better recognize and avoid threats.
  2. Documenting and managing assets: It’s essential to have a clear inventory of the systems and devices being used, so they can be properly managed and protected.
  3. Updating and patching systems: Keeping computers, servers, and network devices up to date and patched against known vulnerabilities helps prevent exploitation of weaknesses.
  4. Setting up preventative security devices: Tools like firewalls and intrusion prevention systems (IPS) are vital for preventing attacks. Firewalls control inbound and outbound network traffic, while IPS blocks network traffic that matches defined attack signatures or rules.
  5. Setting up logging and monitoring devices: Proper logging and network monitoring are necessary to detect malicious activities and intrusions. For example, detecting an unauthorized device on the network requires robust monitoring systems in place.
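Tasks 2 and 5 above depend on each other: without an inventory, monitoring cannot say which device is unauthorized. The following is an added example (not from the room or the original article) that checks a constructed DHCP server log against a constructed inventory of known MAC addresses and reports devices that obtained a lease without being documented; the inventory, log lines and hostnames are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed asset inventory (task 2 above): hardware addresses of devices that
# are documented and allowed on the network. An assumption for this demo; a real
# inventory would come from a CMDB or NAC system.
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "hr-laptop-07",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed DHCP server log in ISC dhcpd style (sample input, not a capture).
# A DHCPACK line means the server actually handed a lease to that MAC address.
DHCP_LOG = """\
Jan 10 09:01:12 dhcp dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:02 (hr-laptop-07) via eth0
Jan 10 09:03:40 dhcp dhcpd: DHCPDISCOVER from de:ad:be:ef:12:34 via eth0
Jan 10 09:03:41 dhcp dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:12:34 (android-9f3) via eth0
Jan 10 09:15:02 dhcp dhcpd: DHCPACK on 10.0.5.30 to aa:bb:cc:00:00:03 via eth0
Jan 10 09:20:55 dhcp dhcpd: DHCPACK on 10.0.5.78 to de:ad:be:ef:12:34 (android-9f3) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: \((?P<host>[^)]*)\))?"
)

@dataclass(frozen=True)
class UnknownDevice:
    mac: str
    ip: str
    hostname: str
    first_seen: str

def find_unknown_devices(log_text, inventory=KNOWN_ASSETS):
    """One record per MAC that got a lease but is not in the inventory.
    Only DHCPACK lines count (a DISCOVER alone admits nothing); repeat leases
    for one MAC collapse to the first sighting so alerts are not duplicated."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac in inventory or mac in seen:
            continue
        seen[mac] = UnknownDevice(mac, m["ip"], m["host"] or "<none>", m["ts"])
    return list(seen.values())
```

Calling `find_unknown_devices(DHCP_LOG)` on the sample reports only the undocumented `de:ad:be:ef:12:34` device, once, with the address and time it was first admitted.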

SOC Explained

A Security Operations Center (SOC) consists of cybersecurity experts who continuously monitor the network and its systems to detect and respond to malicious events. Key areas of focus for a SOC include:

  1. Vulnerabilities: When a system vulnerability is discovered, it’s crucial to address it through updates or patches. If no fix is available, other preventive measures should be implemented to stop attackers from exploiting the weakness. While fixing vulnerabilities is important, it may not always fall directly under the SOC’s responsibilities.
  2. Policy violations: Security policies are a set of rules designed to protect the network and systems. A policy violation occurs when these rules are broken, such as when users upload confidential company data to an unauthorized online storage service.
  3. Unauthorized activity: If an attacker steals a user’s login credentials and uses them to access the network, the SOC must quickly detect and block this unauthorized activity to prevent further damage.
  4. Network intrusions: Despite strong security measures, intrusions can still happen, such as through phishing links or the exploitation of vulnerable public servers. When an intrusion occurs, the SOC must identify and respond to it as quickly as possible to mitigate damage.
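An added example (not part of the room or the original article) of the kind of rule a SOC runs to catch the stolen-credential scenario in item 3: it flags successful logins from outside an account's usual networks, and logins for one account from two locations too close in time to be the same person. The baseline networks, location table and login events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed per-account baseline: the networks each account normally signs in
# from. An assumption for this demo; a SOC would derive it from weeks of auth history.
BASELINE = {
    "alice": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")],
    "bob": [ipaddress.ip_network("10.0.0.0/8")],
}

# Constructed location table keyed by network, standing in for a GeoIP lookup.
GEO = {
    ipaddress.ip_network("10.0.0.0/8"): "office",
    ipaddress.ip_network("203.0.113.0/24"): "home-isp",
    ipaddress.ip_network("198.51.100.0/24"): "country-x",
}

# Constructed successful-login events (sample input, not a real log).
EVENTS = [
    {"ts": "2024-01-10T08:55:00", "user": "alice", "src": "10.2.3.4"},
    {"ts": "2024-01-10T09:10:00", "user": "alice", "src": "198.51.100.7"},
    {"ts": "2024-01-10T09:30:00", "user": "bob", "src": "10.9.9.9"},
]

def locate(ip):
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in GEO.items() if addr in net), "unknown")

def triage_logins(events, window=timedelta(minutes=60)):
    """Flag successful logins that look like use of stolen credentials.

    Rule 1: a login from outside the account's baseline networks.
    Rule 2: two logins for one account from different locations within the
    window, faster than a person could plausibly travel.
    Returns (user, rule, detail) tuples for the analyst queue.
    """
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        addr, where = ipaddress.ip_address(ev["src"]), locate(ev["src"])
        if not any(addr in net for net in BASELINE.get(user, [])):
            alerts.append((user, "new-source", f"{ev['src']} ({where})"))
        prev = last_seen.get(user)
        if prev and prev[1] != where and ts - prev[0] <= window:
            alerts.append((user, "impossible-travel", f"{prev[1]} -> {where} in {ts - prev[0]}"))
        last_seen[user] = (ts, where)
    return alerts
```

On the sample events, alice's second login raises both rules (an unknown source, fifteen minutes after an office login) while bob's office login raises nothing.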

Beyond these tasks, security operations cover a range of further activities; one of them is threat intelligence, which gathers information about potential threats so the organization can defend against them better.

Threat Intelligence Explained

In this context, intelligence refers to information gathered about actual and potential adversaries. A threat is any action that could disrupt or negatively impact a system. The goal of threat intelligence is to collect and analyze information to help the company better prepare against these adversaries, leading to a threat-informed defense. Different companies face different adversaries; for example, one adversary may aim to steal customer data from a mobile operator, while another might target disrupting operations at a petroleum refinery. Adversaries can range from nation-state cyber armies motivated by political goals to ransomware groups focused on financial gain. The type of adversary depends on the target company.

To create effective intelligence, data is crucial. This data must be collected, processed, and analyzed. Data collection comes from both local sources (like network logs) and public sources (such as forums). The processing stage organizes this data into a format ready for analysis. During the analysis phase, the data is examined to uncover information about the attackers, their motives, and behavior, which then leads to actionable recommendations.

By understanding your adversaries, you can learn about their tactics, techniques, and procedures (TTPs). This allows you to identify the threat actors, anticipate their actions, and develop strategies to mitigate their attacks while preparing an appropriate response plan.

Digital Forensics and Incident Response (DFIR) Explained

Digital Forensics

Digital Forensics is the application of scientific methods to investigate crimes and establish facts. With the rise of digital systems like computers and smartphones, a new field emerged: computer forensics, which has since evolved into digital forensics.

In defensive security, digital forensics focuses on analyzing evidence of attacks, identifying the perpetrators, and investigating related issues such as intellectual property theft, cyber espionage, and possession of unauthorized content. Digital forensics covers several key areas, including:

  1. File System: Analyzing a forensic image (a low-level copy) of a system’s storage can reveal a wealth of information. This includes installed programs, created or deleted files, and even partially overwritten data that can provide insights into the attacker’s actions.
  2. System Memory: If the attacker runs malicious programs directly in memory without saving them to disk, capturing a forensic image of the system’s memory is essential for analyzing the attack and uncovering critical details.
  3. System Logs: Every computer, whether a client or server, keeps logs that track various system activities. These log files provide valuable information about system events, and even if an attacker attempts to cover their tracks, traces are often left behind.
  4. Network Logs: Logs that record network traffic are crucial for determining if an attack has occurred and what it involved. Analyzing network packets can help to piece together how an attack unfolded and what data may have been compromised.

Incident Response

An incident generally refers to a data breach or cyberattack, though it can also encompass less critical issues like a misconfiguration, intrusion attempt, or policy violation. Examples of cyberattacks include making a network or system inaccessible, defacing a public website, or stealing company data through a data breach. Responding to such incidents requires a structured approach known as incident response, which aims to minimize damage and ensure swift recovery. Ideally, having an incident response plan in place helps ensure readiness.

The incident response process consists of four key phases:

  1. Preparation: This phase involves training a team to be equipped to handle incidents effectively. Preventative measures, such as robust security policies and tools, should also be implemented to minimize the likelihood of incidents occurring.
  2. Detection and Analysis: The team must have the necessary tools and resources to detect incidents. Once an incident is identified, it is crucial to analyze it further to assess its severity and potential impact.
  3. Containment, Eradication, and Recovery: After detecting an incident, the primary objective is to contain it to prevent further spread, eradicate the cause (e.g., malware), and recover affected systems. For example, if a system is infected with a virus, the goal is to contain the infection, eliminate the virus, and restore normal system operations.
  4. Post-Incident Activity: Following recovery, a detailed report is created, and lessons learned from the incident are shared to prevent similar incidents in the future. This phase helps to improve future responses and overall security posture.

Malware Analysis

Malware stands for malicious software, which includes programs, documents, and files that can be stored on a disk or transmitted over a network. Malware comes in various forms, including:

  1. Virus: A virus is a piece of code that attaches itself to a program. It spreads from one computer to another and can alter, overwrite, or delete files once it infects a system. This can result in anything from a slow computer to one that becomes completely unusable.
  2. Trojan Horse: A Trojan Horse is a program that appears to perform a legitimate or desirable function but hides a malicious purpose. For example, a victim might download what seems like a harmless video player from an untrustworthy source, only to have their system compromised by the attacker.
  3. Ransomware: Ransomware is a type of malware that encrypts a user’s files, rendering them unreadable without the decryption password. The attacker demands a ransom in exchange for providing the password.

Malware analysis helps security professionals understand these malicious programs through two main techniques:

  • Static analysis: This involves inspecting the malware without executing it. Typically, this requires a deep understanding of assembly language and the processor’s instruction set to analyze the code.
  • Dynamic analysis: This method involves running the malware in a controlled, isolated environment and observing its behavior. It allows analysts to see how the malware interacts with the system while running.
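An added example (not from the original article) of the static side of that comparison: it triages a constructed, harmless byte blob without executing anything, recording file hashes, extracting printable strings and sorting them into the indicator buckets an analyst would review first. The sample bytes and the short API list are assumptions made for the demo.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file: junk bytes around a few printable
# strings. It is demo input, not a real sample, and nothing here is executed.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00\x17\x02"
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://update.example.invalid/stage2.bin\x00\xff\xfe"
    + b"C:\\Users\\Public\\svc.tmp\x00\x01\x02\x03"
)

# Printable ASCII runs of at least six characters, like the `strings` utility.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristic buckets a static triage report separates out. The API list is a
# small illustrative set, not a complete detection signature.
CATEGORIES = {
    "url": re.compile(r"https?://\S+"),
    "windows-path": re.compile(r"^[A-Za-z]:\\"),
    "suspicious-api": re.compile(r"^(VirtualAlloc|WriteProcessMemory|CreateRemoteThread)$"),
}

def file_hashes(data):
    """Hashes identify the sample and let it be looked up in threat-intel sources."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data):
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(data)]

def triage(data):
    """Static triage: hashes, printable strings, and strings matching an indicator bucket."""
    report = {"hashes": file_hashes(data), "strings": extract_strings(data), "indicators": {}}
    for s in report["strings"]:
        for bucket, rx in CATEGORIES.items():
            if rx.search(s):
                report["indicators"].setdefault(bucket, []).append(s)
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["hashes"]["sha256"])
    for bucket, hits in r["indicators"].items():
        print(bucket, hits)
```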

Defensive Security Certifications

  • CompTIA Security+ and Cisco CyberOps for entry-level certifications.
  • CISSP and CISM for management-level certifications.
  • SSCP as an alternative to CompTIA Security+ for deeper coverage.

Room Answers | TryHackMe Intro to Defensive Security

Which team focuses on defensive security?
Blue Team

What would you call a team of cyber security professionals that monitors a network and its systems for malicious events?
Security Operations Center

What does DFIR stand for?
Digital Forensics and Incident Response

Which kind of malware requires the user to pay money to regain access to their files?
ransomware

What is the flag that you obtained by following along?
THM{THREAT-BLOCKED}

Video Walkthrough | TryHackMe Intro to Defensive Security

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.