Interacting With The Demo
Reach out to firstname.lastname@example.org if you currently do not have demo credentials.
So many security portals, so little time.
As more security tools are brought into your environment, each can come with its own web interface. This leaves the security team having to monitor multiple consoles at once, which quickly becomes overwhelming and increases the chance of an alert going unnoticed. At OpenSecure, we implement a central console into which all alerts are pumped, with branches of supporting consoles for observing the fine details of an alert. This post details three scenarios:
Detecting Vulnerable OS and Software
Oh no! The latest vulnerability assessment on our Windows user laptop is reporting a series of CRITICAL CVEs. But before we take further action, how did we come to this conclusion? The Wazuh endpoint agent that was previously installed on our Windows machine gathered a list of the software and operating system packages currently deployed on the laptop. This alert is automatically sent to the SOC platform that our security analysts monitor.
Opening the alert shows that DESKTOP-7LK0SCQ is affected by CVE-2021-34498:
To get more details, follow the link within the description of the alert.
Further analysis shows we need to apply the KB5004238 patch to remediate this vulnerability. Let us go back to our SOC console so that we can assign the task of applying the KB5004238 patch to one of our SOC team members.
We can see that the Demo user has started the task. Task assignment helps ensure that other analysts are not working on the same task and unnecessarily duplicating work.
Great! The patch has been applied. Now let us confirm the patch was applied correctly by running an ad hoc vulnerability scan with our scanner tool, OpenVAS.
The good news is that our Windows laptop is in a much healthier state. The bad news is that we still have two other severely vulnerable hosts :/. Do these vulns ever stop?!
Those pesky malicious network actors never seem to stop. Our Network Intrusion Prevention System is alerting on an Nmap scan taking place.
Let us take a deeper look and see what details have been extracted:
Holy cow, that is one bad IP address!
If you have been able to follow along, you should see that the reported malicious IP is the one associated with this very alert. We have also automated the IP reputation lookup, so our analysts no longer have to spend time querying IP reputation databases by hand. We can immediately see that this is not a customer, but someone trying to attack! Looking at the metadata reveals even more: look at that nasty User-Agent associated with the attack!
We can now safely blacklist this IP address on the firewall, or, if you are running Suricata (our IPS of choice), block all network packets that match this signature.
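The enrichment and blocking step described above, as an added example that is not OpenSecure's or Suricata's own code: a Suricata EVE-style alert record is checked against a local IP reputation list and a list of customer networks, a scanner User-Agent is flagged, and a Suricata `drop` rule is produced for the flagged source. The alert, the reputation feed, the customer networks and the signature id are all constructed for this demo (RFC 5737 documentation addresses).

```python
"""Enrich an IPS alert with IP reputation and produce a block decision.

Added example, not OpenSecure's or Suricata's code. The field names
(src_ip, alert.signature, http.http_user_agent) follow Suricata's EVE JSON
layout; every value below is constructed for the demo.
"""
import ipaddress
from typing import Optional

# Constructed reputation feed: network -> category.
REPUTATION = {
    "203.0.113.0/24": "known-scanner",
    "198.51.100.7/32": "bruteforce-source",
}

# Constructed list of networks belonging to us or to customers; alerts from
# these are investigated, never auto-blocked.
CUSTOMER_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed User-Agent fragments that scanners commonly identify themselves with.
SCANNER_UA_MARKERS = ("nmap", "masscan", "nikto", "sqlmap")


def lookup_reputation(ip: str) -> Optional[str]:
    """Return the reputation category for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, category in REPUTATION.items():
        if addr in ipaddress.ip_network(net):
            return category
    return None


def is_customer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in CUSTOMER_NETWORKS)


def enrich_alert(alert: dict) -> dict:
    """Attach reputation, User-Agent and block-recommendation fields to an alert."""
    src = alert["src_ip"]
    ua = alert.get("http", {}).get("http_user_agent", "")
    rep = lookup_reputation(src)
    enriched = dict(alert)
    enriched["enrichment"] = {
        "src_reputation": rep,
        "src_is_customer": is_customer(src),
        "suspicious_user_agent": any(m in ua.lower() for m in SCANNER_UA_MARKERS),
        # Block only listed sources that are not ours or a customer's.
        "recommend_block": rep is not None and not is_customer(src),
    }
    return enriched


def suricata_drop_rule(ip: str, sid: int) -> str:
    """Build a Suricata drop rule for one source address (sid is a constructed value)."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    return (
        f"drop ip {ip} any -> $HOME_NET any "
        f'(msg:"OpenSecure demo - block reputation-flagged source {ip}"; '
        f"sid:{sid}; rev:1;)"
    )


# Constructed alert resembling what Suricata writes to eve.json for a scan.
SAMPLE_ALERT = {
    "timestamp": "2021-07-14T10:22:31.000000+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.5",
    "dest_ip": "10.0.0.12",
    "proto": "TCP",
    "alert": {"signature": "DEMO SCAN Nmap user-agent observed",
              "signature_id": 1000001, "severity": 2},
    "http": {"http_user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine)"},
}

if __name__ == "__main__":
    result = enrich_alert(SAMPLE_ALERT)
    print(result["enrichment"])
    if result["enrichment"]["recommend_block"]:
        print(suricata_drop_rule(SAMPLE_ALERT["src_ip"], sid=9000001))
```

In a real deployment the reputation dictionary would be replaced by a feed lookup and the generated rule appended to a local rules file before a `suricata` reload; the customer-network check is what keeps a noisy but legitimate client from being dropped automatically.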
Host Intrusion Alerts
Below we have a brute-force SSH attack occurring on our honeypot server:
The username "user" has attempted to SSH onto our honeypot server with a password of "12" from IP address 184.108.40.206.
Who would have guessed, another known bad actor. Because this is a honeypot server, let us allow the user to log into the box and observe the commands they run. Well, look at this: it looks like somebody was trying to reach out to a command and control server:
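The brute-force detection behind that alert, as an added example that is not OpenSecure's or the honeypot's own code: a handful of constructed OpenSSH `sshd` auth log lines are parsed, failed logins are counted per source address in a sliding window, and a successful login from a source that previously failed (the honeypot case above, where the attacker is let in) is raised as its own finding. The threshold, window, log year and all addresses are assumptions for the demo.

```python
"""Detect SSH brute force and success-after-failures from sshd log lines.

Added example, not OpenSecure's or any honeypot project's code. The log
lines are constructed in OpenSSH's auth.log format; THRESHOLD, WINDOW and
LOG_YEAR are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
THRESHOLD = 5                  # failures within WINDOW that count as brute force
WINDOW = timedelta(minutes=2)
LOG_YEAR = 2021                # syslog timestamps carry no year; assumed here


def parse_line(line: str):
    """Return {ts, result, user, ip} for a password auth line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Scan lines in order and return a list of findings."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside WINDOW
    total_failures = defaultdict(int)
    alerted = set()                 # one brute-force finding per source
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            total_failures[ip] += 1
            while q and ev["ts"] - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in alerted:
                alerted.add(ip)
                findings.append({"type": "ssh_bruteforce", "ip": ip,
                                 "attempts": len(q), "first_seen": q[0],
                                 "last_seen": ev["ts"]})
        elif total_failures[ip] > 0:
            # A success after failed guesses from the same source is the
            # high-priority case: the guessing worked (or the honeypot let it).
            findings.append({"type": "ssh_success_after_failures", "ip": ip,
                             "user": ev["user"],
                             "prior_failures": total_failures[ip], "ts": ev["ts"]})
    return findings


# Constructed auth.log excerpt (RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
Jul 14 10:22:31 honeypot sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jul 14 10:22:33 honeypot sshd[2103]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jul 14 10:22:34 honeypot sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51238 ssh2
Jul 14 10:22:35 honeypot sshd[2107]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
Jul 14 10:22:36 honeypot sshd[2109]: Failed password for invalid user user from 198.51.100.7 port 51240 ssh2
Jul 14 10:22:37 honeypot sshd[2109]: Connection closed by 198.51.100.7 port 51240 [preauth]
Jul 14 10:22:38 honeypot sshd[2111]: Failed password for invalid user user from 198.51.100.7 port 51242 ssh2
Jul 14 10:22:40 honeypot sshd[2113]: Failed password for invalid user user from 198.51.100.7 port 51244 ssh2
Jul 14 10:22:41 honeypot sshd[2115]: Accepted password for user from 198.51.100.7 port 51246 ssh2
Jul 14 10:22:45 honeypot sshd[2117]: Accepted password for alice from 10.0.0.5 port 60010 ssh2
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f)
```

The source address, not the username, is the key: brute-force tools rotate usernames, so counting per user would hide the burst. The success-after-failures finding is what a honeypot operator wants routed straight to the console, since it marks the session whose subsequent commands are worth reading.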
All of this and much more is possible with FREE open source tools. But what if you want to proactively block these attacks as they happen? You can; that is just out of scope for this POC and is something we implement as part of our service and highly encourage. Robust and free security tools are out there. Let OpenSecure help you and your team face your security and budget constraints head on!