Completed Threat Intelligence Tools Lab Explore different OSINT tools used to conduct security threat assessments and investigations. #cybersecurity #informationsecurity #opentowork #devops #cloud #cloudsecurity #applicationsecurity #softwaredevelopment #qa #qualityassurance #baltimore #developer #dev #cyber #Job #Recruitment #LinkedIn #Hiring #Openings #Jobvacancy #Interviewing #Jobhunters #security #fintech #startup
Balraj Dahiya’s Post
More Relevant Posts
-
How to Start a Career in a Security Operation Center (#SOCAnalyst)

Threat Intelligence: Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments. There are different classifications of Threat Intelligence, and the primary types of it are:
• Strategic Intel: High-level intel that looks into the organisation's threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
• Technical Intel: Examines evidence and artefacts of attacks an adversary uses. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
• Tactical Intel: Assesses adversaries' tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
• Operational Intel: Assesses an adversary's specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that threat actors may target.

More Information => Amarjit Gajare #forensicscience #forensicinvestigation #defensivesecurity #forensicanalysis #cyberattacks #CEHV12 #offensivesecurity #SOCAnalyst
Threat Intelligence for SOC
tryhackme.com
-
Junior Security Analyst Intro #localsearch #cybereducation #tryhackme #informationsecurity #securityawareness #cyberdefense #ethicalhacking #cyber #computersecurity #security
Junior Security Analyst Intro
tryhackme.com
-
• SOC Fundamentals
• Cyber Kill Chain
• MITRE ATT&CK Framework
• Phishing Email Analysis
• Detecting Web Attacks
• Investigate Web Attack
• How to Investigate a SIEM Alert?
• Malware Analysis Fundamentals
• Dynamic Malware Analysis
• MSHTML Malicious Document Analysis
• Security Solutions
• Network Log Analysis
• SIEM 101
• Incident Management 101
• Splunk
• Cyber Threat Intelligence
• VirusTotal for SOC Analysts
• IT Security Basis for Corporates
• Detecting Brute Force Attacks
• Building a Malware Analysis Lab
• Building a SOC Lab at Home
SOC Analyst Learning Path
app.letsdefend.io
-
TryHackMe Junior Security Analyst Intro course teaches foundational skills in cybersecurity, including threat analysis and defensive strategies.
Junior Security Analyst Intro
tryhackme.com
-
Revisiting a career in Cyber Security
Junior Security Analyst Intro
tryhackme.com
-
I am happy to announce that I have received the "SOC Analyst" Certification from LetsDefend!🥳 I have gained detailed knowledge on many topics such as:
• Cyber Kill Chain
• MITRE ATT&CK Framework
• Phishing Email Analysis
• Detecting Web Attacks
• Malware Analysis
• Malicious Document Analysis
• Security Solutions
• Network Log Analysis
• SIEM
• Incident Management
• Splunk
• Cyber Threat Intelligence
• Detecting Brute Force Attacks
SOC Analyst Learning Path
app.letsdefend.io
-
🚀 Day 26 of the 30-Day SOC Analyst Challenge with MyDFiR! 🚀

Today, we took a deep dive into investigating SSH brute force attacks using Elastic Stack. The focus was on identifying potential attackers and their activities by analyzing alerts and timelines, and further examining IP addresses. Let’s break down the process step by step!

Step 1: Investigating SSH Brute Force Alerts
- Navigate to Alerts: Under the Security tab in the Elastic Web GUI, select Alerts.
- Timeline Analysis: Click on Timelines and select the "All alerts involving a single user" timeline for an in-depth view of activity related to a particular user.

Step 2: Detailed Alert Investigation
Investigating IP Address: Clicked on a specific alert to view its details. Things to investigate included:
- IP Address: Checked whether the IP is known for brute force activity.
- Affected Users: Investigated if any other users were targeted by the same IP.
- Post-Login Activity: Analyzed if there was any activity after successful login attempts.

Step 3: Checking IP Reputation
- IP Reputation Services: Copied the suspicious source IP and checked its history on AbuseIPDB.com and viz.greynoise.io. The IP was flagged as known for brute force attempts.
- Search in Elastic: Pasted the IP address into Discover and used the query to check for affected users. Found that 6 users were targeted (root, user, admin, Debian, Ubuntu, FTP).

Step 4: Analyzing the Success of Brute Force Attempts
- Search for "Accepted" Logins: Queried with "Accepted" in Elastic to find successful login attempts by the IP. In this case, none of the brute force attempts were successful.
- Post-Login Activity: Since there were no successful logins, no further suspicious activity occurred.

Step 5: Automating Ticket Creation for Alerts
Webhook Automation:
- Headed over to Security > Actions and selected Webhook. Set the alert to trigger "For each alert" and customise the alert content.
- Created a payload similar to the osTicket example, ensuring details like IP and user info were included in the alert.
- Customized the subject using dynamic variables like Rule.name. Saved changes and verified that tickets were successfully generated in osTicket for further incident tracking.

Conclusion: Today’s task gave me hands-on experience investigating SSH brute force attacks, checking IP reputation, and automating ticket creation for incidents in Elastic Stack. This workflow streamlines the process of identifying threats and ensuring they’re tracked and managed efficiently. Stay tuned for more insights as we continue building our SOC skills!

#SOCAnalyst #Cybersecurity #ElasticStack #BruteForce #SSH #30DayChallenge #MyDFIR #SecurityOperations #IncidentResponse #LogManagement #osTicket MyDFIR.com
MyDFIR
mydfir.com
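The Day 26 checks (which users one source IP targeted, whether any attempt was "Accepted", whether post-login activity needs review) as a worked example run over constructed sshd log lines. This is added example code, not part of the post above or of the MyDFIR challenge material; the IP addresses, user names, timestamps and the attempt threshold are all made up.

```python
import re

# Constructed sshd auth log lines (not from the post). 203.0.113.7 and
# 198.51.100.9 are documentation addresses, not real attackers.
SAMPLE_AUTH_LOG = """\
Sep 10 08:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep 10 08:01:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Sep 10 08:01:04 srv sshd[1203]: Failed password for invalid user user from 203.0.113.7 port 51003 ssh2
Sep 10 08:01:05 srv sshd[1204]: Failed password for invalid user debian from 203.0.113.7 port 51004 ssh2
Sep 10 08:01:06 srv sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51005 ssh2
Sep 10 08:01:07 srv sshd[1206]: Failed password for invalid user ftp from 203.0.113.7 port 51006 ssh2
Sep 10 08:05:00 srv sshd[1300]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2: ED25519 SHA256:abc
Sep 10 08:06:00 srv sshd[1301]: Failed password for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and
# "Accepted <method> for X from IP" sshd messages.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_sshd(log_text):
    """Yield (result, user, ip) for each sshd auth line; skip unrelated lines."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def investigate_ip(log_text, ip, threshold=5):
    """Answer the Day 26 questions for one source IP (threshold is an assumption)."""
    targeted, accepted, failures = set(), [], 0
    for result, user, src in parse_sshd(log_text):
        if src != ip:
            continue
        if result == "Failed":
            failures += 1
            targeted.add(user)
        else:
            accepted.append(user)
    return {
        "ip": ip,
        "failed_attempts": failures,
        "brute_force": failures >= threshold,
        "targeted_users": sorted(targeted),
        "successful_logins": accepted,
        "needs_post_login_review": bool(accepted),  # only if an attempt was Accepted
    }

if __name__ == "__main__":
    print(investigate_ip(SAMPLE_AUTH_LOG, "203.0.113.7"))
```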
-
🚀 Day 27 of the 30-Day SOC Analyst Challenge with MyDFiR! 🚀

Today, we focused on investigating RDP brute force attacks using Elastic Stack and automating the alert process with osTicket. This task followed a similar approach to our SSH brute force investigations.

Step 1: Investigate RDP Brute Force Attack
Filtered for RDP brute force alerts in the Elastic Web GUI under the Security tab. Viewed alert details for key info like source IP and affected users.

Step 2: Automate Ticket Creation in osTicket
Copied the SSH webhook configuration and pasted it into the RDP alert rule. This allowed us to automatically generate tickets in osTicket for RDP brute force alerts.

Step 3: Investigative Process for RDP Brute Force
We followed the same steps as the SSH brute force investigation:
- Is the IP known for brute force activity? - Yes.
- Any other users affected? - Yes, multiple.
- Successful logins? - No.
- Post-login activity? - None due to no successful logins.

Step 4: Investigating a Successful Brute Force
- IP known for brute force activity? - Yes.
- Other users affected? - No.
- Successful logins? - Yes.

Step 5: Follow the Chain of Events
Tracked actions after a successful login by filtering for event.code: 4624, user, and logon ID. This helped identify actions taken post-login.

Conclusion: Today’s focus on RDP brute force detection helped solidify our incident response workflow with Elastic Stack and osTicket. Next, we’ll continue investigating security alerts and refining detection workflows.

#SOCAnalyst #Cybersecurity #ElasticStack #BruteForce #IncidentResponse #Automation #30DayChallenge #MyDFIR #osTicket MyDFIR.com
MyDFIR
mydfir.com
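The Day 27 RDP workflow as an added example, not from the post above or from MyDFIR: the same questions answered over constructed Windows Security events (4625 failures, a logon-type-10 4624 success, 4688 process events), with the chain of events after the success followed by the logon ID as Step 5 describes. The flattened, winlogbeat-like field names are an assumption, and every address, user and logon ID is made up.

```python
# Constructed Windows Security events (an assumption about field names; not
# telemetry from the post). 203.0.113.7 and 198.51.100.9 are documentation
# addresses; logon type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    {"event.code": "4625", "user.name": "admin", "source.ip": "203.0.113.7", "logon.type": "10"},
    {"event.code": "4625", "user.name": "administrator", "source.ip": "203.0.113.7", "logon.type": "10"},
    {"event.code": "4625", "user.name": "test", "source.ip": "203.0.113.7", "logon.type": "10"},
    {"event.code": "4625", "user.name": "admin", "source.ip": "203.0.113.7", "logon.type": "10"},
    {"event.code": "4625", "user.name": "admin", "source.ip": "203.0.113.7", "logon.type": "10"},
    {"event.code": "4624", "user.name": "admin", "source.ip": "203.0.113.7", "logon.type": "10", "logon.id": "0x3e7a1"},
    {"event.code": "4688", "logon.id": "0x3e7a1", "process.name": "cmd.exe"},
    {"event.code": "4688", "logon.id": "0x3e7a1", "process.name": "powershell.exe"},
    {"event.code": "4624", "user.name": "svc_backup", "source.ip": "198.51.100.9", "logon.type": "10", "logon.id": "0x1ab"},
    {"event.code": "4688", "logon.id": "0x1ab", "process.name": "explorer.exe"},
]

def _rdp_from(events, code, ip):
    """Events of one code with logon type 10 (RDP) from the given source IP."""
    return [e for e in events
            if e.get("event.code") == code
            and e.get("logon.type") == "10"
            and e.get("source.ip") == ip]

def investigate_rdp_ip(events, ip, threshold=5):
    """Answer the Day 27 questions for one source IP (threshold is an assumption)."""
    failures = _rdp_from(events, "4625", ip)
    successes = _rdp_from(events, "4624", ip)
    return {
        "ip": ip,
        "failed_attempts": len(failures),
        "brute_force": len(failures) >= threshold,
        "targeted_users": sorted({e["user.name"] for e in failures}),
        "successful_logon_ids": [e["logon.id"] for e in successes],
    }

def chain_of_events(events, logon_id):
    """Step 5: every event after the 4624 that carries that session's logon ID."""
    return [e for e in events
            if e.get("logon.id") == logon_id and e.get("event.code") != "4624"]

def post_login_processes(events, ip):
    """Process names started inside RDP sessions that this IP opened."""
    names = []
    for logon_id in investigate_rdp_ip(events, ip)["successful_logon_ids"]:
        names += [e["process.name"] for e in chain_of_events(events, logon_id)
                  if e.get("event.code") == "4688"]
    return names

if __name__ == "__main__":
    print(investigate_rdp_ip(SAMPLE_EVENTS, "203.0.113.7"))
    print(post_login_processes(SAMPLE_EVENTS, "203.0.113.7"))
```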