20TD02X_BTL1_ Comprehensive_Guide_v2 - itnett/FTD02H-N GitHub Wiki

SelvfΓΈlgelig! Her er en detaljert og utvidet versjon av hvert kapittel, med samme formatering:

πŸ“˜ Blue Team Level 1 (BTL1) - Comprehensive Guide

Welcome to the Blue Team Level 1 (BTL1) comprehensive guide! This document is optimized for GitHub Markdown and is designed to help you prepare for the BTL1 certification. Below you will find a detailed table of contents and index for easy navigation.

πŸ“‘ Table of Contents

  1. Introduction
  2. Security Fundamentals
  3. Phishing Analysis
  4. Threat Intelligence
  5. Digital Forensics
  6. SIEM
  7. Incident Response

πŸ“˜ Introduction

Welcome to the BTL1 comprehensive guide. This document will provide you with the essential knowledge and skills required to become proficient in defending networks and responding to cyber incidents. The guide covers the following six main domains: Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM, and Incident Response.

πŸ”’ Security Fundamentals

Introduction to Security Fundamentals

Security fundamentals provide the foundation for understanding cybersecurity concepts, including threats, vulnerabilities, and risk management.

  • Threats: Potential harm-causing events or circumstances.
  • Vulnerabilities: Weaknesses that can be exploited by threats.
  • Risk Management: Identifying, assessing, and prioritizing risks to mitigate their impact.

Soft Skills

Soft skills are essential for effective security operations, including communication, collaboration, problem-solving, and decision-making.

  • Communication: Clearly and effectively conveying information.
  • Collaboration: Working well within teams to solve security issues.
  • Problem-Solving: Identifying problems and finding effective solutions.
  • Decision-Making: Evaluating situations and making informed decisions.

Security Controls

Security controls are measures implemented to protect information systems and data.

  • Preventive Controls: Measures to prevent security incidents (e.g., firewalls, antivirus).
  • Detective Controls: Measures to detect security incidents (e.g., IDS/IPS).
  • Corrective Controls: Measures to restore systems after incidents (e.g., backups, recovery).

Networking 101

Basic networking knowledge is crucial for understanding how data moves through networks and where security threats may arise.

  • OSI Model: Conceptual model with seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.
    • Layer 1: Physical – Physical connections of network devices.
    • Layer 2: Data Link – Data transfer between adjacent network nodes.
    • Layer 3: Network – Data transfer between network nodes.
    • Layer 4: Transport – End-to-end data transfer.
    • Layer 5: Session – Managing sessions between applications.
    • Layer 6: Presentation – Data translation, encryption, and compression.
    • Layer 7: Application – Network services to applications.
  • TCP/IP Model: Simplified model with four layers: Network Access, Internet, Transport, and Application.
    • Layer 1: Network Access – Physical and data link layer functions.
    • Layer 2: Internet – Routing of data packets.
    • Layer 3: Transport – Reliable data transfer.
    • Layer 4: Application – Network services to applications.
  • Protocols: Rules for data transmission. Common protocols include HTTP, HTTPS, FTP, TCP, UDP, IP.

Management Principles

Management principles help ensure effective governance of security measures.

  • Policies: Guidelines defining how security management should be conducted.
  • Processes: Standardized procedures for executing security tasks.
  • Controls: Measures to monitor and ensure compliance with security policies and processes.

🐟 Phishing Analysis

Introduction to Emails and Phishing

Phishing is a method where attackers send fraudulent emails to trick recipients into divulging sensitive information or infecting their systems with malware.

  • Phishing: Fraudulent attempt to obtain sensitive information.
  • Spear Phishing: Targeted attacks on specific individuals or organizations.
  • Whaling: Targeted attacks on high-profile targets.
  • Clone Phishing: Duplication of legitimate emails with malicious links or attachments.

Types of Phishing Emails

Various types of phishing emails are used to deceive recipients.

  • Generic Phishing: Mass emails sent to many recipients.
  • Spear Phishing: Targeted attacks on specific individuals.
  • Whaling: High-profile targets such as executives.
  • Clone Phishing: Replicates legitimate emails with malicious content.

Tactics and Techniques Used

Common techniques include social engineering, spoofing, malicious attachments, and fake links.

  • Social Engineering: Manipulating individuals to divulge confidential information.
  • Spoofing: Forging email headers to appear as if they come from a trusted source.
  • Malicious Attachments: Including harmful files that execute malware.
  • Fake Links: Directing users to fraudulent websites designed to steal information.

Analyzing URLs, Attachments, and Artifacts

Tools and methods for analyzing phishing emails include URL2PNG for screenshots and VirusTotal for scanning attachments.

  • URL Analysis: Examining URLs to detect malicious links.
  • Attachment Analysis: Scanning email attachments for malware.
  • Artifact Analysis: Investigating email headers, metadata, and other artifacts for signs of phishing.

Taking Defensive Measures

Protective measures include user training, email filtering, multi-factor authentication (MFA), and security protocols like DMARC, DKIM, and SPF.

  • User Training: Educating users on how to recognize and respond to phishing emails.
  • Email Filtering: Implementing filters to block malicious emails.
  • Multi-Factor Authentication (MFA): Adding an extra layer of security to account logins.
  • Security Protocols: DMARC, DKIM, and SPF to authenticate emails and prevent spoofing.

Report Writing

Documenting and reporting findings from phishing email analysis is essential for informing stakeholders and improving defenses.

  • Incident Reports: Detailed documentation of phishing incidents.
  • Lessons Learned: Analyzing incidents to identify areas for improvement.
  • Recommendations: Providing actionable steps to enhance security posture.

Lessons Learned

Organizations should review incidents to identify weaknesses and improve defenses against future phishing attacks.

  • Post-Incident Analysis: Reviewing incidents to understand what went wrong.
  • Process Improvements: Implementing changes to prevent future incidents.
  • Continuous Monitoring: Regularly assessing and updating phishing defenses.

πŸ•΅οΈ Threat Intelligence

Introduction to Threat Intelligence

Threat Intelligence involves gathering, analyzing, and using information about threats to protect organizations from cyber attacks.

Threat Actors and APTs

Understanding different types of threat actors and Advanced Persistent Threats (APTs) is crucial.

  • Script Kiddies: Inexperienced attackers using existing tools.
  • Hacktivists: Attackers with political or social motives.
  • Cybercriminals: Attackers motivated by financial gain.
  • Insider Threats: Employees or associates misusing access.
  • APTs: State-sponsored or highly sophisticated groups targeting specific organizations.

Operational Threat Intelligence

Focused on detailed information about threats and campaigns.

  • **Tactics, Techniques, and Procedures

(TTPs):** Specific methods used by threat actors.

  • Indicators of Compromise (IoCs): Evidence of potential breaches.

Tactical Threat Intelligence

Includes specific techniques, tactics, and procedures (TTPs) used by attackers.

  • Pyramid of Pain: Conceptual model showing the difficulty of changing different indicators.
  • MITRE ATT&CK Framework: Comprehensive matrix of TTPs used by threat actors.

Strategic Threat Intelligence

Long-term trends and motivations behind threat actor activities.

  • Threat Landscape: Overview of current and emerging threats.
  • Geopolitical Factors: Influence of global events on cyber threats.

Malware and Global Campaigns

Analyzing malware and coordinated global campaigns to understand and defend against large-scale attacks.

  • Malware Analysis: Investigating malicious software to understand its behavior and impact.
  • Global Campaigns: Coordinated attacks targeting multiple organizations or sectors.

πŸ” Digital Forensics

Introduction to Digital Forensics

Digital forensics involves collecting, analyzing, and preserving digital evidence to understand incidents, uncover criminal activity, and recover data.

Forensics Fundamentals

Key principles include integrity, traceability, and transparency.

  • Integrity: Ensuring evidence is not altered during analysis.
  • Traceability: Maintaining a clear chain of custody for evidence.
  • Transparency: Conducting investigations in a manner that can be independently verified.

Digital Evidence Collection

Collecting evidence carefully to avoid contamination using tools like FTK Imager and KAPE.

  • FTK Imager: Tool for creating forensic images of digital media.
  • KAPE: Rapid collection of forensic artifacts from endpoints.
  • Chain of Custody: Documenting the handling of evidence from collection to presentation in court.

Windows Investigations

Analyzing Windows systems for evidence, including the registry, log files, prefetch files, and Recycle Bin.

  • Windows Registry: Contains configuration settings and user activity logs.
  • Log Files: Record system and application events.
  • Prefetch Files: Help identify recently executed programs.
  • Recycle Bin: Stores deleted files that can be recovered for analysis.

Linux Investigations

Investigating Linux systems, focusing on log files, configuration files, and user directories.

  • /var/log Directory: Stores system logs and application logs.
  • /etc Directory: Contains configuration files for the system and applications.
  • User Home Directories: Store user files and activity logs.

Volatility

A powerful tool for memory analysis to uncover malicious activity and recover information from RAM.

  • Memory Dump: Capturing the contents of RAM for analysis.
  • Volatility Plugins: Various plugins for analyzing different aspects of memory.

Autopsy

A user-friendly platform for analyzing hard drives and other storage devices to recover deleted files and investigate user behavior.

  • File System Analysis: Investigating file systems to recover and analyze files.
  • Timeline Analysis: Creating timelines of user activity based on file metadata.
  • Keyword Search: Searching for specific keywords in the data to find relevant evidence.

πŸ–₯️ SIEM

Introduction to SIEM

SIEM (Security Information and Event Management) solutions provide organizations with insights into their IT environment by collecting and analyzing logs and events from various sources.

Logging

Recording events such as user activities and system changes in log files.

  • System Logs: Record operating system events.
  • Application Logs: Record events from software applications.
  • Security Logs: Record security-related events, such as failed login attempts.

Aggregation

Collecting log data from different sources and centralizing it in the SIEM system.

  • Log Aggregators: Tools that collect and forward logs to a SIEM system.
  • Centralized Logging: Storing all logs in a single location for analysis.

Correlation

Analyzing log data to identify patterns and relationships that indicate security incidents.

  • Correlation Rules: Define patterns to detect suspicious activity.
  • Event Correlation: Linking related events from different sources to identify incidents.

Using Splunk SIEM

Splunk is a popular SIEM tool used for searching, monitoring, and analyzing machine data.

  • Data Input: Adding data sources like system, application, and network logs.
  • Search: Using SPL (Search Processing Language) to filter and analyze data.
    • Example SPL Query: index=main sourcetype=access_combined status=200 | stats count by clientip
  • Dashboards: Creating visual representations of data for real-time monitoring.
  • Alerts: Configuring alerts for suspicious events.

🚨 Incident Response

Introduction to Incident Response

Incident Response (IR) is the process of handling and responding to security incidents to minimize damage and restore normal operations.

Preparation Phase

Developing and maintaining IR policies, procedures, tools, and training.

  • Incident Response Plan: Document outlining the steps to take during an incident.
  • Training: Regularly training staff on IR procedures and tools.
  • Tools: Ensuring the necessary tools are available and functional.

Detection and Analysis Phase

Continuous monitoring and alerting using SIEM and other tools to identify and investigate incidents.

  • Monitoring: Regularly monitoring systems and networks for signs of incidents.
  • Alerts: Configuring alerts to notify staff of potential incidents.
  • Incident Analysis: Investigating alerts to determine if an incident has occurred.

Case Management

Managing incident cases from detection to resolution, documenting all actions taken.

  • Case Tracking: Using a system to track and manage incidents.
  • Documentation: Keeping detailed records of all actions taken during the incident response process.

Containment, Eradication, and Recovery Phase

Containing the incident to prevent further damage, removing threats, and restoring systems.

  • Containment: Isolating affected systems to prevent the incident from spreading.
  • Eradication: Removing the cause of the incident, such as malware or compromised accounts.
  • Recovery: Restoring systems to normal operation and verifying they are secure.

Lessons Learned

Reviewing incidents to identify weaknesses and improve future responses.

  • Post-Incident Review: Analyzing the incident to understand what happened and why.
  • Process Improvement: Identifying areas for improvement in the incident response process.
  • Continuous Learning: Regularly updating the incident response plan based on lessons learned.

πŸ” Index

  • Security Fundamentals: Threats, Vulnerabilities, Risk Management, CIA Triad, OSI Model, TCP/IP Model.
  • Phishing Analysis: Phishing, Spear Phishing, Whaling, Social Engineering, Spoofing, URL Analysis, Email Filtering.
  • Threat Intelligence: Threat Actors, APTs, TTPs, Pyramid of Pain, MITRE ATT&CK, Malware Analysis, Intelligence Sharing.
  • Digital Forensics: Evidence Collection, FTK Imager, Volatility, Autopsy, Windows Registry, Linux Logs.
  • SIEM: Logging, Aggregation, Correlation, Splunk, Dashboards, Alerts.
  • Incident Response: IR Lifecycle, Preparation, Detection, Analysis, Containment, Recovery, Post-Incident Review.

This comprehensive guide provides a structured approach to mastering the key concepts and skills required for the Blue Team Level 1 certification. By following the detailed content and utilizing the listed resources, you will be well-prepared to defend networks and respond to cyber incidents effectively. Good luck with your studies! πŸš€