Contents
1. Security Information and Event Management (SIEM) --------------------------- 2-3
   WAZUH
   Installation
   Scanning
2. Threat Modeling using Attack Graph ----------------------------------- 3-4
   Description
   Working Process
3. Threat Modeling using STRIDE ---------------------------------------- 4-7
   Description
   Working Process
Basics of Security Operations and Threat Modeling
Security Information and Event Management (SIEM)
WAZUH
Wazuh is a free, open-source, enterprise-ready security monitoring solution for threat
detection, integrity monitoring, incident response and compliance.
We will need three VMs in total to install and test Wazuh: the Wazuh server, a Windows VM for
the agent, and a Kali Linux VM for testing.
Installing Wazuh Server
Go to https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html
and download the Wazuh prebuilt virtual machine.
Then simply import the OVA file into VMware or Oracle VirtualBox to run Wazuh.
To open the Wazuh Server web UI, copy the IP address of the Wazuh VM and paste it into the browser.
The default login credentials are admin / admin.
Installing Wazuh Agent on Windows VM
Go to https://wazuh.com/install/ and download the agent for Windows.
After installation, the agent configuration UI is shown.
We have to add the agent to the Wazuh Server so that it can detect threats and raise alerts. For
this we need to enter the Manager (Server) IP and the Authentication key, which is generated on the Server.
To generate the Activation Key, follow these steps:
1. Log in to the Wazuh Server VM with the username root and the password wazuh
2. Run /var/ossec/bin/manage_agents
3. Enter A and press Enter
4. Add a name for the agent
5. Add the IP of the agent VM
6. Enter Q and press Enter
7. For the next part we will need PuTTY to SSH to the server to retrieve the Activation Key
8. Log in with PuTTY using the same username and password used to log in to the VM, and run
/var/ossec/bin/manage_agents
9. Enter E and press Enter
10. Enter the ID of the agent (most likely 001)
11. A long string will be generated, which we need to copy and paste into the Activation Key field
12. Press Save and Refresh
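Before pasting the long string into the agent, it is worth checking that it was copied whole. As an added example (not from the original notes or from the Wazuh project), the Python below decodes the exported key, which manage_agents writes as the base64 encoding of the four fields id, name, ip and secret, and checks that the name and IP match the agent being registered. The sample key and the secret inside it are constructed, and the check that the secret is 64 hex characters is an assumption about the key format.

```python
import base64
import binascii
import ipaddress

# Constructed sample: the four fields manage_agents joins with single spaces
# before base64-encoding them. The secret is a made-up 64-hex-char value.
SAMPLE_ID = "001"
SAMPLE_NAME = "win10-agent"
SAMPLE_IP = "192.168.56.20"
SAMPLE_SECRET = "ab" * 32
SAMPLE_KEY = base64.b64encode(
    f"{SAMPLE_ID} {SAMPLE_NAME} {SAMPLE_IP} {SAMPLE_SECRET}".encode()
).decode()


def decode_agent_key(encoded: str) -> dict:
    """Decode the key string exported by manage_agents (option E).

    The exported string is base64 of "<id> <name> <ip> <secret>".
    Raises ValueError when the string is not shaped like an agent key,
    which is what a truncated copy-paste looks like.
    """
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip secret), got {len(parts)}")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id is not numeric: {agent_id!r}")
    if ip != "any":
        # manage_agents accepts a single address or a CIDR range; this raises
        # ValueError for anything that is not one of those.
        ipaddress.ip_network(ip, strict=False)
    # Assumption for this example: the secret is 64 lowercase hex characters.
    if len(secret) != 64 or any(c not in "0123456789abcdef" for c in secret):
        raise ValueError("secret is not 64 hex characters; key may be truncated")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches_agent(encoded: str, expected_name: str, expected_ip: str) -> bool:
    """True when the key was generated for the agent we are about to register."""
    fields = decode_agent_key(encoded)
    return fields["name"] == expected_name and fields["ip"] == expected_ip


if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY))
    print(key_matches_agent(SAMPLE_KEY, SAMPLE_NAME, SAMPLE_IP))
```

If the decode fails, go back to step 9 and extract the key again rather than registering the agent with a mangled string.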
Now the agent and the server are connected, and we are ready to test the SIEM.
Testing the SIEM
The added agent can be seen in the web UI.
To test the SIEM, we will run an Nmap scan against the agent machine from Kali Linux and check
whether an alert or message appears in the SIEM.
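To see what the SIEM has to find in that test, here is an added example (not from the original notes or from Wazuh's rule set) of the detection logic behind a port-scan alert, written in Python over a constructed connection log: a source that touches many distinct destination ports on one host within a short window is flagged once. The log format, the 10-second window and the threshold of 8 ports are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection log (not real Wazuh or firewall output). Host
# 192.168.56.30 probes ten ports on the agent in three seconds; 192.168.56.10
# makes a few ordinary connections spread over a minute.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=192.168.56.30 dst=192.168.56.20 dport=22 action=deny
2024-05-01T10:00:00 src=192.168.56.30 dst=192.168.56.20 dport=80 action=deny
2024-05-01T10:00:01 src=192.168.56.30 dst=192.168.56.20 dport=135 action=allow
2024-05-01T10:00:01 src=192.168.56.30 dst=192.168.56.20 dport=139 action=allow
2024-05-01T10:00:01 src=192.168.56.30 dst=192.168.56.20 dport=443 action=deny
2024-05-01T10:00:02 src=192.168.56.30 dst=192.168.56.20 dport=445 action=allow
2024-05-01T10:00:02 src=192.168.56.30 dst=192.168.56.20 dport=3389 action=deny
2024-05-01T10:00:02 src=192.168.56.30 dst=192.168.56.20 dport=8080 action=deny
2024-05-01T10:00:03 src=192.168.56.30 dst=192.168.56.20 dport=5985 action=deny
2024-05-01T10:00:03 src=192.168.56.30 dst=192.168.56.20 dport=1433 action=deny
2024-05-01T10:00:05 src=192.168.56.10 dst=192.168.56.20 dport=445 action=allow
2024-05-01T10:00:40 src=192.168.56.10 dst=192.168.56.20 dport=445 action=allow
2024-05-01T10:01:10 src=192.168.56.10 dst=192.168.56.20 dport=3389 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines we do not understand."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match["ts"]),
        "src": match["src"],
        "dst": match["dst"],
        "dport": int(match["dport"]),
        "action": match["action"],
    }


def detect_port_scans(log_text, window_seconds=10, min_ports=8):
    """Return one alert per (src, dst) pair that touches at least min_ports
    distinct destination ports inside a sliding window of window_seconds.

    Denied and allowed connections both count: a scan shows up as a burst of
    distinct ports regardless of which of them happened to be open.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        key = (event["src"], event["dst"])
        queue = recent[key]
        queue.append((event["ts"], event["dport"]))
        # Drop events that have fallen out of the sliding window.
        while queue and event["ts"] - queue[0][0] > window:
            queue.popleft()
        distinct_ports = {port for _, port in queue}
        if len(distinct_ports) >= min_ports and key not in alerted:
            alerted.add(key)   # alert once per pair, not once per extra port
            alerts.append({
                "src": event["src"],
                "dst": event["dst"],
                "distinct_ports": len(distinct_ports),
                "first_seen": queue[0][0].isoformat(),
                "last_seen": event["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the tuning knobs: too low and a busy file server looks like a scanner, too high and a slow scan spread over minutes never trips the rule.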
________________________________________________________________________________
Threat Modeling using Attack Graphs Practical
Performing threat modeling using attack graphs practically involves several steps. Let's walk
through the process:
Identify the System and Assets: Define the system or network that you want to model and identify
the critical assets within it. This could be an application, a network infrastructure, or any other
system you want to assess.
Understand the System's Architecture: Gain a thorough understanding of the system's architecture,
including its components, connections, and dependencies. This knowledge is crucial for identifying
potential vulnerabilities and attack vectors.
Enumerate Vulnerabilities: Identify potential vulnerabilities within the system. This can be done
through various methods such as code analysis, vulnerability scanning, penetration testing, or
security assessments. Document each vulnerability and its associated severity.
Define Attack Paths: Map the identified vulnerabilities to potential attack paths. Determine how an
attacker could exploit these vulnerabilities to move through the system and achieve their
objectives. Consider the sequence of steps an attacker would take and the dependencies between
vulnerabilities.
Construct the Attack Graph: Use an attack graph modeling tool or software to construct the attack
graph. There are several commercial and open-source tools available for this purpose. These tools
allow you to create nodes representing system components and vulnerabilities and define
connections or attack paths between them.
Analyze Attack Paths: Analyze the attack graph to identify critical attack paths that could lead to
the compromise of critical assets or the achievement of attacker objectives. Assess the likelihood
and impact of each attack path to prioritize mitigation efforts.
Mitigation Strategies: Develop and implement mitigation strategies to address the identified
vulnerabilities and disrupt critical attack paths. This may involve applying security controls,
patching vulnerabilities, enhancing configurations, or improving secure coding practices.
Validate and Update: Validate the effectiveness of the mitigation strategies through security testing,
vulnerability assessments, or penetration testing. Regularly update the attack graph as new
vulnerabilities are discovered or as changes are made to the system's architecture.
Document and Communicate: Document the attack graph, including the identified vulnerabilities,
attack paths, and corresponding mitigation strategies. Communicate the findings and
recommendations to relevant stakeholders, such as developers, architects, and security teams.
It's important to note that creating attack graphs manually can be time-consuming and complex,
especially for large and intricate systems. Therefore, leveraging dedicated attack graph modeling
tools can greatly simplify the process and provide more accurate representations of the system's
attack surface.
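As an added example of the construct, analyze and mitigate steps above (it is not from the original notes or from any attack graph tool), the Python below encodes a small constructed attack graph as a list of edges, enumerates every simple attack path from the internet to a database, ranks the paths by their chained likelihood, and asks which single vulnerability fix would leave the weakest remaining graph. The node names, the V1..V6 labels and the likelihoods are placeholders for the example, not real identifiers or measurements.

```python
from collections import defaultdict

# Constructed attack graph. Nodes are attacker footholds; each edge is an
# exploitation step labelled with a placeholder vulnerability label (V1..V6
# are not real identifiers) and an assumed likelihood that the step succeeds.
EDGES = [
    ("internet",    "web_server",  "V1: unpatched web framework",         0.7),
    ("internet",    "vpn_gateway", "V2: weak VPN credentials",            0.3),
    ("web_server",  "app_server",  "V3: reused service account",          0.6),
    ("vpn_gateway", "app_server",  "V4: flat internal network",           0.9),
    ("app_server",  "customer_db", "V5: database accepts unauth access",  0.8),
    ("web_server",  "customer_db", "V6: injectable report query",         0.4),
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, vulnerability, likelihood)]."""
    graph = defaultdict(list)
    for src, dst, vuln, likelihood in edges:
        graph[src].append((dst, vuln, likelihood))
    return graph


def attack_paths(edges, start, target):
    """All simple paths from start to target, most likely first.

    A path's likelihood is the product of its step likelihoods, i.e. every
    step along it has to succeed for the attacker to reach the target.
    """
    graph = build_graph(edges)
    results = []

    def walk(node, visited, vulns, likelihood):
        if node == target:
            results.append({"nodes": list(visited), "vulns": list(vulns),
                            "likelihood": likelihood})
            return
        for nxt, vuln, step_likelihood in graph.get(node, []):
            if nxt in visited:          # simple paths only, no cycles
                continue
            walk(nxt, visited + [nxt], vulns + [vuln], likelihood * step_likelihood)

    walk(start, [start], [], 1.0)
    results.sort(key=lambda r: r["likelihood"], reverse=True)
    return results


def most_likely(edges, start, target):
    """Likelihood of the single most likely path, 0.0 if the target is unreachable."""
    paths = attack_paths(edges, start, target)
    return paths[0]["likelihood"] if paths else 0.0


def best_single_fix(edges, start, target):
    """Which one vulnerability, if fixed, leaves the lowest most-likely path?

    Returns (vulnerability, remaining most-likely path likelihood). Fixing a
    vulnerability removes every edge that depends on it.
    """
    best = None
    for vuln in sorted({edge[2] for edge in edges}):
        remaining = [edge for edge in edges if edge[2] != vuln]
        score = most_likely(remaining, start, target)
        if best is None or score < best[1]:
            best = (vuln, score)
    return best


if __name__ == "__main__":
    for path in attack_paths(EDGES, "internet", "customer_db"):
        print(f"{path['likelihood']:.3f}  {' -> '.join(path['nodes'])}")
    print("best single fix:", best_single_fix(EDGES, "internet", "customer_db"))
```

With these numbers the web framework edge (V1) sits on the two most likely paths, so fixing it lowers the remaining worst case more than fixing the database itself does; that is the kind of prioritisation the analysis step is meant to surface.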
________________________________________________________________________________
Technologies for Security Operations
Technologies for Security Operations refer to the various tools and solutions used by organizations
to detect, prevent, and respond to security threats. These technologies include software and
hardware solutions designed to protect an organization's information systems, networks, and data
from cyber attacks, unauthorized access, and other security risks.
The goal of Security Operations technologies is to provide visibility into an organization's security
posture and to detect and respond to security incidents in a timely and effective manner. These
technologies can include Security Information and Event Management (SIEM), Endpoint Detection
and Response (EDR), Network Traffic Analysis (NTA), Identity and Access Management (IAM),
Threat Intelligence, and Security Orchestration, Automation, and Response (SOAR) tools, among
others.
By leveraging these technologies, organizations can proactively manage their security risks and
respond to threats in a timely and effective manner, reducing the risk of data breaches, theft, and
other security incidents.
Asset Inventory
Asset inventory is a critical component of Security Operations. It involves creating and maintaining
an up-to-date list of all assets, including hardware, software, applications, and data, within an
organization's network. The asset inventory helps security teams to identify and track all assets,
including those that are unauthorized, unmanaged, or obsolete.
Asset inventory can be performed manually or through automated tools that continuously scan the
network for new and existing assets. The inventory should include details such as device type, IP
addresses, operating system, installed software, and location, as well as any other relevant
information that can help security teams to identify and manage assets.
Asset inventory plays an important role in Security Operations in several ways. It helps
organizations to:
Understand their attack surface: By having a comprehensive inventory of all assets, security teams
can understand the scope of their attack surface and assess the level of risk associated with each
asset.
Identify vulnerabilities: By tracking all assets, security teams can identify vulnerabilities and
prioritize patching and other security measures based on the risk level associated with each asset.
Monitor for unauthorized activity: An up-to-date asset inventory can help security teams to
monitor for any unauthorized activity, such as new devices or software installations, and take
appropriate action to prevent security incidents.
Improve incident response: By having a complete view of all assets, security teams can respond
quickly and effectively to security incidents and minimize the impact on the organization.
Network Mapping
Network mapping is an important aspect of Security Operations that involves creating a visual
representation of an organization's network topology. It involves identifying all network devices,
such as routers, switches, firewalls, servers, and endpoints, and mapping their interconnections.
Network mapping is typically performed using automated tools that scan the network and identify
devices and their configurations. The resulting map provides a comprehensive view of the network,
including all devices, their IP addresses, and their connections. This information can be used to
identify potential vulnerabilities, assess the risk of a security incident, and plan for incident
response.
In Security Operations, network mapping serves several purposes, including:
Understanding network topology: By creating a visual representation of the network, security
teams can better understand the organization's network topology, including how devices are
connected and the flow of data.
Identifying potential vulnerabilities: Network mapping can help identify potential vulnerabilities in
the network, such as unsecured devices or open ports that could be exploited by attackers.
Planning for incident response: By understanding the network topology and potential
vulnerabilities, security teams can develop incident response plans that take into account the
specific characteristics of the network.
Improving overall security posture: Network mapping can help organizations identify areas where
security measures may need to be improved, such as strengthening access controls or
implementing more robust network segmentation.
Vulnerability Scanning
Vulnerability scanning is a critical component of Security Operations that involves using automated
tools to scan an organization's network and identify vulnerabilities in its systems, applications, and
devices. The scanning tools perform a comprehensive analysis of the network and identify
potential vulnerabilities, such as unpatched software, misconfigured systems, weak passwords,
and other security weaknesses.
Once the vulnerabilities are identified, security teams can prioritize remediation efforts based on
the severity of the vulnerabilities and their potential impact on the organization's security posture.
Vulnerability scanning can be performed regularly to ensure that the organization's systems remain
secure and to identify new vulnerabilities as they emerge.
Vulnerability scanning is important in Security Operations for several reasons, including:
Identifying vulnerabilities: Vulnerability scanning tools can help identify vulnerabilities in an
organization's systems and applications that could be exploited by attackers to gain unauthorized
access or steal sensitive data.
Prioritizing remediation efforts: Once vulnerabilities are identified, security teams can prioritize
remediation efforts based on the potential impact on the organization's security posture.
Ensuring compliance: Vulnerability scanning can help organizations comply with industry
regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and
the Health Insurance Portability and Accountability Act (HIPAA).
Preventing security incidents: By identifying vulnerabilities and addressing them before they are
exploited, vulnerability scanning can help prevent security incidents and minimize the impact of
any incidents that do occur.
Overall, vulnerability scanning is an important tool in Security Operations that helps organizations
maintain a strong security posture and protect against cyber threats.
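The asset inventory and vulnerability scanning sections above come down to the same data: what we own, how critical it is, and what the scanner found. As an added example (not from the original notes or from any scanning product), the Python below keeps a constructed inventory and a constructed set of scan findings, flags scanned hosts that are missing from the inventory (unmanaged or unauthorized), ranks findings by scanner severity weighted with asset criticality, and diffs two inventory snapshots to surface newly appeared or changed devices. The criticality scale, the severity values and the risk formula are assumptions made for the example.

```python
# Constructed asset inventory: ip -> attributes. Criticality is an assumed
# scale from 1 (low) to 5 (crown jewel) set by the asset owner.
INVENTORY = {
    "10.0.1.10": {"hostname": "db-01",  "owner": "platform", "criticality": 5},
    "10.0.1.20": {"hostname": "web-01", "owner": "platform", "criticality": 4},
    "10.0.2.15": {"hostname": "ws-17",  "owner": "finance",  "criticality": 2},
}

# Constructed scan findings. Severity is a CVSS-style base score from 0 to 10;
# the finding texts are generic descriptions, not real vulnerability ids.
SCAN_FINDINGS = [
    {"ip": "10.0.1.20", "port": 443,  "finding": "outdated TLS library",        "severity": 7.5},
    {"ip": "10.0.1.10", "port": 5432, "finding": "database default credentials", "severity": 9.8},
    {"ip": "10.0.2.15", "port": 445,  "finding": "SMB signing disabled",         "severity": 5.3},
    {"ip": "10.0.2.99", "port": 22,   "finding": "SSH weak ciphers",             "severity": 4.0},
]

# Constructed later snapshot from the automated discovery scan: one device
# appeared that nobody registered, and one workstation changed owner.
NEW_SNAPSHOT = {ip: dict(attrs) for ip, attrs in INVENTORY.items()}
NEW_SNAPSHOT["10.0.2.99"] = {"hostname": "unknown", "owner": "", "criticality": 3}
NEW_SNAPSHOT["10.0.2.15"]["owner"] = "hr"


def unknown_hosts(findings, inventory):
    """Hosts the scanner saw that the inventory does not know about."""
    return sorted({f["ip"] for f in findings if f["ip"] not in inventory})


def prioritize_findings(findings, inventory, default_criticality=3):
    """Rank findings by severity x asset criticality, highest risk first.

    Unknown hosts get default_criticality so they are not silently ranked
    last just because nobody has classified them yet.
    """
    ranked = []
    for finding in findings:
        asset = inventory.get(finding["ip"])
        criticality = asset["criticality"] if asset else default_criticality
        ranked.append({
            **finding,
            "hostname": asset["hostname"] if asset else "UNKNOWN",
            "criticality": criticality,
            "risk": round(finding["severity"] * criticality, 1),
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


def inventory_diff(old, new):
    """Devices that appeared, disappeared, or changed between two snapshots."""
    old_ips, new_ips = set(old), set(new)
    return {
        "added": sorted(new_ips - old_ips),
        "removed": sorted(old_ips - new_ips),
        "changed": sorted(ip for ip in old_ips & new_ips if old[ip] != new[ip]),
    }


if __name__ == "__main__":
    print("not in inventory:", unknown_hosts(SCAN_FINDINGS, INVENTORY))
    for row in prioritize_findings(SCAN_FINDINGS, INVENTORY):
        print(f"{row['risk']:5.1f}  {row['hostname']:8}  {row['finding']}")
    print("snapshot diff:", inventory_diff(INVENTORY, NEW_SNAPSHOT))
```

Note how the unclassified host 10.0.2.99 outranks the finance workstation despite a lower scanner severity: until someone records what it is, the inventory gap itself is part of the risk.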
Network Monitoring
Network monitoring is a critical component of Security Operations that involves using tools and
techniques to monitor an organization's network for unusual or suspicious activity. This includes
monitoring network traffic, system logs, and other sources of data to identify potential security
incidents and threats.
The goal of network monitoring is to detect security incidents in real-time or near real-time and
respond quickly to mitigate the impact of any potential attack. Network monitoring can be
performed using a variety of tools, including intrusion detection systems (IDS), security information
and event management (SIEM) systems, and network traffic analysis (NTA) tools.
In Security Operations, network monitoring serves several purposes, including:
Identifying potential threats
Responding quickly to security incidents
Preventing data loss
Improving overall security posture
Network monitoring is an important tool in Security Operations that helps organizations maintain a
strong security posture and protect against cyber threats. By detecting and responding to security
incidents in real-time or near real-time, organizations can minimize the impact of attacks and
prevent further damage.
Host Monitoring and Defence
Host monitoring and defence is a critical aspect of Security Operations that involves monitoring
individual systems or hosts for suspicious activity and taking action to defend against potential
attacks. This includes monitoring system logs, configuration settings, and user activity to identify
potential security incidents and threats.
The goal of host monitoring and defence is to detect security incidents at the host level and
respond quickly to mitigate the impact of any potential attack. Host monitoring and defence can be
performed using a variety of tools, including endpoint detection and response (EDR) systems,
antivirus software, and host-based intrusion detection systems (HIDS).
In Security Operations, host monitoring and defence serves several purposes, including:
Detecting potential threats
Responding quickly to security incidents
Preventing data loss
Improving overall security posture
Overall, host monitoring and defence is an important tool in Security Operations that helps
organizations maintain a strong security posture and protect against cyber threats. By detecting
and responding to security incidents at the host level, organizations can minimize the impact of
attacks and prevent further damage.
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) is a technology solution that enables
organizations to collect, analyse, and manage security-related data from various sources in real-
time. SIEM is used to identify and respond to security threats and incidents by providing a
comprehensive view of an organization's security posture.
SIEM solutions typically collect data from multiple sources, such as network devices, servers,
endpoints, and applications, and correlate this data to identify potential security incidents. This
data is then analysed using various techniques, such as anomaly detection, machine learning, and
behavioural analysis, to identify patterns and anomalies that could indicate a security threat.
SIEM solutions provide several key benefits, including:
Centralized security monitoring: SIEM solutions provide a centralized view of an organization's
security posture, allowing security teams to monitor and manage security events from a single
location.
Real-time threat detection: SIEM solutions can detect security incidents in real-time or near real-
time, allowing security teams to respond quickly and effectively to mitigate the impact of an attack.
Compliance management: SIEM solutions can help organizations comply with industry regulations
and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the
General Data Protection Regulation (GDPR).
Forensic investigation: SIEM solutions can provide detailed logs and reports that can be used for
forensic investigation and post-incident analysis.
SIEM is an important tool in Security Operations that helps organizations maintain a strong security
posture and protect against cyber threats. By providing a centralized view of an organization's
security posture and detecting potential security incidents in real-time, SIEM solutions enable
security teams to respond quickly and effectively to mitigate the impact of an attack.
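As an added example of the cross-source correlation a SIEM performs (not from the original notes or from any SIEM product), the Python below normalises two constructed feeds, JSON lines from an endpoint agent and key=value lines from a network sensor, into one event shape and raises an alert when a host that just had a new service installed opens a connection to an address outside the internal ranges within a short window. The event formats, the internal address ranges and the 10-minute window are assumptions made for the example.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Constructed endpoint feed (JSON lines); not real EDR output.
ENDPOINT_EVENTS = """\
{"time": "2024-05-01T09:00:00", "host": "ws-17", "event": "process_start", "image": "C:/Windows/System32/notepad.exe"}
{"time": "2024-05-01T09:05:00", "host": "ws-17", "event": "service_installed", "image": "C:/Users/Public/svc.exe"}
{"time": "2024-05-01T09:30:00", "host": "ws-04", "event": "service_installed", "image": "C:/Program Files/Backup/agent.exe"}
"""

# Constructed network feed (key=value lines); not real sensor output.
NETWORK_EVENTS = """\
2024-05-01T09:05:40 host=ws-17 dst=203.0.113.7 dport=443 bytes_out=120000
2024-05-01T09:06:10 host=ws-17 dst=10.0.0.5 dport=445 bytes_out=2000
2024-05-01T09:31:00 host=ws-04 dst=10.0.0.9 dport=443 bytes_out=500
"""

# Assumed internal ranges, listed explicitly rather than relying on
# ip_address(...).is_private, which also counts documentation ranges such as
# 203.0.113.0/24 as private and would hide the sample external address.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

NET_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def normalise_endpoint(text):
    """Endpoint JSON lines -> common event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": datetime.fromisoformat(rec["time"]), "host": rec["host"],
                       "source": "endpoint", "kind": rec["event"], "detail": rec["image"]})
    return events


def normalise_network(text):
    """Network key=value lines -> common event dicts (unparseable lines skipped)."""
    events = []
    for line in text.splitlines():
        match = NET_RE.match(line.strip())
        if not match:
            continue
        events.append({"ts": datetime.fromisoformat(match["ts"]), "host": match["host"],
                       "source": "network", "kind": "connection", "dst": match["dst"],
                       "dport": int(match["dport"]), "bytes_out": int(match["bytes"])})
    return events


def correlate(endpoint_events, network_events, window_minutes=10):
    """Service installed on a host, followed within the window by a connection
    from the same host to an external address. Neither event alone is alarming;
    the pair, ordered and close in time, is what the rule keys on."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ep in endpoint_events:
        if ep["kind"] != "service_installed":
            continue
        for net in network_events:
            if net["host"] != ep["host"]:
                continue
            if not ep["ts"] <= net["ts"] <= ep["ts"] + window:
                continue
            if not is_external(net["dst"]):
                continue
            alerts.append({"host": ep["host"], "service_image": ep["detail"],
                           "dst": net["dst"], "dport": net["dport"],
                           "seconds_after_install": int((net["ts"] - ep["ts"]).total_seconds())})
    return alerts


def run():
    return correlate(normalise_endpoint(ENDPOINT_EVENTS), normalise_network(NETWORK_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The normalisation step is the unglamorous part that makes the rule possible: once both feeds share the same ts and host fields, the correlation is a simple join on host and time.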
Incident Response (IR)
Incident Response (IR) is a structured process for responding to and managing security incidents,
such as cyberattacks or data breaches. IR involves a coordinated approach to detecting, containing,
and mitigating the impact of security incidents to minimize damage to an organization.
The goal of Incident Response is to minimize the impact of security incidents by quickly detecting
and responding to them, containing the damage caused, and restoring normal operations as soon
as possible. IR typically involves the following phases:
Preparation: This phase involves establishing incident response plans and procedures, identifying
key stakeholders and team members, and establishing communication channels and protocols.
Detection and analysis: This phase involves detecting security incidents and analyzing their scope
and impact. This may involve monitoring network traffic, reviewing system logs, and performing
forensic analysis.
Containment, eradication, and recovery: This phase involves containing the spread of the security
incident, eradicating the threat, and restoring normal operations as soon as possible.
Post-incident analysis: This phase involves reviewing the incident response process and identifying
areas for improvement. This may involve conducting a post-incident review, updating incident
response plans and procedures, and providing training to team members.
Incident Response is a critical aspect of Security Operations and is essential for protecting an
organization's assets and data. By establishing incident response plans and procedures, and
conducting regular training and exercises, organizations can prepare for potential security incidents
and respond quickly and effectively to minimize the impact of any attacks.