Hands-on Lab: Using Security Onion 2.3, CyberChef, and OSINT

Whitman and Mattord, Principles of Incident Response and Disaster Recovery, Third Edition, 2022, 978-0-357-508329; Module 5: Incident Response: Organizing and Preparing the CSIRT

Table of Contents
  • Objective
  • Estimated Completion Time
  • Materials Required
  • Introduction
  • Using the Security Onion Console
  • Using CyberChef
  • Data Enrichment with Open-Source Intelligence (OSINT)
  • Common Vulnerabilities and Exposure (CVE) List
  • National Vulnerability Database (NVD)
  • VirusTotal
  • RiskIQ Community

Objective

Upon completion of this activity, you will be able to use and understand the Security Onion console, the CyberChef utility, and some popular open-source intelligence tools.

Estimated Completion Time

If you are prepared, you should be able to complete this lab in 35 to 45 minutes.

Materials Required

Completion of this lab requires the following software to be installed and configured on your workstation:
  • Microsoft Windows 10, or another operating system version as specified by the lab instructor
  • VMware Workstation 16 Player (or newer version) from www.vmware.com/products/workstation-player.html
  • An installed virtual machine with Security Onion Analyst Workstation (Security Onion 2.3+); if you performed the lab in the Module 4 lab, this software has already been installed
  • The supporting file PIRDR3_LAB 05_CyberChef.txt, which is provided with this lab
Introduction

Security Onion comes with several tools that analysts might find useful during incident response. In the first part of this lab, you will tour the Security Onion console, learn about tools and information that can assist analysts, and learn about some tools that are not installed in the Analyst Workstation version of Security Onion. In later sections of this lab, you will learn about the CyberChef utility and several open-source intelligence tools.

Using the Security Onion Console
  1. Log in to the Security Onion console on a local desktop. Locate the primary tools in Security Onion by clicking the Applications menu and highlighting Internet. You see options for accessing the Chromium Web browser, Network Miner, and Wireshark, as shown in Figure 5-1.
Figure 5-1 Location of Security Onion tools in the GUI
  2. Click Chromium Web Browser in the menu. In the browser address bar, enter https://<your-IP-address>, where <your-IP-address> is the address assigned during installation. You should see a warning that the connection is not private.
  3. Click the Advanced button and then click Proceed to unsafe.
  4. When the login page appears, enter the e-mail address and password you used in the Module 4 lab. After you enter the required information, the Security Onion console appears, as shown in Figure 5-2.
Figure 5-2 Security Onion console overview
  5. Examine the console interface.
  • The menu on the left side of the console includes several options for system administration and a list of available tools.
  • The upper-right corner of the console includes a user icon, which you can click to change a password, customize the interface, and access documentation for help, among other things.
  6. Click the user icon and then click Cheat Sheet, as shown in Figure 5-3. A PDF is downloaded to the local system to provide a reference. Another menu option allows you to access the Security Onion blog. The menu options under the user icon are go-to resources if you have issues or questions.
Figure 5-3 Security Onion user menu
  7. Because you installed the Analyst Workstation version of Security Onion 2.3 in the Module 4 lab, several of the tools available in a full installation are absent in order to minimize space and load. This step provides a brief overview of some of the missing tools to give you a more comprehensive view of Security Onion's capabilities.
Note: If you click any of the tools mentioned in this step, you will get a 404 Not Found error because the tools were not installed with your version. If you want to skip this overview of Security Onion's additional capabilities, go to the next section, Using CyberChef.
  • Grafana provides an overview of Security Onion's system health. In a distributed deployment, Grafana opens to the Manager dashboard, but there are dashboards for all components. If an organization suspects a problem with some area of the Security Onion deployment, Grafana is the place to check, as shown in Figure 5-4.
Figure 5-4 Grafana management console
  • The Playbook is a Web application that allows creation of a detection strategy from a detection playbook made up of individual plays. These predefined plays can be updated and customized for an organization's environment. Plays consist of objectives, context for what an organization is trying to detect (and why), and follow-up actions required for validation and remediation.
  • Fleet is a Web-based console tool that uses the osquery operating system framework to survey an entire environment from a single machine (see Figure 5-5). Fleet also provides custom osquery packages that are generated during setup. Fleet gives security analysts greater visibility into an endpoint system.
Figure 5-5 Fleet console showing initial Security Onion system installed
Figure 5-6 shows an example of the Fleet queries generated during Security Onion setup.
Figure 5-6 Example queries created in Fleet
  • The Hive is a free, scalable, open-source platform for security incident response that is tightly integrated with MISP (Malware Information Sharing Platform). The Hive is designed to make life easier for security practitioners who need to investigate incidents and act on them swiftly. As a security analyst is working in the Alerts, Hunt, or Kibana area of Security Onion, anything notable can be escalated to the Hive for documentation and tracking to resolution. In Figure 5-7, an analyst has escalated an alert and sent it to the Hive by clicking the blue exclamation point.
Figure 5-7 Alerts console showing the escalation bell for an alert

The Hive presents indicators of compromise (IoCs) associated with a security event. Associated file hashes, domains, and filenames are available for reference and hunting. This information can also be added to the Playbook for detection. The need for documentation is critical in the field of information security. The Hive can be very useful for setting up and tracking threat hunts as well as standard digital forensics and incident response.

The preceding steps provided a quick tour of the Security Onion console and showed you a few of the tools that are missing from the Analyst Workstation configuration. The next portion of this lab discusses the CyberChef utility.

Using CyberChef
  1. On the left side of the Security Onion console, click CyberChef under Tools. CyberChef opens in a new Chromium tab, as shown in Figure 5-8.
Figure 5-8 CyberChef console

As you can read at the CyberChef GitHub site (https://github.com/gchq/CyberChef), CyberChef is a simple, intuitive Web app for carrying out all manner of cyber operations within a Web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hex dumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
  2. Take a look at the CyberChef interface.
  • The Operations menu on the left includes various data transforms available to try to de-obfuscate different types of information.
  • The center of the window contains a Recipe pane where analysts can drag an operation from the left menu to build a recipe. You will see how this works in the following steps.
  • Anything of interest to the analyst goes into the Input pane.
  • The recipe that you build performs the operation on the input data and gives the result in the Output pane.
  3. Open the text document PIRDR3_LAB 05_CyberChef.txt using a text editor of your choice, such as Notepad. You should see several variations of encoding for use in CyberChef.
  4. Copy and paste line 1 of the text from the text file into the Input pane. This line includes everything from the beginning of the file to the double equal signs (==). Under Favourites in the left menu, drag the From Base64 operation into the Recipe pane. Examine the resulting text.
  5. Click the clear recipe button (which looks like a trash can) at the top of the Recipe pane to remove the From Base64 operation.
  6. Copy and paste the second line of text from the text file into the Input pane. Next, drag the From Hex operation from the left menu into the Recipe pane. Examine the resulting text.
  7. Click the clear recipe button to remove the From Hex operation from the Recipe pane.
  8. Copy and paste the third line of text from the text file into the Input pane. Scroll down the Operations menu to the Encryption/Encoding submenu, find the ROT13 operation, and drag it into the Recipe pane. Examine the resulting text.
  9. Click the clear recipe button to remove the ROT13 operation from the Recipe pane.
  10. Copy and paste the fourth line of text from the text file into the Input pane. Under the Encryption/Encoding submenu, find the XOR Brute Force operation and drag it into the Recipe pane.
This operation attempts a brute force attack on XOR data until it finds a key that generates human-readable content. In Figure 5-9, a key value of 13 generates readable text, but the actual key value is 33. Clear the recipe when you finish.
Figure 5-9 CyberChef output from brute force XOR attack
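The decoding operations used in the steps above (From Base64, From Hex, ROT13 and XOR Brute Force), plus the From Morse Code operation that a later step uses, re-created in plain Python. This is an added example; it is neither part of the lab nor CyberChef's own code, and the sample inputs are constructed here because the lab's PIRDR3_LAB 05_CyberChef.txt file is not reproduced on this page. The point it adds to the text is why a brute-force XOR needs more than a "does it look printable?" check: several keys produce printable output (the lab's Figure 5-9 shows key 13 looking readable while the real key is 33), so the candidates are scored by how English-like they are and the highest score is reported first. The Morse decoder assumes spaces between letters and "/" between words; CyberChef lets you set both delimiters to match your input.

```python
"""Re-creating this lab's CyberChef recipes in plain Python (added example)."""
import base64
import codecs
import string
from typing import NamedTuple

# Constructed sample inputs; they stand in for the lines of PIRDR3_LAB 05_CyberChef.txt,
# which is not reproduced on this page. The plaintext of each is given in the comment.
SAMPLE_BASE64 = "U2VjdXJpdHkgT25pb24="                        # "Security Onion"
SAMPLE_HEX = "4353495254"                                    # "CSIRT"
SAMPLE_ROT13 = "Uryyb Jbeyq"                                 # "Hello World"
SAMPLE_XOR_HEX = "624e4f5540484f0155494401484f424845444f55"  # "Contain the incident" XOR 0x21
SAMPLE_MORSE = "-.-. ... .. .-. - / .-. . .- -.. -.--"       # "CSIRT READY"


def from_base64(text: str) -> str:
    """From Base64 with the standard alphabet and '=' padding."""
    return base64.b64decode(text).decode("utf-8")


def from_hex(text: str) -> str:
    """From Hex; any whitespace between byte pairs is ignored."""
    return bytes.fromhex("".join(text.split())).decode("utf-8")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")


# Relative frequency of characters in English prose. Space is the commonest symbol
# and is what separates a real sentence from a near miss with the letters shifted.
ENGLISH_FREQ = {
    " ": 0.130, "e": 0.127, "t": 0.091, "a": 0.082, "o": 0.075, "i": 0.070,
    "n": 0.067, "s": 0.063, "h": 0.061, "r": 0.060, "d": 0.043, "l": 0.040,
    "u": 0.028, "c": 0.028, "m": 0.024, "w": 0.024, "f": 0.022, "g": 0.020,
    "y": 0.020, "p": 0.019, "b": 0.015, "v": 0.010, "k": 0.008, "j": 0.002,
    "x": 0.002, "q": 0.001, "z": 0.001,
}


class Candidate(NamedTuple):
    key: int
    plaintext: str
    score: float


def english_score(data: bytes) -> float:
    """Higher means more English-like; control bytes are penalized heavily."""
    score = 0.0
    for b in data:
        ch = chr(b)
        if ch.lower() in ENGLISH_FREQ:
            score += ENGLISH_FREQ[ch.lower()]
        elif ch not in string.printable:
            score -= 1.0
    return score


def printable_keys(data: bytes) -> list[int]:
    """Keys that a naive 'is every byte printable?' filter would accept."""
    return [k for k in range(256)
            if all(chr(b ^ k) in string.printable for b in data)]


def xor_brute_force(data: bytes, top: int = 3) -> list[Candidate]:
    """Try all 256 single-byte keys and rank the outputs by English likeness."""
    candidates = []
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        candidates.append(Candidate(key, plain.decode("latin-1"), english_score(plain)))
    candidates.sort(key=lambda c: c.score, reverse=True)
    return candidates[:top]


MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
    "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
    "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
    "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z", "-----": "0",
    ".----": "1", "..---": "2", "...--": "3", "....-": "4", ".....": "5", "-....": "6",
    "--...": "7", "---..": "8", "----.": "9",
}


def from_morse(text: str) -> str:
    """Letters separated by spaces, words by '/' (assumed convention); unknown symbols become '?'."""
    words = ["".join(MORSE.get(sym, "?") for sym in word.split()) for word in text.split("/")]
    return " ".join(words)


if __name__ == "__main__":
    print("Base64 :", from_base64(SAMPLE_BASE64))
    print("Hex    :", from_hex(SAMPLE_HEX))
    print("ROT13  :", rot13(SAMPLE_ROT13))
    print("Morse  :", from_morse(SAMPLE_MORSE))
    xor_data = bytes.fromhex(SAMPLE_XOR_HEX)
    print("keys passing a printable-only filter:", len(printable_keys(xor_data)))
    for c in xor_brute_force(xor_data):
        print(f"key {c.key:3d} (0x{c.key:02x}) score {c.score:.3f}: {c.plaintext!r}")
```

Run it and compare the ranked XOR candidates with the printable-key count: the filter alone admits several keys, which is exactly the situation the lab's Figure 5-9 shows, while frequency scoring puts key 0x21 (33) at the top.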
  11. Copy and paste the fifth line of text into the Input pane. Under Favourites in the left menu, drag the From Morse Code operation into the Recipe pane. What is the resulting output? Clear the recipe when you finish.
_____________________________________________
  12. Copy and paste the sixth line of text into the Input pane. What did you use to decode it and what was the output? Clear the recipe when you finish.
_____________________________________________
  13. Copy and paste the seventh line of text into the Input pane. Under Favourites in the left menu, drag the XOR Brute Force operation into the Recipe pane. What is the key and resulting plaintext output?
_____________________________________________

The preceding steps showed you how to use the Security Onion console and the CyberChef utility. The last portion of this lab discusses some basic open-source intelligence (OSINT) tools that will help you with future labs.

Data Enrichment with Open-Source Intelligence (OSINT)

Data enrichment is the process of enhancing an organization's collected data with additional relevant information, usually from external open or closed sources. This section briefly covers a few of the basic OSINT Web sites used in the security analyst community.

Common Vulnerabilities and Exposure (CVE) List

The CVE is a searchable list of publicly known cybersecurity vulnerabilities. When a new vulnerability is released and has a CVE number, an analyst can obtain more information about that vulnerability. In some cases, little information is released until a patch is available.
  1. Open a Web browser on the local desktop or the analyst workstation and navigate to https://cve.mitre.org/.
  2. Click Search CVE list, enter CVE number CVE-2020-3693, and then click Submit. Click the link on the left side of the window that appears. With which company is this CVE entry registered? When was the listing created?
______________________________________________
  3. Next to the CVE number in the heading is a link to the National Vulnerability Database (NVD). Right-click the link and select Open link in new tab. Your results should look similar to those in Figure 5-10.
Figure 5-10 CVE Web site showing NVD link

National Vulnerability Database (NVD)

The NVD is an excellent source of information for security analysts. As you can read at the NVD Web site (https://nvd.nist.gov), "The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics."

VirusTotal

Another valuable OSINT tool is VirusTotal at https://virustotal.com. It is a go-to research source for file hashes, domains, and IP addresses associated with malicious actions. The large amount of content submitted to VirusTotal and its available open services makes it a standard in the security community. As you can read at the Web site, VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public Web interface, desktop uploaders, browser extensions, and a programmatic API.

RiskIQ Community

RiskIQ Community is an excellent portal for data enrichment. It provides historical Passive DNS (PDNS) as well as other OSINT data from several known sources, including VirusTotal. RiskIQ Community (https://community.riskiq.com) brings petabytes of Internet intelligence directly to your fingertips. Investigate threats by pivoting through attacker infrastructure data. Understand your digital assets that are Internet-exposed, and map and monitor your external attack surface.
  1. Follow the procedures at the site to establish an individual account with RiskIQ Community. For example, you can do so using a Gmail e-mail account address. You will use RiskIQ Community in several of the upcoming labs.
  2. Log off and shut down your system when you are finished.
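The OSINT sites above are looked up by hand in this lab, but an analyst enriching more than a handful of indicators usually normalizes them first: CVE numbers go to the CVE list and NVD, file hashes, IP addresses and domains go to VirusTotal. The script below is an added example (not part of the lab, and not code from any of the sites named) that refangs indicators as they are commonly shared ("hxxp", "[.]"), classifies them, and builds the reference URL for the matching source. The sample indicators are constructed except for CVE-2020-3693, which is the CVE this lab uses; the cve.mitre.org and nvd.nist.gov detail-page paths are the ones the lab's own steps lead to, and the VirusTotal "gui" paths are an assumption about its public Web interface that you should confirm against the site.

```python
"""Classify and refang indicators before enrichment (added example)."""
import ipaddress
import re
from typing import NamedTuple


class Indicator(NamedTuple):
    kind: str    # "cve", "md5", "sha1", "sha256", "ipv4", "ipv6", "domain" or "unknown"
    value: str   # refanged and normalized form


CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(raw: str) -> str:
    """Undo the common 'hxxp://' and '[.]' defanging and keep only the host part."""
    value = raw.strip()
    value = re.sub(r"^(hxxps?|https?)://", "", value, flags=re.IGNORECASE)
    value = value.replace("[.]", ".").replace("(.)", ".")
    return value.split("/")[0]


def classify(raw: str) -> Indicator:
    """Decide what kind of indicator a string is; order matters (CVE, hash, IP, domain)."""
    value = refang(raw)
    if CVE_RE.match(value):
        return Indicator("cve", value.upper())
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return Indicator(HASH_LENGTHS[len(value)], value.lower())
    try:
        addr = ipaddress.ip_address(value)      # validates octets/groups, not just shape
        return Indicator(f"ipv{addr.version}", str(addr))
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return Indicator("domain", value.lower())
    return Indicator("unknown", value)


def enrichment_links(ind: Indicator) -> dict[str, str]:
    """Reference pages on the sources this lab introduces, keyed by source name."""
    links: dict[str, str] = {}
    if ind.kind == "cve":
        links["CVE list"] = f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={ind.value}"
        links["NVD"] = f"https://nvd.nist.gov/vuln/detail/{ind.value}"
    elif ind.kind in ("md5", "sha1", "sha256"):
        links["VirusTotal"] = f"https://www.virustotal.com/gui/file/{ind.value}"   # assumed path
    elif ind.kind in ("ipv4", "ipv6"):
        links["VirusTotal"] = f"https://www.virustotal.com/gui/ip-address/{ind.value}"  # assumed path
    elif ind.kind == "domain":
        links["VirusTotal"] = f"https://www.virustotal.com/gui/domain/{ind.value}"  # assumed path
    return links


# Constructed sample list, as an analyst might paste it from a ticket.
SAMPLE_INDICATORS = [
    "CVE-2020-3693",                                  # the CVE used in this lab
    "hxxp://malicious-example[.]test/login.php",      # constructed; .test is a reserved TLD
    "198[.]51[.]100[.]23",                            # constructed; TEST-NET-2 documentation range
    "d41d8cd98f00b204e9800998ecf8427e",               # MD5 of the empty string
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of the empty string
    "not an indicator",
]


def enrich_all(raw_indicators: list[str]) -> list[tuple[Indicator, dict[str, str]]]:
    """Classify every indicator and pair it with its lookup links."""
    return [(ind, enrichment_links(ind)) for ind in map(classify, raw_indicators)]


if __name__ == "__main__":
    for ind, links in enrich_all(SAMPLE_INDICATORS):
        print(f"{ind.kind:8s} {ind.value}")
        for source, url in links.items():
            print(f"    {source}: {url}")
```

Unknown strings are kept rather than dropped so that nothing pasted by an analyst silently disappears; in a real workflow the "unknown" bucket is what you review by hand.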