Hey guys,
If you haven’t read the previous articles here they are:-
Apologies for the delay since the last post; I have had to do some mandatory MITRE ATT&CK training at work, which has been a bit of a break, but now I am back to the EC-Council Certified Incident Handler course.
Since finishing the labs in module one I have worked through the book AND the six labs that it entails.
Module two covers eight subsections, in which we went over the complete Incident Handling and Response (IH&R) process that organizations must implement to face, fight, and prevent different types of attacks.
The module offers brief details about the process of determining the need for an IH&R process and the future course of action for establishing, managing, and strengthening IR capabilities.
This module also sheds light on the process of preparation by explaining the methods necessary for implementing an effective IR plan, using a ticketing system, and classifying and prioritizing incidents with a structured approach.
It also clarifies the processes involved in analysing incident indicators, containing and eradicating incidents, gathering evidence, conducting forensic investigations into incidents, and the post-incident activities that can help organizations to improve their defences against and responses to future attacks.
The module was good, not as dry as I had expected it to be, which was nice.
Module 2 Labs:-
Lab 1:-
Implementing Policies Using Group Policy Management Console
The Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.
This was a good refresher for me; I worked as a server engineer, so I didn’t learn anything new, but it was still enjoyable in the context of the course.
Lab 2:-
Detecting Missing Security Patches Using MBSA on Windows
MBSA is used to identify missing security updates and common security misconfigurations.
Microsoft Baseline Security Analyzer (MBSA) is a software tool that helps determine the security of your Windows computer based on Microsoft’s security recommendations. MBSA can be used to improve your security management process by analysing a computer or a group of computers and detecting missing patches/updates and common security misconfigurations. After you run a MBSA scan, the tool will provide you with specific suggestions for remediating security vulnerabilities.
I had never used it before, so it was good to give it a go.
Lab 3:-
Conducting Security Checks Using buck-security on Linux
Buck-security is a collection of security checks for Linux.
Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux system. This enables you to quickly overview the security status of your Linux system.
As a system administrator you often get into situations where you must take care of a server that has been maintained by other people before. In this situation it is useful to get an idea of the security status of the system immediately. Buck Security was designed exactly for this. It runs a few important checks and returns the results. It was designed to be extremely easy to install, use and configure.
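To show the kind of check a tool like buck-security runs, here is an added example of my own (not buck-security's code, and not from the course): a few account and file-permission checks over constructed /etc/passwd and /etc/shadow samples, plus a scan for world-writable files in a throwaway directory. The account names and hashes are made up for the demo.

```python
"""Minimal buck-security-style checks: extra UID 0 accounts, duplicate UIDs,
empty password fields and world-writable files. Added example, not course code."""
import os
import stat
import tempfile

# Constructed sample of /etc/passwd (hypothetical accounts, not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0:extra uid 0:/home/backdoor:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
"""

# Constructed sample of /etc/shadow. "!" or "*" locks the account; an empty
# second field means the account can log in with no password at all.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
backdoor::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
carol:$6$saltsalt$hashhashhash:19000:0:99999:7:::
"""


def uid_zero_accounts(passwd_text):
    """Return accounts other than root that carry UID 0 (full root privileges)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def duplicate_uids(passwd_text):
    """Return {uid: [names]} for every UID shared by more than one account."""
    seen = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            seen.setdefault(fields[2], []).append(fields[0])
    return {uid: names for uid, names in seen.items() if len(names) > 1}


def empty_password_accounts(shadow_text):
    """Return accounts whose shadow password field is empty."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            hits.append(fields[0])
    return hits


def find_world_writable(root):
    """Walk `root` and return relative paths of regular files writable by 'other'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo_world_writable():
    """Build a throwaway directory with one world-writable file and scan it."""
    root = tempfile.mkdtemp(prefix="bucklike-")
    safe = os.path.join(root, "safe.conf")
    loose = os.path.join(root, "loose.sh")
    for path in (safe, loose):
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
    os.chmod(safe, 0o644)
    os.chmod(loose, 0o666)  # world-writable: any local user can alter it
    return find_world_writable(root)


if __name__ == "__main__":
    print("UID 0 accounts besides root:", uid_zero_accounts(SAMPLE_PASSWD))
    print("duplicate UIDs:", duplicate_uids(SAMPLE_PASSWD))
    print("accounts with empty password:", empty_password_accounts(SAMPLE_SHADOW))
    print("world-writable files:", demo_world_writable())
```

On a real host you would read the live /etc/passwd and /etc/shadow (the latter needs root) and point `find_world_writable` at /etc or /usr/local/bin; each non-empty result is a finding to explain or fix before you trust the box.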
Lab 4:-
Configuring Syslog Server for Log Review and Audit
Syslog is a data logging service that enables network devices such as routers, switches, firewalls, printers, and web servers to send and store events and information on a logging server.
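Because the lab is about receiving and reviewing syslog, here is an added example of my own (not the lab's configuration) showing what a logging server actually does with each datagram: decode the `<PRI>` header into facility and severity (PRI = facility * 8 + severity) and keep the record. The loopback demo binds a UDP listener on 127.0.0.1 and sends it two constructed messages; the hostnames and message text are made up.

```python
"""Tiny RFC 3164-style syslog receiver and parser. Added example, not lab config."""
import re
import socket
import threading

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Split '<PRI>rest' into facility, severity and the remaining text.
    PRI = facility * 8 + severity, so divmod recovers both numbers."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header: %r" % datagram[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "message": m.group(2).strip()}


class SyslogCollector:
    """UDP listener that parses each datagram and appends it to an in-memory list.
    A real server writes to disk or forwards to a SIEM; the list keeps this runnable."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free port
        self.port = self.sock.getsockname()[1]
        self.records = []

    def serve(self, count):
        """Receive `count` datagrams, parse them, record the sender, then close."""
        for _ in range(count):
            data, peer = self.sock.recvfrom(4096)
            record = parse_syslog(data.decode("utf-8", errors="replace"))
            record["source"] = peer[0]
            self.records.append(record)
        self.sock.close()


def send_syslog(port, facility, severity, text, host="127.0.0.1"):
    """Emit one syslog datagram the way a router, firewall or daemon would."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(("<%d>%s" % (pri, text)).encode(), (host, port))


def demo_loopback():
    """Start a collector, send it two constructed messages, return what it stored."""
    collector = SyslogCollector()
    worker = threading.Thread(target=collector.serve, args=(2,), daemon=True)
    worker.start()
    send_syslog(collector.port, "auth", "crit",
                "Oct 11 22:14:15 fw01 sshd[1234]: constructed sample: failed password")
    send_syslog(collector.port, "local0", "info",
                "Oct 11 22:14:16 sw01 constructed sample: port 3 link up")
    worker.join(timeout=5)
    return collector.records


if __name__ == "__main__":
    for rec in demo_loopback():
        print(rec)
```

The `auth`/`crit` record is the one a reviewer would pull out first; a production collector would write each line to a per-host file and rotate it, which is exactly what the lab's syslog server configuration sets up.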
Lab 5:-
Remote Log Capture Using Splunk Universal Forwarder
Splunk Light is a tool for collecting, monitoring, and analysing log files from servers, applications, or other sources.
I use Splunk at work and have only just been getting my head around it after doing some rooms on TryHackMe, so anything to do with Splunk from an Incident Response point of view is great to learn.
Lab 6:-
Working with Incident Tickets in OSSIM
OSSIM (Open-Source Security Information Management) is an open source security information and event management system.
As a SIEM system, OSSIM is intended to give security analysts and administrators a more complete view of all the security-related aspects of their system. It combines log management (which can be extended with plugins) and asset management and discovery with information from dedicated information security controls and detection systems. This information is then correlated to create context that is not visible from any one piece alone. Alarm and availability views along with reporting capabilities are provided to enhance the capabilities of the tool and its utility to security and systems engineers.
OSSIM performs these functions using other well-known open-source software security components, unifying them under a single browser-based user interface. The interface provides graphical analysis tools for information collected from the underlying open-source software component (many of which are command line only tools that otherwise log only to a plain text file) and allows centralized management of configuration options.
The software is distributed freely under the GNU General Public License. Unlike the individual components, which may be installed onto an existing system, OSSIM is distributed as an installable ISO image designed to be deployed to a physical or virtual host as the core operating system of that host. OSSIM is built using Debian as its underlying operating system. Because this core platform is open, additional components and abilities may be added and extended by security administrators using standard packages and scripting as needed.
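The point about correlation (context that no single log shows on its own) is easier to see in code, so here is an added example of my own, not OSSIM's correlation engine: two rules run over constructed events that have already been normalised from an SSH log and a firewall log. Rule one raises an alarm when a successful login follows a burst of failures from the same source address; rule two escalates when the host flagged by rule one then makes an outbound connection. The IP addresses, hosts and user names are made up.

```python
"""Toy SIEM correlation across two log sources. Added example, not OSSIM code."""
from collections import defaultdict, deque

# Constructed, already-normalised events from two sources; ts is seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "source": "sshd", "type": "login_failed", "src_ip": "203.0.113.5", "host": "web01"},
    {"ts": 101, "source": "sshd", "type": "login_failed", "src_ip": "203.0.113.5", "host": "web01"},
    {"ts": 102, "source": "sshd", "type": "login_failed", "src_ip": "203.0.113.5", "host": "web01"},
    {"ts": 103, "source": "sshd", "type": "login_failed", "src_ip": "203.0.113.5", "host": "web01"},
    {"ts": 104, "source": "sshd", "type": "login_failed", "src_ip": "203.0.113.5", "host": "web01"},
    {"ts": 120, "source": "sshd", "type": "login_ok", "src_ip": "203.0.113.5", "host": "web01", "user": "alice"},
    {"ts": 125, "source": "firewall", "type": "outbound_allow", "host": "web01",
     "src_ip": "10.0.0.20", "dst_ip": "198.51.100.9", "dst_port": 4444},
    # A single failure followed much later by success: benign, no alarm.
    {"ts": 400, "source": "sshd", "type": "login_failed", "src_ip": "192.0.2.7", "host": "db01"},
    {"ts": 900, "source": "sshd", "type": "login_ok", "src_ip": "192.0.2.7", "host": "db01", "user": "bob"},
]


class Correlator:
    """Keeps per-source-IP failure history and per-host 'suspected compromise' marks."""

    def __init__(self, window=300, threshold=5):
        self.window = window          # seconds of history a rule may look back over
        self.threshold = threshold    # failures needed before a success is suspicious
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
        self.flagged = {}                    # host -> ts of the rule-one alarm
        self.alarms = []

    def _trim(self, ip, now):
        """Drop failure timestamps older than the window for this source IP."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def feed(self, ev):
        """Process one normalised event; return the alarm it triggers, or None."""
        ts, ip = ev["ts"], ev.get("src_ip")
        if ev["type"] == "login_failed":
            self._trim(ip, ts).append(ts)
            return None
        if ev["type"] == "login_ok":
            recent = self._trim(ip, ts)
            if len(recent) >= self.threshold:
                alarm = {"ts": ts, "rule": "brute_force_then_success", "priority": 3,
                         "host": ev["host"], "src_ip": ip, "user": ev.get("user"),
                         "failures": len(recent)}
                self.flagged[ev["host"]] = ts
                self.alarms.append(alarm)
                return alarm
            return None
        if ev["type"] == "outbound_allow" and ev["host"] in self.flagged:
            if ts - self.flagged[ev["host"]] <= self.window:
                alarm = {"ts": ts, "rule": "outbound_after_suspected_compromise",
                         "priority": 5, "host": ev["host"],
                         "dst": "%s:%s" % (ev["dst_ip"], ev["dst_port"])}
                self.alarms.append(alarm)
                return alarm
        return None


def correlate(events, window=300, threshold=5):
    """Run all events through the correlator in time order and return the alarms."""
    c = Correlator(window=window, threshold=threshold)
    for ev in sorted(events, key=lambda e: e["ts"]):
        c.feed(ev)
    return c.alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```

Neither source is alarming by itself: the SSH log just shows a user who eventually logged in, and the firewall log shows an allowed connection. Only the combination, with the asset (host) as the join key, produces the two alarms, which is the job OSSIM's ticketing lab then hands to the analyst.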
So, very enjoyable, and I am looking forward to getting into module three, which covers Forensic Readiness and First Response and sounds interesting.
Regards
Alex/Muldwych