Example: An unexpected process with an odd name (cjkvy-bc.exe) is observed on a workstation. Soon after the process launches, communication is observed to a known botnet C&C IP address registered in Germany. The MD5 hash of the process identifies it as ransomware; the signature matches TeslaCrypt. Closer examination shows that the EXE has been added to […]
Here’s a Browser Hijacking Scenario: Employee workstations are secured with brand-name, up-to-date antivirus (AV). The browser was hijacked by MapsGalaxy, a program capable of replacing the browser’s home page with its own. It was unknowingly installed through product bundling with a third-party application. Unfortunately, once installed it also added the MapsGalaxy toolbar, changed the […]
Example: Unexpected activity after business hours. Unbeknownst to the IT department, a remote access program had been installed to permit the user to log in to his desktop at work from a remote location. The user was accessing personal information that had been stored at work. This remote access is obviously an unauthorized “hole” deliberately left […]
Example of a Brute Force SSH Attack: The firewall detects an attempt to probe an external-facing webserver for phpMyAdmin vulnerabilities. The scanner, known as ZmEu, has been around since 2012; this is typical of such attacks, which are rarely zero-day. A brute force SSH attack attempts to guess the password and thereby gain access to the underlying […]
Example: While inspecting browser traffic from a workstation showing signs of a phishing attack, a page titled “Dropbox Login Page” is found to be served without HTTPS. The workstation user was potentially the victim of an attempt to harvest Dropbox credentials via a bogus login page. Quarantine the workstation and run a deep scan. For maximum safety, […]
Logstash, Loggly, LogLogic, Sumo Logic, etc.
What are the components of Splunk / the Splunk architecture? The main components of Splunk are:
Search head – provides the GUI for searching
Indexer – indexes machine data
Forwarder – forwards logs to the Indexer
Deployment server – manages Splunk components in a distributed environment
What are the common port numbers used by Splunk? Service and port number used:
Splunk Web port: 8000
Splunk Management port: 8089
Splunk Indexing port: 9997
Splunk Index Replication port: 8080
Splunk network port: […]
Passive and Active. In the passive mode the tester tries to understand the application’s logic and experiments with the application. Tools can be used for information gathering; for example, an HTTP proxy can be used to observe all HTTP requests and responses. At the end of this phase, the tester should understand all the […]
A threat is anything (a malicious external attacker, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.