Ransomware

Example: An unexpected process with an odd name (cjkvy-bc.exe) is observed on a workstation. Soon after the process launches, communication is observed to a known botnet C&C IP address registered in Germany. The MD5 hash of the process identifies it as ransomware; the signature matches TeslaCrypt. Closer examination shows that the EXE has been added to […]


Browser Hijacking Scenario

Here’s a Browser Hijacking Scenario: Employee workstations are secured with brand-name, up-to-date antivirus (AV). The browser was hijacked by MapsGalaxy, a program capable of changing your browser homepage to its own. It was unknowingly installed through product bundling with a third-party application. Unfortunately, once installed it also added the MapsGalaxy toolbar, changed the […]


Threat Detection and Analysis Example: After-hours Activity

Example: Unexpected activity after business hours. Unbeknownst to the IT department, a remote access program had been installed to permit the user to log in to his desktop at work from a remote location. The user was accessing personal information that had been stored at work. This remote access is obviously an unauthorized “hole” deliberately left […]


Brute Force SSH Attack Scenario

Example of a Brute Force SSH Attack: The firewall detects an attempt to probe for vulnerabilities against an external-facing web server using phpMyAdmin. The scanner, known as ZmEu, has been around since 2012. That is typical of attacks: not particularly zero-day. Brute force SSH attacks attempt to guess passwords and thereby gain access to the underlying […]


Threat Detection and Analysis Example: A phishing attack

Example: While inspecting browser traffic from a workstation indicating a phishing attack, a page title says “Dropbox Login Page” but it is not served over HTTPS. The workstation user was potentially a victim of an attempt to harvest Dropbox credentials via a bogus login page. Quarantine the workstation and run a deep scan. For maximum safety, […]


What are components of Splunk/Splunk architecture?

What are the components of the Splunk architecture? The main components of Splunk are:

Search head – provides the GUI for searching
Indexer – indexes machine data
Forwarder – forwards logs to the Indexer
Deployment server – manages Splunk components in a distributed environment


Splunk interview questions and answers

What are the common port numbers used by Splunk?

Service                       Port number used
Splunk Web Port:              8000
Splunk Management Port:       8089
Splunk Indexing Port:         9997
Splunk Index Replication Port 8080
Splunk network port:          […]


What are the two phases of Web Application Security testing?

Passive and Active. In the passive phase the tester tries to understand the application’s logic and explores the application. Tools can be used for information gathering; for example, an HTTP proxy can be used to observe all the HTTP requests and responses. At the end of this phase, the tester should understand all the […]


What is a Threat?

A threat is anything (a malicious external attacker, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.
