Three key roles in Defensive Security: Safeguarding Systems and Mitigating Threats

Photo by Shamin Haky on Unsplash

“If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you.”
― Stephane Nappo

As the cybersecurity landscape changes constantly, businesses must constantly guard against threats to their systems and data. The techniques applied by malicious actors seeking to exploit vulnerabilities evolve as technology advances. Defensive roles have become crucial protection pillars in response to these challenges, and these professionals work tirelessly to detect, respond to, and prevent security breaches, ensuring the safety and integrity of critical information.

It is essential to have a solid understanding of network architecture, routing, switching, protocols, services, the OSI layer, Operating system, and applications for effective network and infrastructure security. It is similar to making a cake: it would be difficult to get a good result without thoroughly understanding the ingredients, the right temperature, and the required baking time.

This article examines the security analyst, incident responder, and security architect as three crucial defensive positions in cybersecurity, describes the key responsibility according to the job role, and helps understand the aspect to get ready for the role with real-world use cases.

Security Analyst/Engineer: Shielding Networks from Intrusion

a. Network Monitoring:

• Monitor network activity using specialized tools and software.
• Analyze security logs to detect suspicious or unauthorized activities.
• Identify potential vulnerabilities and areas of weakness.
• Play with Threat Intelligence to correlate events and perform analytics.

b. Risk Assessment and Preventive Measures:

• Conduct risk assessments to evaluate potential security threats.
• Recommend and implement preventive measures like firewalls, intrusion detection systems, and access controls.
• Stay updated with the latest security trends and best practices.

Required Skills:

Networking Basic, Systems Fundamental, Service and Application basics, Analytical ability, Network Security, OSINT, Threat Modeling, Risk Assessment.

Projects to taste the responsibility:

• Event-based monitoring: Implement Nagios or Zabbix for comprehensive monitoring of processes, services, uptime, and application response time. Gain insights from a case study:

Zabbix Network Discovery For Dynamic Deployments - Zabbix Blog

• Network traffic analysis: Capture and analyze NetFlow data using ELK, Graylog, or Wazuh. Gain visibility into bandwidth consumption, traffic trends, application behavior, and anomalies. Check out this informative blog:

Network Traffic Analysis using ElastiFlow

&

Use cases - Getting started with Wazuh · Wazuh documentation

• Real-time packet analysis: Utilize WireShark or Zeek to capture and analyze network traffic. Enhance your understanding with this focused write-up on Zeek:

Using Zeek for network analysis and detections | Infosec Resources

• Intrusion Detection and Prevention: Set up Suricata or Snort IDS/IPS in a home lab to monitor and protect your network. Explore this comprehensive guide featuring a Suricata home project:

Home Network Security - How to Use Suricata, RaspberryPI4, and Python to Make Your Network Safe

• Threat Intelligence Analytics: TI gathers data from various sources, including internal and external security logs, open-source intelligence, and collaboration with industry peers, to gain insights into emerging threats and attack patterns. An incredible 101 brief can be found here

What is Cyber Threat Intelligence? [Beginner's Guide]

• System Security Hardening: Assess your network components against the benchmark’s guidelines, make necessary configurations, and document the compliance status with the CIS benchmark. A good summary of CIS benchmark to start with —

What Are CIS Benchmarks? 7 Things You Need For Security and Compliance

• Network Security Monitoring: Once the above-mentioned project is completed, start working with Security Onion, an integrated platform for network security monitoring. Discover its capabilities here:

Entry-Level Network Traffic Analysis with Security Onion -

Incident Responder: Swift Action to Mitigate Breaches

a. Incident Identification and Response:

• Develop incident response plans to outline procedures for handling security incidents.
• Monitor systems and network traffic for signs of a breach.
• Promptly respond to security incidents, minimizing their impact.

b. Breach Investigation and Containment:

• Investigate breaches to determine the cause and extent of the damage.
• Contain the incident by isolating affected systems and preventing further spread.
• Preserve evidence for further analysis and potential legal action.

c. Mitigation and Recovery:

• Implement measures to mitigate the effects of the breach and prevent future incidents.
• Restore affected systems and data from backups.
• Analyze the incident to identify lessons learned and improve incident response procedures.

Required Skills:

Subject matter expertise, Problem-solving and persistence, Collaborative mind, Good communication skill, Documentation and reporting,

Projects to taste the responsibility -

• Build a lab environment: Set up a virtual lab environment using tools like VirtualBox or VMware. Simulate incidents such as web-app attacks on one machine and practice containment, analysis, and recovery procedures. A step-by-step lab setup can be found here -

Proof of Concept guide · Wazuh documentation

Wazuh and TheHive: Protection and incident response | Wazuh

• Threat-hunting exercises: Perform a threat-hunting exercise focused on detecting lateral movement within your network. Use network traffic analysis tools like Wireshark or Zeek to identify suspicious communication patterns and potential signs of credential theft or privilege escalation. Investigate these indicators and determine if any systems have been compromised. And have a read to understand the related technology eco-system —

Threat Hunting with TheHive, Cortex and MISP: A Comprehensive Guide

• Forensic analysis: Analyze a compromised system that was part of a botnet. Perform disk forensics on the infected machine, examine system logs, memory dumps, and network traffic captures to determine the extent of the compromise, and identify the command and control (C2) infrastructure. Document your findings and present a comprehensive report detailing the incident timeline and key artifacts discovered.

1. A hands-on tutorial on this topic —

2. For network forensics from SANS institute

3. And an excellent Github repo —

GitHub - frankwxu/digital-forensics-lab: Free hands-on digital forensics labs for students and…

• Develop incident response playbooks: Create an incident response playbook for a data breach incident. Document step-by-step procedures for containing the breach, investigating the source of the breach, notifying affected parties, and initiating recovery and remediation efforts. Include guidelines for preserving evidence and legal considerations. A great documented platform to learn more about the documentation —

IncidentResponse.org | Incident Response Playbooks Gallery

Security Architect: Building Resilient Defenses

a. Needs Assessment and Risk Analysis:

• Assess the organization’s security needs and objectives.
• Identify potential risks and vulnerabilities in existing systems and infrastructure.
• Evaluate compliance requirements and industry standards.

b. Design and Implementation of Secure Systems:

• Develop security architectures and frameworks tailored to the organization’s needs.
• Implement secure infrastructure, protocols, and best practices.
• Collaborate with stakeholders to ensure security considerations are integrated into system design and development.

c. Strategic Guidance and Continuous Improvement:

• Guide emerging security technologies, trends, and industry regulations.
• Conduct regular security audits and assessments to identify areas for improvement.
• Stay updated with the latest threats and vulnerabilities to adapt security measures accordingly.

Required Skills:

Strong understanding of security principles, Network and system architecture, Threat modeling and risk assessment, Security technologies and tools, Security protocols and standards, Secure coding practices, Risk management and compliance, Communication and collaboration, Analytical and problem-solving skills, and Continuous learning.

Projects to taste the responsibility -

• Do a threat modeling with MITRE ATT&CK. The following GitHub repo has a step-by-step explanation to help do so.

GitHub - bvoris/mitreattackthreatmodeling: This provides a guided step by step walkthrough for…

Conclusion:

It is impossible to overestimate the significance of defensive responsibilities in cybersecurity in an era dominated by digital connectedness. Any comprehensive cybersecurity strategy must include security analysts, incident responders, and architects. Through dedication, organizations may reduce risks, protect vital information, and gain the trust of stakeholders. The fight against cyber-attacks becomes more effective when these defensive duties are prioritized.

This blog, intended for aspiring defensive security professionals, thoroughly explains three crucial roles for protecting systems and reducing threats, which is a follow-up blog to “Career in Cybersecurity: Exploring the Realm of Defense and Offense.”

Career in Cybersecurity: Exploring the Realm of Defense and Offense

Happy reading, and feel free to share your observation.