Cybersecurity Labs - Module 4

🎯 Goal: Deploy Splunk SIEM platform for log aggregation

📝 Why This Matters:
SIEM (Security Information and Event Management) is the central nervous system of security operations. It collects logs from all systems and correlates them to detect attacks spanning multiple sources. Without SIEM, attacks go undetected because no single log shows the full picture.

💻 Command:
sudo apt install splunk

🔍 What This Does:
• Downloads and installs Splunk package
• Creates /opt/splunk directory structure
• Sets up web interface on port 8000
• Initializes indexing and search engine

🎯 Goal: Launch the Splunk daemon and web interface

📝 Why This Matters:
Splunk runs as a background service that continuously indexes logs as they arrive. Starting the service initializes search heads, indexers, and forwarders that make up the distributed architecture.

💻 Command:
sudo systemctl start splunk

🔍 Architecture Components:
• Search Head - User interface and queries
• Indexers - Store and index log data
• Forwarders - Collect logs from sources
• Deployment Server - Manages configs

🎯 Goal: Set up Universal Forwarder to send auth logs

📝 Why This Matters:
Forwarders are agents deployed on monitored systems. They tail log files and send events to indexers. This distributed architecture scales to millions of endpoints without overwhelming the SIEM.

💻 Command:
splunk add forward-server localhost:9997

🔍 Forwarder Configuration:
• Port 9997 = Splunk-to-Splunk protocol
• Compresses and encrypts data in transit
• Can buffer locally if indexer is down
• Sends logs in near real-time (5s delay)

🎯 Goal: Ingest Linux auth logs for security monitoring

📝 Why This Matters:
Authentication logs (/var/log/auth.log) record every login attempt - success and failure. Critical for detecting brute force, credential stuffing, and unauthorized access. CySA+ heavily tests auth log analysis.

💻 Command:
splunk add monitor /var/log/auth.log -sourcetype linux_auth

🔍 Key auth.log Fields:
• Timestamp - When login occurred
• User - Account attempting access
• Source IP - Origin of connection
• Result - success, failed, timeout
• Service - ssh, su, sudo, login

🎯 Goal: Detect brute force with 5+ failed logins in 5 minutes

📝 Why This Matters:
Single failed logins are normal (typos happen). But 5+ failures quickly indicates automated attack or credential stuffing. Correlation rules identify patterns across multiple events - SIEM's real power.

💻 Command:
splunk add alert 'failed_logins' 'sourcetype=linux_auth action=failure | stats count by user | where count>=5'

🔍 SPL Query Breakdown:
• sourcetype=linux_auth - Filter to auth logs
• action=failure - Only failed logins
• stats count by user - Count per username
• where count>=5 - Threshold trigger

🎯 Goal: Query Splunk to investigate the brute force attack

📝 Why This Matters:
When alerts fire, analysts investigate context: Who was targeted? From where? What happened next? SPL (Search Processing Language) is how you ask these questions - it's SQL for security logs.

💻 Command:
splunk search 'sourcetype=linux_auth action=failure user=admin | table _time, src_ip, user'

🔍 Investigation Approach:
• Identify attack timeline (first/last event)
• Enumerate source IPs (single or distributed?)
• Check if attack succeeded (successful login?)
• Look for lateral movement (other systems?)
• Correlate with firewall/IDS logs

🎯 Goal: Configure an authenticated network scan with best-practice settings

📝 Why This Matters:
Scan policies determine what Nessus checks. Unauthenticated scans only see external services - missing 70% of vulnerabilities! Authenticated scans log into systems to check patch levels and configurations. SecurityX requires understanding credentialed vs non-credentialed scans.

💻 Actions:
1. Click "Create Scan Policy"
2. Policy Name: TechCorp-Authenticated-Scan
3. Scan Template: Authenticated Credentialed Scan
4. Port Range: 1-65535
5. Scan Intensity: Select any option
6. Performance: Select any option
7. Check Enable Safe Checks
8. Click "Create Policy"

🔍 Authenticated Scan Benefits:
• Detects missing patches
• Checks local configurations
• Identifies privilege escalation risks
• Much lower false positive rate

🎯 Goal: Define IP ranges and credentials for scanning

📝 Why This Matters:
Vulnerability management only works if you scan ALL assets. Unscanned systems are where attackers hide. Organizations use CMDB to track every IP, then scan systematically.

💻 Actions:
1. Click "Add Targets"
2. Target Type: Select CIDR Notation
3. Credential Type: Select SSH
4. Target Specification: 192.168.1.0/24
5. Scan Schedule: Select Run Immediately
6. Asset Priority: Select any option
7. SSH Username: scanner
8. SSH Auth Method: Select Password
9. SSH Password: Scan123!
10. Privilege Escalation: Select sudo
11. Click "Add Target"

🔍 Target Discovery Methods:
• Static IP ranges (data center)
• DHCP logs (dynamic IPs)
• Active Directory queries (Windows)
• Cloud APIs (AWS/Azure instances)

🎯 Goal: Launch the scan and wait for completion

📝 Why This Matters:
The scan connects to targets, logs in, enumerates software, and compares against Tenable's vulnerability database (150,000+ plugins). Full network scans can run hours - plan during low-traffic periods.

💻 Actions:
1. Click "Launch Scan" button
2. Confirm scan start
3. Monitor progress bar
4. Wait for "Scan Complete"

🔍 What Nessus Does:
• Port scan to find services
• Banner grabbing for versions
• SSH login to check patches
• Configuration audits
• Exploit checks (safe mode)

🎯 Goal: Review results and prioritize by severity

📝 Why This Matters:
Organizations can't patch everything at once. CVSS (Common Vulnerability Scoring System) provides standardized severity ratings (0-10). SecurityX focuses on risk-based vulnerability management: patch Critical first, Low last.

💻 Actions:
1. Click "View Results" button
2. Review vulnerability counts by severity:
• Critical (9.0-10.0): Remote code execution
• High (7.0-8.9): Privilege escalation
• Medium (4.0-6.9): Info disclosure
• Low (0.1-3.9): Minor leaks
3. Sort by CVSS score (highest first)

🔍 CVSS Factors:
• Attack Vector (Network > Local)
• Complexity (Low > High)
• Privileges Required (None > High)
• User Interaction (None > Required)

🎯 Goal: Understand how to fix each vulnerability

📝 Why This Matters:
Finding vulnerabilities is half the job. Nessus provides actionable remediation: which patch, what config change, or how to mitigate if no patch exists. Critical for closing vulnerability windows quickly.

💻 Actions:
1. Click a vulnerability (e.g., OpenSSL RCE)
2. Read Description - what the flaw is
3. Read Solution - exact fix
4. Check References - CVE, vendor advisory
5. Note Plugin ID - for tracking

🔍 Remediation Methods:
• Patch: Apply vendor update (preferred)
• Upgrade: Move to safe version
• Workaround: Config change to mitigate
• Compensating Control: Firewall, IPS
• Accept Risk: Document why not fixing

🎯 Goal: Create executive summary report

📝 Why This Matters:
Technical scan data doesn't resonate with executives. They need business context: How many vulnerabilities? What's the risk? PDF reports translate technical findings into business language for decision-makers and compliance auditors.

💻 Actions:
1. Click "Generate Report"
2. Review report sections
3. Click "Download PDF"
4. Report saves to Downloads

🔍 Report Audiences:
• Executive: Risk summary, business impact
• Technical: CVEs, remediation steps
• Compliance: PCI/HIPAA findings
• Trending: Month-over-month reduction

📄 Download and analyze the Vulnerability Assessment Report PDF carefully before answering these certification-focused questions.

Question 1: According to CVSS v3.1 scoring methodology used in the report, which factor combination results in the HIGHEST base score for a vulnerability?

Submit Answer

Question 2: The vulnerability assessment report shows 8 Critical and 15 High severity findings. Per CompTIA SecurityX best practices for vulnerability management, what should be your FIRST remediation priority?

Submit Answer

Question 3: The report indicates authenticated credentialed scans were used. Why is this methodology critical for accurate vulnerability assessment in enterprise environments?

Submit Answer

🎯 Goal: Document the ransomware detection in IRTOOL

📝 Why This Matters:
Incident response starts with documentation. Every action, timestamp, and decision must be recorded for legal/forensic purposes. If this ends up in court, your IR ticket is exhibit A. CISSP Domain 7 emphasizes proper incident handling.

💻 Actions:
1. Click "Create Incident"
2. Incident Title: Ransomware Detection - Finance Dept
3. Incident Category: Select Malware/Ransomware
4. Severity/Priority: Select P1 - Critical
5. Business Impact Score: Select Critical
6. Affected Business Unit: Select Finance
7. Affected Users: Enter any number (e.g., 25)
8. Detection Source: Select any option
9. Assigned To: Select any option
10. Description: Ransomware encrypting files on fileserver01
11. Click "Create Incident"

🔍 Severity Criteria:
• Critical: Active destruction, ransomware, breach
• High: Compromised servers, privilege escalation
• Medium: Contained malware, phishing attempt
• Low: Policy violation, suspicious activity

🎯 Goal: Determine infected systems and data at risk

📝 Why This Matters:
You can't contain what you can't see. Impact assessment identifies patient zero, lateral movement paths, and data exposure. Is it 1 laptop or 100 servers? CISSP requires understanding business impact analysis in IR.

💻 Actions:
1. Click "Assess Impact"
2. Affected Systems Count: 3
3. Estimated Records Affected: 50000
4. System Types Affected: Select any options
5. Data Types Compromised: Select any options
6. Data Classification: Select Confidential
7. Estimated Financial Impact: Select any option
8. Compliance/Regulatory Impact: Select any options
9. Service Availability Status: Select any option
10. Click "Save Assessment"

🔍 Impact Questions:
• How many systems infected? (scope)
• What data exposed? (confidentiality)
• Are systems operational? (availability)
• Data exfiltrated? (breach notification)
• Financial impact? (business impact)

🎯 Goal: Isolate infected systems to stop spread

📝 Why This Matters:
Containment is the emergency brake. Every minute ransomware runs, more files encrypt. Network isolation stops lateral movement immediately. NIST SP 800-61 defines containment as critical second phase after detection.

💻 Actions:
1. Click "Contain Threat"
2. Primary Containment Method: Select Network Isolation
3. Scope of Containment: Select any option
4. Secondary Containment Actions: Select any options
5. Notification Required: Select any options
6. Evidence Preservation: Select any option
7. Check both confirmation boxes
8. Click "Execute Containment"

🔍 Containment Strategies:
• Network Isolation: Disconnect from LAN (fast)
• Firewall Rules: Block specific IPs (surgical)
• VLAN Quarantine: Isolated VLAN (forensics)
• Account Disable: Block credentials
• System Shutdown: Last resort (loses RAM)

🎯 Goal: Remove ransomware and close initial access

📝 Why This Matters:
Containment stops bleeding, eradication fixes the wound. Remove ALL malware artifacts (executables, scheduled tasks, registry) and patch the vulnerability that allowed entry. Skip this and ransomware returns in hours.

💻 Actions:
1. Click "Eradicate"
2. Primary Eradication Method: Select Full System Re-image
3. Malware/Threat Artifacts: ransomware.exe, scheduled tasks, registry keys
4. Vulnerability Remediation: Select any options
5. Post-Eradication Validation: Select any options
6. Root Cause Analysis: Unpatched RDP service exposed to internet
7. Additional Hardening: Patch RDP vulnerability, reset credentials
8. Click "Execute Eradication"

🔍 Eradication Methods:
• Re-imaging: Wipe and rebuild (cleanest)
• AV Removal: Automated (fast, may miss)
• Manual Removal: Hunt IOCs (thorough)
• Patch Vulnerabilities: Close entry point
• Password Resets: Revoke credentials

🎯 Goal: Restore systems from clean backups

📝 Why This Matters:
Recovery is why you have backups! Restore from last known-good backup BEFORE infection. Verify backups aren\'t corrupted or encrypted. Many ransomware strains target backups first. CISSP covers BCP/DR integration with IR.

💻 Actions:
1. Click "Recover Systems"
2. Primary Restoration Method: Select Full Backup Restore
3. Backup Source: Select any option
4. Backup Date/Time: Select a date
5. Service Restoration Priority: Select any option
6. Recovery Point Objective: 4 hours
7. Recovery Time Objective: 8 hours
8. Data Integrity Validation: Select any options
9. Post-Recovery Testing: Select any options
10. User Communication Plan: Email notification to all users about service restoration
11. Check all three confirmation boxes
12. Click "Restore Systems"

🔍 Recovery Validation:
• Systems boot normally
• Data integrity verified (checksums)
• Business apps functional
• No malware artifacts remain
• Monitor 24-48 hours for re-infection

🎯 Goal: Create post-incident report for leadership

📝 Why This Matters:
The incident report documents what happened, how you responded, and lessons learned. Required for compliance (GDPR 72-hour notification, HIPAA, PCI-DSS), insurance claims, and continuous improvement. Poor post-mortems lead to repeat incidents.

💻 Actions:
1. Click "Generate Report"
2. Review report sections
3. Click "Download PDF"
4. Report saves for compliance/audit

🔍 Lessons Learned Meeting:
• What worked well? (celebrate wins)
• What didn't work? (no blame, fix process)
• What should we change? (actionable items)
• How prevent recurrence? (long-term fixes)

📄 Download and analyze the Incident Response Report PDF carefully before answering these CISSP-focused questions.

Question 1: According to NIST SP 800-61 incident response lifecycle documented in the report, what is the PRIMARY purpose of the "Lessons Learned" phase?

Submit Answer

Question 2: The incident report shows a 4-hour Recovery Point Objective (RPO) and 8-hour Recovery Time Objective (RTO). What do these metrics mean for business continuity?

Submit Answer

Question 3: The report documents network isolation as the primary containment strategy. Per CISSP Domain 7, why is this preferred over immediately powering off infected systems?

Submit Answer