Google Cybersecurity Certificate Course 6 - Sound the Alarm - Detection and Response

This is the sixth course of the Google Cybersecurity Certificate Course on Coursera. Again it’s a mix of my notes and definitions from the course.

Here is a link to my main page for the course.

Course 6 Overview

• Incident response lifecycle
• Monitor and analyze network traffic
• Processes and procedures
• Interpret logs and alerts

Module 1: Introduction to detection and incident response

Module 2: Network monitoring and analysis

Components of a packet

1. Header
2. Payload
3. Footer

Packet sniffers, e.g. tcpdump, Wireshark.

Packet capture (PCAP): a file containing data packets intercepted from an interface or network.

TCP/IP Model Application Transport Internet Network Access

IPv4 and IPv6 have different but similar fields.

Version IHL ToS Total Length

Identification Flags Fragment Offset

Time To Live Protocol Header Checksum

Source Address

Destination Address

Options (optional)

Module 3: Incident investigation and response

• Investigate and verify an incident
• Plans and processes behind incident response
• Post-incident actions

Final reports

Playbooks again

Module 4: Network traffic and logs using IDS and SIEM tools

• Logs, logs, logs
• Interpret signatures
• Search in SIEM tools

Importance of logs

• How we detect unusual events
• What, where, and when an event occurred on a network
  • Date, time, location, action, names
• Can build a timeline with log analysis

Log types

• Network
• System
• Application
• Security
• Authentication

Login Event [2022/11/16 05:45:15.892673] auth_performer.cc:470 User1 Authenticated successfully from device1 (192.168.1.2)

Precision with logs is key. Find the goldilocks zone–not too much, not too little.

Logs contain

• Timestamps
• System characteristics
• Action

Commonly used log formats

• Syslog
• JavaScript Object Notation (JSON)
  • Simple, easily readable
• eXtensible Markup Language (XML)
  • Uses tags
• Comma Separated Values (CSV)

Host-based vs network-based intrusion detection systems (IDS). Combine them both to provide layered security.

Signature analysis is a detection method that is used to find events of interest. Lowers the rate of false positives; however, they can be evaded and require updates.

Components of a detection signature

1. Action - alert, pass, or reject
2. Header - source and dest IPs, ports, etc
3. Rule options - msg, rev, etc.

Suricata

• Can be used as an IDS, IPS, or NSM

Resources

• Wireshark User’s Guide
• tcpdump - Home page
• tcpdump tutorial - by Daniel Miessler
• Pyramid of Pain
• generatedata - quickly generate data sets in various formats (JSON, CSV, XML, etc.)
• Suricata
• Splunk Search Manual
• Chronicle quick start