Indian Ticketing Platform RailYatri Hacked

Among personal information, the RailYatri hack has also exposed the location details of millions of travellers across India.

RailYatri, a popular Indian train ticket booking platform, has suffered a massive data breach that has exposed the personal information of over 31 million (31,062,673) users/travellers. The breach is believed to have occurred in late December 2022, with the database of sensitive information now being leaked online.

The compromised data includes email addresses, full names, genders, phone numbers, and locations, which could put millions of users at risk of identity theft, phishing attacks, and other cyber crimes.

Hackread.com can confirm that the database has been leaked on Breachforums, a hacker and cybercrime forum that surfaced as an alternative to the popular and now-seized Raidforums.

RailYatri and its Data Breach Yatra

RailYatri means train passenger, while Yatra stands for the journey. The RailYatri data breach is not a typical case of hackers exploiting vulnerabilities, stealing, and leaking data. In fact, it began in February 2020 when cybersecurity researcher Anurag Sen identified a misconfigured Elasticsearch server exposed to the public without any password or security authentication.

Sen noted that the server belonged to RailYatri and informed the company about the issue. The company initially denied that the server belonged to it, and later claimed that it held merely test data. At that time, the server contained over 700,000 logs with over 37 million entries in total, including internal production logs.

In 2020, RailYatri managed to secure its data only when the Indian Computer Emergency Response Team (CERT-In) got involved; however, two years later, on February 16th, 2023, hackers rattled the company with yet another security breach due to a new leak.

Screenshot from RailYatri’s data exposure in 2020 (Image credit: Anurag Sen)

“Back in 2020, when I reached out to Railyatri, they never replied or reached out to me, but after I contacted Cert-In, the server got closed,” Anurag told Hackread.com. “I have reported various data leaks in India; the most common issue I saw is that these companies are not getting fined due to India not having any GDPR-like law,” added Anurag.

Anurag believes that the latest data breach could have been avoided “if the company had implemented proper cybersecurity measures from the outset.”

Hackread.com advises all users to change their passwords and enable two-factor authentication on their accounts as a precautionary measure. They have also advised users to monitor their bank accounts and credit card statements for any suspicious activity.

This breach serves as a stark reminder of the increasing frequency and severity of cyber attacks, particularly in the wake of the COVID-19 pandemic, which has forced millions of people to rely on online platforms for their daily needs. It highlights the need for companies to prioritize cybersecurity measures and take all necessary steps to protect their customers’ personal information.


Amazon will give you a $100 Gift Card with Samsung’s Galaxy S23

Now that the Galaxy S23 is officially available, Amazon is giving you another deal to help you pick one up from them: up to a $100 gift card with the purchase of a Galaxy S23. The Galaxy S23 gets a $50 gift card, while the Galaxy S23 Plus and Ultra both get a $100 gift card. Now that the pre-order period is over, you won’t get that storage upgrade. But hey, this is still free money.

The Galaxy S23 is the latest smartphone from Samsung. It sports all of the high-end specs that you’d expect. That includes the Snapdragon 8 Gen 2 for Galaxy, 8GB of RAM and 128GB of storage (256GB base on the Plus and Ultra).

Now, the small Galaxy S23 does sport a 6.1-inch display, while the Galaxy S23 Plus does have a 6.6-inch display. Both of these are flat FHD+ panels, and use Adaptive 120Hz refresh rate. They also have 3,900mAh and 4,700mAh capacity batteries respectively.

The Galaxy S23 Ultra is the big boy, with a 6.8-inch QHD+ Adaptive 120Hz display. It also has a larger 5,000mAh capacity battery inside, which is pretty good for the size. Samsung has also included the S Pen in the Ultra, so those Galaxy Note users will absolutely love this phone. Samsung has also added the world’s first 200-megapixel camera to the Galaxy S23 Ultra, and early impressions show that it is a pretty impressive camera. So it definitely might be worth the upgrade for some people.

If you’re looking to upgrade your phone to the latest and greatest, this might be the best time to do just that.

You can pick up the Galaxy S23 series from Amazon by clicking the link below. This sale is not going to last long though.


Get ready to start paying more for Paramount Plus

It was bound to happen, but it appears that Paramount Plus will also be getting a price increase. But this isn’t as bad as you might have originally thought.

This price increase is tied to Paramount Plus and SHOWTIME merging. So yes, you’re paying more, but you’re also getting more content. Currently, Paramount Plus is $4.99/month for ads and $9.99 per month for the Premium ad-free plan. Those prices will go up to $5.99 and $11.99 respectively. That’s a pretty small bump in price, and actually brings the Premium version up to the original price of SHOWTIME.

So it’s a pretty good deal. Especially if you already subscribe to SHOWTIME, because now you’ll get Paramount Plus included for basically the same price. And if you were paying for ad-free SHOWTIME, then you’ll actually be paying $3 less per month and getting a larger library. Definitely good news. Keep in mind that the ad-supported Paramount Plus plan will not get SHOWTIME.

When does the new price start?

Paramount hasn’t been specific about the new pricing and when it would start, but they are saying Q3 2023. So that would be between July 1 and September 30.

It’s a pretty interesting move for Paramount. But it is something that needed to be done. Currently, the company has three different streaming services – Paramount Plus, BET Plus and SHOWTIME. Now there’s no word on whether BET Plus will merge or not, but it’s likely that will stay separate as it does hit a different audience from the other two services.

We’ve seen a lot of streaming services jumping up in price in recent months, so it was bound to happen to Paramount Plus. But getting it and SHOWTIME included for just $12 per month is not a bad price bump at all. There’s plenty of great content available on both, and now you get them in one app.



1000 Best Google Dorks List in 2023


A Google Dorks list, or “Google Hacking”, mainly refers to pulling sensitive information from Google using advanced search terms that help users search the index of a specific website, a specific file type, and other interesting information from unsecured websites.

Google Dorks list 2023 can uncover some incredible information such as email addresses and lists, login credentials, sensitive files, website vulnerabilities, and even financial information (e.g. payment card data).

Here is an example showing how Google dorks are used by hackers to gain sensitive information from specific websites.

  • “inurl: domain/” “additional dorks”

A hacker would simply fill in the desired parameters as follows:

  • inurl = the URL of a site you want to query
  • domain = the domain for the site
  • dorks = the sub-fields and parameters that a hacker wants to scan

The best way to use Google dorks legally is to find vulnerabilities on your own website.

We can also use search fields other than URLs, which help uncover a lot of information about a site.

intitle:
inurl:
intext:
define:
site:
phonebook:
maps:
book:
info:
movie:
weather:
related:
link:

Some example Google dorks:

info: The query [info:] will present some information that Google has about that web page. For instance, [info:www.google.com] will show information about the Google homepage. Note there can be no space between the “info:” and the web page url.

link: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list web pages that have links pointing to the Google homepage. Note there can be no space between the “link:” and the web page url.

site: If you include [site:] in your query, Google will restrict the results to those websites in the given domain.

For instance, [help site:www.google.com] will find pages about help within www.google.com. [help site:com] will find pages about help within .com urls. Note there can be no space between the “site:” and the domain.

inurl: If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the url. For instance, [inurl:google search] will return documents that mention the word “google” in their url, and mention the word “search” anywhere in the document (url or not).
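The operator rules above, and the advice to run such queries against your own website, can be enforced in code before a query is ever sent. This is an added example, not code from the original article: the function names are hypothetical, `example.com` stands in for a domain you own, and the sample queries other than the article's own are constructed.

```python
import re

# Operators named in the article; any other word before a colon is a plain term.
OPERATORS = {
    "intitle", "inurl", "intext", "define", "site", "phonebook", "maps",
    "book", "info", "movie", "weather", "related", "link",
}

# A token is a run of non-space text in which quoted phrases may contain spaces,
# so intitle:"index of" stays one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_query(query):
    """Return (terms, problems).

    terms is a list of (operator, value) pairs, with operator None for a
    plain search term. problems lists operators that were followed by a
    space, which the article notes is not allowed.
    """
    terms, problems = [], []
    for tok in _TOKEN.findall(query):
        name, sep, value = tok.partition(":")
        if sep and name.lower() in OPERATORS:
            if not value:
                problems.append(
                    f"'{name}:' must be followed directly by its value (no space)"
                )
                continue
            terms.append((name.lower(), value.strip('"')))
        else:
            terms.append((None, tok.strip('"')))
    return terms, problems


def _render(op, value):
    # Re-quote values that contain whitespace so they stay one phrase.
    text = f'"{value}"' if re.search(r"\s", value) else value
    return f"{op}:{text}" if op else text


def scope_to_domain(query, domain):
    """Return the query restricted to `domain` (assumed to be your own site).

    Raises ValueError if the query is malformed or already contains a
    site: restriction that points outside `domain`.
    """
    domain = domain.lower().lstrip(".")
    terms, problems = parse_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    scoped = False
    for op, value in terms:
        if op == "site":
            host = value.lower()
            # Accept the domain itself or any subdomain, nothing else.
            if host != domain and not host.endswith("." + domain):
                raise ValueError(f"site:{value} is outside {domain}")
            scoped = True
    if not scoped:
        terms.append(("site", domain))
    return " ".join(_render(op, value) for op, value in terms)


if __name__ == "__main__":
    # Constructed self-audit queries for a site you own.
    for q in ['intitle:"index of" backup', "inurl:admin site:shop.example.com"]:
        print(scope_to_domain(q, "example.com"))
```
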

Most Important Google Dorks list 2023

down*.php?disp=
down*.php?doshow=
down*.php?ev=
down*.php?filepath=
down*.php?goFile=
down*.php?home=
down*.php?in=
down*.php?inc=
down*.php?incl=
down*.php?include=
down*.php?ir=
down*.php?lang=
down*.php?left=
down*.php?nivel=
down*.php?oldal=
down*.php?open=
down*.php?OpenPage=
down*.php?pa=
down*.php?pag=
down*.php?pageweb=
down*.php?param=
down*.php?path=
down*.php?pg=
down*.php?phpbb_root_path=
down*.php?pollname=
down*.php?pr=
down*.php?pre=
down*.php?qry=
down*.php?r=
down*.php?read=
down*.php?s=
down*.php?second=
down*.php?section=
down*.php?seite=
down*.php?showpage=
down*.php?sp=
down*.php?strona=
down*.php?subject=
down*.php?t=
down*.php?texto=
down*.php?to=
down*.php?u=
down*.php?url=
down*.php?v=
down*.php?where=
down*.php?x=
down*.php?z=
download.php?id=
downloads_info.php?id=
downloads.php?id=
downloads/category.php?c=
downloads/shambler.php?id=
downloadTrial.php?intProdID=
Duclassified" -site:duware.com "DUware All Rights reserved"
duclassmate" -site:duware.com
Dudirectory" -site:duware.com
dudownload" -site:duware.com
DUpaypal" -site:duware.com
DWMail" password intitle:dwmail
e_board/modifyform.html?code=
edatabase/home.php?cat=
edition.php?area_id=
education/content.php?page=
eggdrop filetype:user user
Elite Forum Version *.*"
els_/product/product.php?id=
emailproduct.php?itemid=
emailToFriend.php?idProduct=
en/main.php?id=
en/news/fullnews.php?newsid=
en/publications.php?id=
enable password | secret "current configuration" -intext:the
enc/content.php?Home_Path=
eng_board/view.php?T****=
eng/rgboard/view.php?&bbs_id=
english/board/view****.php?code=
english/fonction/print.php?id=
english/print.php?id=
english/publicproducts.php?groupid=
enter.php?a=
enter.php?abre=
enter.php?addr=
enter.php?b=
enter.php?base_dir=
enter.php?body=
enter.php?chapter=
enter.php?cmd=
enter.php?content=
enter.php?e=
enter.php?ev=
enter.php?get=
enter.php?go=
enter.php?goto=
enter.php?home=
enter.php?id=
enter.php?incl=
enter.php?include=
enter.php?index=
enter.php?ir=
enter.php?itemnav=
enter.php?lang=
enter.php?left=
enter.php?link=
enter.php?loader=
enter.php?menue=
enter.php?mid=
enter.php?middle=
enter.php?mod=
enter.php?module=
enter.php?name=
enter.php?numero=
enter.php?open=
enter.php?pa=
enter.php?page=
enter.php?pagina=
enter.php?panel=
enter.php?path=
enter.php?pg=
enter.php?phpbb_root_path=
enter.php?play=
enter.php?pname=
enter.php?pr=
enter.php?pref=
enter.php?qry=
enter.php?r=
enter.php?read=
enter.php?ref=
enter.php?s=
enter.php?sec=
enter.php?second=
enter.php?seite=
enter.php?sivu=
enter.php?sp=
enter.php?start=
enter.php?str=
enter.php?strona=
enter.php?subject=
enter.php?texto=
enter.php?thispage=
enter.php?type=
enter.php?viewpage=
enter.php?w=
enter.php?y=
etc (index.of)
event_details.php?id=
event_info.php?p=
event.php?id=
events?id=
events.php?ID=
events/detail.php?ID=
events/event_detail.php?id=
events/event.php?id=
events/event.php?ID=
events/index.php?id=
events/unique_event.php?ID=
exhibition_overview.php?id=
exhibitions/detail.php?id=
exported email addresses
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential
ext:asa | ext:bak intext:uid intext:pwd -"uid..pwd" database | server | dsn
ext:asp inurl:pathto.asp
ext:ccm ccm -catacomb
ext:CDX CDX
ext:cfg radius.cfg
ext:cgi intext:"nrg-" " This web page was created on "
ext:cgi intitle:"control panel" "enter your owner password to continue!"
ext:cgi inurl:editcgi.cgi inurl:file=
ext:conf inurl:rsyncd.conf -cvs -man
ext:conf NoCatAuth -cvs
ext:dat bpk.dat
ext:gho gho
ext:ics ics
ext:inc "pwd=" "UID="
ext:ini eudora.ini
ext:ini intext:env.ini
ext:ini Version=4.0.0.4 password
ext:jbf jbf
ext:ldif ldif
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:nsf nsf -gov -mil
ext:passwd -intext:the -sample -example
ext:plist filetype:plist inurl:bookmarks.plist
ext:pqi pqi -database
ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-"
ext:reg "username=*" putty
ext:txt "Final encryption key"
ext:txt inurl:dxdiag
ext:txt inurl:unattend.txt
ext:vmdk vmdk
ext:vmx vmx
ext:yml database inurl:config
ez Publish administration
faq_list.php?id=
faq.php?cartID=
faq2.php?id=
faqs.php?id=
fatcat/home.php?view=
feature.php?id=
features/view.php?id=
feedback.php?title=
fellows.php?id=
FernandFaerie/index.php?c=
fiche_spectacle.php?id=
Fichier contenant des informations sur le r?seau :
file.php?action=
file.php?basepath=
file.php?body=
file.php?channel=
file.php?chapter=
file.php?choix=
file.php?cmd=
file.php?cont=
file.php?corpo=
file.php?disp=
file.php?doshow=
file.php?ev=
file.php?eval=
file.php?get=
file.php?id=
file.php?inc=
file.php?incl=
file.php?include=
file.php?index=
file.php?ir=
file.php?ki=
file.php?left=
file.php?load=
file.php?loader=
file.php?middle=
file.php?modo=
file.php?n=
file.php?nivel=
file.php?numero=
file.php?oldal=
file.php?pagina=
file.php?param=
file.php?pg=
file.php?play=
file.php?pollname=
file.php?pref=
file.php?q=
file.php?qry=
file.php?ref=
file.php?seccion=
file.php?second=
file.php?showpage=
file.php?sivu=
file.php?sp=
file.php?start=
file.php?strona=
file.php?texto=
file.php?to=
file.php?type=
file.php?url=
file.php?var=
file.php?viewpage=
file.php?where=
file.php?y=
filemanager.php?delete=
filetype:asp "Custom Error Message" Category Source
filetype:asp + "[ODBC SQL"
filetype:ASP ASP
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:ASPX ASPX
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:bkf bkf
filetype:blt "buddylist"
filetype:blt blt +intext:screenname
filetype:BML BML
filetype:cfg auto_inst.cfg
filetype:cfg ks intext:rootpw -sample -test -howto
filetype:cfg mrtg "target
filetype:cfm "cfapplication name" password
filetype:CFM CFM
filetype:CGI CGI
filetype:cgi inurl:"fileman.cgi"
filetype:cgi inurl:"Web_Store.cgi"
filetype:cnf inurl:_vti_pvt access.cnf
filetype:conf inurl:firewall -intitle:cvs
filetype:conf inurl:psybnc.conf "USER.PASS="
filetype:conf oekakibbs
filetype:conf slapd.conf
filetype:config config intext:appSettings "User ID"
filetype:config web.config -CVS
filetype:ctt Contact
filetype:ctt ctt messenger
filetype:dat "password.dat
filetype:dat "password.dat"
filetype:dat inurl:Sites.dat
filetype:dat wand.dat
filetype:DIFF DIFF
filetype:DLL DLL
filetype:DOC DOC
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:FCGI FCGI
filetype:fp3 fp3
filetype:fp5 fp5 -site:gov -site:mil -"cvs log"
filetype:fp7 fp7
filetype:HTM HTM
filetype:HTML HTML
filetype:inc dbconn
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect
filetype:inf inurl:capolicy.inf
filetype:inf sysprep
filetype:ini inurl:"serv-u.ini"
filetype:ini inurl:flashFXP.ini
filetype:ini ServUDaemon
filetype:ini wcx_ftp
filetype:ini ws_ftp pwd
filetype:JHTML JHTML
filetype:JSP JSP
filetype:ldb admin
filetype:lic lic intext:key
filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error"
filetype:log "See `ipsec --copyright"
filetype:log access.log -CVS
filetype:log cron.log
filetype:log intext:"ConnectionManager2"
filetype:log inurl:"password.log"
filetype:log inurl:password.log
filetype:mbx mbx intext:Subject
filetype:mdb inurl:users.mdb
filetype:mdb wwforum
filetype:MV MV
filetype:myd myd -CVS
filetype:netrc password
filetype:ns1 ns1
filetype:ora ora
filetype:ora tnsnames
filetype:pass pass intext:userid
filetype:pdb pdb backup (Pilot | Pluckerdb)
filetype:pdf "Assessment Report" nessus
filetype:PDF PDF
filetype:pem intext:private
filetype:php inurl:"logging.php" "Discuz" error
filetype:php inurl:"webeditor.php"
filetype:php inurl:index inurl:phpicalendar -site:sourceforge.net
filetype:php inurl:ipinfo.php "Distributed Intrusion Detection System"
filetype:php inurl:nqt intext:"Network Query Tool"
filetype:php inurl:vAuthenticate
filetype:PHP PHP
filetype:PHP3 PHP3
filetype:PHP4 PHP4
filetype:PHTML PHTML
filetype:pl "Download: SuSE Linux Openexchange Server CA"
filetype:pl intitle:"Ultraboard Setup"
filetype:PL PL
filetype:pot inurl:john.pot
filetype:PPT PPT
filetype:properties inurl:db intext:password
filetype:PS ps
filetype:PS PS
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:pwd service
filetype:pwl pwl
filetype:qbb qbb
filetype:QBW qbw
filetype:r2w r2w
filetype:rdp rdp
filetype:reg "Terminal Server Client"
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:SHTML SHTML
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:STM STM
filetype:SWF SWF
filetype:TXT TXT
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:vcs vcs
filetype:vsd vsd network -samples -examples
filetype:wab wab
filetype:xls -site:gov inurl:contact
filetype:xls inurl:"email.xls"
filetype:xls username password email
filetype:XLS XLS
Financial spreadsheets: finance.xls
Financial spreadsheets: finances.xls
folder.php?id=
forum_bds.php?num=
forum.php?act=
forum/profile.php?id=
forum/showProfile.php?id=
fr/commande-liste-categorie.php?panier=
free_board/board_view.html?page=
freedownload.php?bookid=
front/bin/forumview.phtml?bbcode=
frontend/category.php?id_category=
fshstatistic/index.php?PID=
fullDisplay.php?item=
FullStory.php?Id=
galerie.php?cid=
Gallery in configuration mode
gallery.php?*[*]*=
gallery.php?abre=
gallery.php?action=
gallery.php?addr=
gallery.php?base_dir=
gallery.php?basepath=
gallery.php?chapter=
gallery.php?cont=
gallery.php?corpo=
gallery.php?disp=
gallery.php?ev=
gallery.php?eval=
gallery.php?filepath=
gallery.php?get=
gallery.php?go=
gallery.php?h=
gallery.php?id=
gallery.php?index=
gallery.php?itemnav=
gallery.php?ki=
gallery.php?left=
gallery.php?loader=
gallery.php?menu=
gallery.php?menue=
gallery.php?mid=
gallery.php?mod=
gallery.php?module=
gallery.php?my=
gallery.php?name=
gallery.php?nivel=
gallery.php?oldal=
gallery.php?open=
gallery.php?option=
gallery.php?pag=
gallery.php?page=
gallery.php?pageweb=
gallery.php?panel=
gallery.php?param=
gallery.php?pg=
gallery.php?phpbb_root_path=
gallery.php?pname=
gallery.php?pollname=
gallery.php?pre=
gallery.php?pref=
gallery.php?qry=
gallery.php?redirect=
gallery.php?ref=
gallery.php?rub=
gallery.php?sec=
gallery.php?secao=
gallery.php?seccion=
gallery.php?seite=
gallery.php?showpage=
gallery.php?sivu=
gallery.php?sp=
gallery.php?strona=
gallery.php?thispage=
gallery.php?tipo=
gallery.php?to=
gallery.php?url=
gallery.php?var=
gallery.php?viewpage=
gallery.php?where=
gallery.php?xlink=
gallery.php?y=
gallery/detail.php?ID=
gallery/gallery.php?id=
gallerysort.php?iid=
game.php?id=
games.php?id=
Ganglia Cluster Reports
garden_equipment/Fruit-Cage/product.php?pr=
garden_equipment/pest-weed-control/product.php?pr=
gb/comment.php?gb_id=
general.php?abre=
general.php?addr=
general.php?adresa=
general.php?b=
general.php?base_dir=
general.php?body=
general.php?channel=
general.php?chapter=
general.php?choix=
general.php?cmd=
general.php?content=
general.php?doshow=
general.php?e=
general.php?f=
general.php?get=
general.php?goto=
general.php?header=
general.php?id=
general.php?inc=
general.php?include=
general.php?ir=
general.php?itemnav=
general.php?left=
general.php?link=
general.php?menu=
general.php?menue=
general.php?mid=
general.php?middle=
general.php?modo=
general.php?module=
general.php?my=
general.php?name=
general.php?nivel=
general.php?opcion=
general.php?p=
general.php?page=
general.php?pageweb=
general.php?pollname=
general.php?pr=
general.php?pre=
general.php?qry=
general.php?read=
general.php?redirect=
general.php?ref=
general.php?rub=
general.php?secao=
general.php?seccion=
general.php?second=
general.php?section=
general.php?seite=
general.php?sekce=
general.php?sivu=
general.php?strona=
general.php?subject=
general.php?texto=
general.php?thispage=
general.php?tipo=
general.php?to=
general.php?type=
general.php?var=
general.php?w=
general.php?where=
general.php?xlink=
getbook.php?bookid=
GetItems.php?itemid=
giftDetail.php?id=
gig.php?id=
global_projects.php?cid=
global/product/product.php?gubun=
gnu/?doc=
goboard/front/board_view.php?code=
goods_detail.php?data=
haccess.ctl (one way)
haccess.ctl (VERY reliable)
hall.php?file=
hall.php?page=
Hassan Consulting's Shopping Cart Version 1.18
head.php?*[*]*=
head.php?abre=
head.php?adresa=
head.php?b=
head.php?base_dir=
head.php?c=
head.php?choix=
head.php?cmd=
head.php?content=
head.php?corpo=
head.php?d=
head.php?dir=
head.php?disp=
head.php?ev=
head.php?filepath=
head.php?g=
head.php?goto=
head.php?inc=
head.php?incl=
head.php?include=
head.php?index=
head.php?ir=
head.php?ki=
head.php?lang=
head.php?left=
head.php?load=
head.php?loader=
head.php?loc=
head.php?middle=
head.php?middlePart=
head.php?mod=
head.php?modo=
head.php?module=
head.php?numero=
head.php?oldal=
head.php?opcion=
head.php?pag=
head.php?pageweb=
head.php?play=
head.php?pname=
head.php?pollname=
head.php?read=
head.php?ref=
head.php?rub=
head.php?sec=
head.php?sekce=
head.php?sivu=
head.php?start=
head.php?str=
head.php?strona=
head.php?tipo=
head.php?viewpage=
head.php?where=
head.php?y=
help.php?CartId=
help.php?css_path=
help/com_view.html?code=
historialeer.php?num=
HistoryStore/pages/item.php?itemID=
hm/inside.php?id=
home.php?a=
home.php?action=
home.php?addr=
home.php?base_dir=
home.php?basepath=
home.php?body=
home.php?cat=
home.php?category=
home.php?channel=
home.php?chapter=
home.php?choix=
home.php?cmd=
home.php?content=
home.php?disp=
home.php?doshow=
home.php?e=
home.php?ev=
home.php?eval=
home.php?g=
home.php?h=
home.php?id=
home.php?ID=
home.php?in=
home.php?include=
home.php?index=
home.php?ir=
home.php?itemnav=
home.php?k=
home.php?link=
home.php?loader=
home.php?loc=
home.php?menu=
home.php?middle=
home.php?middlePart=
home.php?module=
home.php?my=
home.php?oldal=
home.php?opcion=
home.php?pa=
home.php?page=
home.php?pageweb=
home.php?pagina=
home.php?panel=
home.php?path=
home.php?play=
home.php?pollname=
home.php?pr=
home.php?pre=
home.php?qry=
home.php?read=
home.php?recipe=
home.php?redirect=
home.php?ref=
home.php?rub=
home.php?sec=
home.php?secao=
home.php?section=
home.php?seite=
home.php?sekce=
home.php?showpage=
home.php?sp=
home.php?str=
home.php?thispage=
home.php?tipo=
home.php?w=
home.php?where=
home.php?x=
home.php?z=
homepage.php?sel=
hosting_info.php?id=
ht://Dig htsearch error
html/print.php?sid=
html/scoutnew.php?prodid=
htmlpage.php?id=
htmltonuke.php?filnavn=
htpasswd
htpasswd / htgroup
htpasswd / htpasswd.bak
humor.php?id=
i-know/content.php?page=
ibp.php?ISBN=
ICQ chat logs, please...
idlechat/message.php?id=
ihm.php?p=
IIS 4.0 error messages
IIS web server error messages
IlohaMail"
impex/ImpExData.php?systempath=
inc/cmses/aedating4CMS.php?dir[inc]=
inc/cmses/aedating4CMS.php?dir[inc]= inurl:flashchat site:br bp_ncom.php?bnrep=
inc/cmses/aedatingCMS.php?dir[inc]=
inc/functions.inc.php?config[ppa_root_path]=
inc/header.php/step_one.php?server_inc=
inc/pipe.php?HCL_path=
include.php?*[*]*=
include.php?adresa=
include.php?b=
include.php?basepath=
include.php?channel=
include.php?chapter=
include.php?cmd=
include.php?cont=
include.php?content=
include.php?corpo=
include.php?destino=
include.php?dir=
include.php?eval=
include.php?filepath=
include.php?go=
include.php?goFile=
include.php?goto=
include.php?header=
include.php?in=
include.php?include=
include.php?index=
include.php?ir=
include.php?ki=
include.php?left=
include.php?loader=
include.php?loc=
include.php?mid=
include.php?middle=
include.php?middlePart=
include.php?module=
include.php?my=
include.php?name=
include.php?nivel=
include.php?numero=
include.php?oldal=
include.php?option=
include.php?pag=
include.php?pageweb=
include.php?panel=
include.php?path=
include.php?phpbb_root_path=
include.php?play=
include.php?read=
include.php?redirect=
include.php?ref=
include.php?sec=
include.php?secao=
include.php?seccion=
include.php?second=
include.php?sivu=
include.php?tipo=
include.php?to=
include.php?u=
include.php?url=
include.php?w=
include.php?x=
include/editfunc.inc.php?NWCONF_SYSTEM[server_path]=
include/new-visitor
include/new-visitor.inc.php?lvc_include_dir=
include/write.php?dir=
includes/functions.php?phpbb_root_path=
includes/header.php?systempath=
includes/search.php?GlobalSettings[templatesDirectory]=
Index of phpMyAdmin
index of: intext:Gallery in Configuration mode
index_en.php?id=
index_en.php?ref=
index_principal.php?pagina=
index.of passlist
index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=
index.php?=
index.php?a=
index.php?action=
index.php?addr=
index.php?adresa=
index.php?area_id=
index.php?arquivo=
index.php?b=
index.php?base_dir=
index.php?basepath=
index.php?body=
index.php?book=
index.php?c=
index.php?canal=
index.php?cart=
index.php?cartID=
index.php?cat=
index.php?channel=
index.php?chapter=
index.php?cid=
index.php?cmd=
index.php?configFile=
index.php?cont=
index.php?content=
index.php?conteudo=
index.php?cPath=
index.php?dept=
index.php?disp=
index.php?do=
index.php?doc=
index.php?dsp=
index.php?ev=
index.php?file=
index.php?filepath=
index.php?go=
index.php?goto=
index.php?i=
index.php?ID=
index.php?id=
index.php?inc=
index.php?incl=
index.php?include=
index.php?index=
index.php?inhalt=
index.php?j=
index.php?kobr=
index.php?l=
index.php?lang=
index.php?lang=gr&file
index.php?langc=
index.php?Language=
index.php?lg=
index.php?link=
index.php?load=
index.php?Load=
index.php?loc=
index.php?meio.php=
index.php?meio=
index.php?menu=
index.php?menu=deti&page=
index.php?mid=
index.php?middlePart=
index.php?mode=
index.php?modo=
index.php?module=
index.php?modus=
index.php?news=
index.php?nic=
index.php?offs=
index.php?oldal=
index.php?op=
index.php?opcao=
index.php?opcion=
index.php?open=
index.php?openfile=
index.php?option=
index.php?ort=
index.php?p=
index.php?pag=
index.php?page=
index.php?pageid=
index.php?pageId=
index.php?pagename=
index.php?pageurl=
index.php?pagina=
index.php?param=
index.php?path=
index.php?pg_t=
index.php?pg=
index.php?pid=
index.php?pilih=
index.php?place=
index.php?play=
index.php?pname=
index.php?pollname=
index.php?pr=
index.php?pre=
index.php?pref=
index.php?principal=
index.php?r=
index.php?rage=
index.php?recipe=
index.php?RP_PATH=
index.php?screen=
index.php?secao=
index.php?section=
index.php?sekce=
index.php?sel=
index.php?show=
index.php?side=
index.php?site=
index.php?sivu=
index.php?str=
index.php?stranica=
index.php?strona=
index.php?sub=
index.php?sub=index.php?id=index.php?t=
index.php?t=
index.php?template=
index.php?tipo=
index.php?to=
index.php?topic=
index.php?type=
index.php?u=
index.php?u=administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=
index.php?url=
index.php?var=
index.php?visualizar=
index.php?w=
index.php?where=
index.php?x=
index.php?x= index.php?mode=index.php?stranica=
index.php?y=
index.php/en/component/pvm/?view=
index.phpmain.php?x=
index0.php?show=
index1.php?*[*]*=
index1.php?*root*=
index1.php?=
index1.php?abre=
index1.php?action=
index1.php?adresa=
index1.php?b=
index1.php?body=
index1.php?c=
index1.php?chapter=
index1.php?choix=
index1.php?cmd=
index1.php?d=
index1.php?dat=
index1.php?dir=
index1.php?filepath=
index1.php?get=
index1.php?go=
index1.php?goFile=
index1.php?home=
index1.php?incl=
index1.php?itemnav=
index1.php?l=
index1.php?link=
index1.php?load=
index1.php?loc=
index1.php?menu=
index1.php?mod=
index1.php?modo=
index1.php?my=
index1.php?nivel=
index1.php?o=
index1.php?oldal=
index1.php?op=
index1.php?OpenPage=
index1.php?pa=
index1.php?pagina=
index1.php?param=
index1.php?path=
index1.php?pg=
index1.php?pname=
index1.php?pollname=
index1.php?pr=
index1.php?pre=
index1.php?qry=
index1.php?read=
index1.php?recipe=
index1.php?redirect=
index1.php?second=
index1.php?seite=
index1.php?sekce=
index1.php?showpage=
index1.php?site=
index1.php?str=
index1.php?strona=
index1.php?subject=
index1.php?t=
index1.php?texto=
index1.php?tipo=
index1.php?type=
index1.php?url=
index1.php?v=
index1.php?var=
index1.php?x=
index2.php?action=
index2.php?adresa=
index2.php?ascii_seite=
index2.php?base_dir=
index2.php?basepath=
index2.php?category=
index2.php?channel=
index2.php?chapter=
index2.php?choix=
index2.php?cmd=
index2.php?content=
index2.php?corpo=
index2.php?d=
index2.php?DoAction=
index2.php?doshow=
index2.php?e=
index2.php?f=
index2.php?filepath=
index2.php?get=
index2.php?goto=
index2.php?home=
index2.php?ID=
index2.php?in=
index2.php?inc=
index2.php?incl=
index2.php?include=
index2.php?ir=
index2.php?itemnav=
index2.php?ki=
index2.php?left=
index2.php?link=
index2.php?load=
index2.php?loader=
index2.php?loc=
index2.php?module=
index2.php?my=
index2.php?oldal=
index2.php?open=
index2.php?OpenPage=
index2.php?option=
index2.php?p=
index2.php?pa=
index2.php?param=
index2.php?pg=
index2.php?phpbb_root_path=
index2.php?pname=
index2.php?pollname=
index2.php?pre=
index2.php?pref=
index2.php?qry=
index2.php?recipe=
index2.php?redirect=
index2.php?ref=
index2.php?rub=
index2.php?second=
index2.php?section=
index2.php?sekce=
index2.php?showpage=
index2.php?strona=
index2.php?texto=
index2.php?thispage=
index2.php?to=
index2.php?type=
index2.php?u=
index2.php?url_page=
index2.php?var=
index2.php?x=
index3.php?abre=
index3.php?addr=
index3.php?adresa=
index3.php?base_dir=
index3.php?body=
index3.php?channel=
index3.php?chapter=
index3.php?choix=
index3.php?cmd=
index3.php?d=
index3.php?destino=
index3.php?dir=
index3.php?disp=
index3.php?ev=
index3.php?get=
index3.php?go=
index3.php?home=
index3.php?inc=
index3.php?include=
index3.php?index=
index3.php?ir=
index3.php?itemnav=
index3.php?left=
index3.php?link=
index3.php?loader=
index3.php?menue=
index3.php?mid=
index3.php?middle=
index3.php?mod=
index3.php?my=
index3.php?name=
index3.php?nivel=
index3.php?oldal=
index3.php?open=
index3.php?option=
index3.php?p=
index3.php?pag=
index3.php?pageweb=
index3.php?panel=
index3.php?path=
index3.php?phpbb_root_path=
index3.php?pname=
index3.php?pollname=
index3.php?pre=
index3.php?pref=
index3.php?q=
index3.php?read=
index3.php?redirect=
index3.php?ref=
index3.php?rub=
index3.php?secao=
index3.php?secc=
index3.php?seccion=
index3.php?second=
index3.php?sekce=
index3.php?showpage=
index3.php?sivu=
index3.php?sp=
index3.php?start=
index3.php?t=
index3.php?thispage=
index3.php?tipo=
index3.php?type=
index3.php?url=
index3.php?var=
index3.php?x=
index3.php?xlink=
info.php?*[*]*=
info.php?adresa=
info.php?base_dir=
info.php?body=
info.php?c=
info.php?chapter=
info.php?content=
info.php?doshow=
info.php?ev=
info.php?eval=
info.php?f=
info.php?filepath=
info.php?go=
info.php?header=
info.php?home=
info.php?ID=
info.php?in=
info.php?incl=
info.php?ir=
info.php?itemnav=
info.php?j=
info.php?ki=
info.php?l=
info.php?loader=
info.php?menue=
info.php?mid=
info.php?middlePart=
info.php?o=
info.php?oldal=
info.php?op=
info.php?opcion=
info.php?option=
info.php?pageweb=
info.php?pagina=
info.php?param=
info.php?phpbb_root_path=
info.php?pname=
info.php?pref=
info.php?r=
info.php?read=
info.php?recipe=
info.php?redirect=
info.php?ref=
info.php?rub=
info.php?sec=
info.php?secao=
info.php?seccion=
info.php?start=
info.php?strona=
info.php?subject=
info.php?t=
info.php?texto=
info.php?url=
info.php?var=
info.php?xlink=
info.php?z=
install/index.php?lng=../../include/main.inc&G_PATH=
Interior/productlist.php?id=
interna/tiny_mce/plugins/ibrowser/ibrowser.php?tinyMCE_imglib_include=
Internal Server Error
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"d.aspx?id" || inurl:"d.aspx?id"
intext:"enable password 7"
intext:"enable secret 5 $"
intext:"Error Message : Error loading required libraries."
intext:"EZGuestbook"
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Mail admins login here to administrate your domain."
intext:"Master Account" "Domain Name" "Password" inurl:/cgi-bin/qmailadmin
intext:"Powered By : SE Software Technologies" filetype:php
intext:"powered by Web Wiz Journal"
intext:"Session Start * * * *:*:* *" filetype:log
intext:"SteamUserPassphrase=" intext:"SteamAppUser=" -"username" -"user"
intext:"Storage Management Server for" intitle:"Server Administration"
intext:"Tobias Oetiker" "traffic analysis"
intext:"vbulletin" inurl:admincp
intext:"Warning: * am able * write ** configuration file" "includes/configure.php" -
intext:"Warning: Failed opening" "on line" "include_path"
intext:"Web Wiz Journal"
intext:"Welcome to the Web V.Networks" intitle:"V.Networks [Top]" -filetype:htm
intext:"Welcome to" inurl:"cp" intitle:"H-SPHERE" inurl:"begin.html" -Fee
intext:(password | passcode) intext:(username | userid | user) filetype:csv
intext:gmail invite intext:http://gmail.google.com/gmail/a
intext:SQLiteManager inurl:main.php
intext:ViewCVS inurl:Settings.php
intitle:"--- VIDEO WEB SERVER ---" intext:"Video Web Server" "Any time & Any where" username password
intitle:"*- HP WBEM Login" | "You are being prompted to provide login account information for *" | "Please provide the information requested and press
intitle:"500 Internal Server Error" "server at"
intitle:"actiontec" main setup status "Copyright 2001 Actiontec Electronics Inc"
intitle:"Admin Login" "admin login" "blogware"
intitle:"Admin login" "Web Site Administration" "Copyright"
intitle:"admin panel" +"
intitle:"admin panel" +"RedKernel"
intitle:"ADSL Configuration page"
intitle:"AlternC Desktop"
intitle:"Apache Tomcat" "Error Report"
intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)
intitle:"AppServ Open Project" -site:www.appservnetwork.com
intitle:"ASP Stats Generator *.*" "ASP Stats Generator" "2003-2004 weppos"
intitle:"Athens Authentication Point"
intitle:"Azureus : Java BitTorrent Client Tracker"
intitle:"b2evo > Login form" "Login form. You must log in! You will have to accept cookies in order to log in" -demo -site:b2evolution.net
intitle:"Belarc Advisor Current Profile" intext:"Click here for Belarc's PC Management products, for large and small companies."
intitle:"Big Sister" +"OK Attention Trouble"
intitle:"BNBT Tracker Info"
intitle:"Browser Launch Page"
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button to co
intitle:"ColdFusion Administrator Login"
intitle:"communigate pro * *" intitle:"entrance"
intitle:"Connection Status" intext:"Current login"
intitle:"Content Management System" "user name"|"password"|"admin" "Microsoft IE 5.5" -mambo
intitle:"curriculum vitae" filetype:doc
intitle:"Default PLESK Page"
intitle:"Dell Remote Access Controller"
intitle:"DocuShare" inurl:"docushare/dsweb/" -faq -gov -edu
intitle:"Docutek ERes - Admin Login" -edu
intitle:"edna:streaming mp3 server" -forums
intitle:"Employee Intranet Login"
intitle:"eMule *" intitle:"- Web Control Panel" intext:"Web Control Panel" "Enter your password here."
intitle:"ePowerSwitch Login"
intitle:"Error Occurred While Processing Request" +WHERE (SELECT|INSERT) filetype:cfm
intitle:"Error Occurred" "The error occurred in" filetype:cfm
intitle:"Error using Hypernews" "Server Software"
intitle:"EverFocus.EDSR.applet"
intitle:"Execution of this s?ri?t not permitted"
intitle:"Execution of this script not permitted"
intitle:"eXist Database Administration" -demo
intitle:"EXTRANET * - Identification"
intitle:"EXTRANET login" -.edu -.mil -.gov
intitle:"EZPartner" -netpond
intitle:"Flash Operator Panel" -ext:php -wiki -cms -inurl:asternic -inurl:sip -intitle:ANNOUNCE -inurl:lists
intitle:"FTP root at"
intitle:"Gateway Configuration Menu"
intitle:"Horde :: My Portal" -"[Tickets"
intitle:"i-secure v1.1" -edu
intitle:"Icecast Administration Admin Page"
intitle:"iDevAffiliate - admin" -demo
product-list.php?id=
product-range.php?rangeID=
product.php?****=
product.php?bid=
product.php?bookID=
product.php?cat=
product.php?id_h=
product.php?id=
product.php?intProdID=
product.php?intProductID=
product.php?ItemID=
product.php?ItemId=
product.php?pid=
product.php?prd=
product.php?prodid=
product.php?product_id=
product.php?product=
product.php?ProductID=
product.php?productid=
product.php?shopprodid=
product.php?sku=
product/detail.php?id=
product/list.php?pid=
product/product.php?cate=
product/product.php?product_no=
productdetail.php?id=
productDetails.php?idProduct=
productDisplay.php
productinfo.php?id=
productinfo.php?item=
productList.php?cat=
productlist.php?fid=
productlist.php?grpid=
productlist.php?id=
ProductList.php?id=
productList.php?id=
productlist.php?tid=
productlist.php?ViewType=Category&CategoryID=
productpage.php
products_category.php?CategoryID=
products_detail.php?CategoryID=
products-display-details.php?prodid=
products.php?act=
products.php?cat_id=
products.php?cat=
products.php?categoryID=
products.php?catid=
products.php?DepartmentID=
products.php?groupid=
products.php?ID=
products.php?keyword=
products.php?openparent=
products.php?p=
products.php?rub=
products.php?type=
products/?catID=
products/Blitzball.htm?id=
products/card.php?prodID=
products/index.php?rangeid=
products/parts/detail.php?id=
products/product-list.php?id=
products/product.php?id=
products/product.php?pid=
products/products.php?p=
productsByCategory.php?intCatalogID=
productsview.php?proid=
produit.php?id=
prodView.php?idProduct=
profile_print.php?id=
profile_view.php?id=
profile.php?id=
profiles/profile.php?profileid=
projdetails.php?id=
projects/event.php?id=
promo.php?id=
promotion.php?catid=
properties.php?id_cat=
property.php?id=
psyBNC config files
psychology/people/detail.php?id=
pub/pds/pds_view.php?start=
publications.php?Id=
publications.php?id=
publications.php?ID=
publications/book_reviews/full_review.php?id=
publications/publication.php?id=
publications/view.php?id=
purelydiamond/products/category.php?cat=
pview.php?Item=
pwd.db
pylones/item.php?item=
questions.php?questionid=
Quicken data files
rating.php?id=
rating/stat.php?id=
ray.php?id=
rdbqds -site:.edu -site:.mil -site:.gov
read.php?id=
readnews.php?id=
reagir.php?num=
recipe/category.php?cid=
redaktion/whiteteeth/detail.php?nr=
RedKernel"
referral/detail.php?siteid=
releases_headlines_details.php?id=
releases.php?id=
remixer.php?id=
reply.php?id=
resellers.php?idCategory=
resources/detail.php?id=
resources/index.php?cat=
resources/vulnerabilities_list.php?id=
results.php?cat=
review.php?id=
review/review_form.php?item_id=
reviews.php?id=
robots.txt
rounds-detail.php?id=
rss.php?cat=
rss/event.php?id=
rtfe.php?siteid=
rub.php?idr=
s.php?w=
Sales/view_item.php?id=
savecart.php?CartId=
schule/termine.php?view=
search.php?CartID=
search.php?cutepath=
search/display.php?BookID=
searchcat.php?search_id=
section.php?id=
section.php?section=
select_biblio.php?id=
Select_Item.php?id=
sem.php3?id=
send_reminders.php?includedir=
server-dbs "intitle:index of"
Services.php?ID=
services.php?page=
shippinginfo.php?CartId=
shop_category.php?id=
shop_details.php?prodid=
shop_display_products.php?cat_id=
shop.php?a=
shop.php?action=
shop.php?bookid=
shop.php?cartID=
shop.php?do=part&id=
shop/books_detail.php?bookID=
shop/category.php?cat_id=
shop/eventshop/product_detail.php?itemid=
Shop/home.php?cat=
shop/home.php?cat=
shop/index.php?cPath=
shopaddtocart.php
shopaddtocart.php?catalogid=
shopbasket.php?bookid=
shopbycategory.php?catid=
shopcafe-shop-product.php?bookId=
shopcart.php?title=
shopcreatorder.php
shopcurrency.php?cid=
shopdc.php?bookid=
shopdisplaycategories.php
shopdisplayproduct.php?catalogid=
shopdisplayproducts.php
shopexd.php
shopexd.php?catalogid=
shopping_basket.php?cartID=
shopping.php?id=
shopprojectlogin.php
shopquery.php?catalogid=
shopremoveitem.php?cartid=
shopreviewadd.php?id=
shopreviewlist.php?id=
ShopSearch.php?CategoryID=
shoptellafriend.php?id=
shopthanks.php
shopwelcome.php?title=
show_an.php?id=
show_bug.cgi?id=
show_item_details.php?item_id=
show_item.php?id=
show_news.php?cutepath=
show-book.php?id=
show.php?*root*=
show.php?abre=
show.php?adresa=
show.php?b=
show.php?base_dir=
show.php?channel=
show.php?chapter=
show.php?cmd=
show.php?corpo=
show.php?d=
show.php?disp=
show.php?filepath=
show.php?get=
show.php?go=
show.php?header=
show.php?home=
show.php?id=
show.php?inc=
show.php?incl=
show.php?include=
show.php?index=
show.php?ir=
show.php?j=
show.php?ki=
show.php?l=
show.php?left=
show.php?loader=
show.php?m=
show.php?mid=
show.php?middlePart=
show.php?modo=
show.php?module=
show.php?my=
show.php?n=
show.php?nivel=
show.php?oldal=
show.php?page=
show.php?pageweb=
show.php?pagina=
show.php?param=
show.php?path=
show.php?play=
show.php?pname=
show.php?pre=
show.php?qry=
show.php?r=
show.php?read=
show.php?recipe=
show.php?redirect=
show.php?seccion=
show.php?second=
show.php?sp=
show.php?thispage=
show.php?to=
show.php?type=
show.php?x=
show.php?xlink=
show.php?z=
showbook.php?bookid=
showfeature.php?id=
showimg.php?id=
showproduct.php?cat=
showproduct.php?prodid=
showproduct.php?productId=
showStore.php?catID=
showsub.php?id=
shprodde.php?SKU=
shredder-categories.php?id=
signin filetype:url
sinformer/n/imprimer.php?id=
singer/detail.php?siteid=
site:.pk intext:Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in & “id”
site:.pk intext:Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in & “id”
site:edu admin grades
site:netcraft.com intitle:That.Site.Running Apache
site:www.mailinator.com inurl:ShowMail.do
site.php?id=
site/?details&prodid=
site/en/list_service.php?cat=
site/products.php?prodid=
sitebuildercontent
sitebuilderfiles
sitebuilderpictures
sitio.php?*root*=
sitio.php?abre=
sitio.php?addr=
sitio.php?body=
sitio.php?category=
sitio.php?chapter=
sitio.php?content=
sitio.php?destino=
sitio.php?disp=
sitio.php?doshow=
sitio.php?e=
sitio.php?ev=
sitio.php?get=
sitio.php?go=
sitio.php?goFile=
sitio.php?inc=
sitio.php?incl=
sitio.php?index=
sitio.php?ir=
sitio.php?left=
sitio.php?menu=
sitio.php?menue=
sitio.php?mid=
sitio.php?middlePart=
sitio.php?modo=
sitio.php?name=
sitio.php?nivel=
sitio.php?oldal=
sitio.php?opcion=
sitio.php?option=
sitio.php?pageweb=
sitio.php?param=
sitio.php?pg=
sitio.php?pr=
sitio.php?qry=
sitio.php?r=
sitio.php?read=
sitio.php?recipe=
sitio.php?redirect=
sitio.php?rub=
sitio.php?sec=
sitio.php?secao=
sitio.php?secc=
sitio.php?section=
sitio.php?sivu=
sitio.php?sp=
sitio.php?start=
sitio.php?strona=
sitio.php?t=
sitio.php?texto=
sitio.php?tipo=
sitio/item.php?idcd=
skins/advanced/advanced1.php?pluginpath[0]=
skunkworks/content.php?id=
smarty_config.php?root_dir=
Snitz! forums db path error
socsci/events/full_details.php?id=
socsci/news_items/full_story.php?id=
software_categories.php?cat_id=
solpot.html?body=
sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=
specials.php?id=
specials.php?osCsid=
sport.php?revista=
spr.php?id=
spwd.db / passwd
SQL data dumps
SQL syntax error
sql.php?id=
SQuery/lib/gore.php?libpath=
Squid cache server reports
staff_id=
staff/publications.php?sn=
standard.php?*[*]*=
standard.php?abre=
standard.php?action=
standard.php?base_dir=
standard.php?body=
standard.php?channel=
standard.php?chapter=
standard.php?cmd=
standard.php?cont=
standard.php?destino=
standard.php?dir=
standard.php?e=
standard.php?ev=
standard.php?eval=
standard.php?go=
standard.php?goFile=
standard.php?goto=
standard.php?home=
standard.php?in=
standard.php?include=
standard.php?index=
standard.php?j=
standard.php?lang=
standard.php?link=
standard.php?menu=
standard.php?middle=
standard.php?my=
standard.php?name=
standard.php?numero=
standard.php?oldal=
standard.php?op=
standard.php?open=
standard.php?pagina=
standard.php?panel=
standard.php?param=
standard.php?phpbb_root_path=
standard.php?pollname=
standard.php?pr=
standard.php?pre=
standard.php?pref=
standard.php?q=
standard.php?qry=
standard.php?ref=
standard.php?s=
standard.php?secc=
standard.php?seccion=
standard.php?section=
standard.php?showpage=
standard.php?sivu=
standard.php?str=
standard.php?subject=
standard.php?url=
standard.php?var=
standard.php?viewpage=
standard.php?w=
standard.php?where=
standard.php?xlink=
standard.php?z=
start.php?*root*=
start.php?abre=
start.php?addr=
start.php?adresa=
start.php?b=
start.php?base_dir=
start.php?basepath=
start.php?body=
start.php?chapter=
start.php?cmd=
start.php?corpo=
start.php?destino=
start.php?eval=
start.php?go=
start.php?header=
start.php?home=
start.php?in=
start.php?include=
start.php?index=
start.php?ir=
start.php?lang=
start.php?load=
start.php?loader=
start.php?mid=
start.php?modo=
start.php?module=
start.php?name=
start.php?nivel=
start.php?o=
start.php?oldal=
start.php?op=
start.php?option=
start.php?p=
start.php?pageweb=
start.php?panel=
start.php?param=
start.php?pg=
start.php?play=
start.php?pname=
start.php?pollname=
start.php?rub=
start.php?secao=
start.php?seccion=
start.php?seite=
start.php?showpage=
start.php?sivu=
start.php?sp=
start.php?str=
start.php?strona=
start.php?thispage=
start.php?tipo=
start.php?where=
start.php?xlink=
stat.php?id=
static.php?id=
stockists_list.php?area_id=
store_bycat.php?id=
store_listing.php?id=
Store_ViewProducts.php?Cat=
store-details.php?id=
store.php?cat_id=
store.php?id=
store/default.php?cPath=
store/description.php?iddesc=
store/home.php?cat=
store/index.php?cat_id=
store/product.php?productid=
store/view_items.php?id=
storefront.php?id=
storefronts.php?title=
storeitem.php?item=
storemanager/contents/item.php?page_code=
StoreRedirect.php?ID=
story.php?id=
Stray-Questions-View.php?num=
sub*.php?*[*]*=
sub*.php?*root*=
sub*.php?abre=
sub*.php?action=
sub*.php?adresa=
sub*.php?b=
sub*.php?base_dir=
sub*.php?basepath=
sub*.php?body=
sub*.php?category=
sub*.php?channel=
sub*.php?chapter=
sub*.php?cont=
sub*.php?content=
sub*.php?corpo=
sub*.php?destino=
sub*.php?g=
sub*.php?go=
sub*.php?goFile=
sub*.php?header=
sub*.php?id=
sub*.php?include=
sub*.php?ir=
sub*.php?itemnav=
sub*.php?j=
sub*.php?k=
sub*.php?lang=
sub*.php?left=
sub*.php?link=
sub*.php?load=
sub*.php?menue=
sub*.php?mid=
sub*.php?middle=
sub*.php?mod=
sub*.php?modo=
sub*.php?module=
sub*.php?my=
sub*.php?name=
sub*.php?oldal=
sub*.php?op=
sub*.php?open=
sub*.php?OpenPage=
sub*.php?option=
sub*.php?pa=
sub*.php?pag=
sub*.php?panel=
sub*.php?path=
sub*.php?phpbb_root_path=
sub*.php?play=
sub*.php?pname=
sub*.php?pre=
sub*.php?qry=
sub*.php?recipe=
sub*.php?rub=
sub*.php?s=
sub*.php?sec=
sub*.php?secao=
sub*.php?secc=
sub*.php?seite=
sub*.php?sp=
sub*.php?str=
sub*.php?thispage=
sub*.php?u=
sub*.php?viewpage=
sub*.php?where=
sub*.php?z=
subcategories.php?id=
summary.php?PID=
Supplied argument is not a valid PostgreSQL result
support/mailling/maillist/inc/initdb.php?absolute_path=
sw_comment.php?id=
tas/event.php?id=
tecdaten/showdetail.php?prodid=
tek9.php?
template.php?*[*]*=
template.php?a=
template.php?Action=Item&pid=
template.php?addr=
template.php?base_dir=
template.php?basepath=
template.php?c=
template.php?choix=
template.php?cont=
template.php?content=
template.php?corpo=
template.php?dir=
template.php?doshow=
template.php?e=
template.php?f=
template.php?goto=
template.php?h=
template.php?header=
template.php?ir=
template.php?k=
template.php?lang=
template.php?left=
template.php?load=
template.php?menue=
template.php?mid=
template.php?mod=
template.php?name=
template.php?nivel=
template.php?op=
template.php?opcion=
template.php?pag=
template.php?page=
template.php?pagina=
template.php?panel=
template.php?param=
template.php?path=
template.php?play=
template.php?pre=
template.php?qry=
template.php?ref=
template.php?s=
template.php?secao=
template.php?second=
template.php?section=
template.php?seite=
template.php?sekce=
template.php?showpage=
template.php?sp=
template.php?str=
template.php?t=
template.php?texto=
template.php?thispage=
template.php?tipo=
template.php?viewpage=
template.php?where=
template.php?y=
templet.php?acticle_id=
test.php?page=
theme.php?id=
things-to-do/detail.php?id=
today.php?eventid=
tools/print.php?id=
tools/send_reminders.php?includedir=
top10.php?cat=
topic.php?ID=
toynbeestudios/content.php?id=
tradeCategory.php?id=
trailer.php?id=
trainers.php?id=
transcript.php?id=
trillian.ini
tuangou.php?bookid=
type.php?iType=
UBB.threads")|(inurl:login.php "ubb")
UebiMiau" -site:sourceforge.net
Ultima Online loginservers
Unreal IRCd
updatebasket.php?bookid=
updates.php?ID=
usb/devices/showdev.php?id=
veranstaltungen/detail.php?id=
video.php?content=
video.php?id=
view_author.php?id=
view_cart.php?title=
view_detail.php?ID=
view_faq.php?id=
view_item.php?id=
view_item.php?item=
view_items.php?id=
view_newsletter.php?id=
view_product.php?id=
view-event.php?id=
view.php?*[*]*=
view.php?adresa=
view.php?b=
view.php?body=
view.php?channel=
view.php?chapter=
view.php?choix=
view.php?cid=
view.php?cmd=
view.php?content=
view.php?disp=
view.php?get=
view.php?go=
view.php?goFile=
view.php?goto=
view.php?header=
view.php?id=
view.php?incl=
view.php?ir=
view.php?ki=
view.php?lang=
view.php?load=
view.php?loader=
view.php?mid=
view.php?middle=
view.php?mod=
view.php?oldal=
view.php?option=
view.php?pag=
view.php?page=
view.php?pageNum_rscomp=
view.php?panel=
view.php?pg=
view.php?phpbb_root_path=
view.php?pollname=
view.php?pr=
view.php?qry=
view.php?recipe=
view.php?redirect=
view.php?sec=
view.php?secao=
view.php?seccion=
view.php?second=
view.php?seite=
view.php?showpage=
view.php?sp=
view.php?str=
view.php?to=
view.php?type=
view.php?u=
view.php?var=
view.php?where=
view/7/9628/1.html?reply=
viewapp.php?id=
viewcart.php?CartId=
viewCart.php?userID=
viewCat_h.php?idCategory=
viewevent.php?EventID=
viewitem.php?recor=
viewphoto.php?id=
viewPrd.php?idcategory=
ViewProduct.php?misc=
viewshowdetail.php?id=
viewthread.php?tid=
voteList.php?item_ID=
wamp_dir/setup/yesno.phtml?no_url=
warning "error on line" php sablotron
WebLog Referrers
website.php?id=
Welcome to ntop!
whatsnew.php?idCategory=
wiki/pmwiki.php?page****=
Windows 2000 web server error messages
WsAncillary.php?ID=
WsPages.php?ID=noticiasDetalle.php?xid=
www/index.php?page=
wwwboard WebAdmin inurl:passwd.txt wwwboard|webadmin
WWWThreads")|(inurl:"wwwthreads/login.php")|(inurl:"wwwthreads/login.pl?Cat=")
XOOPS Custom Installation
yacht_search/yacht_view.php?pid=
YZboard/view.php?id=
zb/view.php?uid=
zentrack/index.php?configFile=

2020 Google Dorks List

site:accounts..com/signin/ intitle:"index of" drupal intitle:"index of" admin inurl:login.cgi    Pages Containing Login Portals site:/joomla/administrator
inurl:/login/index.jsp -site:hertz.*
intitle:"Index of" inurl:wp-json/oembed
intitle:"Index of" phpmyadmin
intitle:"Index of" wp-admin
intitle:index.of.?.sql
inurl: /filemanager/dialog.php
s3 site:amazonaws.com filetype:log
inurl:cgi/login.pl
inurl:zoom.us/j and intext:scheduled for
site:*/auth intitle:login
nurl: admin/login.aspx Pages Containing Login Portals
"Index of" inurl:webalizer
"Index of" inurl:phpmyadmin
"Index of" inurl:htdocs inurl:xampp
s3 site:amazonaws.com intext:dhcp filetype:txt inurl:apollo
inurl:/index.aspx/login
site:amazonaws.com inurl:login.php
intitle:"IIS Windows Server" -inurl:"IIS Windows Server"
intitle:"Apache2 Ubuntu Default Page: It works"
inurl:/filedown.php?file=
inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software"
inurl:app/kibana intext:Loading Kibana
site:https://docs.google.com/spreadsheets edit
inurl:8443 AND -intitle:8443 AND -intext:8443 prohibited|restricted|unauthorized
intitle:"index of" unattend.xml
inurl:/admin/index.php
inurl:bc.googleusercontent.com intitle:index of
inurl:office365 AND intitle:"Sign In | Login | Portal"
intext:"@gmail.com" AND intext:"@yahoo.com" filetype:sql
intitle:OmniDB intext:"user. pwd. Sign in."
intitle:"qBittorrent Web UI" inurl:8080
site:com inurl:jboss filetype:log -github.com
intitle:"index of" ".cpanel/caches/config/"
inurl:'/scopia/entry/index.jsp'
inurl:/index.aspx/login
intitle: "index of" "./" "./bitcoin"
inurl:/portal/apis/fileExplorer/
intitle:"index of" "/aws.s3/"
intitle:"index of" hosts.csv | firewalls.csv | linux.csv | windows.csv
intitle:Test Page for the Nginx HTTP Server on Fedora
inurl:_cpanel/forgotpwd
intitle:"index of /" intext:/backup
intitle:"Swagger UI - " + "Show/Hide"
site:drive.google.com /preview intext:movie inurl:flv | wmv | mp4 -pdf -edit -view
intext:"class JConfig {" inurl:configuration.php
"index of" "database.sql.zip"

The Google dorks list is never-ending; it keeps growing as new technologies and vulnerabilities appear.

Conclusion

Google dorking is also known as Google hacking. We have tried our best to give you the most relevant Google dorks list, using search operators to surface information that is difficult to locate through simple search queries.

Thousands of Google dorks are available online; here we have made a comprehensive list that helps you test your network and helps to find more vulnerable sites.



Netflix has gotten rid of its content shuffle feature


Whether it’s with television or on a streaming service, this age-old dilemma persists: There’s a ton of stuff on but nothing to watch. Netflix has a feature that will shuffle content for you named “Surprise Me”. However, that feature has gotten the boot.

It seems weird that Netflix would have a shuffle feature. If you opened the app but didn’t know what you wanted to watch, you could press the Surprise Me button to get a randomly-selected piece of media. You might have gotten a show or a movie.

That sounds scary, but you’d only get content based on your watch history. If you’re big into Disney movies, you wouldn’t get a random hack n’ slash film.

Netflix got rid of its shuffle feature

If you liked using this feature, then there’s bad news. According to The Wall Street Journal (via Android Police), the company discontinued the feature back in January. It’s news now because most people didn’t even know that the feature was nixed. The company admitted that it canceled the feature because people just weren’t using it.

A Netflix spokesperson said that when people log onto the platform, they have a solid idea of what they want to watch. There’s not much point in this feature if people aren’t on the search for content.

As you can imagine, the Surprise Me feature was a way of keeping people on the app. If you open the app and you can’t find what you’re looking for, you’re going to leave the app. That’s a bigger issue now than ever when there are about 1,000 other streaming services you can go to for content.

But now that the feature is gone, Netflix is going to move forward. It’s still working on putting a halt to password sharing. The company has been getting a ton of flak for its aggressive stance on password sharing. Only one person is allowed to have an account. If that person wants to share their password, they’ll need to pay more each month.



Fitbit files a patent for a blood pressure tech


According to The Verge, the Google-owned wearables maker Fitbit is reportedly working to bring blood pressure technology to its products or the next generation of the Pixel Watch. The company has recently filed a patent for technology that enables blood pressure readings on a smartwatch by tapping on the display.

As per the filing details, the technology includes a force-sensitive screen and a photoplethysmography (PPG) sensor to measure blood pressure. Filing the patent means that the Fitbit engineers are working on this technology, but we don’t know when it will find its way toward the company’s products.

Fitbit might be developing blood pressure technology for the next Pixel Watch

Smartwatches currently offer a plethora of health monitoring features, but blood pressure measurement is rare among them. You can now find blood pressure technology on the Samsung Galaxy Watch 5. Likewise, other manufacturers like Apple and Google are also expected to add this technology to their next wearables. That’s why we should take the Fitbit claims with a pinch of salt.

Many believe that the Pixel Watch has become the main focus of Google, and Fitbit products aren’t a priority anymore. Google has recently rebranded the company to “Fitbit by Google.” Additionally, the latest Fitbit smartwatches don’t offer anything extraordinary compared to the Pixel Watch or other rivals.

With the prediction of dire economic conditions for Google, the company might be less likely to invest in multiple similar products at the same time. Another scenario is Google doesn’t want to turn Fitbit smartwatches into a rival to Pixel Watch.

Yet, it needs to be determined if this blood pressure technology will come to a Fitbit-branded product or the next Pixel Watch. Judging based on recent events, Fitbit is more likely to hand over this technology to the Pixel Watch to be used as a competitive advantage. Also, Apple’s 2024 smartwatches are expected to launch with blood pressure checkers (via Bloomberg).



How to Build a Security Operations Center (SOC Guide)

Security Operations Center

Today’s cybersecurity operations center (CSOC) should have everything it needs to mount a competent defense of the ever-changing information technology (IT) enterprise.

This includes a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals. Yet, most CSOCs continue to fall short in keeping the adversary—even the unsophisticated one—out of the enterprise.

Ensuring the confidentiality, integrity, and availability of the modern information technology (IT) enterprise is a big job.

It incorporates many tasks, from robust systems engineering and configuration management (CM) to effective cybersecurity or information assurance (IA) policy and comprehensive workforce training.

It must also include cybersecurity operations, where a group of people is charged with monitoring and defending the enterprise against all measures of cyber attack.

What Is a SOC?

A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents using cybersecurity incident response tools.

Computer network defense (CND) is the practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.

There are many terms that have been used to reference a team of cybersecurity experts assembled to perform CND.

They include:

  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Response Team (CIRT)
  • Computer Incident Response Center (or Capability) (CIRC)
  • Computer Security Incident Response Center (or Capability) (CSIRC)
  • Security Operations Center (SOC)
  • Cybersecurity Operations Center (CSOC)
  • Computer Emergency Response Team (CERT)

In order for an organization to be considered a SOC, it must:

  1. Provide a means for constituents to report suspected cybersecurity incidents
  2. Provide incident handling assistance to constituents
  3. Disseminate incident-related information to constituents and external parties.

Mission and Operations Tempo

SOCs can range from small, five-person operations to large, national coordination centers. A midsize SOC’s mission statement typically includes the following elements:

1. Prevention of cybersecurity incidents through proactive:

  a. Continuous threat analysis
  b. Network and host scanning for vulnerabilities
  c. Countermeasure deployment coordination
  d. Security policy and architecture consulting.

2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources

3. Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures

4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations

5. Engineering and operating CND technologies such as IDSes and data collection/analysis systems.

Of these responsibilities, perhaps the most time-consuming are the consumption and analysis of copious amounts of security-relevant data. Among the many security-relevant data feeds a Security Operations Center is likely to ingest, the most prominent are often IDSes.

IDSes are systems placed on either the host or the network to detect potentially malicious or unwanted activity that warrants further attention by the SOC analyst.

Combined with security audit logs and other data feeds, a typical SOC will collect, analyze, and store tens or hundreds of millions of security events every day.

An event is “Any observable occurrence in a system and/or network. Events sometimes provide an indication that an incident is occurring” (e.g., an alert generated by an IDS or a security audit service). An event is nothing more than raw data.

It takes human analysis—the process of evaluating the meaning of a collection of security-relevant data, typically with the assistance of specialized tools—to establish whether further action is warranted.

Tier Level:

  1. Tier 1
  2. Tier 2
  3. Tier 3
  4. SOC Manager

Tier 1: Alert Analyst

Duties

Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.

Required Training

Alert triage procedures; intrusion detection; network, security information and event management (SIEM) and host-based investigative training; and other tool-specific training. You can take SOC training from leading experts.

Tier 2: Incident Responder

Duties

Performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.

Required Training

Advanced network forensics, host-based forensics, incident response procedures, log reviews, basic malware assessment, network forensics and threat intelligence. Certifications could include SANS SEC501: Advanced Security Essentials – Enterprise Defender; SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.

Tier 3: Subject Matter Expert/Hunter

Duties

Possesses in-depth knowledge of network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter,” not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.

Required Training

Advanced training on anomaly detection; tool-specific training for data aggregation and analysis and threat intelligence.

Certifications could include SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling; SANS SEC561: Intense Hands-on Pen Testing Skill Development; SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.

SOC Manager

Duties

Manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs; communicates with management; serves as organizational point person for business-critical incidents; provides overall direction for the SOC and input to the overall security strategy.

Required Training

Project management, incident response management training, general people management skills. Certifications include CISSP, CISA, CISM or CGEIT.

The SOC typically will leverage internal and external resources in response to and recovery from the incident. It is important to recognize that a SOC may not always deploy countermeasures at the first sign of an intrusion. There are three reasons for this:

  • 1. The SOC wants to be sure that it is not blocking benign activity.
  • 2. A response action could impact a constituency’s mission services more than the incident itself.
  • 3. Understanding the extent and severity of the intrusion by watching the adversary is sometimes more effective than performing static forensic analysis on compromised systems, once the adversary is no longer present.

To determine the nature of the attack, the SOC often must perform advanced forensic analysis on artifacts such as hard drive images or full-session packet capture (PCAP), or malware reverse engineering on malware samples collected in support of an incident.

Sometimes, forensic evidence must be collected and analyzed in a legally sound manner. In such cases, the SOC must observe greater rigor and repeatability in its procedures than would otherwise be necessary.

Building a Security Operations Center (SOC)

In addition to SOC analysts, a security operations center requires a ringmaster for its many moving parts.

The SOC manager often fights fires, within and outside of the SOC. The SOC manager is responsible for prioritizing work and organizing resources with the ultimate goal of detecting, investigating and mitigating incidents that could impact the business.

The SOC manager should develop a workflow model and implement standardized operating procedures (SOPs) for the incident-handling process that guides analysts through triage and response procedures.

Processes

Defining repeatable incident triage and investigation processes standardizes the actions a SOC analyst takes and ensures no important tasks fall through the cracks.

Creating a repeatable incident management workflow defines team members’ responsibilities and actions, from the creation of an alert and initial Tier 1 evaluation through escalation to Tier 2 or Tier 3 personnel.

Based on the workflow, resources can be effectively allocated.

One of the most frequently used incident response process models is the DOE/CIAC model, which consists of six stages: preparation, identification, containment, eradication, recovery and lessons learned.

Technology

An enterprisewide data collection, aggregation, detection, analytic and management solution is the core technology of a successful SOC.

An effective security monitoring system incorporates data gathered from the continuous monitoring of endpoints (PCs, laptops, mobile devices and servers) as well as networks and log and event sources.

With the benefit of network, log and endpoint data gathered prior to and during the incident, SOC analysts can immediately pivot from using the security monitoring system as a detective tool to using it as an investigative tool, reviewing suspicious activities that make up the present incident, and even as a tool to manage the response to an incident or breach.

Compatibility of technologies is imperative, and data silos are bad—particularly if an organization has an existing security monitoring solution (SIEM, endpoint, network or other) and wants to incorporate that tool’s reporting into the incident management solution.

Adding Context to Security Incidents

The incorporation of threat intelligence, asset, identity and other context information is another way that an effective enterprise security monitoring solution can aid the SOC analyst’s investigative process.

Often, an alert is associated with a network or host-based activity and, initially, may contain only the suspicious endpoint’s IP address.

In order for the SOC analyst to investigate the system in question, the analyst generally needs other information, such as the owner and hostname of the machine or DHCP-sourced records for mapping IP and host information at the time of the alert.

[Figure: Compatible Technologies Aid Detection. Data aggregation for improved incident handling: network flows, network traffic, security events, identity/asset context, endpoint data, system logs and threat intel feeds all feed the security monitoring system.]

Visibility: By centralizing these various sources of data into a security monitoring system, the SOC gains actionable insight into possible anomalies indicative of threat activity.

Analysis: Security operations analysts can analyze data from various sources and further interrogate and triage devices of interest to scope an incident.

Action: Based on findings, automated and manual interventions can be made to include patching, firewall modification, system quarantine or reimage, and credential revocation.

If the security monitoring system incorporates asset and identity information, it provides a huge advantage in time and analyst effort, not to mention key factors the analyst can use to prioritize the security incident—generally speaking, higher-value business assets should be prioritized over lower-value assets.
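The enrichment step described above, as an added example that is not part of the original article: an IP-only alert is mapped to the host that held the address at alert time using DHCP lease history, then ranked by asset value. All hostnames, addresses, owners, asset values and the default value for unknown assets are constructed assumptions.

```python
"""Turn IP-only alerts into host-attributed, prioritized alerts."""
from datetime import datetime


def t(stamp):
    """Parse a constructed timestamp such as '2024-01-10 09:30'."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed DHCP lease history: (ip, lease start, lease end, hostname).
# 10.0.4.23 is reassigned at midday, so the IP alone is ambiguous.
LEASES = [
    ("10.0.4.23", t("2024-01-10 08:00"), t("2024-01-10 12:00"), "hr-laptop-07"),
    ("10.0.4.23", t("2024-01-10 12:05"), t("2024-01-10 20:00"), "pay-db-01"),
    ("10.0.4.51", t("2024-01-10 07:00"), t("2024-01-10 19:00"), "kiosk-02"),
]

# Constructed asset inventory: owner and business value (1 = low, 5 = critical).
ASSETS = {
    "hr-laptop-07": {"owner": "hr-team", "value": 2},
    "pay-db-01": {"owner": "finance-ops", "value": 5},
    "kiosk-02": {"owner": "facilities", "value": 1},
}

# Constructed alerts as they first arrive: only an IP, a time and a severity.
ALERTS = [
    {"id": "A1", "ip": "10.0.4.23", "time": t("2024-01-10 09:30"), "severity": 3},
    {"id": "A2", "ip": "10.0.4.23", "time": t("2024-01-10 14:10"), "severity": 3},
    {"id": "A3", "ip": "10.0.4.51", "time": t("2024-01-10 14:20"), "severity": 4},
    {"id": "A4", "ip": "10.0.9.9", "time": t("2024-01-10 14:30"), "severity": 2},
]

# Assumption: an alert we cannot attribute is treated as mid-value so it is
# neither buried under known low-value assets nor ranked above critical ones.
UNKNOWN_ASSET_VALUE = 3


def resolve_host(ip, when, leases=LEASES):
    """Return the hostname that held `ip` at time `when`, or None."""
    for lease_ip, start, end, host in leases:
        if lease_ip == ip and start <= when < end:
            return host
    return None


def enrich(alert, leases=LEASES, assets=ASSETS):
    """Attach host, owner and asset value; flag alerts needing manual lookup."""
    host = resolve_host(alert["ip"], alert["time"], leases)
    asset = assets.get(host)
    return dict(
        alert,
        host=host,
        owner=asset["owner"] if asset else None,
        asset_value=asset["value"] if asset else UNKNOWN_ASSET_VALUE,
        needs_lookup=asset is None,
    )


def prioritize(alerts):
    """Rank enriched alerts: higher-value assets first, then severity, then age."""
    enriched = [enrich(a) for a in alerts]
    return sorted(
        enriched, key=lambda a: (-a["asset_value"], -a["severity"], a["time"])
    )


if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(a["id"], a["host"], a["owner"], a["asset_value"], a["needs_lookup"])
```

Alerts A1 and A2 share an IP address but resolve to different machines, which is why the lookup has to use the lease that was valid at the time of the alert rather than the current one.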

Defining Normal Through Baselining

The ability to create a baseline of activity for users, applications, infrastructure, network and other systems, establishing what normal looks like, is one advantage of aggregated data collected from various enterprise sources.

Armed with the definition of “normal,” detecting suspicious behavior—activities that are in some way outside of the norm— becomes easier.

A properly baselined and configured security monitoring system sends out actionable alerts that can be trusted and often automatically prioritized before getting to the Tier 1 analyst.

One of the top challenges in utilizing log data cited by respondents is the inability to discern normal from suspicious activity.

A best practice is to use platforms that can build baselines by monitoring network and endpoint activity for a period of time to help determine what “normal” looks like and then provide the capability to set event thresholds as key alert drivers.

When an unexpected behavior or deviation from normal activity is detected, the platform creates an alert, indicating further investigation is warranted.
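One way to implement the baseline-then-threshold approach described above, as an added example that is not from the original article. The metric (outbound connections per hour), the host names, the counts, and the `k` and `floor` parameters are constructed assumptions.

```python
"""Build per-entity baselines and alert on deviations from them."""
from statistics import mean, pstdev

# Constructed baseline period: outbound connections per hour for each host.
BASELINE = {
    "web-01": [120, 131, 118, 125, 122, 129, 127],
    "hr-laptop-07": [3, 2, 4, 3, 3, 2, 4],
    "printer-03": [0, 0, 0, 0, 0, 0, 0],
}

# Constructed observations for the hour being evaluated.
OBSERVED = {
    "web-01": 135,
    "hr-laptop-07": 41,
    "printer-03": 6,
    "new-host-99": 12,
}


def build_thresholds(history, k=3.0, floor=5):
    """Return an alert threshold per entity.

    The threshold is mean + k standard deviations, but never less than
    mean + floor. The floor stops very quiet or perfectly flat baselines
    (standard deviation near zero) from alerting on one or two extra events.
    """
    thresholds = {}
    for entity, counts in history.items():
        mu = mean(counts)
        thresholds[entity] = max(mu + k * pstdev(counts), mu + floor)
    return thresholds


def detect(observed, thresholds):
    """Compare current counts with thresholds and return alerts."""
    alerts = []
    for entity, count in sorted(observed.items()):
        limit = thresholds.get(entity)
        if limit is None:
            # No baseline exists: surface the entity for review instead of
            # silently ignoring activity that cannot be judged yet.
            reason = "no_baseline"
        elif count > limit:
            reason = "above_threshold"
        else:
            continue
        alerts.append(
            {"entity": entity, "observed": count, "threshold": limit, "reason": reason}
        )
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED, build_thresholds(BASELINE)):
        print(alert)
```

The busy web server stays quiet at 135 connections because its own variation is wide, while 41 connections from a laptop that normally makes three raises an alert.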

Threat Intelligence

Mature SOCs continually develop the capability to consume and leverage threat intelligence from their past incidents and from information-sharing sources, such as a specialized threat intelligence vendor, industry partners, the cybercrimes division of law enforcement, information-sharing organizations (such as ISACs), or their security monitoring technology vendors.

According to the 2015 SANS Cyber Threat Intelligence (CTI) Survey, 69% of respondents reported that their organization implemented some cyber threat intelligence tools capability, with 27% indicating that their teams fully embrace the concept of CTI and integrated response procedures across systems and staff.

A security monitoring system’s capability to operationalize threat intelligence and use it to help spot patterns in endpoint, log and network data, as well as associate anomalies with past alerts, incidents or attacks, can enhance an organization’s capability to detect a compromised system or user prior to it exhibiting the characteristics of a breach.

In fact, 55% of the respondents of the CTI Survey are currently using a centralized security management system to aggregate, analyze and operationalize their CTI.

Efficient SOC Incident Handling

To achieve efficient incident handling, the SOC must avoid bottlenecks in the IR process that moves incidents through Tier 1, into Tier 2, and finally through Tier 3.

Bottlenecks can occur due to too much “white noise,” alerts of little consequence or false-positives that lead to analyst “alert fatigue.”

This phenomenon is a common experience among responders, as shown in the Incident Response Survey results, where 15% reported responding to more than 20 false-positive alarms originally classified as incidents.

When choosing an enterprise security monitoring tool, look for such features as alert threshold customization and the ability to combine many alerts into a single incident.

Also, when incidents include additional context, analysts can triage them more quickly, reducing the layers of evaluation that must take place before an issue can be confirmed and quickly mitigated.
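A sketch of the "combine many alerts into a single incident" feature mentioned above, as an added example that is not from the original article. The grouping rule (same host, no more than 30 minutes between consecutive alerts), the rule names and the sample alerts are constructed assumptions.

```python
"""Collapse related alerts into incidents to reduce analyst alert fatigue."""
from datetime import datetime, timedelta


def at(clock):
    """Parse a constructed same-day timestamp such as '14:05'."""
    return datetime.strptime("2024-01-10 " + clock, "%Y-%m-%d %H:%M")


# Constructed alert stream, deliberately out of order as feeds often are.
ALERTS = [
    {"id": "B2", "host": "pay-db-01", "rule": "failed_logon", "time": at("14:05")},
    {"id": "B1", "host": "pay-db-01", "rule": "failed_logon", "time": at("14:00")},
    {"id": "B6", "host": "kiosk-02", "rule": "av_detection", "time": at("14:03")},
    {"id": "B7", "host": "kiosk-02", "rule": "av_detection", "time": at("14:04")},
    {"id": "B3", "host": "pay-db-01", "rule": "failed_logon", "time": at("14:12")},
    {"id": "B4", "host": "pay-db-01", "rule": "failed_logon", "time": at("14:20")},
    {"id": "B5", "host": "pay-db-01", "rule": "new_admin_account", "time": at("14:31")},
    {"id": "B8", "host": "pay-db-01", "rule": "failed_logon", "time": at("17:00")},
]


def group_into_incidents(alerts, max_gap=timedelta(minutes=30)):
    """Group alerts per host; a quiet period longer than max_gap starts a new incident."""
    incidents = []
    open_incident = {}  # host -> most recent incident for that host
    for alert in sorted(alerts, key=lambda a: a["time"]):
        incident = open_incident.get(alert["host"])
        if incident and alert["time"] - incident["last_seen"] <= max_gap:
            incident["alerts"].append(alert["id"])
            incident["rules"].add(alert["rule"])
            incident["last_seen"] = alert["time"]
        else:
            incident = {
                "host": alert["host"],
                "first_seen": alert["time"],
                "last_seen": alert["time"],
                "alerts": [alert["id"]],
                "rules": {alert["rule"]},
            }
            incidents.append(incident)
            open_incident[alert["host"]] = incident
    return incidents


if __name__ == "__main__":
    for inc in group_into_incidents(ALERTS):
        print(inc["host"], inc["alerts"], sorted(inc["rules"]))
```

Eight alerts become three incidents, and the first one shows repeated failed logons followed by a new admin account on the same host, context that a Tier 1 analyst would otherwise have to assemble by hand.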

Types of SOC

SOCs that are internal to the constituency can be categorized into five organizational models, based on how the team is composed:

1. Security team.

No standing incident detection or response capability exists. In the event of a computer security incident, resources are gathered (usually from within the constituency) to deal with the problem, reconstitute systems, and then stand down.

Results can vary widely as there is no central watch or consistent pool of expertise, and processes for incident handling are usually poorly defined. Constituencies composed of fewer than 1,000 users or IPs usually fall into this category.

2. Internal distributed SOC.

A standing SOC exists but is primarily composed of individuals whose organizational position is outside the SOC and whose primary job is IT or security related but not necessarily CND related.

One person or a small group is responsible for coordinating security operations, but the heavy lifting is carried out by individuals who are matrixed in from other organizations. SOCs supporting a small- to medium-sized constituency, perhaps 500 to 5,000 users or IPs, often fall into this category.

3. Internal centralized SOC.

A dedicated team of IT and cybersecurity professionals comprise a standing CND capability, providing ongoing services.

The resources and the authorities necessary to sustain the day-to-day network defense mission exist in a formally recognized entity, usually with its own budget.

This team reports to a SOC manager who is responsible for overseeing the CND program for the constituency. Most SOCs fall into this category, typically serving constituencies ranging from 5,000 to 100,000 users or IP addresses.

4. Internal combined distributed and centralized SOC.

The Security Operations Center is composed of both a central team (as with internal centralized SOCs) and resources from elsewhere in the constituency (as with internal distributed SOCs). Individuals supporting CND operations outside of the main SOC are not recognized as separate and distinct SOC entities.

For larger constituencies, this model strikes a balance between having a coherent, synchronized team and maintaining an understanding of edge IT assets and enclaves.

SOCs with constituencies in the 25,000–500,000 user/IP range may pursue this approach, especially if their constituency is geographically distributed or they serve a highly heterogeneous computing environment.

5. Coordinating SOC.

The SOC mediates and facilitates CND activities between multiple subordinate distinct SOCs, typically for a large constituency, perhaps measured in the millions of users or IP addresses.

A coordinating SOC usually provides consulting services to a constituency that can be quite diverse.

It typically does not have active or comprehensive visibility down to the end host and most often has limited authority over its constituency.

Coordinating SOCs often serve as distribution hubs for cyber intel, best practices, and training. They also can offer analysis and forensics services, when requested by subordinate SOCs.

Capabilities

A SOC satisfies the constituency’s network monitoring and defense needs by offering a set of services.

SOCs have matured and adapted to increased demands, a changing threat environment, and tools that have dramatically enhanced the state of the art in CND operations.

We also wish to articulate the full scope of what a SOC may do, regardless of whether a particular function serves the constituency, the SOC proper, or both. As a result, SOC services are folded into a comprehensive list of SOC capabilities.

The SOC’s management chain is responsible for picking and choosing what capabilities best fit its constituency’s needs, given political and resource constraints.

  1. Real-Time Analysis
  2. Intel and Trending
  3. Incident Analysis and Response
  4. Artifact Analysis
  5. SOC Tools Life-Cycle Support
  6. Audit and Insider Threat
  7. Scanning and Assessment
  8. Outreach

Real-Time Analysis

Call Center

Tips, incident reports, and requests for CND services from constituents received via phone, email, SOC website postings, or other methods. This is roughly analogous to a traditional IT help desk, except that it is CND specific.

Real-Time Monitoring and Triage

Triage and short-turn analysis of real-time data feeds (such as system logs and alerts) for potential intrusions.

After a specified time threshold, suspected incidents are escalated to an incident analysis and response team for further study. Usually synonymous with a SOC’s Tier 1 analysts, focusing on real-time feeds of events and other data visualizations.

Note: This is one of the most easily recognizable and visible capabilities offered by a SOC, but it is meaningless without a corresponding incident analysis and response capability, discussed below.

Intel and Trending

Cyber Intel Collection and Analysis

Collection, consumption, and analysis of cyber intelligence reports, cyber intrusion reports, and news related to information security, covering new threats, vulnerabilities, products, and research.

Materials are inspected for information requiring a response from the Security Operations Center or distribution to the constituency.

Intel can be culled from coordinating SOCs, vendors, news media websites, online forums, and email distribution lists.

Cyber Intel Distribution

Synthesis, summarization, and redistribution of cyber intelligence reports, cyber intrusion reports, and news related to information security to members of the constituency on either a routine basis (such as a weekly or monthly cyber newsletter) or a non-routine basis (such as an emergency patch notice or phishing campaign alert).

Cyber Intel Creation

Primary authorship of new cyber intelligence reporting, such as threat notices or highlights, based on primary research performed by the SOC. For example, analysis of a new threat or vulnerability not previously seen elsewhere.

This is usually driven by the SOC’s own incidents, forensic analysis, malware analysis, and adversary engagements.

Cyber Intel Fusion

Extracting data from cyber intel and synthesizing it into new signatures, content, and understanding of adversary TTPs, thereby evolving monitoring operations (e.g., new signatures or SIEM content).

Trending

Long-term analysis of event feeds, collected malware, and incident data for evidence of malicious or anomalous activity or to better understand the constituency or adversary TTPs.

This may include unstructured, open-ended, deep-dive analysis on various data feeds, trending and correlation over weeks or months of log data, “low and slow” data analysis, and esoteric anomaly detection methods.

Threat Assessment

Holistic estimation of threats posed by various actors against the constituency, its enclaves, or lines of business, within the cyber realm.

This will include leveraging existing resources such as cyber intel feeds and trending, along with the enterprise’s architecture and vulnerability status. Often performed in coordination with other cybersecurity stakeholders.

Incident Analysis and Response

Incident Analysis

Prolonged, in-depth analysis of potential intrusions and of tips forwarded from other SOC members. This capability is usually performed by analysts in tiers 2 and above within the SOC’s incident escalation process.

It must be completed in a specific time span so as to support a relevant and effective response. This capability will usually involve analysis leveraging various data artifacts to determine the who, what, when, where, and why of an intrusion—its extent, how to limit damage, and how to recover. An analyst will document the details of this analysis, usually with a recommendation for further action.

Tradecraft Analysis

Carefully coordinated adversary engagements, whereby SOC members perform a sustained “down-in-the-weeds” study and analysis of adversary TTPs, in an effort to better understand them and inform ongoing monitoring.

This activity is distinct from other capabilities because (1) it sometimes involves ad-hoc instrumentation of networks and systems to focus on an activity of interest, such as a honeypot, and (2) an adversary will be allowed to continue its activity without immediately being cut off completely.

This capability is closely supported by trending and malware and implant analysis and, in turn, can support cyber intel creation.

Incident Response Coordination

Work with affected constituents to gather further information about an incident, understand its significance, and assess mission impact. More important, this function includes coordinating response actions and incident reporting. This service does not involve the Security Operations Center directly implementing countermeasures.

Countermeasure Implementation

The actual implementation of response actions to an incident to deter, block, or cut off adversary presence or damage. Possible countermeasures include logical or physical isolation of involved systems, firewall blocks, DNS black holes, IP blocks, patch deployment, and account deactivation.

On-site Incident Response

Work with constituents to respond and recover from an incident on-site. This will usually require SOC members who are already located at, or who travel to, the constituent location to apply hands-on expertise in analyzing damage, eradicating changes left by an adversary, and recovering systems to a known good state. This work is done in partnership with system owners and sysadmins.

Remote Incident Response

Work with constituents to recover from an incident remotely. This involves the same work as on-site incident response.

However, SOC members have comparatively less hands-on involvement in gathering artifacts or recovering systems. Remote support will usually be done via phone and email or, in rarer cases, remote terminal or administrative interfaces such as Microsoft Terminal Services or Secure Shell (SSH).

Artifact Analysis

Forensic Artifact Handling

Gathering and storing forensic artifacts (such as hard drives or removable media) related to an incident in a manner that supports its use in legal proceedings. Depending on jurisdiction, this may involve handling media while documenting chain of custody, ensuring secure storage, and supporting verifiable bit-by-bit copies of evidence.

Malware and Implant Analysis

Also known as malware reverse engineering or simply “reversing.” Extracting malware (viruses, Trojans, implants, droppers, etc.) from network traffic or media images and analyzing them to determine their nature.

SOC members will typically look for initial infection vector, behavior, and, potentially, informal attribution to determine the extent of an intrusion and to support timely response.

This may include either static code analysis through decompilation or runtime/execution analysis (e.g., “detonation”) or both.

This capability is primarily meant to support effective monitoring and response. Although it leverages some of the same techniques as traditional “forensics,” it is not necessarily executed to support legal prosecution.

Forensic Artifact Analysis

Analysis of digital artifacts (media, network traffic, mobile devices) to determine the full extent and ground truth of an incident, usually by establishing a detailed timeline of events.

This leverages techniques similar to some aspects of malware and implant analysis but follows a more exhaustive, documented process. This is often performed using processes and procedures such that its findings can support legal action against those who may be implicated in an incident.

SOC Tool Life-Cycle Support

Border Protection Device O&M

Operation and maintenance (O&M) of border protection devices (e.g., firewalls, Web proxies, email proxies, and content filters). Includes updates and CM of device policies, sometimes in response to a threat or incident. This activity is closely coordinated with a NOC.

SOC Infrastructure O&M

O&M of SOC technologies outside the scope of sensor tuning. This includes care and feeding of SOC IT equipment: servers, workstations, printers, relational databases, trouble-ticketing systems, storage area networks (SANs), and tape backup.

If the Security Operations Center has its own enclave, this will likely include maintenance of its routers, switches, firewalls, and domain controllers, if any.

This also may include O&M of monitoring systems, operating systems (OSes), and hardware. Personnel who support this service have “root” privileges on SOC equipment.

Sensor Tuning and Maintenance

Care and feeding of sensor platforms owned and operated by the SOC: IDS, IPS, SIEM, and so forth. This includes updating IDS/IPS and SIEM systems with new signatures, tuning their signature sets to keep event volume at acceptable levels, minimizing false positives, and maintaining up/down health status of sensors and data feeds.

SOC members involved in this service must have a keen awareness of the monitoring needs of the SOC so that the SOC may keep pace with a constantly evolving constituency and threat environment.

Changes to any in-line prevention devices (HIPS/NIPS) are usually coordinated with the NOC or other areas of IT operations. This capability may involve significant ad-hoc scripting to move data around and to integrate tools and data feeds.

Custom Signature Creation

Authoring and implementing original detection content for monitoring systems (IDS signatures, SIEM use cases, etc.) on the basis of current threats, vulnerabilities, protocols, missions, or other specifics to the constituency environment.

This capability leverages tools at the SOC’s disposal to fill gaps left by commercially or community-provided signatures. The SOC may share its custom signatures with other SOCs.

Tool Engineering and Deployment

Market research, product evaluation, prototyping, engineering, integration, deployment, and upgrades of SOC equipment, principally based on free or open source software (FOSS) or commercial off-the-shelf (COTS) technologies.

This service includes budgeting, acquisition, and regular recapitalization of SOC systems. Personnel supporting this service must maintain a keen eye on a changing threat environment, bringing new capabilities to bear in a matter of weeks or months, in accordance with the demands of the mission.

Tool Research and Development

Research and development (R&D) of custom tools where no suitable commercial or open-source capability fits an operational need. This activity’s scope spans from code development for a known, structured problem to multiyear academic research applied to a more complex challenge.

Audit and Insider Threat

Audit Data Collection and Distribution

Collection of a number of security-relevant data feeds for correlation and incident analysis purposes.

This collection architecture may also be leveraged to support distribution and later retrieval of audit data for on-demand investigative or analysis purposes outside the scope of the SOC mission.

This capability encompasses long-term retention of security-relevant data for use by constituents outside the SOC.

Audit Content Creation and Management

Creation and tailoring of SIEM or log management (LM) content (correlation, dashboards, reports, etc.) for purposes of serving constituents’ audit review and misuse detection.

This service builds on the audit data distribution capability, providing not only a raw data feed but also content built for constituents outside the SOC.

Insider Threat Case Support

Support to insider threat analysis and investigation in two related but distinct areas:

  1. Finding tip-offs for potential insider threat cases (e.g., misuse of IT resources, time card fraud, financial fraud, industrial espionage, or theft). The SOC will tip off appropriate investigative bodies (law enforcement, Inspector General [IG], etc.) with a case of interest.
  2. On behalf of these investigative bodies, the SOC will provide further monitoring, information collection, and analysis in support of an insider threat case.

Insider Threat Case Investigation

The SOC leverages its own independent regulatory or legal authority to investigate insider threats, including focused or prolonged monitoring of specific individuals, without needing support or authority from an external entity.

In practice, few SOCs outside the law enforcement community have such authorities, so they usually act under another organization’s direction.

Scanning and Assessment

Network Mapping

Sustained, regular mapping of constituency networks to understand the size, shape, makeup, and perimeter interfaces of the constituency, through automated or manual techniques. These maps often are built in cooperation with—and distributed to—other constituents.

Vulnerability Scanning

Interrogation of constituency hosts for vulnerability status, usually focusing on each system’s patch level and security compliance, typically through automated, distributed tools.

As with network mapping, this allows the Security Operations Center to better understand what it must defend. The Security Operations Center can provide this data back to members of the constituency—perhaps in report or summary form. This function is performed regularly and is not part of a specific assessment or exercise.

Vulnerability Assessment

Full-knowledge, open-security assessment of a constituency site, enclave, or system, sometimes known as “Blue Teaming.”

SOC members work with system owners and sysadmins to holistically examine the security architecture and vulnerabilities of their systems, through scans, examining system configuration, reviewing system design documentation, and interviews.

This activity may leverage network and vulnerability scanning tools, plus more invasive technologies used to interrogate systems for configuration and status.

From this examination, team members produce a report of their findings, along with recommended remediation. SOCs leverage vulnerability assessments as an opportunity to expand monitoring coverage and their analysts’ knowledge of the constituency.

Penetration Testing

No-knowledge or limited-knowledge assessment of a specific area of the constituency, also known as “Red Teaming.”

Members of the SOC conduct a simulated attack against a segment of the constituency to assess the target’s resiliency to an actual attack.

These operations usually are conducted only with the knowledge and authorization of the highest level executives within the constituency and without forewarning system owners.

Tools used will actually execute attacks through various means: buffer overflows, Structured Query Language (SQL) injection, and input fuzzing. Red Teams usually will limit their objectives and resources to model that of a specific actor, perhaps simulating an adversary’s campaign that might begin with a phishing attack.

When the operation is over, the team will produce a report with its findings, in the same manner as a vulnerability assessment.

However, because penetration testing activities have a narrow set of goals, they do not cover as many aspects of system configuration and best practices as a vulnerability assessment would.

In some cases, Security Operations Center personnel will only coordinate Red Team tools and activities, with a designated third party performing most of the actual testing to ensure that testers have no previous knowledge of constituency systems or vulnerabilities.

Outreach

Product Assessment

Testing the security features of point products being acquired by constituency members. Analogous to miniature vulnerability assessments of one or a few hosts, this testing allows in-depth analysis of a particular product’s strengths and weaknesses from a security perspective.

This may involve “in-house” testing of products rather than remote assessment of production or preproduction systems.

Security Consulting

Providing cybersecurity advice to constituents outside the scope of CND; supporting new system design, business continuity, and disaster recovery planning; cybersecurity policy; secure configuration guides; and other efforts.

Training and Awareness Building

Proactive outreach to constituents supporting general user training, bulletins, and other educational materials that help them understand various cybersecurity issues.

The main goals are to help constituents protect themselves from common threats such as phishing/pharming schemes, better secure end systems, raise awareness of the SOC’s services, and help constituents correctly report incidents.

Situational Awareness

Regular, repeatable repackaging and redistribution of the SOC’s knowledge of constituency assets, networks, threats, incidents, and vulnerabilities to constituents.

This capability goes beyond cyber intel distribution, enhancing constituents’ understanding of the cybersecurity posture of the constituency and portions thereof, driving effective decision-making at all levels.

This information can be delivered automatically through a SOC website, Web portal, or email distribution list.

Redistribution of TTPs

Sustained sharing of Security Operations Center internal products to other consumers such as partner or subordinate SOCs, in a more formal, polished, or structured format.

This can include almost anything the SOC develops on its own (e.g., tools, cyber intel, signatures, incident reports, and other raw observables).

The principle of quid pro quo often applies: information flow between SOCs is bidirectional.

Media Relations

Direct communication with the news media. The SOC is responsible for disclosing information without impacting the reputation of the constituency or ongoing response activities.

Summary

As you tackle the challenge of building a security operations center (SOC), your ability to anticipate common obstacles will facilitate smooth startup, build-out, and maturation over time.

Though each organization is unique in its current security posture, risk tolerance, expertise, and budget, all share the goals of attempting to minimize and harden their attack surface and swiftly detecting, prioritizing and investigating security incidents when they occur.


Snapchat crosses 750 million monthly active users


Snap, the company behind the social media app Snapchat, has announced a significant milestone. The service has reached 750 million monthly active users globally. More than half of those (about 375 million) use or open the app daily.

The social media company revealed the figures during an investor day event yesterday. According to an official press release, Snapchat now has more than 150 million monthly active users in North America. On average, US-based users open the app about 40 times per day. Over 60 percent of Snapchat users who open the app each day create Snaps, the company’s VP of Product Jack Bordy said. Overall, more than five billion Snaps are shared every day globally.

While Snapchat has users all around the world, CEO Evan Spiegel revealed that 20 countries represent more than 50 percent of its total advertising market. While he didn’t name them, the Snap CEO said that the app is used by over two-thirds of 13 to 34-year-olds in those markets. Spotlight, the TikTok-inspired feed of short vertical videos on Snapchat, is rapidly becoming a crowd favorite. However, new users love its AR features more than anything. Over 70 percent of people who download Snapchat use AR on the first day.

Snapchat+, the company’s subscription service launched last year, has also added over 2.5 million subscribers within the first six months. The service, which gives users a handful of exclusive features, is on track to generate an annual revenue of more than $100 million. Snap Map, which is a social map feature on the app, also sees regular use. Over 300 million Snapchatters use it monthly, with users opening it six times per day on average.

Snapchat aims to reach one billion users in the next two to three years

Snapchat’s 750 million monthly active users are significantly lower than the over 1.2 billion monthly active users of Meta’s Instagram. Facebook has almost three billion monthly and two billion daily active users. However, Snap is carving its own path in this crowded social media space. The company says it is seeing a healthy growth rate and is on track to reach over one billion users in the next two to three years.

“We are well on our way to building a community of 1 billion monthly active users, with our core product of visual communication delivering significant reach into some of the most valuable markets in the world, and a young demographic that is difficult to reach elsewhere,” said Snap’s CFO Derek Andersen. “We believe that AR will drive the next computing platform and that our combination of leading AR technology, a well-established creator ecosystem, and a community deeply engaged with AR experiences, positions us well to be a leader in the next computing platform transition.”



Apple releases first iOS 16.4 Beta, here’s what’s new


After a somewhat long wait, Apple has finally released the first beta for iOS 16.4. And it has a good number of features that are coming in the stable iOS 16.4 update in the coming future. Currently, developers are still getting their hands on the build, so we’re still finding new features that are coming in iOS 16.4. So here’s what we know so far.

Keep in mind that this is the developer beta. The public beta will be available to users in the coming days. If you are a registered developer, you can download the update now.

What’s new in iOS 16.4 Beta

So what’s new in iOS 16.4 Beta? So far, it’s mostly pretty small things, which is expected this close to the iOS 17 announcement. But we are getting new emoji in the iOS 16.4 update, which brings new Unicode 15 emoji characters. This is the first time that Apple has added new emoji in over a year.

There’s also a handful of smaller updates here. For example, you can now get beta and developer betas onto your device without downloading a beta or developer beta profile, which is currently how you get onto the beta track. There will be a new option in the Software Update page to change this, which is pretty neat. Hopefully it won’t be front and center, so it’s a little tougher for users to download the beta.

We’re also seeing a change in the Apple Music app that brings your profile picture into the top right corner. Of course, this is another small update. But remember, Apple’s apps only get updated with new versions of iOS, and not through the App Store.

This is just the first beta for iOS 16.4, so we’d expect to see about 4-5 more betas, usually about every week or two. So don’t expect to see this one hit stable until probably April.



Active Directory Penetration Testing Checklist


This article covers Active Directory penetration testing and is intended to help penetration testers and security experts who want to secure their network.

Active Directory is a directory service that Microsoft developed for Windows domain networks, and “Active Directory pentesting” is also called “AD penetration testing”. Using Active Directory, you can control the domain computers and services that are running on every node of your domain.


Active Directory Penetration Testing

This section is organized in levels; the first level is reconnaissance of your network. Every user can enter a domain by having an account on the domain controller (DC).

All of this information can be gathered by any ordinary AD user. The username has two parts: the first is the domain name and the second is your username.

Reconnaissance Commands:

C:\> net user

Running this command in CMD (Command Prompt) lists the local users on your PC.

C:\> whoami

This command shows the current logged-in user associated with Active Directory.

C:\> whoami /groups

This command shows the groups of the current user.

C:\> net user /domain

This command shows all users from any group in Active Directory.
You can also see every user’s groups by running this command:

C:\> net user [username] /domain

To get a better look, you can use the “ADRecon” script. ADRecon is a script written by “Sense of Security”.

It consists of about 12 thousand lines of PowerShell and gives you a good view of AD and all the information you will need.

You can download this script from GitHub: https://github.com/sense-of-security/ADRecon

Screenshots of the report this tool produces:

Picture2 – List of AD Groups
Picture3 – List of DNS Record Zones

Once you have all AD users, you should take a look at the group policy. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In the group policy, you can see environment policies such as the “Account Lockout Policy”.

This policy protects your network’s users from password-guessing attacks. You can also see the “Password Policy”. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

Once you have all the data that you need, you can execute different attacks on users, such as:

Brute Force Active Directory

To run a brute-force attack against Active Directory, you can use the Metasploit Framework auxiliary modules. You can use the auxiliary below:

msf > use auxiliary/scanner/smb/smb_login

In the options of this auxiliary, you can set a username file and a password file, and set an IP that has the SMB service open.

Then you can run this auxiliary by entering the “run” command.

If you try more wrong passwords than the Account Lockout Policy allows, you will see the message “Account Has Been Locked out”.

If you try it on all accounts, all users will be locked out and you will see disruption in the network. Based on what you see in the Password Policy, you can set your password list for the brute force.
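From the monitoring side, the same activity shows up in the Windows Security log as failed logons (event 4625) and account lockouts (event 4740). The following is an added example, not code from the original article: it runs over constructed sample events, and the field names, thresholds and IP addresses are assumptions; set the thresholds below your own Account Lockout Policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 20, 9, 0, 0)

def _ev(sec, eid, user, ip):
    """Build one constructed event; fields mirror parsed Security log records."""
    return {"time": T0 + timedelta(seconds=sec), "id": eid, "user": user, "ip": ip}

# Constructed sample data, not real logs.
SAMPLE = (
    # One source hammering a single account, followed by the lockout (4740).
    [_ev(i * 2, 4625, "alice", "10.0.0.50") for i in range(6)]
    + [_ev(13, 4740, "alice", "")]
    # One source failing once against many different accounts.
    + [_ev(100 + i, 4625, f"user{i}", "10.0.0.77") for i in range(8)]
    # A single ordinary mistyped password.
    + [_ev(300, 4625, "bob", "10.0.0.12")]
)

def detect_guessing(events, window=timedelta(minutes=5), max_fail=5, max_users=5):
    """Return ({source_ip: verdict}, [locked_out_accounts])."""
    by_ip, lockouts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4740:            # account locked out
            lockouts.append(e["user"])
        elif e["id"] == 4625:          # failed logon
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= max_users:
                findings[ip] = "many accounts from one source"
                break
            if max(per_user.values()) >= max_fail:
                findings[ip] = "repeated failures on one account"
                break
    return findings, lockouts

if __name__ == "__main__":
    print(detect_guessing(SAMPLE))
```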

All hashes are stored in a file named “NTDS.dit” in this location:

C:\Windows\NTDS

You can extract hashes from this file by using mimikatz. mimikatz has a feature which utilizes the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. You can run it as shown below:

mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

Then you can see the hashes and the password (if the password can be found).

Active Directory includes several services that run on Windows servers; it covers user groups, applications, printers, and other resources.

It helps server administrators manage devices connected to the network, and it includes a number of services such as Domain, Certificate Services, Lightweight Directory Services, Directory Federation and Rights Management.

Active Directory penetration testing is required for any organization; nowadays APT groups are actively targeting Active Directory using different techniques.
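Because this technique uses directory replication, a domain controller that audits directory service access records it as event 4662 carrying the replication control-access rights. The following is an added example, not code from the original article: it flags such events when the requesting account is not a known domain controller. The sample events, account names and the domain controller inventory are constructed assumptions.

```python
import re

# Control-access right GUIDs that Active Directory uses for replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumption: the defender maintains an inventory of DC machine accounts
# (plus any sync service accounts that legitimately replicate).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample events (not real logs), shaped like parsed 4662 records.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Placeholder GUID standing in for an unrelated property read.
    {"EventID": 4662, "SubjectUserName": "helpdesk1", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]

def find_replication_requests(events, dcs=DOMAIN_CONTROLLERS):
    """Return [(account, [replication rights])] for non-DC requesters."""
    known = {d.upper() for d in dcs}
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        # Replication between domain controllers is expected; anything else is not.
        if rights and e["SubjectUserName"].upper() not in known:
            alerts.append((e["SubjectUserName"], rights))
    return alerts

if __name__ == "__main__":
    for account, rights in find_replication_requests(SAMPLE_4662):
        print(f"ALERT: {account} requested {', '.join(rights)}")
```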


