Linux Monitoring and Attack Detection

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

1 hour 37 minutes
Video Transcription
Hello, My name is Isaac. Welcome to lean out Security.
Cyber security operations consist of the processes, tools and people that monitor, analyze and protect information systems.
The tools used for network security monitoring include love aggregation tools for pulling in security logs.
So we have to that perform full pack it captures
and security data coming from network intrusion detection systems as well as host intrusion detection systems.
These security logs feed the network security monitoring system with all the data that will be processed and analyzed.
So you have tools like Why Shark Grow, See slog and oh SEK Performing the task of capturing and pulling insecurity related events.
The information security tools that provides security analyst and interface to view analytics is the final end of information technology tools.
This is where the security information and event management system comes into play.
The scene is an aggregation of tools that monitor network and server events in real time
and provide real time analytics that helped the analyst to correlate security events from the stored and real time data that is produced.
This technology will naturally be handling
large amounts of data filtering through
to normalize data by merging redundant information to reduce the duplication and manage data throughput.
So the computational capability of a scene system will be able to handle both data. Computational analysis of huge amounts of security feeds and logs that are constantly streaming into the system
seem consists of many tools that are integrated on a single platform.
The genuine linens operating system can support many of these applications for security event monitoring.
Leaners operating system is a platform that is known to be very stable and can operate for several years even without a reboot.
Oh, that's a great one for Linux. So the installation for security applications on linens provides assurance for stable performance.
The collection, storied and analysis of security information are the core structural friend works in which a seam operates
the products you use for your security monitoring, maybe commercial products or open source products, depending on the knees and capabilities of the organization.
So commercial products usually offer technical support and management for systems, thereby reducing the time to install and configure seem operations that would have otherwise had to be done, and Charlie by internal I T workers as correctly and effectively deploy and open source tools
require highly skilled professionals with lots of experience.
Nevertheless, the open source tools are usually the foundation on which the commercial products are built on
a solution that integrates many applications for the same environment is a security on your tool.
This is Alina distribution that is Debian based. So when you think of Debian based distributions like you want to,
the emphasis for this leaners environment is to provide free, open source software
security. Onion is a you boon to based operating system that is used for network security monitoring, which can be deployed on a single system as well as on a large scale. Were distributed service system
the many applications that run on security onion can be grouped into three categories.
These are applications that collect data applications that optimize security data and applications that present data to the analysts. So we're looking on a lot of information here that interacts with security information and processes it in a stack structure that perform complex slows
stories, correlations, analysis and visual ization of security data,
and the various types of data that get processed through the scene stack come from parsed traffic and logs of system. A large transaction data session data, meta data, food packet captures and statistical data.
All these data types are the network security monitoring data that provide unique analytic information to the analyst.
It's data type has many data sets, and Analyst will be analyzing information by correlating information of each data set with information from all the data sets within the same information type.
the tools used for data collection in the security onion are tools for log aggregation, network intrusion,
network intrusion detection, a lots,
host based intrusion detection, a loss and packet capture. Tools
security. Onion uses nets need energy for packet captures and tools like Bro and snort for network intrusion detection, while six wise while see while sees Log. Angie is used for classifying information,
while CeCe Log Angie is used for classifying incoming sis log messages and storing them in a plain text log file.
At the optimization stage, the stored flat files can be parsed and transformed into a relational database structure, using the enterprise log search and archive, too.
The results in database can be processed in response to real time queries to provide a visual output in the form of dashboard reports for final analysis at Representation State.
The security Operation Center analyst makes use of such network security monitoring data to gain visibility of the events that are taking place in the network.
So security onions. Elsa to provide functionality at both the data optimization stage as well as at representation stage as Elsa Database and Elsa Web Front two, respectively.
The sea's log nd application can pick logs from the bro. Deanna's files on a disk or TCP or UDP source. Drivers on network or even from Elsa imports
with an import that Theo extension.
The cold templates for excess ing each file source are defined separately,
so each source template has a source type identified as a source or destination driver, followed by the file path to access or posted the log.
For example, the internal source driver excesses internally generated logs and to read log from a particular file. The found source driver opens the file in the specified path.
Likewise, the program driver reads the standard output from the specified program.
The destination for the laws also uses a similar template by defining the destination file type the device driver and files pass in Lena's directory or the destination i p address in port numbers. So for a structured query language database destination, the sickle driver
is specified in the destination template,
so the generals intact for the templates consists of the object type object. Identify an object parameters.
The system log nd application can be installed independent off the security only in two. By issuing the pseudo app installed. Sis Log, Angie Command for both the sea slug and G client and server motives that will be the source and destination of log messages.
After the system locked and he has been installed. The Seas log anti process can be initiated with the system Control start CeCe Log and G Command.
All these technical specifications for collecting logs from multiple clients enable a system administrator the pool in logs from several clients onto a centralized log. System.
Logs usually contain a lot of information, and it seem too will need to extract useful information that it can work with.
This information also needs to be presented to the scene using a generic format, so the logs that are received our parts into a rules based template that defines all the specific data types that must be included in the structured or relational database.
The process of processing filters out all of these and tablets the useful data for further analysis.
So this is done at optimization stage of the security only in structure.
The collection of data logs can be done using either structured or unstructured stack
destructed logs, which can be based on the Jason or CSB structured look, template Posser or faster to search. Not all loans, however, can be presented in a structured format.
The pattern database posture is used to parse on structured logs, and Elsa is compatible with a pattern database posture, making it versatile, too, for extracting
useful data from logs. The goal of security monitoring tools is to get a large on security events and take proper action
Threat. Actors, on the other hand, brandish ways to circumvent it detection.
The meter Peter Payload is an example of a metal exploit attack payload that evades detection by not writing onto persistent storage. Rather, it uses reflective Diello injection techniques to inject malicious code into system processes that are already running in memory.
The meter reader DLL injection is created over a network session using stagers and stages
the Stager is a lightweight program that establishes connection between the attacker and the target system, using a reverse TCP shell that connects back to the attacker.
The attacker can then upload the stages payload through the meter, prettier shell to the victim's machine.
The stage is payload does not initiate new processes.
The payload hijacks handles of existing legitimate process is to create new threads of militias, child processes from the parent process. And this way, host based intrusion detection systems will not be able to detect intrusions.
Lino's operating system, Windows and Mac systems are all vulnerable to deal injection attacks
in the winner's environment process. Sockets can be intercepted by loading libraries into the process from the lower library. Environment and processes can be manipulated. Yuri Wrong Time with P trace system calls.
Another technique used for injecting into process is to read and write into the memory space off a process by accessing it with a process Process i d Memory Command
to provide protection against yellow injection in next environment.
The OS query to can be used to pull a structured query language, view off the detail processes in winners,
monitoring and detecting high volume of data generated for Petri system calls as well as load reload variables would be an indicator of compromise for deal injections
so protection can be provided across the attack continent by looking for indicators of compromise after and also before an attack. Protection against polymorphic malware can be achieved with advanced file analysis systems such as the content. Disarm and risk construction, too.
Here is a quick learning check
which SIS log device driver reads the content of a database
program. File. Siku Internal.
The correct answer is C C cruel, structured language.
Question number two Which of the following the CIS lock and he used to parts on structure log types
Is it Jason Prosser, Patton Devi Prosser CSB Posser XML Posser
The correct answer is B
pattern databases Posser.
In this model, we discussed the network security monitoring tools.
Up Next
Linux Fundamentals for Security Practitioners

Linux Fundamentals for Security Practitioners provides an overview on how to properly configure a Linux OS to provide a secure computing environment for end users. We'll cover a combination of materials, focusing on Linux architecture, permissions, commands, directories, and shells to achieve a hardened Linux operating system configuration.

Instructed By