I have a keen interest in cyber security, with a focus on security operations, including network and endpoint security, log and traffic analysis, malware analysis, threat hunting, digital forensics, incident response, threat intelligence, web applications security, and vulnerability management. I use my GitHub account to curate homelabs to simulate diverse security operations scenarios, which I then use to test SOC tools. Additionally, I create content covering system administration, network administration, and cyber security topics. My certificates can be found here.
I've been exploring some homelabs described in YouTube channels and blogs on topics such as threat hunting (XDR), endpoint security (EDR), monitoring (SIEM), and network security (IDS/IPS).
- Configured in VirtualBox an Internal Network with:
  - DHCP Server
  - Ubuntu Server (Elastic Host)
  - Windows 10 (Victim)
- Configured Elastic Stack 8 on Ubuntu Server:
  - Elastic Stack: Elasticsearch, Kibana (UI), and Elastic Agent + Integrations.
  - Integrations: Fleet Server, System, Windows, and Elastic Defend.
- Simulated two malicious tests on the Victim machine:
  - EICAR Malware Test.
  - MITRE ATT&CK Test with Red Team Automation (RTA).
Source: https://github.com/robsann/ElasticStackLab
- Configured in VirtualBox a NAT Network with:
  - DHCP Server and Host Gateway access.
  - Windows 11 (Target) with Windows Defender disabled, Sysmon and LimaCharlie sensor installed.
  - Ubuntu Server (Attack) with Sliver installed, a Command & Control (C2) framework by BishopFox.
- Generated in Sliver a C2 payload and executed the payload on the Target machine to start a Sliver C2 session on the Attack machine.
- Used the Sliver C2 session to perform two attacks on the Target machine:
  - LSASS access (credential-stealing attack).
  - Volume shadow copies deletion using the vssadmin Windows utility (used in ransomware attacks).
- Detection and response rules were created in the LimaCharlie platform to detect the two previous attacks and take action. The rules were tested by repeating the attacks.
Source: https://github.com/robsann/LimaCharlieEDRTelemetry
- Microsoft Sentinel was used to monitor failed RDP login attempts from global attackers on an exposed Windows 10 virtual machine configured in Microsoft Azure.
- A custom log file (`failed_rdp.log`) was generated using a PowerShell script that extracts failed login events from the Security Log in Event Viewer and forwards them to a third-party API to get geolocation data.
- A custom table (`FAILED_RDP_WITH_GEO_CL`) was created in a Log Analytics Workspace on Microsoft Azure using the generated log file (`failed_rdp.log`). Custom fields were extracted from the table using a Kusto Query Language (KQL) query.
- A workbook was created in Microsoft Sentinel using KQL to query data from the `FAILED_RDP_WITH_GEO_CL` table and display global attackers (RDP login failures) on a world map according to physical location and magnitude (attack count).
Source: https://github.com/robsann/AzureSentinelSIEMAttackMap
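As an added example (not code from the robsann/AzureSentinelSIEMAttackMap project), the same aggregation the KQL workbook performs, done offline in Python over a few constructed `failed_rdp.log` lines: failed logins are counted per geolocated source, and source IPs cycling through many accounts are flagged. The line format and field names are assumptions made for this example, not the project's own.

```python
"""Offline version of the attack-map aggregation: count failed RDP logins per
geolocated source.  Line format below is an ASSUMPTION for this example."""
from collections import Counter

# Constructed sample of failed_rdp.log: key:value pairs separated by commas.
SAMPLE_LOG = """\
latitude:47.9154,longitude:-120.6031,destinationhost:vm-win10,username:administrator,sourcehost:198.51.100.23,state:Washington,country:United States,label:United States - 198.51.100.23,timestamp:2023-05-01 03:28:29
latitude:47.9154,longitude:-120.6031,destinationhost:vm-win10,username:admin,sourcehost:198.51.100.23,state:Washington,country:United States,label:United States - 198.51.100.23,timestamp:2023-05-01 03:28:31
latitude:47.9154,longitude:-120.6031,destinationhost:vm-win10,username:root,sourcehost:198.51.100.23,state:Washington,country:United States,label:United States - 198.51.100.23,timestamp:2023-05-01 03:28:34
latitude:48.1351,longitude:11.5820,destinationhost:vm-win10,username:administrator,sourcehost:203.0.113.7,state:Bavaria,country:Germany,label:Germany - 203.0.113.7,timestamp:2023-05-01 04:02:10
latitude:48.1351,longitude:11.5820,destinationhost:vm-win10,username:test,sourcehost:203.0.113.9,state:Bavaria,country:Germany,label:Germany - 203.0.113.9,timestamp:2023-05-01 04:05:47
this line is malformed and must be skipped
"""

def parse_line(line):
    """Split one log line into a dict; only the first ':' of each pair is the
    separator, so 'timestamp:2023-05-01 03:28:29' keeps its inner colons."""
    fields = {}
    for part in line.split(","):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def attack_counts(log_text):
    """Map (country, state, latitude, longitude) -> number of failed logins.
    This is the per-location magnitude the Sentinel workbook plots on the map."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            key = (f["country"], f["state"], float(f["latitude"]), float(f["longitude"]))
        except (KeyError, ValueError):
            continue  # malformed or incomplete line: skip it rather than abort
        counts[key] += 1
    return counts

def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failures and the usernames they tried;
    one IP cycling through accounts is the brute-force / password-spray pattern."""
    tried = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if "sourcehost" in f and "username" in f:
            tried.setdefault(f["sourcehost"], []).append(f["username"])
    return {ip: users for ip, users in tried.items() if len(users) >= threshold}
```

`attack_counts(SAMPLE_LOG).most_common()` gives the ranked locations the map would render; `noisy_sources(SAMPLE_LOG)` is the per-IP view that a detection rule would alert on.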
- Snort network IDS mode configuration in Ubuntu Server.
- NMAP scan detection using Snort (NIDS):
  - NMAP Ping Scan, various TCP scans including SYN, Connect, NULL, FIN, and XMAS, as well as UDP scans.
- Attack detection using Snort (NIDS):
  - SQL injection attacks using tools like WPScan & WordPress and Burp Suite & SQLmap.
  - Backdoor attacks using the Empire post-exploitation framework and the Katana penetration test framework.
  - Rogue DHCP & Rogue Routing attacks.
  - ICMP Redirect attack.
Source: https://github.com/robsann/NetworkSecurityWithSnort
I'm developing educational materials covering IT fundamentals like system and network administration, as well as cyber security fundamentals. I started by creating visual maps to outline the content of various certification exams, including CompTIA A+, CompTIA Linux+, CompTIA Network+, CompTIA Security+, and CompTIA CySA+. You can access these maps in PDF format on Dropbox by clicking on the images.
📝 CompTIA A+ Core 2 (220-1102) Objectives - CompTIA link
The CompTIA A+ Core 2 certification objectives cover advanced troubleshooting, operating systems, security, and software troubleshooting. It includes topics like hardware, networking, mobile devices, virtualization, and cloud computing. Candidates are tested on their ability to secure and manage various devices and technologies, ensuring comprehensive IT skills and knowledge. CompTIA A+ Core 2 demonstrates proficiency in essential IT areas.
- 1.0 Operating Systems
- 2.0 Security
- 3.0 Software Troubleshooting
- 4.0 Operational Procedures
Professor Messer CompTIA A+ Core 2 (220-1102) course - YouTube Link
📝 CompTIA Linux+ (XK0-005) Objectives - CompTIA link
The CompTIA Linux+ certification validates essential skills in Linux system administration and operation. Covering topics such as system architecture, Linux installation, package management, command line usage, file permissions, and security, this certification ensures proficiency in managing Linux-based systems. Candidates learn troubleshooting, scripting, and networking in a Linux environment, making them well-equipped for various IT roles requiring Linux expertise. Achieving CompTIA Linux+ certification demonstrates a thorough understanding of Linux systems.
- 1.0 System Management
- 2.0 Security
- 3.0 Scripting, Containers, and Automation
- 4.0 Troubleshooting
Shawn Powers' CompTIA Linux+ (XK0-005) prep (in progress) - YouTube Link
📝 CompTIA Network+ (N10-008) Objectives - CompTIA link
The CompTIA Network+ certification validates essential skills in networking, covering topics such as network architecture, security, troubleshooting, and cloud technologies. Candidates learn to design and implement functional networks, configure network devices, and manage network security protocols. The certification also emphasizes practical skills in areas like network installation, configuration, and diagnostics, ensuring proficiency in both wired and wireless networks. Overall, CompTIA Network+ certification demonstrates expertise in network administration.
- 1.0 Networking Fundamentals
- 2.0 Network Implementations
- 3.0 Network Operations
- 4.0 Network Security
- 5.0 Network Troubleshooting
Professor Messer CompTIA Network+ (N10-008) course - YouTube Link
📝 CompTIA Security+ (SY0-501) Objectives - CompTIA link
The CompTIA Security+ certification objectives cover essential topics in cybersecurity, including network security, threats and vulnerabilities, access control, identity management, cryptography, and risk management. It also emphasizes security compliance, incident response, and security architecture. Successfully mastering these objectives demonstrates proficiency in securing IT systems.
- 1.0 Threats, Attacks and Vulnerabilities
- 2.0 Technologies and Tools
- 3.0 Architecture and Design
- 4.0 Identity and Access Management
- 5.0 Risk Management
- 6.0 Cryptography and PKI
Professor Messer's CompTIA Security+ (SY0-501) course - YouTube Link
📝 CompTIA Cybersecurity Analyst (CySA+) (CS0-003) Objectives - CompTIA link
The CompTIA Cybersecurity Analyst (CySA+) certification focuses on identifying and responding to security threats and vulnerabilities in a cybersecurity context. CySA+ certified professionals demonstrate skills in threat detection, analysis, and response using various tools and techniques. They are proficient in analyzing data to identify vulnerabilities, threats, and risks to an organization's information systems. CySA+ certification validates expertise in cybersecurity operations, enhancing an individual's ability to protect and secure organizational assets against cyber threats.
- 1.0 Security Operations
- 2.0 Vulnerability Management
- 3.0 Incident Response and Management
- 4.0 Reporting and Communication
💾 Cyber Security Domains from 2021 (credits to MyDFIR)
Mind map from 2021 that provides a comprehensive overview of the various domains within cyber security.
- TryHackMe: Hands-on cyber security training with offensive and defensive paths.
- HackTheBox: Hands-on cyber security training with offensive and defensive paths.
- LetsDefend: Hands-on security operations training with alert addressing on simulated SOC environment.
- CyberDefenders: A blue team training platform.
The Linux File System is a hierarchical structure that organizes and stores files on a Linux system. It uses a tree-like directory structure, starting with the root directory ("/"), with directories and files arranged systematically to facilitate efficient file management and access.
Linux File Permissions dictate the access level of users (owner, group, and others) to files and directories. They are represented by read, write, and execute permissions, providing control over file security and user interactions.
Linux commands help users navigate the file system, interact with the files, and administer the entire system using the command line interface.
Note: Use the `man` command to display the manual page for other commands (e.g., `man ls`), providing detailed documentation and usage instructions, or use the `--help` option (e.g., `ls --help`) for a quick overview of the command options.
- Configuration files (/etc/) store system-wide settings, preferences, and configurations for various applications, facilitating centralized management.
- System Info files (/proc/) provide a virtual file system exposing kernel and process information, allowing dynamic access to real-time system details and parameters.
- Log files (/var/log/) store system and application logs, aiding in troubleshooting by capturing events, errors, and diagnostic information for analysis and monitoring.
The Open Systems Interconnection (OSI) model is a conceptual framework used to describe how network communications work. The OSI model characterizes computing functions into a universal set of rules and requirements in order to support interoperability between different products and software.
TCP (Transmission Control Protocol) is a connection-oriented and reliable transport layer protocol that ensures data integrity and ordered delivery. UDP (User Datagram Protocol) is a connectionless and lightweight transport layer protocol that sacrifices reliability for reduced latency, making it suitable for real-time applications where occasional data loss is acceptable.
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on IP networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client-server architecture.
The Domain Name System (DNS) is a naming database that translates human-readable domain names (e.g., www.example.com) to machine-readable IP addresses (e.g., 93.184.216.34) used for device communication. If the website is not cached, the DNS resolver will query Root Servers, Top-Level Domain (TLD) Servers, and Authoritative Nameservers to retrieve the IP address.
The CIA Triad is a fundamental concept in information security, representing the core principles of Confidentiality (ensuring data privacy), Integrity (maintaining data accuracy and trustworthiness), and Availability (ensuring data accessibility). These principles guide security measures and strategies to protect information assets in various computing environments.
The Cyber Kill Chain is a framework outlining the stages of a cyber attack, from initial reconnaissance to achieving the attacker's objectives, providing a structured approach for understanding, analyzing, and defending against advanced cyber threats.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that catalogs and describes the tactics, techniques, and procedures used by cyber adversaries. It provides a comprehensive framework for understanding and analyzing the full spectrum of cyber threats, aiding organizations in improving their detection, defense, and response capabilities.
The Pyramid of Pain is a conceptual framework in cybersecurity that categorizes indicators of compromise (IOCs) in six levels based on the difficulty for adversaries to change or evade detection. The pyramid is structured in ascending order of difficulty, as illustrated below:
Security Operations Center (SOC) technologies encompass a range of tools designed to monitor, analyze, and respond to cyber security threats. These include SIEM for log analysis, EDR for endpoint protection, SOAR for orchestration, and other solutions that collectively fortify an organization's cyber security posture.
The NIST Incident Response Framework provides a systematic approach for organizations to prepare for, detect, respond to, and recover from cybersecurity incidents. It guides the development of robust incident response capabilities through a four-phase process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
The SANS Incident Response Framework provides a structured approach for organizations to effectively respond to cybersecurity incidents, comprising six key phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. It guides the development of robust incident response capabilities to detect, mitigate, and recover from security incidents.