CYBERSECURITY JOB HUNTING GUIDE
Letsdefend
Author: Stefan Waldvogel
Letsdefend is a blue lab and prepares you for a SOC Analyst position
Overview:
Letsdefend is a platform for SOC Analysts (Level 1 and Level 2). You can get the knowledge for this job, and you can improve your skills. Letsdefend simulates a company and gives you access to a SIEM. Now you can investigate some issues with this network. It looks very realistic.
Letsdefend is a platform for SOC Analysts (Level 1 and Level 2). You can get the knowledge for this job, and you can improve your skills. Letsdefend simulates a company and gives you access to a SIEM. Now you can investigate some issues with this network. It looks very realistic.
HR relevant:
No
Advantages:
Affordable, up do date content, and the tutorial is impressive. The free version offers 5 cases per month, but there is much more free content to discover (DFIR, Malware Analysis, Academy). If you are a student, you get 50% off.
Disadvantages:
These labs are unknown. It is not a real disadvantage.
Pricing:
$0 / $25 / $40 a month
$0 / $225 / $360 a year
Recertification costs:
-none- does not provide a certification
Website:
letsdefend.io/
First impression
The structure is clean and has a typical blue color.
No
Advantages:
Affordable, up do date content, and the tutorial is impressive. The free version offers 5 cases per month, but there is much more free content to discover (DFIR, Malware Analysis, Academy). If you are a student, you get 50% off.
Disadvantages:
These labs are unknown. It is not a real disadvantage.
Pricing:
$0 / $25 / $40 a month
$0 / $225 / $360 a year
Recertification costs:
-none- does not provide a certification
Website:
letsdefend.io/
First impression
The structure is clean and has a typical blue color.
Letsdefend offer a lot of free materials.
Starting point
The tutorial looks impressive with all the videos. As we go through all the steps, this lab/module is very realistic. It seems like a game, but many companies use software to show incidents. As a SOC Analyst, you pick some things you like and take a playbook. Now you can solve the problem. As a SOC (Level1) Analyst, you do not solve very complex situations. You escalate these challenging incidents. If you have to do that, try to watch the progress and understand what is happening. You want to move up, and in a year, you want to solve complex incidents. If you have time, learn as much as you can.
Letsdefend has easy and more complex incidents.
I will try to give you job-relevant background information about why you see some details. If you go into a SOC Analyst job interview, you might get a minor incident, and if you can explain what you see, this is an advantage.
You can start your defense by following the steps below:
1-Select an alert from monitoring page
2-Create a case for investigation
3-Follow instructions on playbook
4-Turning off the alert at monitoring page
I googled a bit, and an easy starter case is "Phishing Mail Detected."
The tutorial looks impressive with all the videos. As we go through all the steps, this lab/module is very realistic. It seems like a game, but many companies use software to show incidents. As a SOC Analyst, you pick some things you like and take a playbook. Now you can solve the problem. As a SOC (Level1) Analyst, you do not solve very complex situations. You escalate these challenging incidents. If you have to do that, try to watch the progress and understand what is happening. You want to move up, and in a year, you want to solve complex incidents. If you have time, learn as much as you can.
Letsdefend has easy and more complex incidents.
I will try to give you job-relevant background information about why you see some details. If you go into a SOC Analyst job interview, you might get a minor incident, and if you can explain what you see, this is an advantage.
You can start your defense by following the steps below:
1-Select an alert from monitoring page
2-Create a case for investigation
3-Follow instructions on playbook
4-Turning off the alert at monitoring page
I googled a bit, and an easy starter case is "Phishing Mail Detected."
The incident offers more details and gives an overview of what happened. You can click the mail symbol, too. Click the Action button (Take ownership) on the right side to take this incident.
What can we take out of these lines?
EventID:
Usually, companies track incidents, and if you talk to a co-worker, a number is helpful. This module is a game and, therefore, not relevant.
Event Time:
In the real world, this is important. Most SOCs have different SLAs. SLAs are service agreements and things like payment, how fast you have to solve an incident, and other factors are connected to the time. This incident is a medium finding, and maybe you must pick it up in 3 hours.
Rule:
This rule looks like a random number and text, but that is not true. Rules are often generated via Security Information and Event Management tools (SIEM) or other solutions. If we go back to the Tutorial, we see the structure. At the bottom is a "Log Collector" and every device sends logs. Now you can query the logs and try to find something malicious or save the logs.
EventID:
Usually, companies track incidents, and if you talk to a co-worker, a number is helpful. This module is a game and, therefore, not relevant.
Event Time:
In the real world, this is important. Most SOCs have different SLAs. SLAs are service agreements and things like payment, how fast you have to solve an incident, and other factors are connected to the time. This incident is a medium finding, and maybe you must pick it up in 3 hours.
Rule:
This rule looks like a random number and text, but that is not true. Rules are often generated via Security Information and Event Management tools (SIEM) or other solutions. If we go back to the Tutorial, we see the structure. At the bottom is a "Log Collector" and every device sends logs. Now you can query the logs and try to find something malicious or save the logs.
Our rule is about an email. The SIEM analyzed the data, found a matching pattern, and triggered an alarm.
SMTP:
This is a protocol (Simple Mail Transfer Protocol) and the sender's IP address. Tools can tell us more about this IP. We can use https://ip-sc.net/ for this IP, and it is in China.
SMTP:
This is a protocol (Simple Mail Transfer Protocol) and the sender's IP address. Tools can tell us more about this IP. We can use https://ip-sc.net/ for this IP, and it is in China.
Another free tool is virustotal and we get a different result:
Virustotal checked this website 19 hours ago, and it flagged it as malicious. Hackers will change IPs very quickly, but still good to know. IP addresses can be spoofed, so it is not 100% reliable.
Device Action:
The status is allowed; someone in our network got this email from China.
Source:
This is a gmail, which does not match the SMTP IP.
Address:
empty, nothing to see
Destination:
This mail goes to our company, and the receiver is Mark. The question is, did Mark open this email from China or not?
Address:
empty
Subject:
"Must have..." this looks like spam. The question is: If Mark opens the email, does the mail have an attachment, and did he open the attachment?
We have to dig deeper into this incident. We can take five incidents per month. That is why we get this warning. We moved this incident to the investigation channel.
Device Action:
The status is allowed; someone in our network got this email from China.
Source:
This is a gmail, which does not match the SMTP IP.
Address:
empty, nothing to see
Destination:
This mail goes to our company, and the receiver is Mark. The question is, did Mark open this email from China or not?
Address:
empty
Subject:
"Must have..." this looks like spam. The question is: If Mark opens the email, does the mail have an attachment, and did he open the attachment?
We have to dig deeper into this incident. We can take five incidents per month. That is why we get this warning. We moved this incident to the investigation channel.
With the >> we can create a case and get a small summary. The incident type is Exchange, and it is related to our email server.
Start the playbook. The name suggests it is part of a game, but it is an accurate word, and you will see it many times during your career.
A playbook is a flexible guideline to solve an issue. It asks important questions like: "Did someone opens the attachment?" It is more a hint.
A different word you might see in this context is "runbook." A runbook is a step-by-step path and covers standard operating procedures. Most likely, if you work in a SOC, you work with a runbook and not with a playbook.
-> The problem is, many do not know the difference between a runbook and a playbook. The game talks about taking steps in the correct order, so the valid name is maybe Phishing Runbook. We will see.
A playbook is a flexible guideline to solve an issue. It asks important questions like: "Did someone opens the attachment?" It is more a hint.
A different word you might see in this context is "runbook." A runbook is a step-by-step path and covers standard operating procedures. Most likely, if you work in a SOC, you work with a runbook and not with a playbook.
-> The problem is, many do not know the difference between a runbook and a playbook. The game talks about taking steps in the correct order, so the valid name is maybe Phishing Runbook. We will see.
Start it, and we got questions. Do you want to work as an outstanding SOC Analyst? Questions are important.
The next step asks us about an attachment/URL, but we do not have the answer. We have to go to a different area and find the answer.
The reason is, a playbook is a separate document, but we have to find the information somewhere else. This step is realistic.
What do we have?
The reason is, a playbook is a separate document, but we have to find the information somewhere else. This step is realistic.
What do we have?
- Incident Type: Exchange
- We have an IP: 146.56.195.192
- Time: April 4th, 11 pm
It looks like we do not have an attachment, but a link with a bizarre address (http://nuangaybantiep(dot)xyz). What does virustotal say about this URL?
We have one finding. That could be a bad sign, but maybe not. We can use other tools to investigate this URL. One option is Joe's Sandbox. If you are a student, use your student email to create an account (You cannot use a private email). If you do not have a corporate email, it does not matter, and I will add the result link. Joe's Sandbox is a professional tool, and big companies use it.
The result: www.joesandbox.com/analysis/417421/0/html
The result: www.joesandbox.com/analysis/417421/0/html
This link is not active anymore, but it was related to a bot/Trojan in the past.
-> We have the wanted answer (the URL) and some details about it.
Go back to "Case Management," start the playbook again and answer the first question. We can answer the second question, and you get more free tools.
We used Joe's Sandbox, but AnyRun is similar. I am using Joe's Sandbox because the free version is more powerful compared to AnyRun.
-> We have the wanted answer (the URL) and some details about it.
Go back to "Case Management," start the playbook again and answer the first question. We can answer the second question, and you get more free tools.
We used Joe's Sandbox, but AnyRun is similar. I am using Joe's Sandbox because the free version is more powerful compared to AnyRun.
The next question is about artifacts and delivery. We want to feed our database. Add the URL.
In the beginning, we saw the field: "Device Action," and it was green with Allowed.
In the beginning, we saw the field: "Device Action," and it was green with Allowed.
Delete the email with a click on delete. This step is most likely not realistic. You might have to log into the email server in the real world and delete the mail and inform the user about your action.
The next question needs a bit of work. What is a c2 address? To answer this question, we have to think about what did the attacker do?
Our user Mark opened this email, clicked the link, and without his knowledge, an attacker installed software on his machine. This software is a client and is waiting for commands. The command server is called c2 because the full name is Command and Control server.
If the software is installed, we should see a connection. Marks PC wants to talk to this command server. In the real world, this is called a beacon.
Marks PC asks the c2 constantly: Do you have something to do for me? If yes, Mark's PC does perform scans or do other things like keylogging.
Some beacons ask every 15 seconds or every 15 minutes. Some have jitter in it, so the beacon harder to detect.
Bonus: You want to play with these things: Try RITA. It is free and open-source.
Our user Mark opened this email, clicked the link, and without his knowledge, an attacker installed software on his machine. This software is a client and is waiting for commands. The command server is called c2 because the full name is Command and Control server.
If the software is installed, we should see a connection. Marks PC wants to talk to this command server. In the real world, this is called a beacon.
Marks PC asks the c2 constantly: Do you have something to do for me? If yes, Mark's PC does perform scans or do other things like keylogging.
Some beacons ask every 15 seconds or every 15 minutes. Some have jitter in it, so the beacon harder to detect.
Bonus: You want to play with these things: Try RITA. It is free and open-source.
--> If we go back to the question, we should see the beacon in a log file. We need to know some things:
Time, Mark's IP and PC name, the bad URL, and other things depending on the log management system. The only thing I have out of the list is the event time:
April 4th, 11 pm
Time, Mark's IP and PC name, the bad URL, and other things depending on the log management system. The only thing I have out of the list is the event time:
April 4th, 11 pm
We have something on this day at this time. It looks like Mark opened the email at 11:10 pm. Before we move on, we can think about this log entry.
We assume Mark's IP is 172.16.17.88, and the traffic is going to 192.64.119.190 on port 80. If you have knowledge of networking, think about the class and where the traffic is going. Attackers might change the C2 IP over time, but does our company have more connections to this IP? This IP is going to New York and owned by Namecheap (a domain name registrar).
The traffic is going to port 80. The reason is, this traffic is usually allowed and not blocked. Attackers use known ports like 80, 443, 53, and others.
Click on Raw to see the details:
We assume Mark's IP is 172.16.17.88, and the traffic is going to 192.64.119.190 on port 80. If you have knowledge of networking, think about the class and where the traffic is going. Attackers might change the C2 IP over time, but does our company have more connections to this IP? This IP is going to New York and owned by Namecheap (a domain name registrar).
The traffic is going to port 80. The reason is, this traffic is usually allowed and not blocked. Attackers use known ports like 80, 443, 53, and others.
Click on Raw to see the details:
Here we have HTTP traffic and a GET request. -> The traffic is most likely encrypted, and if we check the log files on our router, we should see the traffic in cleartext.
This log is not very useful, and in the real world, you might get more details about the Process Id (PID). From what we see in this log, the GET request was allowed, and at this time, the URL was active.
If we go back to the question: Open someone the URL, we can say Yes.
At this point, we know Mark's machine has malware on it and is waiting for commands. We have to do two things:
First, we disconnect Mark's computer, but securely. We could turn the computer off and re-image the system, but we lose data and cannot investigate the incident if we do. We want to know more about the incident.
Second: What did Mark's computer do during this time? Are passwords compromised? Think about lateral movement. The incident happened in April, and the drill time was about two months. That is a long time, and the hacker had a lot of fun. The average drill time in the real world is between 6 months and years.
-> This part is crucial, but we play a game ;) and move on to Containment.
This log is not very useful, and in the real world, you might get more details about the Process Id (PID). From what we see in this log, the GET request was allowed, and at this time, the URL was active.
If we go back to the question: Open someone the URL, we can say Yes.
At this point, we know Mark's machine has malware on it and is waiting for commands. We have to do two things:
First, we disconnect Mark's computer, but securely. We could turn the computer off and re-image the system, but we lose data and cannot investigate the incident if we do. We want to know more about the incident.
Second: What did Mark's computer do during this time? Are passwords compromised? Think about lateral movement. The incident happened in April, and the drill time was about two months. That is a long time, and the hacker had a lot of fun. The average drill time in the real world is between 6 months and years.
-> This part is crucial, but we play a game ;) and move on to Containment.
The game does not have an EDR page, and it is called "Endpoint Security". We find Mark's machine and request a containment.
In this case, Mark's IP and the host name are the same. In the real world, take the IP and not the name.
In this case, Mark's IP and the host name are the same. In the real world, take the IP and not the name.
Finish the playbook, go back to the Investigation Channel, close the case, and you are done!!
Good job.
Good job.
Conclusion
Letsdefend is a great place to brush up on your SOC skills. If you use it, think about the bigger picture. Here, we solved a small email problem, but it could be a small thing of the bigger campaign against our company. Additionally, we see the attacker had at least two months to do many other things.
In the real world, we need to know all the details.
-> As a SOC Analyst, you start with the basic things, and therefore this training is excellent. If this incident is actual and you close the incident, you made a terrible mistake. During the last weeks, the attacker did something and you do not know what. The good news: As a SOC Analyst, it is not your job to fix the bigger problem, but you should see and understand it. An Incident Handler/Incident Responder will take your case and fix the bigger problem.
Always think about the difference between a game and the real world.
Yes, right now, you might not have the knowledge to see the bigger picture, but be eager to learn more. You want to get the next better job, right!
Letsdefend is a great place to brush up on your SOC skills. If you use it, think about the bigger picture. Here, we solved a small email problem, but it could be a small thing of the bigger campaign against our company. Additionally, we see the attacker had at least two months to do many other things.
In the real world, we need to know all the details.
-> As a SOC Analyst, you start with the basic things, and therefore this training is excellent. If this incident is actual and you close the incident, you made a terrible mistake. During the last weeks, the attacker did something and you do not know what. The good news: As a SOC Analyst, it is not your job to fix the bigger problem, but you should see and understand it. An Incident Handler/Incident Responder will take your case and fix the bigger problem.
Always think about the difference between a game and the real world.
Yes, right now, you might not have the knowledge to see the bigger picture, but be eager to learn more. You want to get the next better job, right!
© 2021. This work is licensed under a CC BY-SA 4.0 license