├── 1 - Conduct an Audit
│   └── 1.1 - Ketmanto - Conduct a security audit.md
├── 2 - Network Security
│   ├── 2.1 - Ketmanto - Analyze network layer communication.md
│   ├── 2.2 - Ketmanto - Analyze network attack.md
│   ├── 2.3 - Ketmanto - OS hardening.md
│   ├── 2.4 - Ketmanto - Security risk assessment report.md
│   └── 2.5 - Ketmanto - NIST respond.md
├── 3 - Linux & SQL
│   ├── 3.1 - Ketmanto - File permissions (Linux).pdf
│   ├── 3.2 - Ketmanto - Manage files (Linux).pdf
│   ├── 3.3 - Ketmanto - Manage users (Linux).pdf
│   ├── 3.4 - Ketmanto - SQL filters.pdf
│   ├── 3.5 - Ketmanto - SQL JOIN.pdf
│   └── README.md
├── 4 - Assets & Threats & Vulnerabilities
│   ├── 4.1 - Ketmanto - Home asset inventory.pdf
│   ├── 4.2 - Ketmanto - Risk register.pdf
│   ├── 4.3 - Ketmanto - Data leak worksheet.pdf
│   ├── 4.4 - Ketmanto - Compare hash values.md
│   ├── 4.4B - Ketmanto - Decrypt an encrypted message.md
│   ├── 4.5 - Ketmanto - Access control worksheet.pdf
│   ├── 4.6 - Ketmanto - Vulnerability assessment report.md
│   ├── 4.7 - Ketmanto - Cyber attack mindset.md
│   ├── 4.8 - Ketmanto - PASTA framework.md
│   └── README.md
├── 5 - Detection & Response
│   ├── 5.1 - Ketmanto - Final report.md
│   ├── 5.2 - Ketmanto - Incident handler's journal.pdf
│   └── README.md
├── 6 - Tcpdump & Wireshark
│   ├── 6.1 - Ketmanto - Tcpdump.md
│   └── 6.2 - Ketmanto - Wireshark.md
├── 7 - IDS & SIEM
│   ├── 7.1 IDS - Ketmanto - Suricata.md
│   ├── 7.2 SIEM - Ketmanto - Splunk.md
│   └── 7.3 SIEM - Ketmanto - Chronicle.md
├── 8 - Automation with Python
│   ├── Python - Ketmanto - Automation.ipynb
│   ├── Python - Ketmanto - File Updates.md
│   ├── README.md
│   ├── allow_list.txt
│   └── allow_list_revised.txt
├── LICENSE
└── README.md
/1 - Conduct an Audit/1.1 - Ketmanto - Conduct a security audit.md:
--------------------------------------------------------------------------------
# Controls and Compliance Assessment

## Case Study

This is based on a fictional company:

Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as their main office, a storefront, and warehouse for their products. However, Botium Toys’ online presence has grown, attracting customers in the U.S. and abroad. As a result, their information technology (IT) department is under increasing pressure to support their online market worldwide.

The manager of the IT department has decided that an internal IT audit needs to be conducted. She expresses concerns about not having a solidified plan of action to ensure business continuity and compliance as the business grows. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).

The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.

Your task is to review the IT manager’s scope, goals, and risk assessment report. Then, perform an internal audit by completing a controls and compliance checklist.

## Scenario
Botium Toys: Scope, Goals, and Risk Assessment Report

### Scope

The scope is defined as the entire security program at Botium Toys. This means all assets need to be assessed alongside internal processes and procedures related to the implementation of controls and compliance best practices.

### Goals
Assess existing assets and complete the controls and compliance checklist to determine which controls and compliance best practices need to be implemented to improve Botium Toys’ security posture.

### Current assets
Assets managed by the IT Department include:
* On-premises equipment for in-office business needs
* Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.
* Storefront products available for retail sale on site and online; stored in the company’s adjoining warehouse
* Management of systems, software, and services: accounting, telecommunication, database, security, ecommerce, and inventory management
* Internet access
* Internal network
* Data retention and storage
* Legacy system maintenance: end-of-life systems that require human monitoring

### Risk assessment

#### Risk description
Currently, there is inadequate management of assets. Additionally, Botium Toys does not have all of the proper controls in place and may not be fully compliant with U.S. and international regulations and standards.

#### Control best practices
The first of the five functions of the NIST CSF is Identify. Botium Toys will need to dedicate resources to identify assets so they can appropriately manage them. Additionally, they will need to classify existing assets and determine the impact of the loss of existing assets, including systems, on business continuity.

#### Risk score
On a scale of 1 to 10, the risk score is 8, which is fairly high. This is due to a lack of controls and adherence to compliance best practices.

#### Additional comments
The potential impact from the loss of an asset is rated as medium, because the IT department does not know which assets would be at risk. The risk to assets or fines from governing bodies is high because Botium Toys does not have all of the necessary controls in place and is not fully adhering to best practices related to compliance regulations that keep critical data private/secure. Review the following bullet points for specific details:

#### Additional Info

In cybersecurity, control types can be classified in three ways:
1. Administrative/Managerial controls
2. Technical controls
3. Physical/Operational controls

Control types (providing defense and protecting assets) include, but are not limited to:
1. Preventative (preventing an incident from occurring in the first place)
2. Corrective (restoring an asset after an incident)
3. Detective (determining whether an incident has occurred or is in progress)
4. Deterrent (discouraging attacks)

## Controls Assessment Checklist

Does Botium Toys currently have this control in place?

| Yes / No / ? | Control | Explanation |
| :------- | :---: | :--- |
| No | Least Privilege | Employees have access to customer data. This has to be changed to reduce the risk of a breach. |
| No | Disaster Recovery Plan | At the moment, there is no plan for handling a disaster. Implementing one ensures business continuity. |
| Yes | Firewall | The organization has a firewall to block traffic based on an appropriately defined set of security rules. |
| ? | Password policies | A password policy exists, yet its requirements are considered weak and put identity and access management at risk. |
| Yes | Antivirus | The antivirus software is active and regularly monitored by the IT team. |
| No | Backups | This is the same situation as the disaster recovery plan: they are not prepared in the case of a breach. They have to implement a backup plan, such as incremental, full, or partial backups. |
| No | Encryption | This would protect the confidentiality of data. |
| No | IDS | This would help the IT team identify possible intrusions by threat actors. |
| Yes | Storefront | Although the IT team is not responsible for managing the storefront, the organization should have sufficient locks. |
| Yes | CCTV | It is working and functioning. |
| Yes | Fire detection | The organization has these. However, the team should maintain them and establish a plan on how to use them. |

## Compliance Checklist
Does Botium Toys currently adhere to this compliance best practice?

* Payment Card Industry Data Security Standard (PCI DSS)

| Yes / No / ? | Best Practice | Explanation |
| :--- | :---: | :--- |
| No | Authorized users can access customers’ credit card information. | At the moment, all employees have access to it, which is a bad practice in the business. |
| No | Credit card information is stored in a secure environment. | It is not encrypted, which violates the law and regulations. |
| No | Encryption is secured. | No, encryption has not taken place yet. |

* GDPR

| Yes / No / ? | Best Practice | Explanation |
| :--- | :---: | :--- |
| No | EU customers’ data is kept secure. | The organization does not apply GDPR practices. Thus, it is at risk of being fined by the EU. |
| Yes | Privacy policies are maintained properly. | According to the scenario, this has been enforced by the IT team members and other staff. |

* System and Organization Controls (SOC)

| Yes / No / ? | Best Practice | Explanation |
| :--- | :---: | :--- |
| No | User access policies are established. | Employees have access to internally stored data, which means the access policy has not been applied. |
| Yes | Data integrity is consistent, complete, and accurate. | Data integrity is in place. |
| No | Data is available only to authorized users. | Currently, all employees can access all the data. |

## Recommendations (optional)

After reviewing Botium Toys’ security posture, the analysts agreed that its security practice falls well short of expectations; in particular, it lacks protection for the confidentiality of sensitive information. The following controls should be implemented:
1. Least privilege
2. Disaster recovery plan
3. Password policies
4. Encryption
5. Password management system

To address the gaps in compliance, Botium needs to establish policies covering the items above. Botium also needs to update its asset inventory so that any additional controls required can be identified as soon as possible to improve its security practice.
118 |
--------------------------------------------------------------------------------
/2 - Network Security/2.1 - Ketmanto - Analyze network layer communication.md:
--------------------------------------------------------------------------------
# Cybersecurity Incident Report: Analyze Network Layer Communication
> Network layer communication.

> Please visit this [link](https://www.coursera.org/learn/networks-and-network-security?specialization=google-cybersecurity) for further information.

## Scenario

You are a cybersecurity analyst working at a company that specializes in providing IT consultant services. Several customers contacted your company to report that they were not able to access the company website www.yummyrecipesforme.com, and saw the error “destination port unreachable” after waiting for the page to load.

You are tasked with analyzing the situation and determining which network protocol was affected during this incident. To start, you visit the website and you also receive the error “destination port unreachable.” Next, you load your network analyzer tool, tcpdump, and load the webpage again. This time, you receive a lot of packets in your network analyzer. The analyzer shows that when you send UDP packets and receive an ICMP response returned to your host, the results contain an error message: “udp port 53 unreachable.”



In the DNS and ICMP log, you find the following information:

1. In the first two lines of the log file, you see the initial outgoing request from your computer to the DNS server requesting the IP address of yummyrecipesforme.com. This request is sent in a UDP packet.

2. Next you find timestamps that indicate when the event happened. In the log, this is the first sequence of numbers displayed. For example: 13:24:32.192571. This displays the time 1:24 p.m., 32.192571 seconds.

3. The source and destination IP addresses are next. In the error log, this information is displayed as: 192.51.100.15.52444 > 203.0.113.2.domain. The IP address to the left of the greater than (>) symbol is the source address. In this example, the source is your computer’s IP address. The IP address to the right of the greater than (>) symbol is the destination IP address. In this case, it is the IP address for the DNS server: 203.0.113.2.domain.

4. The second and third lines of the log show the response to your initial ICMP request packet. In this case, the ICMP 203.0.113.2 line is the start of the error message indicating that the ICMP packet was undeliverable to the port of the DNS server.

5. Next are the protocol and port number, which show which protocol was used to handle communications and which port it was delivered to. In the error log, this appears as: udp port 53 unreachable. This means that the UDP protocol was used to request a domain name resolution using the address of the DNS server over port 53. Port 53, which aligns to the .domain extension in 203.0.113.2.domain, is a well-known port for the DNS service. The word “unreachable” in the message indicates the message did not go through to the DNS server. Your browser was not able to obtain the IP address for yummyrecipesforme.com, which it needs to access the website, because no service was listening on the receiving DNS port, as indicated by the ICMP error message “udp port 53 unreachable.”

The remaining lines in the log indicate that ICMP packets were sent two more times, but the same delivery error was received both times.

Now that you have captured data packets using a network analyzer tool, it is your job to identify which network protocol and service were impacted by this incident. Then, you will need to write a follow-up report.

## Provide a Summary of the Problem Found in the DNS and ICMP Traffic Log

* The DNS server is down as a result of port 53 being unreachable. The ICMP packet indicates that the request was not delivered to the DNS server’s port successfully.
* As we know, port 53 is commonly used for DNS. That being said, the most likely issue is that the DNS server is not responding, which could be caused by a DDoS attack against the DNS server.
* The UDP protocol reveals that DNS is not responding. This is based on the results of the network analysis, which show that the ICMP reply returned the error message for port 53: “udp port 53 unreachable.”
* The port noted in the error message is used for: the DNS server. The most likely issue is: the DNS server is not responding.

## Explain Your Analysis of the Data and Provide at Least One Cause of the Incident

* Time the incident occurred: 1:23 p.m.
* How the IT team became aware of the incident: Customers reported to the company that they were unable to access the company’s website, and that the message on the web page was “port unreachable”.
* Actions taken by the IT department to investigate the incident: Security engineers looked at the webpage and received a “port unreachable” error. The team used tcpdump (a network analyzer) to inspect the network traffic surrounding the website.
* Key findings of the IT department’s investigation (i.e., details related to the port affected, DNS server, etc.): The team loaded the webpage while monitoring the network with tcpdump and captured a lot of traffic. The host sent UDP packets and received ICMP responses indicating that port 53 was unreachable.
* Likely cause of the incident: Determine whether port 53 is working or not. If it is fine, then check the firewall.
  * Firewall: firewalls can block network traffic on specific ports. Port blocking can be used to stop or prevent an attack.
  * DoS: there could be a flood of traffic sent to the network device to make it crash or stop functioning. An attacker could disable the DNS server using a DoS attack, or someone within the organization might have disabled port 53 on the firewall.
51 |
--------------------------------------------------------------------------------
/2 - Network Security/2.2 - Ketmanto - Analyze network attack.md:
--------------------------------------------------------------------------------
# Cybersecurity Incident Report: Analyze Network Attacks
> Network attacks.

> Please visit this [link](https://www.coursera.org/learn/networks-and-network-security?specialization=google-cybersecurity) for further information.

## Scenario

You work as a security analyst for a travel agency that advertises sales and promotions on the company’s website. The employees of the company regularly access the company’s sales webpage to search for vacation packages their customers might like.

One afternoon, you receive an automated alert from your monitoring system indicating a problem with the web server. You attempt to visit the company’s website, but you receive a connection timeout error message in your browser.

You use a packet sniffer to capture data packets in transit to and from the web server. You notice a large number of TCP SYN requests coming from an unfamiliar IP address. The web server appears to be overwhelmed by the volume of incoming traffic and is losing its ability to respond to the abnormally large number of SYN requests. You suspect the server is under attack by a malicious actor.

You take the server offline temporarily so that the machine can recover and return to a normal operating status. You also configure the company’s firewall to block the IP address that was sending the abnormal number of SYN requests. You know that your IP blocking solution won’t last long, as an attacker can spoof other IP addresses to get around this block. You need to alert your manager about this problem quickly and discuss the next steps to stop this attacker and prevent this problem from happening again. You will need to be prepared to tell your boss about the type of attack you discovered and how it was affecting the web server and employees.

## Identify the Type of Attack That May Have Caused This Network Interruption

* One potential explanation for the website’s connection timeout error message is: a DoS attack.
* The logs show that: the web server stops responding after receiving a very large number of SYN packet requests.
* This event could be: a SYN flood attack.

## Part 2: Explain How the Attack is Causing the Website Malfunction
When website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. Explain the three steps of the handshake:

| Step | Description |
|---|---|
| 1 | `SYN`: The client sends a SYN packet to the server, requesting a connection. |
| 2 | `SYN/ACK`: The server responds with a SYN/ACK packet, acknowledging the client’s SYN and requesting confirmation of the connection. |
| 3 | `ACK`: The client sends an ACK packet to the server, acknowledging the server’s SYN/ACK. |

* Explain what happens when a malicious actor sends a large number of SYN packets all at once: It slows down traffic to the point where such requests fail to complete. It overwhelms the server’s available resources, which are reserved for each pending connection. When this happens, there are no server resources left for legitimate TCP connection requests.
* Explain what the logs indicate and how that affects the server: The server has become overloaded and is unable to accept any more visitors. In addition, new visitors will receive a connection timeout message.
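To make the half-open connection problem concrete, an added example (not code from this report) that replays a constructed packet summary through the three handshake steps above and flags sources whose SYNs never complete. The records are `(timestamp, src, dst, flags)` tuples using tcpdump's flag letters, addresses are written as `ip:port`, and all IPs are assumed values from the RFC 5737 documentation ranges.

```python
"""Per-client TCP handshake tracking to spot a SYN flood in a packet summary.

Added example (not code from the original report). Packets are constructed
(timestamp, src, dst, flags) records in tcpdump style: "S" = SYN,
"S." = SYN/ACK, "." = ACK, matching the handshake table above.
"""
from collections import defaultdict

WEB_SERVER = "192.0.2.10"          # constructed: the company web server
LEGIT_CLIENT = "198.51.100.5"      # constructed: completes the handshake
FLOOD_SOURCE = "203.0.113.77"      # constructed: sends SYNs, never ACKs


def build_sample_capture():
    """A legitimate handshake followed by 50 half-open connections from one source."""
    packets = [
        (100.000, f"{LEGIT_CLIENT}:40000", f"{WEB_SERVER}:80", "S"),
        (100.001, f"{WEB_SERVER}:80", f"{LEGIT_CLIENT}:40000", "S."),
        (100.002, f"{LEGIT_CLIENT}:40000", f"{WEB_SERVER}:80", "."),
    ]
    for i in range(50):
        client = f"{FLOOD_SOURCE}:{50000 + i}"
        packets.append((100.1 + i * 0.001, client, f"{WEB_SERVER}:80", "S"))
        packets.append((100.1 + i * 0.001 + 0.0005, f"{WEB_SERVER}:80", client, "S."))
    return packets


def track_handshakes(packets, server_ip):
    """Replay packets in time order and return, per client IP, how many
    handshakes completed and how many are still half-open (SYN or SYN/ACK
    seen, but the final ACK never arrived)."""
    server_prefix = f"{server_ip}:"
    state = {}  # (client_addr, server_addr) -> "SYN" | "SYN-ACK" | "OPEN"
    for _ts, src, dst, flags in sorted(packets):
        if dst.startswith(server_prefix) and flags == "S":
            state[(src, dst)] = "SYN"                 # step 1: client asks for a connection
        elif src.startswith(server_prefix) and flags == "S.":
            if state.get((dst, src)) == "SYN":
                state[(dst, src)] = "SYN-ACK"         # step 2: server reserves resources
        elif dst.startswith(server_prefix) and flags == ".":
            if state.get((src, dst)) == "SYN-ACK":
                state[(src, dst)] = "OPEN"            # step 3: handshake completed
    stats = defaultdict(lambda: {"open": 0, "half_open": 0})
    for (client_addr, _server), st in state.items():
        client_ip = client_addr.rsplit(":", 1)[0]
        stats[client_ip]["open" if st == "OPEN" else "half_open"] += 1
    return dict(stats)


def flag_syn_flood_sources(stats, threshold=20):
    """Client IPs with at least `threshold` half-open connections and more
    half-open than completed handshakes: the signature of a SYN flood source."""
    return sorted(ip for ip, s in stats.items()
                  if s["half_open"] >= threshold and s["half_open"] > s["open"])


if __name__ == "__main__":
    capture_stats = track_handshakes(build_sample_capture(), WEB_SERVER)
    for ip, s in capture_stats.items():
        print(f"{ip}: open={s['open']} half_open={s['half_open']}")
    print("suspected SYN flood sources:", flag_syn_flood_sources(capture_stats))
```

Blocking the flagged IP at the firewall is the same short-lived fix the scenario describes; the half-open count per source is what a SYN-cookie or rate-limit policy would key on instead.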
33 |
--------------------------------------------------------------------------------
/2 - Network Security/2.3 - Ketmanto - OS hardening.md:
--------------------------------------------------------------------------------
# Cybersecurity Incident Report: OS Hardening
> OS hardening.

> Please visit this [link](https://www.coursera.org/learn/networks-and-network-security?specialization=google-cybersecurity) for further information.

## Scenario

You are a cybersecurity analyst for yummyrecipesforme.com, a website that sells recipes and cookbooks. A disgruntled baker has decided to publish the website’s best-selling recipes for the public to access for free.
The baker executed a brute force attack to gain access to the web host. They repeatedly entered several known default passwords for the administrative account until they correctly guessed the right one. After they obtained the login credentials, they were able to access the admin panel and change the website’s source code. They embedded a JavaScript function in the source code that prompted visitors to download and run a file upon visiting the website. After running the downloaded file, the customers are redirected to a fake version of the website where the seller’s recipes are now available for free.
Several hours after the attack, multiple customers emailed yummyrecipesforme’s helpdesk. They complained that the company’s website had prompted them to download a file to update their browsers. The customers claimed that, after running the file, the address of the website changed and their personal computers began running more slowly.
In response to this incident, the website owner tries to log in to the admin panel but is unable to, so they reach out to the website hosting provider. You and other cybersecurity analysts are tasked with investigating this security event.
To address the incident, you create a sandbox environment to observe the suspicious website behavior. You run the network protocol analyzer tcpdump, then type in the URL for the website, yummyrecipesforme.com. As soon as the website loads, you are prompted to download an executable file to update your browser. You accept the download and allow the file to run. You then observe that your browser redirects you to a different URL, greatrecipesforme.com, which is designed to look like the original site. However, the recipes your company sells are now posted for free on the new website. The logs show the following process:
1. The browser requests a DNS resolution of the yummyrecipesforme.com URL
2. The DNS replies with the correct IP address
3. The browser initiates an HTTP request for the webpage
4. The browser initiates the download of the malware
5. The browser requests another DNS resolution for greatrecipesforme.com
6. The DNS server responds with the new IP address
7. The browser initiates an HTTP request to the new IP address

A senior analyst confirms that the website was compromised. The analyst checks the source code for the website. They notice that JavaScript code had been added to prompt website visitors to download an executable file. Analysis of the downloaded file found a script that redirects the visitors’ browsers from yummyrecipesforme.com to greatrecipesforme.com.
The cybersecurity team reports that the web server was impacted by a brute force attack. The disgruntled baker was able to guess the password easily because the admin password was still set to the default password. Additionally, there were no controls in place to prevent a brute force attack.
Your job is to document the incident in detail, including identifying the network protocols used to establish the connection between the user and the website. You should also recommend a security action to take to prevent brute force attacks in the future.

## How to read the DNS & HTTP traffic log (modified version, cut short, just for example)

1. DNS request: `14:18:32.192571` _(A)_ `IP your.machine.52444` _(B)_ `> dns.google.domain:` _(C)_ `35084+ A? yummyrecipesforme.com.` _(D)_ `(24)`
   * A: Timestamp
   * B: The source computer (IP your.machine) using port 52444
   * C: DNS server (dns.google.domain)
   * D: The destination URL
2. DNS reply: `14:18:32.204388 IP dns.google.domain > your.machine.52444:` _(E)_ `35084 1/0/0 A 203.0.113.22 (40)`
   * E: The reply comes back from the DNS server to the source computer with the IP address of the destination URL, yummyrecipesforme.com (203.0.113.22).
3. TCP connection start: `14:18:36.786501 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [S]` _(F)_ `, seq 2873951608, win 65495, options [mss 65495,sackOK,TS val 3302576859 ecr 0,nop,wscale 7], length 0`
   * F: The connection has been started.
   * TCP flag codes include:
     * Flags [S] - Connection Start
     * Flags [F] - Connection Finish
     * Flags [P] - Data Push
     * Flags [R] - Connection Reset
     * Flags [.] - Acknowledgment

## Traffic Log:

| Description |
|---|
| 14:18:32.192571 IP your.machine.52444 > dns.google.domain: 35084+ A? yummyrecipesforme.com. (24) |
| 14:18:32.204388 IP dns.google.domain > your.machine.52444: 35084 1/0/0 A203.0.113.22 (40) |
| 14:18:36.786501 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [S], seq 2873951608, win 65495, options [mss 65495,sackOK,TS val 3302576859 ecr 0,nop,wscale 7], length 0 |
| 14:18:36.786517 IP yummyrecipesforme.com.http > your.machine.36086: Flags [S.], seq 3984334959, ack 2873951609, win 65483, options [mss 65495,sackOK,TS val 3302576859 ecr 3302576859,nop,wscale 7], length 0 |
| 14:18:36.786529 IP your.machine.36086 > yummyrecipesforme.com.http: Flags[.], ack 1, win 512, options [nop,nop,TS val 3302576859 ecr 3302576859], length 0 |
| 14:18:36.786589 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [P.], seq 1:74, ack 1, win 512, options [nop,nop,TS val 3302576859 ecr3302576859], length 73: HTTP: GET / HTTP/1.1 |
| 14:18:36.786595 IP yummyrecipesforme.com.http > your.machine.36086: Flags[.], ack 74, win 512, options [nop,nop,TS val 3302576859 ecr 3302576859], length 0 |
......

| Description |
|---|
| 14:20:32.192571 IP your.machine.52444 > dns.google.domain: 21899+ A?greatrecipesforme.com. (24) |
| 14:20:32.204388 IP dns.google.domain > your.machine.52444: 21899 1/0/0 A192.0.2.17 (40) |
| 14:25:29.576493 IP your.machine.56378 > greatrecipesforme.com.http: Flags[S], seq 1020702883, win 65495, options [mss 65495,sackOK,TS val 3302989649ecr 0,nop,wscale 7], length 0 |
| 14:25:29.576510 IP greatrecipesforme.com.http > your.machine.56378: Flags[S.], seq 1993648018, ack 1020702884, win 65483, options [mss 65495,sackOK,TSval 3302989649 ecr 3302989649,nop,wscale 7], length 0 |
| 14:25:29.576524 IP your.machine.56378 > greatrecipesforme.com.http: Flags[.], ack 1, win 512, options [nop,nop,TS val 3302989649 ecr 3302989649], length 0 |
| 14:25:29.576590 IP your.machine.56378 > greatrecipesforme.com.http: Flags[P.], seq 1:74, ack 1, win 512, options [nop,nop,TS val 3302989649 ecr3302989649], length 73: HTTP: GET / HTTP/1.1 |
| 14:25:29.576597 IP greatrecipesforme.com.http > your.machine.56378: Flags[.], ack 74, win 512, options [nop,nop,TS val 3302989649 ecr 3302989649], length 0 |
......

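The log reading above and the “udp port 53 unreachable” analysis in report 2.1 both come down to picking fields out of tcpdump's text output, so here is one added example (not code from either report) that parses the DNS, ICMP and TCP lines seen in both and runs the two checks: ICMP port-unreachable errors, and an HTTP connection to a host other than the one the user typed in. It assumes tcpdump's default line format; the redirect sample reuses abridged lines from the traffic log above (TCP options dropped), while the port-unreachable sample is constructed from the addresses and error text quoted in report 2.1.

```python
"""tcpdump text parser for the DNS, ICMP and TCP lines seen in reports 2.1 and 2.3.

Added example; not code from the original reports. REDIRECT_LOG reuses abridged
lines from the traffic log above; UNREACHABLE_LOG is constructed in tcpdump's
usual format from the addresses and error text quoted in report 2.1.
"""
import re

# "<ts> IP <host>.<port> > <host>.<port>: <body>"  (ports may be names: domain, http)
TRANSPORT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[^\s>]+)\.(?P<sport>[^.\s>]+) > "
    r"(?P<dst>[^\s:]+)\.(?P<dport>[^.\s:]+): (?P<body>.*)$")
# "<ts> IP <ip> > <ip>: ICMP <ip> <proto> port <n> unreachable, length <len>"
ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<host>\S+) "
    r"(?P<proto>udp|tcp) port (?P<port>\d+) unreachable")
DNS_QUERY_RE = re.compile(r"^(?P<id>\d+)\+ A\?\s*(?P<name>\S+) \(")
DNS_REPLY_RE = re.compile(r"^(?P<id>\d+) \d+/\d+/\d+ A\s*(?P<ip>\d+(?:\.\d+){3})")
TCP_FLAGS_RE = re.compile(r"Flags\s*\[(?P<flags>[^\]]*)\]")

REDIRECT_LOG = """\
14:18:32.192571 IP your.machine.52444 > dns.google.domain: 35084+ A? yummyrecipesforme.com. (24)
14:18:32.204388 IP dns.google.domain > your.machine.52444: 35084 1/0/0 A203.0.113.22 (40)
14:18:36.786501 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [S], seq 2873951608, win 65495, length 0
14:18:36.786517 IP yummyrecipesforme.com.http > your.machine.36086: Flags [S.], seq 3984334959, ack 2873951609, length 0
14:18:36.786529 IP your.machine.36086 > yummyrecipesforme.com.http: Flags[.], ack 1, win 512, length 0
14:18:36.786589 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [P.], seq 1:74, ack 1, length 73: HTTP: GET / HTTP/1.1
14:20:32.192571 IP your.machine.52444 > dns.google.domain: 21899+ A?greatrecipesforme.com. (24)
14:20:32.204388 IP dns.google.domain > your.machine.52444: 21899 1/0/0 A192.0.2.17 (40)
14:25:29.576493 IP your.machine.56378 > greatrecipesforme.com.http: Flags[S], seq 1020702883, win 65495, length 0
"""
UNREACHABLE_LOG = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:26:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
"""


def parse_line(line):
    """Classify one tcpdump line; returns a dict, or None for lines not modelled here."""
    m = ICMP_UNREACH_RE.match(line)
    if m:
        return {"kind": "icmp_unreachable", "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "host": m["host"], "proto": m["proto"], "port": int(m["port"])}
    m = TRANSPORT_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"]}
    body = m["body"]
    if q := DNS_QUERY_RE.match(body):          # "35084+ A? name. (24)"
        rec.update(kind="dns_query", id=int(q["id"]), name=q["name"].rstrip("."))
    elif r := DNS_REPLY_RE.match(body):        # "35084 1/0/0 A 203.0.113.22 (40)"
        rec.update(kind="dns_reply", id=int(r["id"]), ip=r["ip"])
    elif f := TCP_FLAGS_RE.search(body):       # "Flags [S], seq ..."
        rec.update(kind="tcp", flags=f["flags"])
    else:
        rec["kind"] = "other"
    return rec


def parse_log(text):
    """Parse every line of a capture; unrecognised lines are skipped."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def port_unreachable_errors(records):
    """(timestamp, reporting host, protocol, port) for each ICMP port-unreachable error."""
    return [(r["ts"], r["host"], r["proto"], r["port"])
            for r in records if r["kind"] == "icmp_unreachable"]


def dns_resolutions(records):
    """Pair each A query with the reply carrying the same transaction id -> {name: ip}."""
    pending, resolved = {}, {}
    for r in records:
        if r["kind"] == "dns_query":
            pending[(r["id"], r["src"])] = r["name"]
        elif r["kind"] == "dns_reply":
            name = pending.pop((r["id"], r["dst"]), None)
            if name:
                resolved[name] = r["ip"]
    return resolved


def http_hosts_contacted(records):
    """Hosts the client opened an HTTP connection to (SYN to port http), in first-seen order."""
    hosts = []
    for r in records:
        if r["kind"] == "tcp" and r["dport"] == "http" and r["flags"] == "S" and r["dst"] not in hosts:
            hosts.append(r["dst"])
    return hosts


def detect_redirect(records, expected_host):
    """HTTP hosts contacted other than the one the user typed in: the sign of the redirect."""
    return [h for h in http_hosts_contacted(records) if h != expected_host]
```

For the 2.1 capture `port_unreachable_errors` yields the repeated `("…", "203.0.113.2", "udp", 53)` entries and `dns_resolutions` stays empty, since no reply ever matched a query; for the log above `detect_redirect(records, "yummyrecipesforme.com")` returns `["greatrecipesforme.com"]`.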
## Respond:
### Part 1: Identify the network protocol involved in the incident

The protocol impacted is HTTP, commonly found on port 80. tcpdump captured the problem: the protocol and traffic activity appear in the DNS (port 53) and HTTP traffic logs. Since a malicious file was delivered to users, this incident occurred at the application layer.

### Part 2: Document the incident

Several customers reported that when they visited the website, they were given one option: download and run a file to update their browsers. Soon after, they were locked out of their accounts.

The security team used a sandbox to test the website in an isolated environment. They ran tcpdump to capture the network and protocol traffic packets while interacting with the website. They saw a prompt asking them to update the browser and ran it. Then the fake website (greatrecipesforme.com), which looks identical to the real one (yummyrecipesforme.com), was loaded.

Based on the logs, the browser initially requested the IP address for yummyrecipesforme.com. Once the connection was established over the HTTP protocol, the prompt tried to persuade the analyst to download and execute the file. After that, the logs showed a sudden change in network traffic as a new DNS resolution for a different website was performed.

When the senior analyst reviewed this, they discovered the attacker had manipulated the website to inject code that prompted users to download a malicious file disguised as a browser update. Since the administrator account was compromised, everyone’s account was locked out. The team believed that it was a brute force attack. Now, the malicious file has spread to further damage other computers.

### Part 3: Recommend one remediation for brute force attacks

Two-factor authentication (2FA): a one-time password (OTP) is sent to the user’s email or phone. Once the user confirms their identity with both their credentials and the OTP, they gain access to the system. A malicious actor attempting a brute force attack is unlikely to gain access to the system because it requires an additional authentication factor.
75 |
--------------------------------------------------------------------------------
/2 - Network Security/2.4 - Ketmanto - Security risk assessment report.md:
--------------------------------------------------------------------------------
1 | # Security Risk Assessment Report: Network Hardening
2 | > Network hardening.
3 |
4 | > Please visit this [link](https://www.coursera.org/learn/networks-and-network-security?specialization=google-cybersecurity) for further information.
5 |
6 | ## Scenario
7 |
8 | You are a security analyst working for a social media organization. The organization recently experienced a major data breach, which compromised the safety of their customers’ personal information, such as names and addresses. Your organization wants to implement strong network hardening practices that can be performed consistently to prevent attacks and breaches in the future.
9 | After inspecting the organization’s network, you discover four major vulnerabilities. The four vulnerabilities are as follows:
10 | 1. The organization’s employees' share passwords.
11 | 2. The admin password for the database is set to the default.
12 | 3. The firewalls do not have rules in place to filter traffic coming in and out of the network.
13 | 4. Multifactor authentication (MFA) is not used.
14 | If no action is taken to address these vulnerabilities, the organization is at risk of experiencing another data breach or other attacks in the future.
15 | In this activity, you will write a security risk assessment to analyze the incident and explain what methods can be used to further secure the network.
16 |
17 | ## Respond
18 | ### Part 1: Select up to three hardening tools and methods to implement
19 | 1. Implementing multi-factor authentication (MFA)
20 | MFA requires users to use more ways to identify and verify their credentials before accessing an application. Some may include fingerprint and retina scans, facial recognition (Something you are), ID cards and phone numbers or devices (Something you have/possess), PINs and passwords (Something you know).
21 | 2. Enforcing strong password policies
22 | It requires the employees to include rules regarding the strength of the passwords, the combination of text, numbers, and symbols and discourage password sharing. Additionally, the organization can set up a prompt that the user will lose access to the network after three unsuccessful attempts.
23 | 3. Performing firewall maintenance regularly and port filtering
24 | Firewall maintenance checks and updates the security configuration so that threats are detected. Additionally, the firewall can block specific port numbers to limit unwanted communication (port filtering).
25 |
26 | ### Part 2: Explain your recommendations
27 | 1. With MFA, the organization can reduce the likelihood of malicious actors gaining access to the network. Under normal circumstances, malicious actors rely on brute force attacks or related credential attacks. MFA also promotes secure identity access to the network.
28 | 2. Strong password policies make it much harder for hackers trying to break into the network to guess or reuse credentials.
29 | 3. A firewall can detect suspicious incoming and outgoing traffic, and the administrator should monitor it regularly. This measure also protects against various DoS and DDoS attacks. In addition, port filtering controls network traffic and prevents attackers from entering the private network.
30 |
--------------------------------------------------------------------------------
/2 - Network Security/2.5 - Ketmanto - NIST respond.md:
--------------------------------------------------------------------------------
1 | # Cybersecurity Framework NIST
2 |
3 | > Please visit this [link](https://www.coursera.org/learn/networks-and-network-security?specialization=google-cybersecurity) for further information.
4 |
5 | ## Scenario
6 |
7 | You are a cybersecurity analyst working for a multimedia company that offers web design services, graphic design, and social media marketing solutions to small businesses. Your organization recently experienced a DDoS attack, which compromised the internal network for two hours until it was resolved.
8 | During the attack, your organization’s network services suddenly stopped responding due to an incoming flood of ICMP packets. Normal internal network traffic could not access any network resources. The incident management team responded by blocking incoming ICMP packets, taking all non-critical network services offline, and restoring critical network services.
9 | The company’s cybersecurity team then investigated the security event. They found that a malicious actor had sent a flood of ICMP pings into the company’s network through an unconfigured firewall. This vulnerability allowed the malicious attacker to overwhelm the company’s network through a distributed denial of service (DDoS) attack.
10 | To address this security event, the network security team implemented:
11 | - A new firewall rule to limit the rate of incoming ICMP packets
12 | - Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets
13 | - Network monitoring software to detect abnormal traffic patterns
14 | - An IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics
15 | As a cybersecurity analyst, you are tasked with using this security event to create a plan to improve your company’s network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). You will use the CSF to help you navigate through the different steps of analyzing this cybersecurity incident and integrate your analysis into a general security strategy:
16 |
17 | 1. Identify security risks through regular audits of internal networks, systems, devices, and access privileges to identify potential gaps in security.
18 | 2. Protect internal assets through the implementation of policies, procedures, training and tools that help mitigate cybersecurity threats.
19 | 3. Detect potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections.
20 | 4. Respond to contain, neutralize, and analyze security incidents; implement improvements to the security process.
21 | 5. Recover affected systems to normal operation and restore systems data and/or assets that have been affected by an incident.
22 |
23 | ## Respond
24 |
25 | ### Summary
26 | An ICMP/ping flood attack is possible when multiple compromised systems send a huge volume of ICMP echo requests to the target. In this case, the ICMP/ping flood caused network services to become unresponsive or stop working. The organization then decided to block the flood and take all non-critical network services offline to overcome the disruption caused by the distributed denial of service (DDoS) attack delivered through incoming ICMP/ping flood packets.
27 |
28 | ### NIST CSF
29 | | No | Description |
30 | |---|---|
31 | | 1 | `Identify` the following:<br>- Technology/Asset: Which systems and devices were affected?<br>- Process/Business environment: Which business processes were affected in the attack?<br>- People: Who needs access to the affected systems?<br><br>Response: The attacker targeted the company with an ICMP flood attack. As a result, the internal network was affected and all staff were prevented from carrying out their operational tasks. Therefore, the internal network has to be restored before work can resume. |
32 | | 2 | `Protect` and implement safeguards:<br>- Access controls: Who needs access to the affected items? How are non-trusted sources blocked from having access?<br>- Awareness/Training: Who needs to be made aware of this attack and how to prevent it from happening again?<br>- Data security: Is there any affected data that needs to be made more secure?<br>- Information protection and procedures: Do any procedures need to be updated or added to protect data assets?<br>- Maintenance: Do any of the affected hardware, OS or software need to be updated?<br>- Protective technology: Are there any protective technologies, like a firewall or an intrusion prevention system (IPS), that should be implemented to protect against future attacks?<br><br>Response: The cybersecurity team should be alerted immediately when such attacks occur. Since all staff need access via the internal network, it is best to implement a new firewall rule to limit the rate of incoming ICMP packets and to update it regularly to keep up with attack trends. In addition, the cybersecurity team should update and monitor the current status of devices, operating systems and software to ensure the latest updates are in place. Moreover, the cybersecurity team should implement an IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics. |
33 | | 3 | `Detect` threats and attacks:<br>- Anomalies and events: What tools could be used to detect and alert IT security staff of anomalies and security events, such as a security information and event management (SIEM) tool?<br>- Security continuous monitoring: What tools or IT processes are needed to monitor the network for security events?<br>- Detection process: What tools are needed to detect security events, such as an IDS?<br><br>Response: The cybersecurity team could configure source IP address verification on the firewall, analyze spoofed source IP addresses on incoming ICMP packets with Wireshark or tcpdump, and implement network monitoring software (a SIEM such as Splunk or LogRhythm) to detect abnormal traffic patterns. |
34 | | 4 | `Respond` to threats and attacks:<br>- Planning: What action plans need to be implemented to respond to similar attacks in the future?<br>- Communications: How will security event response procedures be communicated within the organization and with those directly affected by the attack, including end users and IT staff?<br>- Analysis: What analysis steps should be followed in response to a similar attack?<br>- Mitigation: What response steps could be used to mitigate the impact of an attack, such as offlining or isolating affected resources?<br>- Improvements: What improvements are needed to improve response procedures in the future?<br><br>Response: The cybersecurity team should establish a risk management plan for future security events. This report should act as a guide or standard operating procedure when threats arise. Should an incident occur, the cybersecurity team would immediately inform end users of the next steps and take action to reduce the spread of malicious files in the network by isolating affected systems. The team would attempt to restore any disrupted critical systems and services. Then, the team would analyze network logs to check for suspicious and abnormal activity. The team would also report all incidents to upper management and to the legal authorities as required by law and regulation. |
35 | | 5 | `Recover` affected systems or data:<br>- Recovery planning: How will resources be restored following an attack?<br>- Improvements: Do any improvements need to be made to the current recovery systems or processes?<br>- Communications: How will restoration procedures be communicated within the organization and with those directly affected by the attack, including end users and IT staff?<br><br>Response: To begin with, we need to address the ICMP flooding to ensure uninterrupted access to network services. The team may use the firewall to block ICMP flood attacks. In practice, the critical network services should be the top priority, while the non-critical services could go offline. Finally, once the flood of ICMP packets has stopped, all non-critical network systems and services can be brought back online. |
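The abnormal-traffic detection discussed in the Detect row, as an added example in Python (not the company's monitoring software and not part of the original write-up): it parses constructed tcpdump-style ICMP lines, counts echo requests per second and per source, and raises an alert when a second exceeds a request threshold, noting whether the requests came from many sources, which is what distinguishes a distributed flood from one noisy host. The line format, thresholds and addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed line shape, modelled on tcpdump output for an ICMP echo request:
#   HH:MM:SS.usec IP <src> > <dst>: ICMP echo request, id N, seq N, length N
ICMP_ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request"
)


def parse_echo_requests(lines):
    """Yield (second, src, dst) for every echo-request line; replies and
    non-ICMP lines are ignored."""
    for line in lines:
        m = ICMP_ECHO_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst")


def detect_icmp_flood(lines, rate_threshold=20, distinct_sources=5):
    """Return one alert per second whose echo-request count reaches
    rate_threshold. 'distributed' is set when at least distinct_sources
    different source addresses contributed, i.e. a DDoS-style pattern rather
    than a single misbehaving host."""
    per_second = defaultdict(list)
    for sec, src, _dst in parse_echo_requests(lines):
        per_second[sec].append(src)

    alerts = []
    for sec in sorted(per_second):
        sources = per_second[sec]
        if len(sources) >= rate_threshold:
            uniq = len(set(sources))
            alerts.append({
                "second": sec,
                "requests": len(sources),
                "sources": uniq,
                "distributed": uniq >= distinct_sources,
            })
    return alerts


def build_sample_capture():
    """Constructed sample: one quiet second with 3 pings from internal hosts,
    one second with 25 requests spread over 8 external addresses (a flood),
    and a reply line that the parser must skip."""
    lines = []
    for i in range(3):
        lines.append(f"12:00:01.{i:06d} IP 10.0.0.{20 + i} > 10.0.0.10: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    for i in range(25):
        src = f"203.0.113.{i % 8 + 1}"
        lines.append(f"12:00:02.{i:06d} IP {src} > 10.0.0.10: "
                     f"ICMP echo request, id 7, seq {i}, length 1400")
    lines.append("12:00:02.999999 IP 10.0.0.10 > 203.0.113.1: "
                 "ICMP echo reply, id 7, seq 0, length 1400")
    return lines


if __name__ == "__main__":
    for alert in detect_icmp_flood(build_sample_capture()):
        kind = "distributed" if alert["distributed"] else "single-source"
        print(f"{alert['second']}: {alert['requests']} echo requests from "
              f"{alert['sources']} sources ({kind} flood)")
```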
36 |
37 |
38 |
39 |
--------------------------------------------------------------------------------
/3 - Linux & SQL/3.1 - Ketmanto - File permissions (Linux).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/3 - Linux & SQL/3.1 - Ketmanto - File permissions (Linux).pdf
--------------------------------------------------------------------------------
/3 - Linux & SQL/3.2 - Ketmanto - Manage files (Linux).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/3 - Linux & SQL/3.2 - Ketmanto - Manage files (Linux).pdf
--------------------------------------------------------------------------------
/3 - Linux & SQL/3.3 - Ketmanto - Manage users (Linux).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/3 - Linux & SQL/3.3 - Ketmanto - Manage users (Linux).pdf
--------------------------------------------------------------------------------
/3 - Linux & SQL/3.4 - Ketmanto - SQL filters.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/3 - Linux & SQL/3.4 - Ketmanto - SQL filters.pdf
--------------------------------------------------------------------------------
/3 - Linux & SQL/3.5 - Ketmanto - SQL JOIN.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/3 - Linux & SQL/3.5 - Ketmanto - SQL JOIN.pdf
--------------------------------------------------------------------------------
/3 - Linux & SQL/README.md:
--------------------------------------------------------------------------------
1 | # README
2 |
3 | For this module, all files are provided in `PDF` format. Loading the entire document may take some time. If you experience significant delays, please try **reloading** the page. Thank you.
4 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.1 - Ketmanto - Home asset inventory.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/4 - Assets & Threats & Vulnerabilities/4.1 - Ketmanto - Home asset inventory.pdf
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.2 - Ketmanto - Risk register.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/4 - Assets & Threats & Vulnerabilities/4.2 - Ketmanto - Risk register.pdf
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.3 - Ketmanto - Data leak worksheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/4 - Assets & Threats & Vulnerabilities/4.3 - Ketmanto - Data leak worksheet.pdf
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.4 - Ketmanto - Compare hash values.md:
--------------------------------------------------------------------------------
1 | # Compare Hash Values
2 |
3 | ## Description
4 | As a security analyst, one of the security controls we can implement is hashing. A hash function produces a fixed-length value that cannot be reversed to recover the original input. It uniquely identifies the contents of a file, and the resulting value is
5 | known as a unique identifier (hash value or digest). For example, a malicious program may mimic an original program. If even one line of code differs from the original program, it produces a different hash value. Security teams can then identify the malicious program and work to mitigate the risk.
6 |
7 | ## Generate Hashes
8 | First, the `ls` command lists the files in the directory. There are two files, and we display their contents with `cat`. As the picture below shows, the contents of both files appear to be identical.
9 |
10 | 
11 |
12 | We can find out whether the files are really different by using the `sha256sum` command. From the picture below we can see that the two files have different hash values.
13 |
14 | 
15 |
16 | ## Compare Hashes Files
17 | Let’s write the hashes of `file1.txt` and `file2.txt` to new files, `file1hash` and `file2hash` respectively.
18 |
19 | 
20 |
21 | Inspect their contents with the `cat` command. Finally, compare both hash files with the `cmp` command.
22 |
23 | 
24 |
25 | 
26 |
27 | ## Summary
28 | Although the contents of both files appear to be identical, only comparing the hash value of each file can determine whether they are truly the same.
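The same comparison in Python, as an added example that is not part of the original lab: it computes `sha256sum`-style digests of two constructed files that look identical on screen but differ by one trailing space, then reuses the digests as a baseline manifest to detect a later modification or deletion. File names and contents are constructed for this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hex SHA-256 digest of a file, read in chunks so large files need not
    fit in memory. The value matches what `sha256sum` prints for the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Baseline: map each path to its digest, like saving `sha256sum` output
    into file1hash and file2hash in the lab."""
    return {str(p): sha256_file(p) for p in paths}


def verify_manifest(manifest):
    """Re-hash each file and report ok / modified / missing against the baseline."""
    statuses = {}
    for path, expected in manifest.items():
        if not Path(path).exists():
            statuses[path] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest compares in constant time, so a partial match does
        # not leak through timing when digests come from an untrusted source.
        statuses[path] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    return statuses


def demo():
    """Constructed demo: two files that print identically but differ by a
    single trailing space, plus a third file that is later deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        f1, f2, f3 = base / "file1.txt", base / "file2.txt", base / "file3.txt"
        f1.write_text("The quick brown fox jumps over the lazy dog\n")
        f2.write_text("The quick brown fox jumps over the lazy dog \n")  # trailing space
        f3.write_text("temporary notes\n")
        digest1, digest2 = sha256_file(f1), sha256_file(f2)

        manifest = build_manifest([f1, f2, f3])
        # Simulate changes after the baseline: one file edited, one removed.
        with open(f1, "a") as fh:
            fh.write("extra line\n")
        f3.unlink()
        statuses = {Path(p).name: s for p, s in verify_manifest(manifest).items()}

        return {
            "digest1": digest1,
            "digest2": digest2,
            "same": hmac.compare_digest(digest1, digest2),
            "statuses": statuses,
        }


if __name__ == "__main__":
    result = demo()
    print("file1.txt", result["digest1"])
    print("file2.txt", result["digest2"])
    print("identical:", result["same"])
    for name, status in result["statuses"].items():
        print(f"{name}: {status}")
```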
29 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.4B - Ketmanto - Decrypt an encrypted message.md:
--------------------------------------------------------------------------------
1 | # Decryption
2 |
3 | ## Scenario
4 |
5 | In this scenario, all of the files in your home directory have been encrypted. You’ll need to use Linux commands to break the Caesar cipher and decrypt the files so that you can read the hidden messages they contain.
6 |
7 | Here’s how you’ll do this task: First, you’ll explore the contents of the home directory and read the contents of a file. Next, you’ll find a hidden file and decrypt the Caesar cipher it contains. Finally, you’ll decrypt the encrypted data file to recover your data and reveal the hidden message.
8 |
9 | OK, it's time to decrypt some messages in Linux!
10 |
11 | > It starts with you logged in as user analyst, with your home directory, /home/analyst, as the current working directory.
12 |
13 | ## Solution
14 |
15 | 1. Read the contents of a file
16 | * Use the `ls` command to list the files in the directory:
17 | `ls /home/analyst`.
18 |
19 | 
20 |
21 |
22 | * List the contents of the README.txt file:
23 | `cat README.txt`.
24 |
25 | 
26 |
27 | The message in the README.txt file advises that the caesar subdirectory contains a hidden file.
28 |
29 | 2. Find a hidden file
30 | In this task, you need to find a hidden file in your home directory and decrypt the Caesar cipher it contains.
31 | * Use the `cd` command to move into the caesar subdirectory and `ls -a` to list all files, including hidden ones: `cd caesar` and `ls -a`.
32 |
33 | 
34 |
35 | * Use the `cat` command to list the contents of the hidden file:
36 | `cat .leftShift3`.
37 |
38 | 
39 |
40 | The message appears scrambled because it has been encrypted with a Caesar cipher. The cipher can be solved by shifting each alphabetic character to the left or right by a fixed number of positions. In this example, the shift is three letters to the left. Thus `"d"` stands for `"a"`, and `"e"` stands for `"b"`.
41 |
42 | * Decrypt the cipher using the `cat` and `tr` commands:
43 | `cat .leftShift3 | tr "d-za-cD-ZA-C" "a-zA-Z"`.
44 |
45 | 
46 |
47 | > The tr command translates text from one set of characters to another, using a mapping. The first parameter to the tr command represents the input set of characters, and the second represents the output set of characters. Hence, if you provide parameters “abcd” and “pqrs”, and the input string to the tr command is “ac”, the output string will be “pr”.
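The same left-shift decryption in Python, as an added example that is not from the original lab: `decrypt_left_shift` does what the `tr` mapping above does, `tr_sets_for_left_shift` builds the two `tr` arguments for any shift, and `crack_caesar` goes beyond the lab by trying all 26 shifts and scoring each result against a few common English words. The cipher text used is constructed here, not the contents of `.leftShift3`.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Small word list used only to rank candidate plaintexts (an assumption of
# this example; any larger dictionary would work the same way).
COMMON_WORDS = {"the", "and", "for", "are", "but", "not", "you", "all",
                "with", "this", "that", "from", "have"}


def caesar_shift(text, shift):
    """Shift every ASCII letter by `shift` positions (negative = left),
    wrapping around the alphabet; all other characters are unchanged."""
    out = []
    for ch in text:
        if ch in LOWER:
            base = ord("a")
        elif ch in UPPER:
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def decrypt_left_shift(cipher_text, n):
    """Undo a cipher where 'd' stands for 'a' (n = 3): move each letter n
    places to the left, exactly what `tr "d-za-cD-ZA-C" "a-zA-Z"` does."""
    return caesar_shift(cipher_text, -n)


def tr_sets_for_left_shift(n):
    """Return the (SET1, SET2) arguments for `tr` that undo a left shift of n.
    For n = 3 this is ("d-za-cD-ZA-C", "a-zA-Z"): letters d..z map onto a..w
    and the wrapped a..c onto x..z, same for upper case."""
    if not 1 <= n <= 25:
        raise ValueError("shift must be between 1 and 25")
    set1 = (f"{LOWER[n]}-za-{LOWER[n - 1]}"
            f"{UPPER[n]}-ZA-{UPPER[n - 1]}")
    return set1, "a-zA-Z"


def crack_caesar(cipher_text):
    """Try every shift and return (left_shift, plaintext) for the candidate
    containing the most common English words."""
    best = (0, cipher_text, -1)
    for n in range(26):
        candidate = caesar_shift(cipher_text, -n)
        tokens = "".join(c if c.isalpha() else " " for c in candidate).lower().split()
        score = sum(1 for t in tokens if t in COMMON_WORDS)
        if score > best[2]:
            best = (n, candidate, score)
    return best[0], best[1]


if __name__ == "__main__":
    sample = caesar_shift("The quick brown fox jumps over the lazy dog", 3)  # constructed
    print("cipher   :", sample)
    print("tr args  :", tr_sets_for_left_shift(3))
    print("shift 3  :", decrypt_left_shift(sample, 3))
    print("cracked  :", crack_caesar(sample))
```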
48 |
49 |
50 | 3. Decrypt a file
51 | * Go back to the initial working directory and run this command to decrypt the file:
52 | `openssl aes-256-cbc -pbkdf2 -a -d -in Q1.encrypted -out Q1.recovered -k ettubrute`.
53 |
54 | 
55 |
56 |
57 |
58 | This command reverses the encryption of the file with a secure symmetric cipher as indicated by AES-256-CBC. The `-pbkdf2` option is used to add extra security to the key, and `-a` indicates the desired encoding for the output. The `-d` indicates decrypting, while `-in` specifies the input file and `-out` specifies the output file. The `-k` specifies the password, which in this example is ettubrute.
59 |
60 | * Use the `ls` command to confirm that the recovered file exists, then `cat Q1.recovered` to read it.
61 |
62 | 
63 |
64 |
65 |
66 |
67 |
68 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.5 - Ketmanto - Access control worksheet.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/4 - Assets & Threats & Vulnerabilities/4.5 - Ketmanto - Access control worksheet.pdf
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.6 - Ketmanto - Vulnerability assessment report.md:
--------------------------------------------------------------------------------
1 | # Vulnerability Assessment
2 |
3 | ## Scenario
4 |
5 | You are a newly hired cybersecurity analyst for an e-commerce company. The company stores information on a remote database server, since many of the employees work remotely from locations all around the world.
6 | Employees of the company regularly query, or request, data from the server to find potential customers. The database has been open to the public since the company's launch three years ago.
7 | As a cybersecurity professional, you recognize that keeping the database server open to the public is a serious vulnerability.
8 | A vulnerability assessment of the situation can help you communicate the potential risks with decision makers at the company. You must create a written report that clearly explains how the vulnerable server is a risk to business operations and how it can be secured.
9 |
10 | ## Report
11 |
12 | Date: November 14th 2023 - January 14th 2024 (3 months; you may put an actual date for this).
13 |
14 | ### System Description
15 | The database server runs on Debian Linux with 1 TB of memory and a powerful CPU. It hosts a MySQL database management system. The network connection uses an IPv4 address, yet the connection is secured with SSL instead of TLS.
16 |
17 | ### Scope
18 | The scope of this report covers the current access controls of the system. The assessment was conducted from November 14th 2023 to January 14th 2024. The risk analysis of the information system is based on [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Other revisions published by NIST may also be consulted.
19 |
20 | ### Purpose
21 | The database server stores large amounts of data. This may include customer, campaign and analytics data used to track performance and personalize marketing efforts. Because of its sensitivity, the system has to be secured from unauthorized personnel.
22 |
23 | ### Risk Assessment
24 | | Threat source | Threat Event | Likelihood | Severity | Risk |
25 | | --- | --- | :---: | :---: | :---: |
26 | | Hackers | Sensitive information is leaked to public due to exfiltration | 3 | 3 | 9|
27 | | Former employees | Sensitive information is leaked to public or sold to competitors by the former employees | 2 | 3 | 6 |
28 | | Current employees | Disrupt operation activities | 2 | 3 | 6 |
29 | | Customer | Alter information | 1 | 3 | 3|
30 |
31 | ### Approach
32 | Threat sources and events were identified based on the likelihood of incidents resulting from open access permissions. The severity was measured against the impact on day-to-day operational needs. Hackers might publish this information on the internet and damage the organization's reputation. As for former employees, there was a case in which an employee left the company and sold confidential information to competitors; while this may not happen easily, the severity is high. In addition, current employees might disrupt operational activities, while customers may alter the information at will.
33 |
34 |
35 | ### Remediation Strategy
36 | * Make the database private to protect confidentiality
37 | * Implement Role-Based Access Control (RBAC)
38 | * Implement authentication, authorization, and auditing in business practices to ensure only authorized users can gain access to the database server
39 | * Implement multi-factor authentication (SMS, email, ID card, employee card, etc.)
40 | * Encrypt the data using TLS instead of SSL (TLS is the newer version of SSL) to prevent users on the internet from gaining access to the database server
41 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.7 - Ketmanto - Cyber attack mindset.md:
--------------------------------------------------------------------------------
1 | # Parking Lot USB drive
2 |
3 | ## Scenario
4 | You are part of the security team at Rhetorical Hospital and arrive to work one morning. On the ground of the parking lot, you find a USB stick with the hospital's logo printed on it. There’s no one else around who might have dropped it, so you decide to pick it up out of curiosity.
5 |
6 | You bring the USB drive back to your office where the team has virtualization software installed on a workstation. Virtualization software can be used for this very purpose because it’s one of the only ways to safely investigate an unfamiliar USB stick. The software works by running a simulated instance of the computer on the same workstation. This simulation isn’t connected to other files or networks, so the USB drive can’t affect other systems if it happens to be infected with malicious software.
7 |
8 | Jorge's drive contains a mix of personal and work-related files. For example, it contains folders that appear to store family and pet photos. There is also a new hire letter and an employee shift schedule. Consider how an attacker might use this information if they obtained it. Also, consider whether this whole event was staged.
9 |
10 | ## Solution
11 |
12 | |Points| Description|
13 | |---|---|
14 | |Contents | Not all documents contain personal information. However, Jorge would not want any of them to be made public. Some of the work files include personal information and details of the hospital's operations.|
15 | |Attacker mindset | The information that attackers obtain could help them trick Jorge. For example, they could send malicious emails to manipulate Jorge into revealing more personal information (payment cards and more).|
16 | |Risk analysis | Educating all employees about these types of attacks can raise awareness and prevent the incident from happening again; this is a managerial control. Second, setting up a protection system, such as installing antivirus software and scanning the device on a regular basis, is an operational control. Third, to prevent malicious code from being executed when a USB drive is plugged in, we can disable the autoplay feature or require that files be sent through an email service that scans them with antivirus software.|
17 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/4.8 - Ketmanto - PASTA framework.md:
--------------------------------------------------------------------------------
1 | # PASTA Model Framework
2 | > Process of Attack Simulation and Threat Analysis
3 |
4 | ## Scenario
5 | You’re part of the growing security team at a company for sneaker enthusiasts and collectors. The business is preparing to launch a mobile app that makes it easy for their customers to buy and sell shoes.
6 |
7 | You are performing a threat model of the application using the PASTA framework. You will go through each of the seven stages of the framework to identify security requirements for the new sneaker company app.
8 |
9 | ## Components of PASTA
10 | * Define Business and Security Objectives
11 | * Define the Technical Scope
12 | * Decompose Application (Data flow diagram)
13 | * Threat analysis
14 | * Vulnerability analysis
15 | * Attack modeling (Attack tree)
16 | * Risk analysis and impact
17 |
18 | ## Implementation
19 |
20 | ### Define Business and Security Objectives
21 | |Business| Security |
22 | |---|---|
23 | |Process transactions|One account, one payment method|
24 | |Users can create profiles| Protected by passwords and Multi-Factor Authentication|
25 | |Accept multiple payment methods| The app should be in compliance with PCI-DSS|
26 | |Database utilization |Provide multi-factor authentication|
27 |
28 | Context Diagram:
29 |
30 | |Users|Admins|
31 | |---|---|
32 | |Add sneakers to cart|Store & update catalogs|
33 | |Pay for products/service|Issue invoice|
34 | |Send inquiry |Answer inquiry|
35 |
36 | ### Define the Technical Scope
37 | * API to handle the exchange of data between customers and employees.
38 | * Public key infrastructure (PKI)
39 | * SHA-256 (Hash functions to protect the sensitive data from being viewed by administrators or anyone)
40 | * SQL
41 |
42 | ### Decompose Application
43 | Data Flow Diagram Level 0 or Context Diagram:
44 | In this case, I did not include levels 1 and 2 as they would be much more complex.
45 |
46 | 
47 |
48 | ### Threat Analysis
49 | * SQL Injection
50 | * Session Hijacking
51 | * Denial of service
52 | * Integration issues and service disruptions
53 |
54 | ### Vulnerability Analysis
55 | * Lack of prepared statements (parameterized queries, which are a powerful tool in SQL that helps prevent SQL injection attacks and can improve database performance)
56 | * Weak credential logins
57 | * Overloaded app server
58 | * Broken API Token
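The first vulnerability above, illustrated with an added example that is not part of the original threat model: the same user lookup written with string concatenation and with a prepared statement, run with Python's sqlite3 module against a constructed users table. The crafted value shows why the prepared statement matters: bound as a parameter it is just a literal that matches nothing, while concatenated into the SQL it changes the query's grammar.

```python
import sqlite3

# Constructed sample data standing in for the app's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# A value that, if it reaches the SQL parser unquoted, turns the WHERE
# clause into a tautology. Used here only to show the two behaviours differ.
GRAMMAR_ALTERING_INPUT = "x' OR '1'='1"


def make_demo_db():
    """In-memory SQLite database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Lookup without a prepared statement: the caller's value is spliced into
    the SQL text, so quotes inside it become part of the query structure."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_prepared(conn, username):
    """Lookup with a prepared (parameterized) statement: the SQL is compiled
    with a placeholder and the value is bound afterwards, so it can only ever
    be compared as data, never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the grammar-altering
    value; return the row counts so the difference is visible."""
    conn = make_demo_db()
    try:
        return {
            "normal_vulnerable": len(find_user_vulnerable(conn, "alice")),
            "normal_prepared": len(find_user_prepared(conn, "alice")),
            "crafted_vulnerable": len(find_user_vulnerable(conn, GRAMMAR_ALTERING_INPUT)),
            "crafted_prepared": len(find_user_prepared(conn, GRAMMAR_ALTERING_INPUT)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>20}: {rows} row(s)")
```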
59 |
60 | ### Attack Modelling
61 | Attack tree diagram:
62 |
63 | 
64 |
65 | ### Risk Analysis and Impact
66 | * SHA-256 Hashing
67 | * Incident response procedures
68 | * Playbook (security policy)
69 | * Password policy
70 | * Principle of least privilege
71 | * Zero-trust
72 |
--------------------------------------------------------------------------------
/4 - Assets & Threats & Vulnerabilities/README.md:
--------------------------------------------------------------------------------
1 | # README
2 |
3 | For this module, some files are provided in `PDF` format. Loading the entire document may take some time. If you experience significant delays, please try **reloading** the page. Thank you.
4 |
--------------------------------------------------------------------------------
/5 - Detection & Response/5.1 - Ketmanto - Final report.md:
--------------------------------------------------------------------------------
1 | # Final Report
2 |
3 | ## Scenario
4 |
5 | The organization experienced a security incident on January 22, 2024, at 7:20 p.m., PT, during which an individual was able to gain unauthorized access to customer personal identifiable information (PII) and financial information. Approximately 50,000 customer records were affected. The financial impact of the incident is estimated to be $100,000 in direct costs and potential loss of revenue. The incident is now closed and a thorough investigation has been conducted.

At approximately 3:13 p.m., PT, on January 20, 2024, an employee received an email from an external email address. The email sender claimed that they had successfully stolen customer data. In exchange for not releasing the data to public forums, the sender requested a $25,000 cryptocurrency payment. The employee assumed the email was spam and deleted it. On January 22, 2024, the same employee received another email from the same sender. This email included a sample of the stolen customer data and an increased payment demand of $50,000. On the same day, the employee notified the security team, who began their investigation into the incident.

After a thorough review, the security team found a vulnerability in the e-commerce web application. This vulnerability allowed the attacker to perform a forced browsing attack and access customer transaction data by modifying the order number included in the URL string of a purchase confirmation page. The one log the investigation relied on, the web application access log, showed that the attacker accessed the information of thousands of purchase confirmation pages. The organization collaborated with the public relations department to disclose the data breach and offered free identity protection services to the affected customers. The lesson learned from this incident is to perform routine vulnerability scans and penetration testing.
In addition, the organization may implement an access control mechanism that allows only a specific set of URLs, blocks all requests outside that URL range, and ensures that only authenticated users are authorized to gain access.
6 |
7 | ## Executive Summary
8 | > A high-level summary of the report including the key findings and essential facts related to the incident.
9 |
10 | The type of security incident is data theft. The incident took place on January 22, 2024 at 7:20 p.m., during which an individual gained unauthorized access to customer personal identifiable information and financial information. The attacker used forced browsing to exploit a vulnerability in the e-commerce web application. Approximately 50,000 customer records were affected and the financial loss is estimated to be $100,000. The incident is now closed and a thorough investigation has been conducted. The recommendations to prevent future recurrences are:
11 | * Implement access control mechanisms.
12 | * Implement routine vulnerability scans.
13 |
14 | ## Timeline
15 | > A detailed chronological timeline of the incident that includes timestamps dating the sequence of events that led to the incident.
16 |
17 | At 3:13 p.m. on January 20, 2024, an employee received an email from an external email address. The sender claimed that they had successfully stolen customer data and requested a $25,000 cryptocurrency payment. The employee assumed it was spam and deleted it.
18 | On January 22, 2024, the same employee received another email from the same sender. This time, the attacker attached a sample of the stolen data and demanded $50,000. On the same day, the employee notified the security team, which began its investigation.
19 |
20 | ## Investigation
21 | > A compilation of the actions taken during the detection and analysis of the incident. For example, analysis of a network artifact such as a packet capture reveals information about what activities happen on a network.
22 |
23 | * The root cause of the incident was identified as a vulnerability in the e-commerce web application. This vulnerability allowed the attacker to perform a forced browsing attack and access customer transaction data by modifying the order number included in the URL string of a purchase confirmation page. Because every confirmation page exposed customer data, the attacker was able to collect and exfiltrate it.
24 | * After confirming the web application vulnerability, the security team analyzed the web application access logs. The logs indicated that the attacker accessed the information of thousands of purchase confirmation pages.
25 |
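The access-log review described above is the detection opportunity in this incident: a legitimate shopper views one or two confirmation pages, while an attacker walking order numbers views hundreds of distinct orders in a short window. The following is an added Python example, not part of the original report, that shows one way to flag that pattern. The log lines are constructed in the common Apache/nginx format and the `/orders/confirmation?order=` URL shape is an assumption; the real application's path would be substituted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of combined-format access log lines (not from the incident).
# Lines 1-2 are ordinary shoppers; lines 3-8 show one client walking order numbers.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [22/Jan/2024:19:05:01 -0800] "GET /orders/confirmation?order=100231 HTTP/1.1" 200 5120
198.51.100.7 - - [22/Jan/2024:19:06:44 -0800] "GET /orders/confirmation?order=100232 HTTP/1.1" 200 5098
192.0.2.55 - - [22/Jan/2024:19:20:00 -0800] "GET /orders/confirmation?order=100001 HTTP/1.1" 200 5011
192.0.2.55 - - [22/Jan/2024:19:20:01 -0800] "GET /orders/confirmation?order=100002 HTTP/1.1" 200 5044
192.0.2.55 - - [22/Jan/2024:19:20:01 -0800] "GET /orders/confirmation?order=100003 HTTP/1.1" 200 5031
192.0.2.55 - - [22/Jan/2024:19:20:02 -0800] "GET /orders/confirmation?order=100004 HTTP/1.1" 200 5102
192.0.2.55 - - [22/Jan/2024:19:20:02 -0800] "GET /orders/confirmation?order=100005 HTTP/1.1" 200 5077
192.0.2.55 - - [22/Jan/2024:19:20:03 -0800] "GET /orders/confirmation?order=100006 HTTP/1.1" 200 5090
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Hypothetical confirmation-page URL; adjust to the application's real route.
ORDER_RE = re.compile(r"/orders/confirmation\?order=(?P<order>\d+)")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_confirmation_requests(log_text):
    """Yield (client_ip, timestamp, order_number) for successful confirmation-page hits."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # only pages that actually returned data matter
        o = ORDER_RE.search(m.group("path"))
        if not o:
            continue
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), int(o.group("order"))


def find_order_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client_ip: set_of_orders_viewed} for every client that viewed at least
    `threshold` distinct order confirmations inside any sliding window of length `window`.
    A normal customer rarely views more than a handful of their own orders at once."""
    per_client = defaultdict(list)
    for ip, ts, order in parse_confirmation_requests(log_text):
        per_client[ip].append((ts, order))
    flagged = {}
    for ip, hits in per_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            distinct = {order for _, order in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = {order for _, order in hits}  # report everything this client touched
                break
    return flagged
```

Thresholds are a tuning decision: too low and bulk-buying customers trip it, too high and a slow enumeration spread over hours slips under the window. Running the same check over the historical log is also how an investigation establishes which order numbers, and therefore which customers, were actually exposed.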
26 | ## Response and Remediation
27 | > Proposed solutions.
28 |
29 | The organization collaborated with the public relations department to disclose the data breach to its customers and offered free identity protection services to customers affected by the incident.
30 |
31 | ## Recommendations
32 | > A list of suggested actions for future prevention.
33 | * Perform routine vulnerability scans and penetration testing.
34 | * Implement the following access control mechanisms:
35 |     * Implement allowlisting to allow access to a specified set of URLs and automatically block all requests outside of this URL range.
36 |     * Ensure that only authenticated users are authorized to access content.
37 |
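The two access control recommendations above map directly onto code. What follows is an added Python example, not part of the original report, contrasting the lookup pattern behind the incident (the order number in the URL is the only input) with a hardened version that requires an authenticated session and checks that the order belongs to that customer, plus a coarse URL allowlist. The order records, customer ids and route names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: order numbers, the customer that owns each, and the
# (already masked) payment details a confirmation page would render.
ORDERS = {
    100231: {"customer_id": "cust-a", "card_last4": "4242", "total": "59.99"},
    100232: {"customer_id": "cust-b", "card_last4": "1881", "total": "120.00"},
}


@dataclass(frozen=True)
class Session:
    """The authenticated principal behind a request; customer_id None means anonymous."""
    customer_id: Optional[str]


class Unauthenticated(Exception):
    pass


def confirmation_page_vulnerable(order_id: int) -> Optional[dict]:
    """The pattern behind the incident: nothing ties the requested order to the caller,
    so anyone who changes the order number in the URL reads someone else's order."""
    return ORDERS.get(order_id)


def confirmation_page_hardened(session: Session, order_id: int) -> Optional[dict]:
    """Authorize before anything is looked up:
    1. require an authenticated session;
    2. only return the order if it belongs to that session's customer, and answer
       'not found' identically for a missing order and for another customer's order,
       so the response never confirms which order numbers exist."""
    if session.customer_id is None:
        raise Unauthenticated("login required to view order confirmations")
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != session.customer_id:
        return None
    return order


def anonymous_access_blocked(order_id: int) -> bool:
    """True if the hardened handler refuses an anonymous request outright."""
    try:
        confirmation_page_hardened(Session(None), order_id)
    except Unauthenticated:
        return True
    return False


# Hypothetical URL allowlist: only routes the application intends to serve are
# dispatched; anything else is rejected before it reaches a handler. Match on the
# path component only (query strings are stripped by the caller).
ALLOWED_PATHS = [
    re.compile(r"^/$"),
    re.compile(r"^/products/\d+$"),
    re.compile(r"^/orders/confirmation$"),
    re.compile(r"^/account(/[\w-]+)*$"),
]


def path_allowed(path: str) -> bool:
    return any(p.match(path) for p in ALLOWED_PATHS)
```

The allowlist alone would not have stopped this incident, since `/orders/confirmation` is a legitimate route; it is the ownership check inside the handler that closes the forced-browsing hole. The allowlist's value is in reducing the surface on which a similar mistake could go unnoticed.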
--------------------------------------------------------------------------------
/5 - Detection & Response/5.2 - Ketmanto - Incident handler's journal.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/b1d71a6995864860cfc6955bc33a05c44e4b43c4/5 - Detection & Response/5.2 - Ketmanto - Incident handler's journal.pdf
--------------------------------------------------------------------------------
/5 - Detection & Response/README.md:
--------------------------------------------------------------------------------
1 | # README
2 |
3 | For this module, `Incident handler's journal` is provided in PDF format. Loading the entire document may take some time. If you experience significant delays, please try reloading the page. Thank you.
4 |
--------------------------------------------------------------------------------
/6 - Tcpdump & Wireshark/6.1 - Ketmanto - Tcpdump.md:
--------------------------------------------------------------------------------
1 | # Tcpdump - Capture your first packet
2 |
3 | ## Scenario
4 | You’re a network analyst who needs to use tcpdump to capture and analyze live network traffic from a Linux virtual machine.
5 |
6 | The lab starts with your user account, called analyst, already logged in to a Linux terminal.
7 |
8 | Your Linux user's home directory contains a sample packet capture file that you will use at the end of the lab to answer a few questions about the network traffic that it contains.
9 |
10 | Here’s how you’ll do this: First, you’ll identify network interfaces to capture network packet data. Second, you’ll use tcpdump to filter live network traffic. Third, you’ll capture network traffic using tcpdump. Finally, you’ll filter the captured packet data.
11 |
12 |
13 | ## Solutions
14 | 1. Identify Network Interfaces.
15 |
16 | * Use `ifconfig` to identify the interfaces that are available:
17 |
18 | 
19 |
20 | * Identify the interface options available for packet capture:
21 |
22 | 
23 |
24 |
25 | 2. Inspect the network traffic of a network interface with tcpdump.
26 |
27 | * Use `sudo tcpdump -i eth0 -v -c5` to filter live network packet data:
28 |
29 | 
30 |
31 | > `-i eth0`: Capture data specifically from the `eth0` interface.
32 |
33 | > `-v`: Display detailed packet data.
34 |
35 | > `-c5`: Capture 5 packets of data.
36 |
37 | 3. Capture network traffic:
38 |
39 | * Capture packet data into a file named `capture.pcap`: `sudo tcpdump -i eth0 -nn -c9 port 80 -w capture.pcap &`.
40 |
41 | > `-i eth0`: Capture data from the eth0 interface.
42 |
43 | > `-nn`: Do not attempt to resolve IP addresses or ports to names. This is best practice from a security perspective, as the lookup data may not be valid. It also prevents malicious actors from being alerted to an investigation by the DNS lookups.
44 |
45 | > `-c9`: Capture 9 packets of data and then exit.
46 |
47 | > `port 80`: Filter only port 80 traffic. This is the default HTTP port.
48 |
49 | > `-w capture.pcap`: Save the captured data to the named file.
50 |
51 | > `&`: This is an instruction to the Bash shell to run the command in the background.
52 |
53 | 
54 |
55 | * Use `curl` to generate some HTTP (port 80) traffic: `curl opensource.google.com`.
56 | > Open a website and generate some HTTP (TCP Port 80) traffic that can be captured.
57 |
58 |
59 | 
60 |
61 | * Verify the packet data has been captured: `ls -l capture.pcap`.
62 |
63 | 
64 |
65 | 4. Filter the captured packet data.
66 | * Filter the packet header data from the `capture.pcap` capture file: `sudo tcpdump -nn -r capture.pcap -v`.
67 |
68 | 
69 |
70 |
71 | 
72 |
73 | > `-nn`: Disable port and protocol name lookup.
74 |
75 | > `-r`: Read capture data from the named file.
76 |
77 | > `-v`: Display detailed packet data.
78 |
79 | * Filter the extended packet data from the `capture.pcap` capture file: `sudo tcpdump -nn -r capture.pcap -X`.
80 |
81 | 
82 |
83 | 
84 |
85 |
86 | 
87 |
88 | > `-nn`: Disable port and protocol name lookup.
89 |
90 | > `-r`: Read capture data from the named file.
91 |
92 | > `-X`: Display the hexadecimal and ASCII output format packet data. Security analysts can analyze hexadecimal and ASCII output to detect patterns or anomalies during malware analysis or forensic analysis.
93 |
94 | > Note: Hexadecimal, also known as hex or base 16, uses 16 symbols to represent values, including the digits 0-9 and letters A, B, C, D, E, and F. American Standard Code for Information Interchange (ASCII) is a character encoding standard that uses a set of characters to represent text in digital form.
95 |
--------------------------------------------------------------------------------
/6 - Tcpdump & Wireshark/6.2 - Ketmanto - Wireshark.md:
--------------------------------------------------------------------------------
1 | # Wireshark - Analyze Your First Packet
2 |
3 | ## Scenario
4 |
5 | In this scenario, you’re a security analyst investigating traffic to a website.
6 |
7 | You’ll analyze a network packet capture file that contains traffic data related to a user connecting to an internet site. The ability to filter network traffic using packet sniffers to gather relevant information is an essential skill as a security analyst.
8 |
9 | You must filter the data in order to:
10 | 1. Identify the source and destination IP addresses involved in this web browsing session.
11 | 2. Examine the protocols that are used when the user makes the connection to the website.
12 | 3. Analyze the data packet to identify the type of information sent and received by the systems that connect to each other when the network data is captured.
13 |
14 | An overview of the key property columns listed for each packet:
15 | * `No` : The index number of the packet in this packet capture file.
16 | * `Time`: The timestamp of the packet.
17 | * `Source`: The source IP address.
18 | * `Destination`: The destination IP address.
19 | * `Protocol`: The protocol contained in the packet.
20 | * `Length`: The total length of the packet.
21 | * `Info`: Some information about the data in the packet (the payload) as interpreted by Wireshark.
22 |
23 | ## Solutions
24 | 1. Identify the source and destination IP addresses involved in this web browsing session.
25 | * In the filter bar, type `ip.addr == 142.250.1.139` to filter for traffic associated with a specific IP address. Select the first packet that has `TCP` in the Info field. `addr` matches either the source or the destination IP address.
26 |
27 | 
28 |
29 | 
30 |
31 | * In the filter bar, type `ip.src == 142.250.1.139` to filter for traffic from a specific IP address. `src` matches the address the packet comes from.
32 |
33 | 
34 |
35 |
36 | * In the filter bar, type `ip.dst == 142.250.1.139` to filter for traffic to a specific IP address. `dst` matches the address the packet goes to.
37 |
38 | 
39 |
40 | * In the filter bar, type `eth.addr == 42:01:ac:15:e0:02` to filter for traffic associated with a specific Ethernet MAC address. `addr` matches either the source or the destination MAC address.
41 |
42 | 
43 |
44 | 2. Examine the protocols that are used when the user makes the connection to the website.
45 | * With `ip.addr == 142.250.1.139` applied, the TCP destination port of the selected packet is 80. It contains the initial web request to an HTTP website, which will typically be listening on TCP port 80.
46 |
47 | 
48 |
49 | * With the Ethernet address filter `42:01:ac:15:e0:02` applied, the protocol shown is TCP. The source IP address is `172.21.224.2` and the destination IP address is `35.235.244.34`.
50 |
51 | 
52 |
53 | 3. Analyze the data packet to identify the type of information sent and received by the systems that connect to each other when the network data is captured.
54 | * In the filter bar, type `tcp.port == 80` to filter for traffic associated with a specific port number. `tcp.port == 80` shows only packets whose TCP source or destination port is 80.
55 |
56 | 
57 |
58 | * With the filter `tcp.port == 80` applied, the selected packet's Time to Live is 64.
59 | * `Time to Live`: A field in the Internet Protocol (IP) header that indicates the maximum amount of time an IP packet is allowed to exist in the network before it is discarded if it has not reached its destination. TTL is used to prevent packets from circulating indefinitely in the network, which could happen in the case of routing loops. It can be used as a basic security measure to limit how far packets can propagate through the network.
60 |
61 | 
62 |
63 |
64 | * With the filter `tcp.port == 80` applied, the selected packet's Frame Number is 37 and its Frame Length is 54 bytes.
65 | * `Frame Number`: This is essentially the sequence number of a packet within a particular capture. It helps you identify and refer to packets more easily. In your case, a frame number of 37 means it's the 37th packet captured since the beginning of the capture session. This number is assigned sequentially as packets are captured, starting with the number 1 for the first packet.
66 |
67 | * `Frame Length`: This indicates the size of the packet, including all headers and payload, measured in bytes. The frame length of 54 bytes means the total size of the packet is 54 bytes. This size includes everything from the lowest layer (physical layer) up to the highest layer present in the packet that Wireshark can decode. It's useful for understanding the size of the data being transmitted and can help in various analyses, such as identifying potential issues with packet sizes that might indicate fragmentation or other problems.
68 |
69 | 
70 |
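To make the filtering steps concrete for both labs, the tcpdump steps (reading a capture back with `-r` and filtering on `port 80`) and the Wireshark fields (Time to Live, Frame Number, Frame Length, `ip.addr`, `tcp.port`), here is an added Python example; it is not code from either lab or from the course. It builds a small pcap in memory from constructed packets, reusing the IP and MAC addresses quoted in the Wireshark section, then parses it back the way `tcpdump -nn -r capture.pcap` or Wireshark would. A frame carrying no IP or TCP options and no payload is 14 (Ethernet) + 20 (IPv4) + 20 (TCP) = 54 bytes, which is why 54 bytes is the Frame Length of a bare SYN or ACK. The parser also recomputes the IPv4 header checksum, so a capture with corrupted headers shows up as `ip_checksum_ok == False`.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap format with microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum field included) it is 0."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, ttl=64, flags=0x02):
    """Construct a minimal Ethernet/IPv4/TCP frame with no options and no payload (54 bytes)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + tcp


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialize frames into an in-memory pcap file, as `tcpdump -w` would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1705972800 + i, 0, len(frame), len(frame)) + frame
    return out


@dataclass
class Frame:
    number: int              # Wireshark "Frame Number": 1-based capture order
    length: int              # Wireshark "Frame Length": bytes on the wire
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ttl: Optional[int] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_checksum_ok: Optional[bool] = None


def parse_frame(number: int, orig_len: int, pkt: bytes) -> Frame:
    f = Frame(number=number, length=orig_len)
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return f  # not IPv4: keep only the frame-level fields
    ihl = (pkt[14] & 0x0F) * 4
    f.ttl, f.proto = pkt[22], pkt[23]
    f.src_ip = socket.inet_ntoa(pkt[26:30])
    f.dst_ip = socket.inet_ntoa(pkt[30:34])
    f.ip_checksum_ok = ipv4_checksum(pkt[14:14 + ihl]) == 0
    if f.proto in (6, 17) and len(pkt) >= 14 + ihl + 4:  # TCP or UDP: ports come first
        f.src_port, f.dst_port = struct.unpack_from("!HH", pkt, 14 + ihl)
    return f


def read_pcap(data: bytes) -> List[Frame]:
    """Parse a classic pcap (either byte order) into Frame records, like `tcpdump -nn -r`."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    frames, off, n = [], 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        n += 1
        frames.append(parse_frame(n, orig_len, data[off:off + incl_len]))
        off += incl_len
    return frames


def filter_frames(frames, ip_addr=None, tcp_port=None):
    """Equivalent of the Wireshark filters `ip.addr == X` and `tcp.port == N` (either side)."""
    out = []
    for f in frames:
        if ip_addr is not None and ip_addr not in (f.src_ip, f.dst_ip):
            continue
        if tcp_port is not None and (f.proto != 6 or tcp_port not in (f.src_port, f.dst_port)):
            continue
        out.append(f)
    return out


def sample_capture() -> bytes:
    """Constructed three-packet capture using the addresses from the Wireshark write-up."""
    client, server, other = "172.21.224.2", "142.250.1.139", "35.235.244.34"
    cmac, smac = "42:01:ac:15:e0:02", "42:01:ac:15:e0:01"
    return write_pcap([
        build_tcp_frame(cmac, smac, client, server, 52000, 80, ttl=64, flags=0x02),   # SYN
        build_tcp_frame(smac, cmac, server, client, 80, 52000, ttl=128, flags=0x12),  # SYN-ACK
        build_tcp_frame(cmac, smac, client, other, 52001, 443, ttl=64, flags=0x02),   # unrelated
    ])
```

`write_pcap` produces the same format `tcpdump -w capture.pcap` writes, so `read_pcap(open("capture.pcap", "rb").read())` works on the lab's file as long as it is a classic pcap captured on an Ethernet interface; Wireshark's newer pcapng default is deliberately rejected rather than misparsed.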
--------------------------------------------------------------------------------
/7 - IDS & SIEM/7.1 IDS - Ketmanto - Suricata.md:
--------------------------------------------------------------------------------
1 | # Intrusion Detection Systems (IDS) - Suricata
2 | > Suricata is an open-source intrusion detection system, intrusion prevention system, and network analysis tool.
3 |
4 | > An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. IDS technologies help organizations monitor the activity that happens on their systems and networks to identify indications of malicious activity.
5 |
6 | ## Overview
7 | There are three ways Suricata can be used:
8 | 1. Intrusion detection system `(IDS)`: Monitor network traffic and alert on suspicious activities and intrusions. In a practical way, it can be a host-based IDS to monitor system and network activities of a single host like a computer.
9 | 2. Intrusion prevention system `(IPS)`: Detect and block malicious activity and traffic. It requires additional configuration such as enabling IPS mode.
10 | 3. Network security monitoring `(NSM)`: Produce and save relevant network logs (live network traffic, existing packet capture files, full or conditional packet captures). This is beneficial for forensics, incident response and for testing signatures.
11 |
12 | Suricata uses signatures analysis, which is a detection method used to find events of interest. Signatures consist of three components:
13 | 1. Action: The first component of a signature. It describes the action to take if network or system activity matches the signature. Examples include: alert, pass, drop, or reject.
14 | 2. Header: The header includes network traffic information like source and destination IP addresses, source and destination ports, protocol, and traffic direction.
15 | 3. Rule options: The rule options provide you with different options to customize signatures.
16 |
17 | 
18 |
19 | ## Examine alerts, logs and rules with Suricata
20 |
21 | In this scenario, you’re a security analyst who must monitor traffic on your employer's network. You’ll be required to configure Suricata and use it to trigger alerts.
22 |
23 | Here’s how you'll do this task: First, you'll explore custom rules in Suricata. Second, you'll run Suricata with a custom rule in order to trigger it, and examine the output logs in the fast.log file. Finally, you’ll examine the additional output that Suricata generates in the standard eve.json log file.
24 |
25 | For the purposes of the tests you’ll run in this lab activity, you’ve been supplied with a sample.pcap file and a custom.rules file. These reside in your home folder.
26 |
27 | Let’s define the files:
28 |
29 | 1. The `sample.pcap` file is a packet capture file that contains an example of network traffic data, which you’ll use to test the Suricata rules. This will allow you to simulate and repeat the exercise of monitoring network traffic.
30 |
31 | 2. The `custom.rules` file contains a custom rule when the lab activity starts. You’ll add rules to this file and run them against the network traffic data in the sample.pcap file.
32 |
33 | 3. The `fast.log` file will contain the alerts that Suricata generates. The fast.log file is empty when the lab starts. Each time you test a rule, or set of rules, against the sample network traffic data, Suricata adds a new alert line to the fast.log file when all the conditions in any of the rules are met. The fast.log file can be located in the /var/log/suricata directory after Suricata runs. The fast.log file is considered a deprecated format and is not recommended for incident response or threat hunting tasks, but it can be used to perform quick checks or tasks related to quality assurance.
34 |
35 | 4. The `eve.json` file is the main, standard, and default log for events generated by Suricata. It contains detailed information about alerts triggered, as well as other network telemetry events, in JSON format. The eve.json file is generated when Suricata runs, and can also be located in the `/var/log/suricata` directory.
36 |
37 | When you create a new rule, you'll need to test the rule to confirm whether or not it worked as expected. You can use the fast.log file to quickly compare the number of alerts generated each time you run Suricata to test a signature against the `sample.pcap` file.
38 |
39 | ## Expectation
40 |
41 | * Create custom rules and run them in Suricata
42 | * Monitor traffic captured in a packet capture file
43 | * Examine the fast.log and `eve.json` output
44 |
45 | ## Step-by-step
46 |
47 | 1. Examine a custom rule in Suricata.
48 |
49 | 
50 |
51 | ```
52 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; flow:established,to_server; content:"GET"; http_method; sid:12345; rev:3;)
53 | ```
54 |
55 | * Action
56 | `alert`: Instructs Suricata to alert on the selected network traffic. The IDS inspects the packets and emits an alert when they match.
57 |
58 | * Header
59 | `http`: The rule applies only to HTTP traffic. The arrow indicates the direction of the traffic: from $HOME_NET to the destination $EXTERNAL_NET. In this scenario, $HOME_NET is a Suricata variable defined in `/etc/suricata/suricata.yaml` under the rule variable definitions.
60 | $HOME_NET is defined as the `172.21.224.0/20` subnet.
61 |
62 | * Rule options
63 | `Rule`: Customize signatures with additional parameters.
64 | * `msg`: The alert will print the text `GET on wire`.
65 | * `flow:established,to_server`: Matches only packets on an established flow travelling from the client to the server (after the handshake's SYN-ACK exchange).
66 | * `content:"GET"`: Tells Suricata to look for the string GET; the `http_method` keyword that follows restricts the match to the HTTP method field of the request.
67 | * `sid:12345`: A unique numerical value that identifies the rule.
68 | * `rev:3`: The signature's revision number, which is incremented each time the rule is modified.
69 |
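Reading a signature by eye, as above, becomes error-prone once `custom.rules` holds more than a few lines, and a rule with a duplicated `sid` or a missing `msg` is a common reason a test run produces no alert. The following is an added Python example, not code from the lab or from the Suricata project, that parses the header and options of a rule into its three components and checks a rules file for duplicate sids. The second rule in the constructed sample file is made up for the example and deliberately reuses the lab rule's sid.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Header grammar: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|pass|drop|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Signature:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    # Options in file order as (keyword, value); value is None for bare modifiers such as http_method.
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def get(self, keyword: str) -> Optional[str]:
        for k, v in self.options:
            if k == keyword:
                return v
        return None


def _add_option(opts, raw):
    item = raw.strip()
    if not item:
        return
    key, sep, value = item.partition(":")
    value = value.strip() if sep else None
    if value and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # strip the quotes around msg/content strings
    opts.append((key.strip(), value))


def split_options(text: str):
    """Split 'k:v; k2; ...' on ';' while honouring quoted values and backslash escapes."""
    opts, buf, in_quotes, escaped = [], "", False, False
    for ch in text:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == '"':
            buf += ch
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            _add_option(opts, buf)
            buf = ""
        else:
            buf += ch
    _add_option(opts, buf)
    return opts


def parse_signature(rule: str) -> Signature:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata signature: " + rule)
    sig = Signature(*(m.group(k) for k in ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")))
    sig.options = split_options(m.group("options"))
    for required in ("msg", "sid"):
        if sig.get(required) is None:
            raise ValueError(f"signature {rule[:40]!r} lacks required option {required}")
    return sig


def load_rules(text: str) -> List[Signature]:
    """Parse a rules file, skipping blank lines and '#' comments."""
    return [parse_signature(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def duplicate_sids(sigs) -> Set[str]:
    """sids must be unique across every loaded rules file; Suricata flags duplicates at load time."""
    seen, dupes = set(), set()
    for s in sigs:
        sid = s.get("sid")
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return dupes


# Constructed custom.rules: the lab's rule plus a made-up second rule that reuses its sid.
SAMPLE_RULES = """\
# constructed for the example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; flow:established,to_server; content:"GET"; http_method; sid:12345; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"POST on wire"; flow:established,to_server; content:"POST"; http_method; sid:12345; rev:1;)
"""
```

Running `duplicate_sids(load_rules(open("custom.rules").read()))` before `sudo suricata -r sample.pcap -S custom.rules` is a cheap pre-flight check; it does not replace Suricata's own validation (`suricata -T -S custom.rules`), which also checks keyword semantics this parser does not know about.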
70 | 2. Trigger a custom rule in Suricata.
71 | * List the files in the `/var/log/suricata` folder: `ls -l /var/log/suricata`. Up to this point, there are no files to be found.
72 |
73 | 
74 |
75 | * We run Suricata using the `custom.rules` and `sample.pcap`: `sudo suricata -r sample.pcap -S custom.rules -k none`.
76 | * The `-r sample.pcap` option specifies an input file to mimic network traffic. In this case, the sample.pcap file.
77 | * The `-S custom.rules` option instructs Suricata to use the rules defined in the custom.rules file.
78 | * The `-k none` option instructs Suricata to disable all checksum checks.
79 |
80 | 
81 |
82 | * List the files in the `/var/log/suricata` folder again: `ls -l /var/log/suricata`.
83 |
84 | 
85 |
86 | * Display `fast.log`: `cat /var/log/suricata/fast.log`
87 |
88 | 
89 |
90 | Here, each line corresponds to an alert generated by Suricata when it processes a packet that meets the conditions of an alert-generating rule. Each line shows the rule that triggered the alert, and the source, destination and direction of the traffic.
91 |
92 |
93 | 3. Examine `eve.json` output.
94 | * Use the cat command to display the entries in the `eve.json` file: `cat /var/log/suricata/eve.json`. The format of the data will be in JSON.
95 |
96 | 
97 |
98 | * Let's display the entries in an improved format: `jq . /var/log/suricata/eve.json | less`.
99 |
100 | 
101 |
102 | * Extract specific event data from `eve.json` file: `jq -c "[.timestamp,.flow_id,.alert.signature,.proto,.dest_ip]" /var/log/suricata/eve.json`.
103 | 
104 |
105 | > Press Q to exit the `less` command and return to the command-line prompt.
106 |
107 | 4. Several things to be found in the `eve.json`:
108 | * The value of the severity for the first alert returned by the `jq` command is 3.
109 | * The destination IP address listed for the last event in the `eve.json` file is `142.250.1.102`.
110 | * The alert signature for the first entry in the `eve.json` is `GET on WIRE`.
111 |
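The `jq` one-liner above pulls a few fields out of every event; the answers in step 4 (the severity of the first alert, the destination IP of the last event) are the kind of facts an analyst reads off that output. The following is an added Python example, not code from the lab, that reads eve.json the same way, tolerates a truncated final line (a live eve.json is often mid-write when read), summarises alerts per signature, and joins each alert to the HTTP transaction on the same `flow_id` so the hostname and URL are visible next to the rule name. The eve.json lines are constructed for the example and are not the lab's output.

```python
import json
from collections import Counter
from typing import List

# Constructed eve.json lines (one JSON object per line, as Suricata writes them); the values
# are illustrative and not output from the lab's sample.pcap.
SAMPLE_EVE = """\
{"timestamp":"2024-02-11T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"172.21.224.2","dest_ip":"142.250.1.102","proto":"TCP","alert":{"signature":"GET on wire","signature_id":12345,"rev":3,"severity":3}}
{"timestamp":"2024-02-11T10:00:01.100000+0000","flow_id":1,"event_type":"http","src_ip":"172.21.224.2","dest_ip":"142.250.1.102","proto":"TCP","http":{"hostname":"opensource.google.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2024-02-11T10:00:02.000000+0000","flow_id":2,"event_type":"alert","src_ip":"172.21.224.2","dest_ip":"142.250.1.102","proto":"TCP","alert":{"signature":"GET on wire","signature_id":12345,"rev":3,"severity":3}}
{"timestamp":"2024-02-11T10:00:03.000000+0000","flow_id":2,"event_type":"flow","src_ip":"172.21.224.2","dest_ip":"142.250.1.102","proto":"TCP"}
{"timestamp":"2024-02-11T10:00:04.000000+0000","flow_id":3,"event_ty"""


def load_eve(text: str) -> List[dict]:
    """Parse eve.json line by line; skip blank lines and a truncated (mid-write) last line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alert_rows(events):
    """The same fields the lab's jq filter extracts, restricted to alert events."""
    return [
        (e["timestamp"], e["flow_id"], e["alert"]["signature"], e["proto"], e["dest_ip"])
        for e in events if e.get("event_type") == "alert"
    ]


def summarize_alerts(events):
    """Count alerts per signature and keep the most urgent severity seen for each.
    Suricata severity runs from 1 (highest priority) to 4 (lowest)."""
    counts, worst = Counter(), {}
    for e in events:
        if e.get("event_type") != "alert":
            continue
        sig = e["alert"]["signature"]
        counts[sig] += 1
        worst[sig] = min(e["alert"].get("severity", 4), worst.get(sig, 4))
    return {sig: {"count": counts[sig], "severity": worst[sig]} for sig in counts}


def correlate_http(events):
    """Attach the HTTP transaction on the same flow_id to each alert, giving
    (signature, hostname, url); hostname/url are None when no http event was logged."""
    http_by_flow = {e["flow_id"]: e["http"] for e in events if e.get("event_type") == "http"}
    out = []
    for e in events:
        if e.get("event_type") == "alert":
            h = http_by_flow.get(e["flow_id"])
            out.append((e["alert"]["signature"], h.get("hostname") if h else None, h.get("url") if h else None))
    return out
```

Whether the http event for a flow appears before or after its alert depends on when the transaction completes, which is why the join is keyed on `flow_id` rather than on line order.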
--------------------------------------------------------------------------------
/7 - IDS & SIEM/7.2 SIEM - Ketmanto - Splunk.md:
--------------------------------------------------------------------------------
1 | # SIEM - Splunk
2 | > Splunk is a platform that helps organizations prevent major issues, identify threats, restore services and accelerate transformation with the visibility and insights they need.
3 |
4 | ## Overview
5 | A SIEM, such as Splunk, is an important part of a security analyst's toolbox because it provides a platform for storing, analyzing, and reporting on data from different sources. Splunk's query language, called Search Processing Language (SPL), supports pipes and wildcards. Effective searches help analysts efficiently identify patterns, trends, and anomalies within data.
6 |
7 | ## Scenario
8 | You are a security analyst working at the e-commerce store Buttercup Games. You've been tasked with identifying whether there are any possible security issues with the mail server. To do so, you must explore any failed SSH logins for the root account.
9 |
10 | The following are the details of the data in a zipped file which you will upload it into Splunk:
11 | * `mailsv` - Buttercup Games' mail server. Examine events generated from this host.
12 | * `www1` - This is one of Buttercup Games' web applications.
13 | * `www2` - This is one of Buttercup Games' web applications.
14 | * `www3` - This is one of Buttercup Games' web applications.
15 |
16 | * `vendor_sales` - Information about Buttercup Games' retail sales.
17 | ## Expectation
18 | * Upload sample log data
19 | * Search through indexed data
20 | * Evaluate search results
21 | * Identify different data sources
22 | * Locate failed SSH login(s) for the root account
23 |
24 | ## Step-by-step
25 | > SIEM tools collect and process data so that it becomes searchable events that can be queried, viewed, and analyzed.
26 | 1. Login/signup to Splunk.
27 | 2. Add Data on the Splunk bar.
28 | 3. Upload data into Splunk.
29 | 4. Select file and upload `tutorialdata.zip`. Please visit this [link](https://drive.google.com/file/d/1nDz_DZB4ADbD4tvaDa54_l1FoT_jtVy4/view) for further information.
30 |
31 | 
32 |
33 | 5. Navigate to the Search and Reporting tab, type `index=main` in the search bar to view the data repository, and select `All time` to view all the events across all time.
34 | > Try to adjust the time using the time range dropdown or time modifiers. A shorter range returns results faster and uses fewer resources. In this scenario, I chose to display `all time`.
35 |
36 | 
37 |
38 | 6. Let's have a look at three common components: `host`, `source`, `sourcetype`.
39 | * Host: Specifies the device or system that generated the event.
40 | 
41 |
42 | * Source: Indicates the original location of the event data within a specific device or system.
43 | 
44 |
45 | * Sourcetype: Defines the format and structure of the event data. It tells Splunk how to parse and interpret the information.
46 | 
47 |
48 |
49 | 7. On the mail server, we have to explore any failed SSH logins for the root account. To do this, I entered `index=main host=mailsv` in the search bar to list over 9000 events that are generated by the mail server.
50 |
51 | 
52 |
53 | 8. Finally, let's search for a failed login for root. In the search bar, enter `index=main host=mailsv fail* root`. This tells Splunk to expand the search term to find other terms that contain the word `fail`, such as `failure`, `failed`, etc. In addition, the keyword `root` searches for any event that contains the term `root`.
54 |
55 | 
56 |
57 | 9. Investigation:
58 | * There are over 100,000 events that are contained in the main index across `all time`.
59 | * The `host` field specifies the name of a host, such as a network device or other system, from which an event originates.
60 | * From the scenario, The `vendor_sales` host provides information about Buttercup Games' retail sales, such as the number of products sold.
61 | * As of February 11th, 2024, there have been 346 failed SSH logins for the root account on the mail server.
62 |
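The search in step 8 combines a host filter, a wildcard term (`fail*`) and a plain keyword (`root`), all ANDed together. The following is an added Python example, not code from the lab or from Splunk, that applies the same logic to a handful of constructed sshd events and then aggregates the matches by source address, which is what a follow-up `| stats count by src_ip` would do in SPL and what turns "346 failed root logins" into "346 failed root logins, all from one address". The events are made up for the example and are not from `tutorialdata.zip`.

```python
import re
from collections import Counter

# Constructed sshd events in the shape of the uploaded sample (host field plus raw text);
# not taken from tutorialdata.zip.
SAMPLE_EVENTS = [
    {"host": "mailsv", "_raw": "Feb 11 08:01:02 mailsv sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2"},
    {"host": "mailsv", "_raw": "Feb 11 08:01:04 mailsv sshd[2211]: Failed password for root from 203.0.113.5 port 51023 ssh2"},
    {"host": "mailsv", "_raw": "Feb 11 08:02:10 mailsv sshd[2214]: Failed password for invalid user admin from 198.51.100.9 port 40110 ssh2"},
    {"host": "mailsv", "_raw": "Feb 11 08:03:00 mailsv sshd[2218]: Accepted publickey for root from 10.0.0.12 port 50111 ssh2"},
    {"host": "mailsv", "_raw": "Feb 11 08:03:45 mailsv sshd[2220]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root"},
    {"host": "www1", "_raw": "Feb 11 08:04:00 www1 sshd[311]: Failed password for root from 203.0.113.5 port 51100 ssh2"},
]


def term_to_regex(term: str) -> re.Pattern:
    """Splunk-style keyword: case-insensitive, must start at a token boundary, and a
    trailing/embedded `*` matches any run of non-space characters (so fail* hits failed, failure)."""
    pattern = "".join(r"\S*" if c == "*" else re.escape(c) for c in term)
    return re.compile(r"(?<![\w.])" + pattern + r"(?![\w.])", re.IGNORECASE)


def search(events, host=None, terms=()):
    """Mini version of `index=main host=<h> <term> <term>`: every term must match (implicit AND)."""
    regexes = [term_to_regex(t) for t in terms]
    hits = []
    for e in events:
        if host is not None and e.get("host") != host:
            continue
        if all(r.search(e["_raw"]) for r in regexes):
            hits.append(e)
    return hits


# Source address in either sshd message style: "from 1.2.3.4" or "rhost=1.2.3.4"
SRC_RE = re.compile(r"(?:from |rhost=)(\d{1,3}(?:\.\d{1,3}){3})")


def count_by_source(events):
    """Equivalent of `| rex "..." | stats count by src_ip` over the matched events."""
    counts = Counter()
    for e in events:
        m = SRC_RE.search(e["_raw"])
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def failed_root_logins_by_source(events, host="mailsv"):
    return count_by_source(search(events, host=host, terms=("fail*", "root")))
```

Note what the keyword search does not do: the `Accepted publickey for root` line is correctly excluded because it never matches `fail*`, but the `invalid user admin` failure is excluded only because `root` is absent, so a brute-force campaign that rotates usernames would need a different search.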
--------------------------------------------------------------------------------
/7 - IDS & SIEM/7.3 SIEM - Ketmanto - Chronicle.md:
--------------------------------------------------------------------------------
1 | # SIEM - Chronicle
2 | > SIEM is an application that collects and analyzes log data to monitor critical activities in an organization.
3 |
4 | > Chronicle is a cloud service, built as a specialized layer on top of core Google infrastructure, designed for enterprises to privately retain, analyze, and search the massive amounts of security and network telemetry they generate.
5 |
6 | ## Overview
7 |
8 | In Chronicle, we can search for events using the Search field. Procedural Filtering applies filters to a search to further refine the search results. For example, you can use Procedural Filtering to include or exclude search results that contain specific information relating to an event type or log source. In addition, YARA-L is a computer language used to create rules for searching through ingested log data.
9 | There are two search types: Unified Data Model (UDM) Search and Raw Log Search.
10 | * Unified Data Model (UDM) Search is the default search type used in Chronicle. Through a UDM Search, Chronicle searches security data that has been ingested, parsed, and normalized. This search retrieves results faster than a Raw Log Search because the normalized UDM data is indexed and structured.
11 | * Raw Log Search searches through the raw, unparsed logs, which makes it slower than a UDM Search. Here, we can specify information such as usernames, filenames, hashes, and more. It also supports the use of regular expressions to narrow down the search to match on specific patterns.
12 |
13 | ## Scenario
14 |
15 | You are a security analyst at a financial services company. You receive an alert that an employee received a phishing email in their inbox. You review the alert and identify a suspicious domain name contained in the email's body: `signin.office365x24.com`. You need to determine whether any other employees have received phishing emails containing this domain and whether they have visited the domain. You will use [Chronicle](https://demo.backstory.chronicle.security/?warstory=) to investigate this domain.
16 |
17 | ## Expectation
18 | * Access threat intelligence reports on the domain
19 | * Identify the assets that accessed the domain
20 | * Evaluate the HTTP events associated with the domain
21 | * Identify which assets submitted login information to the domain
22 | * Identify additional domains
23 |
24 | ## Step-by-step
25 |
26 | 1. Launch Chronicle.
27 | 2. Perform a domain search.
28 | * In the search bar, type `signin.office365x24.com` and click Search. Under `DOMAINS`, click signin.office365x24.com to complete the search. Below are the screenshots of the legacy view, VT, and IP address `40.100.174.34`.
29 |
30 | * Image 1 Legacy View
31 |
32 | 
33 |
34 | * Image 2 VT
35 |
36 | 
37 |
38 | * Image 3 IP address `40.100.174.34`
39 |
40 | 
41 |
42 |
43 | * Evaluate the search result (Legacy view).
44 |
45 | | Observe | Description | Note |
46 | | :----: | :----: | :----: |
47 | | VT context | Provides `VirusTotal` information available for the domain. | Chronicle found 7 security vendors flagged this domain as malicious. |
48 | | WHOIS | Summary of information about the domain using WHOIS which includes domain names, contact information of the domain owner. This may help determining the origin of malicious websites. | Reference time can be found and first/last seen is 7 months ago, as of February 10th, 2024. |
49 | | Prevalence | A graph which outlines historical prevalence of the domain. | The domain has been accessed on July 9th, 2023 and February 10th, 2024. |
50 | | Resolved IP | This provides additional context about the domain such as the IP address to `signin.office365x24.com`. This can be helpful for further investigation to determine whether there is a broader compromise. | We found 2 IP addresses that map to `signin.office365x24.com`: `104.215.148.63` & `40.100.174.34`. |
51 | | Sibling Domains | This provides additional context about the domain, such as the top or parent domain. | We found one sibling domain: `login.office365x24.com`. |
52 | | ET Intelligence Rep List | This includes additional context on the domain, such as known threats using ProofPoint's Emerging Threats (ET) Intelligence Rep List | Category: Drop site for logs or stolen credentials. Confidence (Min: 20, Max 127): 22, Severity: Medium, Active from: 2018-12-31 T00:00:00Z, Active until: 2019-0-8T00:00:00Z. More information can be found [here](https://tools.emergingthreats.net/docs/ET%20Intelligence%20Rep%20List%20Tech%20Description.pdf).|
53 | | Timeline | This provides information about the events and interactions made with the domain. | It reveals the details of the HTTP requests made, including `GET` and `POST`. `GET` retrieves data from a server while `POST` submits data to a server. |
54 | | ASSETS | This provides a list of the assets that have accessed the domain. | There are 6 assets that have accessed the domain. |
55 |
56 | 3. Launch an Investigation.
57 | * According to ET Intelligence Rep List, `signin.office365x24.com` is categorized as "Drop site for logs or stolen credentials".
58 | * The following assets are those who accessed the domain:
59 | * `ashton-davidson-pc`
60 | * `bruce-monroe-pc`
61 | * `coral-alvarez-pc`
62 | * `emil-palmer-pc`
63 | * `jude-reyes-pc`
64 | * `roger-spence-pc`
65 | * We found 2 IP addresses that map to `signin.office365x24.com`: `104.215.148.63` & `40.100.174.34`.
66 | * The IP address `40.100.174.34` resolves to `signin.office365x24.com` and `signin.accounts-google.com`.
67 | * As we can see from image 2 above, there are three `POST` requests made to `40.100.174.34`.
68 | * Some `POST` requests were made to `signin.office365x24.com`; their target URL was `http://signin.office365x24.com/login.php`.
69 |
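The investigation above follows a fixed pivot: start from one domain, list the assets that touched it, separate the ones that `POST`ed to the login page (likely credential submissions) from the ones that only loaded it, then widen scope via the resolved IPs and sibling domains. The following is an added Python example, not code from the lab or from Chronicle, that performs that pivot over constructed timeline-style events. The hostnames and IPs reuse the values quoted above and the asset names are the ones listed, but the events themselves are made up for the example and do not reproduce the lab's numbers.

```python
from typing import Dict, List

# Constructed timeline-style events (asset, HTTP method, hostname, path, resolved IP).
# Not exported from Chronicle; the values are illustrative only.
SAMPLE_EVENTS = [
    {"asset": "ashton-davidson-pc", "method": "GET",  "host": "signin.office365x24.com",     "path": "/",          "ip": "40.100.174.34"},
    {"asset": "ashton-davidson-pc", "method": "POST", "host": "signin.office365x24.com",     "path": "/login.php", "ip": "40.100.174.34"},
    {"asset": "bruce-monroe-pc",    "method": "GET",  "host": "signin.office365x24.com",     "path": "/",          "ip": "104.215.148.63"},
    {"asset": "coral-alvarez-pc",   "method": "GET",  "host": "login.office365x24.com",      "path": "/",          "ip": "40.100.174.34"},
    {"asset": "coral-alvarez-pc",   "method": "POST", "host": "login.office365x24.com",      "path": "/login.php", "ip": "40.100.174.34"},
    {"asset": "emil-palmer-pc",     "method": "GET",  "host": "signin.accounts-google.com",  "path": "/",          "ip": "40.100.174.34"},
    {"asset": "jude-reyes-pc",      "method": "GET",  "host": "www.example.com",             "path": "/",          "ip": "93.184.216.34"},
]


def assets_that_accessed(events, domain) -> List[str]:
    """Every asset with at least one request to the domain (the ASSETS panel)."""
    return sorted({e["asset"] for e in events if e["host"] == domain})


def credential_submissions(events, domains) -> List[str]:
    """Assets that POSTed to any in-scope domain: these likely submitted credentials and
    need password resets and session revocation, not just a cleanup."""
    return sorted({e["asset"] for e in events if e["method"] == "POST" and e["host"] in domains})


def pivot_on_infrastructure(events, seed_domain) -> Dict[str, List[str]]:
    """Widen scope the way the Resolved IP and Sibling Domains panels do: from the seed
    domain to the IPs it resolved to, then to every other hostname served from those IPs,
    plus hostnames under the same parent domain. The parent is taken by dropping the first
    label, which is a simplification; production code would use the public suffix list."""
    ips = {e["ip"] for e in events if e["host"] == seed_domain}
    parent = seed_domain.split(".", 1)[1]
    related = {e["host"] for e in events if e["ip"] in ips or e["host"].endswith("." + parent)}
    related.discard(seed_domain)
    return {"ips": sorted(ips), "related_domains": sorted(related)}


def triage(events, seed_domain) -> Dict[str, List[str]]:
    """One pass over the timeline producing the lists the write-up's investigation step asks for."""
    pivot = pivot_on_infrastructure(events, seed_domain)
    scope = {seed_domain, *pivot["related_domains"]}
    return {
        "accessed_seed": assets_that_accessed(events, seed_domain),
        "submitted_credentials": credential_submissions(events, scope),
        "ips": pivot["ips"],
        "related_domains": pivot["related_domains"],
        "assets_to_contain": sorted({e["asset"] for e in events if e["host"] in scope}),
    }
```

The distinction between `accessed_seed` and `assets_to_contain` is the practical outcome of the pivot: an asset that only ever contacted the sibling domain or the shared IP would be missed by a search on the original domain alone.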
--------------------------------------------------------------------------------
/8 - Automation with Python/Python - Ketmanto - Automation.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Scenario\n",
8 | "---\n",
9 | "You are a security professional working at a health care company. As part of your job, you're required to regularly update a file that identifies the employees who can access restricted content. The contents of the file are based on who is working with personal patient records. Employees are restricted access based on their IP address. There is an allow list for IP addresses permitted to sign into the restricted subnetwork. There's also a remove list that identifies which employees you must remove from this allow list.\n",
10 | "\n",
11 | "Your task is to create an algorithm that uses Python code to check whether the allow list contains any IP addresses identified on the remove list. If so, you should remove those IP addresses from the file containing the allow list.\n"
12 | ]
13 | },
14 | {
15 | "cell_type": "markdown",
16 | "metadata": {},
17 | "source": [
18 | "## Import and Read the File Contents"
19 | ]
20 | },
21 | {
22 | "cell_type": "code",
23 | "execution_count": 1,
24 | "metadata": {},
25 | "outputs": [],
26 | "source": [
27 | "# import the file \n",
28 | "import_file = \"allow_list.txt\"\n",
29 | "\n"
30 | ]
31 | },
32 | {
33 | "cell_type": "code",
34 | "execution_count": 3,
35 | "metadata": {},
36 | "outputs": [],
37 | "source": [
38 | "# Open the file\n",
39 | "with open(import_file, \"r\") as file: \n",
40 | " ip_addresses = file.read()"
41 | ]
42 | },
43 | {
44 | "cell_type": "code",
45 | "execution_count": 6,
46 | "metadata": {},
47 | "outputs": [
48 | {
49 | "name": "stdout",
50 | "output_type": "stream",
51 | "text": [
52 | "ip_address\n",
53 | "192.168.25.60\n",
54 | "192.168.205.12\n",
55 | "192.168.97.225\n",
56 | "192.168.6.9\n",
57 | "192.168.52.90\n",
58 | "192.168.158.170\n",
59 | "192.168.90.124\n",
60 | "192.168.186.176\n",
61 | "192.168.133.188\n",
62 | "192.168.203.198\n",
63 | "192.168.201.40\n",
64 | "192.168.218.219\n",
65 | "192.168.52.37\n",
66 | "192.168.156.224\n",
67 | "192.168.60.153\n",
68 | "192.168.58.57\n",
69 | "192.168.69.116\n",
70 | "\n"
71 | ]
72 | }
73 | ],
74 | "source": [
75 | "# display the ip_addresses\n",
76 | "print(ip_addresses)\n",
77 | "\n",
78 | "# There are 17 IP addresses in this string. "
79 | ]
80 | },
81 | {
82 | "cell_type": "markdown",
83 | "metadata": {},
84 | "source": [
85 | "## Convert the String into a List"
86 | ]
87 | },
88 | {
89 | "cell_type": "code",
90 | "execution_count": 8,
91 | "metadata": {},
92 | "outputs": [
93 | {
94 | "name": "stdout",
95 | "output_type": "stream",
96 | "text": [
97 | "['ip_address', '192.168.25.60', '192.168.205.12', '192.168.97.225', '192.168.6.9', '192.168.52.90', '192.168.158.170', '192.168.90.124', '192.168.186.176', '192.168.133.188', '192.168.203.198', '192.168.201.40', '192.168.218.219', '192.168.52.37', '192.168.156.224', '192.168.60.153', '192.168.58.57', '192.168.69.116']\n"
98 | ]
99 | }
100 | ],
101 | "source": [
102 | "# String into a list\n",
103 | "import_file = \"allow_list.txt\"\n",
104 | "\n",
105 | "# `with` statement to read the contents\n",
106 | "with open(import_file, \"r\") as file: \n",
107 | " ip_addresses = file.read()\n",
108 | "\n",
109 | "# convert from a string to a list\n",
110 | "ip_addresses = ip_addresses.split()\n",
111 | "\n",
112 | "# Display the `ip_addresses`\n",
113 | "print(ip_addresses)\n",
114 | "\n",
115 | "# There are 17 IP addresses in this list. "
116 | ]
117 | },
118 | {
119 | "cell_type": "markdown",
120 | "metadata": {},
121 | "source": [
122 | "## Remove IP Addresses That Are on the Remove List"
123 | ]
124 | },
125 | {
126 | "cell_type": "code",
127 | "execution_count": 10,
128 | "metadata": {},
129 | "outputs": [
130 | {
131 | "name": "stdout",
132 | "output_type": "stream",
133 | "text": [
134 | "['ip_address', '192.168.25.60', '192.168.205.12', '192.168.6.9', '192.168.52.90', '192.168.90.124', '192.168.186.176', '192.168.133.188', '192.168.203.198', '192.168.218.219', '192.168.52.37', '192.168.156.224', '192.168.60.153', '192.168.69.116']\n"
135 | ]
136 | }
137 | ],
138 | "source": [
139 | "# import the file \n",
140 | "import_file = \"allow_list.txt\"\n",
141 | "\n",
142 | "# Assign `remove_list` to a list of IP addresses that are no longer allowed to access restricted information. \n",
143 | "\n",
144 | "remove_list = [\"192.168.97.225\", \"192.168.158.170\", \"192.168.201.40\", \"192.168.58.57\"]\n",
145 | "\n",
146 | "# `with` statement to read the contents\n",
147 | "with open(import_file, \"r\") as file: \n",
148 | " ip_addresses = file.read()\n",
149 | "\n",
150 | "# convert from a string to a list\n",
151 | "ip_addresses = ip_addresses.split()\n",
152 | "\n",
153 | "# Build iterative statement\n",
154 | "# Name loop variable `element`\n",
155 | "# Loop through `ip_addresses`\n",
156 | "\n",
157 | "for element in ip_addresses:\n",
158 | " \n",
159 | " # Build conditional statement\n",
160 | " # If current element is in `remove_list`,\n",
161 | "\n",
162 | " if element in remove_list:\n",
163 | "\n",
164 | " # then current element should be removed from `ip_addresses`\n",
165 | "\n",
166 | " ip_addresses.remove(element)\n",
167 | "\n",
168 | "# Display `ip_addresses` \n",
169 | "\n",
170 | "print(ip_addresses)"
171 | ]
172 | },
173 | {
174 | "cell_type": "markdown",
175 | "metadata": {},
176 | "source": [
177 | "## Update the File With the Revised List of IP Addresses"
178 | ]
179 | },
180 | {
181 | "cell_type": "code",
182 | "execution_count": 11,
183 | "metadata": {},
184 | "outputs": [
185 | {
186 | "name": "stdout",
187 | "output_type": "stream",
188 | "text": [
189 | "ip_address 192.168.25.60 192.168.205.12 192.168.6.9 192.168.52.90 192.168.90.124 192.168.186.176 192.168.133.188 192.168.203.198 192.168.218.219 192.168.52.37 192.168.156.224 192.168.60.153 192.168.69.116\n"
190 | ]
191 | }
192 | ],
193 | "source": [
194 | "import_file = \"allow_list.txt\"\n",
195 | "\n",
196 | "remove_list = [\"192.168.97.225\", \"192.168.158.170\", \"192.168.201.40\", \"192.168.58.57\"]\n",
197 | "\n",
198 | "with open(import_file, \"r\") as file:\n",
199 | "\n",
200 | " ip_addresses = file.read()\n",
201 | "\n",
202 | "ip_addresses = ip_addresses.split()\n",
203 | "\n",
204 | "for element in ip_addresses:\n",
205 | " \n",
206 | " if element in remove_list:\n",
207 | "\n",
208 | " ip_addresses.remove(element)\n",
209 | "\n",
210 | "# Convert `ip_addresses` back to a string so that it can be written into the text file \n",
211 | "\n",
212 | "ip_addresses = \" \".join(ip_addresses)\n",
213 | "\n",
214 | "# Build `with` statement to rewrite the original file\n",
215 | "\n",
216 | "with open(import_file, \"w\") as file:\n",
217 | "\n",
218 | " # Rewrite the file, replacing its contents with `ip_addresses`\n",
219 | "\n",
220 | " file.write(ip_addresses)\n",
221 | "\n",
222 | "# Build `with` statement to read in the updated file\n",
223 | "\n",
224 | "with open(import_file, \"r\") as file:\n",
225 | "\n",
226 | " # Read in the updated file and store the contents in `text`\n",
227 | "\n",
228 | " text = file.read()\n",
229 | "\n",
230 | "# Display the contents of `text`\n",
231 | "\n",
232 | "print(text)"
233 | ]
234 | },
235 | {
236 | "cell_type": "code",
237 | "execution_count": null,
238 | "metadata": {},
239 | "outputs": [],
240 | "source": []
241 | }
242 | ],
243 | "metadata": {
244 | "kernelspec": {
245 | "display_name": "Python 3",
246 | "language": "python",
247 | "name": "python3"
248 | },
249 | "language_info": {
250 | "codemirror_mode": {
251 | "name": "ipython",
252 | "version": 3
253 | },
254 | "file_extension": ".py",
255 | "mimetype": "text/x-python",
256 | "name": "python",
257 | "nbconvert_exporter": "python",
258 | "pygments_lexer": "ipython3",
259 | "version": "3.12.1"
260 | }
261 | },
262 | "nbformat": 4,
263 | "nbformat_minor": 4
264 | }
265 |
--------------------------------------------------------------------------------
/8 - Automation with Python/Python - Ketmanto - File Updates.md:
--------------------------------------------------------------------------------
1 | # Python - Update a File
2 |
3 | ## Description
4 | You are a security professional working at a health care company. As part of your job, you're required to regularly update a file that identifies the employees who can access restricted content. The contents of the file are based on who is working with personal patient records. Employees are restricted access based on their IP address. There is an allow list for IP addresses permitted to sign into the restricted subnetwork. There's also a remove list that identifies which employees you must remove from this allow list.
5 |
6 | Your task is to create an algorithm in Python that checks whether the allow list contains any IP addresses identified on the remove list. If so, those IP addresses must be removed from the file containing the allow list. The IP addresses to be removed are:
7 | * `192.168.97.225`
8 | * `192.168.158.170`
9 | * `192.168.201.40`
10 | * `192.168.58.57`
11 |
12 | > My Python code is in a Jupyter Notebook. Please navigate to `Python - Ketmanto - Automation.ipynb`.
13 |
14 | ## Import and Read the File Contents
15 |
16 | ```
17 | # import the file
18 | import_file = "allow_list.txt"
19 |
20 | # Open the file
21 | with open(import_file, "r") as file:
22 | ip_addresses = file.read()
23 |
24 | # display the ip_addresses
25 | print(ip_addresses)
26 | ```
27 |
28 | For the first part of the algorithm, I assigned the file name `allow_list.txt` to the variable `import_file` (no `import` statement is involved; `import_file` is simply a string holding the path). Then I used a `with open()` statement to open the file. `open()` is called with two arguments: `import_file`, which identifies the file, and `"r"`, which opens it for reading. The `with` statement closes the file automatically when the block ends, even if an error occurs. Finally, I assigned the string returned by `file.read()` to the variable `ip_addresses` and printed it. For your information, `allow_list.txt` holds a header line `ip_address` followed by 17 IP addresses.
29 |
30 | The result is the file's contents printed as one string: the header line `ip_address` followed by the 17 addresses of `allow_list.txt`, one per line (the same output as the notebook cell).
33 |
34 | ## Convert the String into a List
35 | ```
36 | # String into a list
37 | import_file = "allow_list.txt"
38 |
39 | # `with` statement to read the contents
40 | with open(import_file, "r") as file:
41 | ip_addresses = file.read()
42 |
43 | # convert from a string to a list
44 | ip_addresses = ip_addresses.split()
45 |
46 | # Display the `ip_addresses`
47 | print(ip_addresses)
48 |
49 | ```
50 | To remove individual IP addresses from the allow list, I had to convert the string into a list. To do that, I called `split()` on the `ip_addresses` string. With no argument, `split()` splits on any run of whitespace, so each line of the file becomes one list element; note that the header line `ip_address` becomes the first element and is carried along with the 17 addresses.
51 |
52 | The Result:
53 | ```
54 | ['ip_address', '192.168.25.60', '192.168.205.12', '192.168.97.225', '192.168.6.9', '192.168.52.90', '192.168.158.170', '192.168.90.124', '192.168.186.176', '192.168.133.188', '192.168.203.198', '192.168.201.40', '192.168.218.219', '192.168.52.37', '192.168.156.224', '192.168.60.153', '192.168.58.57', '192.168.69.116']
55 | ```
56 |
57 | ## Remove IP Addresses That Are on the Remove List
58 | ```
59 | # import the file
60 | import_file = "allow_list.txt"
61 |
62 | # Assign `remove_list` to a list of IP addresses that are no longer allowed to access restricted information.
63 |
64 | remove_list = ["192.168.97.225", "192.168.158.170", "192.168.201.40", "192.168.58.57"]
65 |
66 | # `with` statement to read the contents
67 | with open(import_file, "r") as file:
68 | ip_addresses = file.read()
69 |
70 | # convert from a string to a list
71 | ip_addresses = ip_addresses.split()
72 |
73 | # Build iterative statement
74 | # Name loop variable `element`
75 | # Loop through `ip_addresses`
76 |
77 | for element in ip_addresses:
78 |
79 | # Build conditional statement
80 | # If current element is in `remove_list`,
81 |
82 | if element in remove_list:
83 |
84 | # then current element should be removed from `ip_addresses`
85 |
86 | ip_addresses.remove(element)
87 |
88 | # Display `ip_addresses`
89 |
90 | print(ip_addresses)
91 | ```
92 |
93 | I iterated through `ip_addresses` with a `for` loop: `for element in ip_addresses:`. The keyword `in` tells the loop to step through the sequence and assign each value in turn to the loop variable `element`. If the current element is in `remove_list`, `.remove()` deletes it from `ip_addresses`. This removed the 4 IP addresses, leaving 13 addresses (plus the header element). One caveat: removing items from a list while iterating over it shifts the remaining elements down by one, so the element immediately after each removed entry is never examined. It does not cause a problem here because no two addresses on the remove list are adjacent in the file, but the safer pattern is to build a new, filtered list rather than mutate the one being iterated.
94 |
95 | The result:
96 | ```
97 | ['ip_address', '192.168.25.60', '192.168.205.12', '192.168.6.9', '192.168.52.90', '192.168.90.124', '192.168.186.176', '192.168.133.188', '192.168.203.198', '192.168.218.219', '192.168.52.37', '192.168.156.224', '192.168.60.153', '192.168.69.116']
98 | ```
99 |
100 | ## Update the File With the Revised List of IP Addresses
101 | ```
102 | import_file = "allow_list.txt"
103 |
104 | remove_list = ["192.168.97.225", "192.168.158.170", "192.168.201.40", "192.168.58.57"]
105 |
106 | with open(import_file, "r") as file:
107 |
108 | ip_addresses = file.read()
109 |
110 | ip_addresses = ip_addresses.split()
111 |
112 | for element in ip_addresses:
113 |
114 | if element in remove_list:
115 |
116 | ip_addresses.remove(element)
117 |
118 | # Convert `ip_addresses` back to a string so that it can be written into the text file
119 |
120 | ip_addresses = " ".join(ip_addresses)
121 |
122 | # Build `with` statement to rewrite the original file
123 |
124 | with open(import_file, "w") as file:
125 |
126 | # Rewrite the file, replacing its contents with `ip_addresses`
127 |
128 | file.write(ip_addresses)
129 |
130 | # Build `with` statement to read in the updated file
131 |
132 | with open(import_file, "r") as file:
133 |
134 | # Read in the updated file and store the contents in `text`
135 |
136 | text = file.read()
137 |
138 | # Display the contents of `text`
139 |
140 | print(text)
141 | ```
142 |
143 | As a final step in this task, I had to update the allow list with the revised list of IP addresses. To do so, the list has to be converted back into a string. The `.join()` method combines all items in an iterable into one string, using the string it is called on as the separator. Here `" ".join(ip_addresses)` joins the elements with single spaces, and that string is passed to the `.write()` method to replace the contents of `allow_list.txt`. Because the separator is a space, the rewritten file holds all 13 addresses on one line rather than one per line as in the original; `"\n".join(ip_addresses)` would instead place each element on its own line and preserve the original layout.
144 |
145 | The argument `"w"` to `open()` opens the file for writing and truncates its existing contents immediately, so the `with` block overwrites `allow_list.txt` with the revised list. Once the code above is executed, `allow_list.txt` is updated in place. Since truncation happens before anything is written, an error between `open()` and `write()` would leave an empty allow list; keeping a copy of the original file (as `allow_list.txt` and `allow_list_revised.txt` do here) or writing to a temporary file and renaming it over the original avoids that.
146 |
147 | > The file `allow_list.txt` attached in this directory is the initial file. You may want to run the code and watch its contents be revised. Otherwise, please head to `allow_list_revised.txt` to observe the differences.
148 |
149 | The new `allow_list.txt` holds 13 IP addresses, written on a single space-separated line; see `allow_list_revised.txt` in this directory for the exact contents.
151 |
152 | ## Summary
153 | First, I opened `allow_list.txt` and read its contents into a string. Second, I converted the string into a list. Third, I defined `remove_list` and removed its IP addresses from the list. Fourth, I converted the list back into a string and wrote it to `allow_list.txt`.
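The four steps above (and the matching cells in `Python - Ketmanto - Automation.ipynb`) produce the right answer for this file, but two points deserve a closer look: calling `.remove()` on the list being iterated skips the element that follows each removal, and opening the file with `"w"` truncates it before anything is written. The block below is an added example, not code from the original portfolio. It reproduces the page's loop on a constructed allow list in which two removable addresses are adjacent, so the skipped entry is visible; filters by building a new list instead; validates every entry with the standard-library `ipaddress` module; and writes the result back one address per line through a temporary file and `os.replace`. The sample allow list, the function names (`parse_allow_list`, `update_allow_list`, `demo`) and the use of a temporary directory are assumptions made for illustration.

```python
import ipaddress
import os
import tempfile

# Constructed sample in the same layout as allow_list.txt: a header line
# followed by one address per line. 192.168.97.225 and 192.168.158.170 are
# placed next to each other on purpose to expose the remove-while-iterating
# pitfall; the page's real file has no adjacent removable entries.
SAMPLE_ALLOW_LIST = """ip_address
192.168.25.60
192.168.97.225
192.168.158.170
192.168.6.9
192.168.201.40
192.168.58.57
192.168.69.116
"""

# The four addresses the task says must be removed.
REMOVE_LIST = ["192.168.97.225", "192.168.158.170", "192.168.201.40", "192.168.58.57"]


def remove_while_iterating(entries, remove_list):
    """Reproduce the page's loop: mutate the list while iterating over it.

    list.remove() shifts every later element down one slot, so the element
    right after each removed entry is never visited. With two removable
    entries side by side, the second one survives.
    """
    entries = list(entries)          # work on a copy so the caller's list is untouched
    for element in entries:
        if element in remove_list:
            entries.remove(element)
    return entries


def filter_allow_list(entries, remove_list):
    """Build a new list instead of mutating the one being iterated."""
    blocked = set(remove_list)
    return [entry for entry in entries if entry not in blocked]


def parse_allow_list(text):
    """Return (header, addresses). Each data line must parse as an IP address;
    a malformed line raises ValueError instead of being written back silently."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] != "ip_address":
        raise ValueError("allow list is missing the 'ip_address' header")
    header, raw = lines[0], lines[1:]
    for entry in raw:
        ipaddress.ip_address(entry)  # raises ValueError on anything that is not an IP
    return header, list(raw)


def update_allow_list(path, remove_list):
    """Drop the removed addresses and rewrite `path` atomically.

    The new contents go to a temporary file in the same directory, which is
    then renamed over the original, so a crash midway never leaves an empty
    or half-written allow list. Returns the addresses that were kept.
    """
    with open(path, "r", encoding="utf-8") as fh:
        header, addresses = parse_allow_list(fh.read())
    kept = filter_allow_list(addresses, remove_list)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".allow_list.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            tmp.write("\n".join([header, *kept]) + "\n")  # one entry per line
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return kept


def demo():
    """Write the constructed sample to a scratch file, run the update, and
    return (kept_addresses, rewritten_file_text)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "allow_list.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ALLOW_LIST)
        kept = update_allow_list(path, REMOVE_LIST)
        with open(path, "r", encoding="utf-8") as fh:
            rewritten = fh.read()
    return kept, rewritten


if __name__ == "__main__":
    _, addresses = parse_allow_list(SAMPLE_ALLOW_LIST)
    print("mutating loop :", remove_while_iterating(addresses, REMOVE_LIST))
    print("filtered copy :", filter_allow_list(addresses, REMOVE_LIST))
    kept, rewritten = demo()
    print(rewritten)
```

On the constructed sample the mutating loop leaves `192.168.158.170` and `192.168.58.57` in place because each sits directly after another removed entry, while the filtered copy removes all four. Validating every line before the rewrite matters for an allow list in particular: a stray or malformed entry that survives the rewrite becomes a standing grant that nobody reviewed.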
154 |
--------------------------------------------------------------------------------
/8 - Automation with Python/README.md:
--------------------------------------------------------------------------------
1 | # README
2 | > In this module, there are 4 files.
3 |
4 | ## References
5 |
6 | * `Python - Ketmanto - Automation.ipynb` : The notebook that contains python code.
7 | * `Python - Ketmanto - File Updates.md` : The analysis and report of my automation task.
8 | * `allow_list.txt` : The initial IP addresses that are allowed in the system.
9 | * `allow_list_revised.txt`: The updated IP addresses after adjustments.
10 |
--------------------------------------------------------------------------------
/8 - Automation with Python/allow_list.txt:
--------------------------------------------------------------------------------
1 | ip_address
2 | 192.168.25.60
3 | 192.168.205.12
4 | 192.168.97.225
5 | 192.168.6.9
6 | 192.168.52.90
7 | 192.168.158.170
8 | 192.168.90.124
9 | 192.168.186.176
10 | 192.168.133.188
11 | 192.168.203.198
12 | 192.168.201.40
13 | 192.168.218.219
14 | 192.168.52.37
15 | 192.168.156.224
16 | 192.168.60.153
17 | 192.168.58.57
18 | 192.168.69.116
19 |
--------------------------------------------------------------------------------
/8 - Automation with Python/allow_list_revised.txt:
--------------------------------------------------------------------------------
1 | ip_address 192.168.25.60 192.168.205.12 192.168.6.9 192.168.52.90 192.168.90.124 192.168.186.176 192.168.133.188 192.168.203.198 192.168.218.219 192.168.52.37 192.168.156.224 192.168.60.153 192.168.69.116
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2024 Ketmanto Wangsa
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Ketmanto-Cybersecurity-Portfolio
2 | > Modules 1-8 are inspired by Google. Please visit this [link](https://www.coursera.org/google-certificates/cybersecurity-certificate) for further information. More are to come, stay tuned!
3 |
4 | > Please make sure you include the original MIT license.
5 |
6 | ## Professional Statements
7 | Hello! Thank you for coming here. I'd love to chat with people☕.
8 |
9 | 𝑺𝒖𝒎𝒎𝒂𝒓𝒚:
10 | * Bachelor of IT (Distinction) providing technical and cybersecurity support as an Application Support Engineer.
11 | * Google IT Support and Cybersecurity certificates graduate.
12 | * Microsoft Certified: Security, Compliance, and Identity (SC-900).
13 | * Experience in application support, logistics and retail, technical support, and customer service.
14 | * IT procurement expertise (saves 25%), NIST compliance (saves ~AU$100,000), risk management (prevents 16-hour downtimes).
15 | * Passionate about Customer Service, IT Infrastructure, Networking, Artificial Intelligence, and Cybersecurity.
16 |
17 | 𝑲𝒆𝒚 𝑨𝒄𝒉𝒊𝒆𝒗𝒆𝒎𝒆𝒏𝒕𝒔:
18 | * IT Procurement: Saved 25% of the total cost of IT procurement.
19 | * NIST: Develop and maintain strategic preventive plans to counter ransomware attacks, saving over $100,000.
20 | * Risk Management: Developed a plan to prevent 16-hour downtime due to DNS migration.
21 | * Data Analysis: Developed data visualisations (Excel) to enhance sourcing reports, reducing processing time by ~10%.
22 | * Training: Conducted remote training for 6+ interns and created tutorial videos. Streamlined processes by 2 days.
23 | * Technical Support: Provided first-level support for platform inquiries, resolving 73.3% of issues.
24 | * Leadership: Led a team of 10+ interns in sourcing 15+ suppliers/week with a 95% attendance and participation rate.
25 |
26 | 𝑪𝒚𝒃𝒆𝒓𝒔𝒆𝒄𝒖𝒓𝒊𝒕𝒚 𝑷𝒐𝒓𝒕𝒇𝒐𝒍𝒊𝒐:
27 | * Developed a rigorous cybersecurity project portfolio on mock clients covering NIST, audits, Linux, SQL, assets, threats, vulnerabilities, detection, incident response, escalation, Wireshark, tcpdump, IDS, SIEM, and Python automation.
28 |
29 | 𝑹𝒆𝒔𝒆𝒂𝒓𝒄𝒉 𝑷𝒂𝒑𝒆𝒓𝒔:
30 | * Published 4+ research papers spanning topics in Artificial Intelligence (AI), Blockchain, and Project Management, with three of them being SCOPUS-indexed at the international level.
31 |
32 | 𝑲𝒆𝒚 𝑺𝒌𝒊𝒍𝒍𝒔:
33 | * Microsoft Entra ID, Microsoft Intune & Exchange, Troubleshooting Hardware & Software, Windows, MacOS, Slack, JIRA, Office 365, Zapier, Networking, Domain Management, SFTP, Python.
34 |
35 | 𝑰𝒏𝒕𝒆𝒓𝒆𝒔𝒕𝒔:
36 | * Research, Cybersecurity, Artificial Intelligence, IT Infrastructure, Python, Azure, Google Cloud, AWS, Linux, Data Analytics, Blockchain, Open Source, Travelling, Soccer, Fencing.
37 |
38 | Thank you for your time.
39 | I'd welcome the chance to connect! Feel free to reach out.
40 |
41 | As of 2025, I passed `SC-900` certification. I am preparing to take `AZ-900`, `AZ-305`, `Google Cloud Cybersecurity Certificate`, `CompTIA A+`, `CompTIA Network+`, `CompTIA Security+`, and `Linux Foundation Certified Associate (LFCA)` certifications.
42 |
43 | ## Portfolio
44 | > Please visit this [link](https://www.coursera.org/professional-certificates/google-cybersecurity) for further information.
45 |
46 | > Some of my documents are in PDF format to accommodate advanced formatting, include colorful presentations, and incorporate abundant screenshots for enhanced clarity and detail.
47 |
48 | I have developed a cybersecurity portfolio showcasing various tasks and projects completed during my journey to earn the Google Cybersecurity Professional Certificate. This program has provided insights into:
49 | * Programming for cybersecurity tasks
50 | * Frameworks and controls that inform security operations
51 | * SIEM tools for cybersecurity
52 | * Detecting and responding to incidents using an intrusion detection system
53 | * Performing packet capture and analysis
54 |
55 | Additionally, it has paved the way for me to pursue one of the following entry-level roles:
56 | * Cybersecurity Analyst
57 | * Security Analyst
58 | * SOC Analyst
59 | * Information Security Analyst
60 | * IT Security Analyst
61 | * Cyber Defense Analyst
62 |
63 | ### Skills
64 | | Projects | Skills/Knowledge Gained |
65 | | :--- |:---:|
66 | | [1](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/1%20-%20Conduct%20an%20Audit) - Conduct a security audit | `INFOSEC`, `NIST Risk Management Framework`, `Security Audits`, `NIST Cybersecurity Framework`, `Incident Response Playbooks`, `CISSP`, `CIA triad` |
67 | | [2](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/2%20-%20Network%20Security) - Network Security | `TCP/IP model`, `Network Architecture`, `Network Communication`, `Security Hardening`, `Network Security`, `Cloud Networks` |
68 | | [3](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/3%20-%20Linux%20%26%20SQL) - Linux & SQL | `Command-line Interface`, `SQL`, `Linux`, `Bash` |
69 | | [4](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/4%20-%20Assets%20%26%20Threats%20%26%20Vulnerabilities) - Assets, Threats, & Vulnerabilities | `Authentication`, `Vulnerability assessment`, `Cryptography`, `Asset Classification`, `Threat Modelling Analysis` |
70 | | [5](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/5%20-%20Detection%20%26%20Response) - Detection & Response | `Incident Lifecycle`, `Incident Journal` |
71 | | [6](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/6%20-%20Tcpdump%20%26%20Wireshark) - Tcpdump & Wireshark | `Packet Analyzer` |
72 | | [7](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/7%20-%20IDS%20%26%20SIEM) - IDS & SIEM | `Intrusion Detection System (IDS): Suricata`, `Security Information and Event Management (SIEM): Chronicle, Splunk` |
73 | | [8](https://github.com/Kwangsa19/Ketmanto-Cybersecurity-Portfolio/tree/main/8%20-%20Automation%20with%20Python) - Automation with Python | `Computer Programming`, `Python Programming`, `Coding`, `PEP 8 Style Guide`|
74 |
75 | ### Tools
76 | Several tools that I used:
77 | * Google Workspace (Drive, Docs, Sheets, Slides)
78 | * Markdown Language
79 | * Tcpdump
80 | * Wireshark
81 | * Linux OS
82 | * SQL
83 | * Chronicle
84 | * Splunk
85 | * Suricata
86 | * Python
87 |
88 | ### Other references
89 | Please have a look at the other standalone portfolios that I have published:
90 | * Python - Cybersecurity - [Bruteforce Zipfile](https://github.com/Kwangsa19/Python-Cybersecurity-Bruteforce-zipfile)
91 | * Python - Cybersecurity - [Automation Case](https://github.com/Kwangsa19/Python-Cybersecurity-Automation-Case)
92 | * Python - Cybersecurity - [Transaction Fraud](https://github.com/Kwangsa19/Python-Cybersecurity-Transaction-Fraud)
93 | * Cybersecurity - Investigation & Risk Assessment Based on [MITRE ATT&CK Framework and Open-Source Intelligence (OSINT)](https://github.com/Kwangsa19/Cybersecurity-Investigation-Risk-Report)
94 |
95 | and more....
96 |
97 | **Stay tuned for updates!**
98 |
99 | This portfolio will continuously grow as I complete more certificates and projects. I encourage you to visit again to see my progress and learn more about my skills and experience.
100 | Thank you for your time. For more information, please connect with me on [LinkedIn](https://www.linkedin.com/in/ketmanto-wangsa/).
101 |
102 |
--------------------------------------------------------------------------------