TryHackMe (THM): Defensive Security Intro


The "Defensive Security Intro" room introduces essential concepts and practices of defensive cybersecurity. Unlike offensive security, which focuses on finding and exploiting vulnerabilities, defensive security prioritizes preventing attacks, detecting intrusions, and responding to threats effectively.

In this room, we'll explore the responsibilities of Blue Teams, the role of Security Operations Centers (SOC), and the fundamentals of Digital Forensics and Incident Response (DFIR).

You can access the room here.

Task 1: Introduction to Defensive Security

What is Defensive Security? Defensive security refers to measures and strategies for protecting systems, networks, and data from cyber threats. It complements offensive security by fortifying defences to ensure long-term resilience.

Offensive Security vs. Defensive Security

Offensive Security (Red Team): Focuses on identifying and exploiting vulnerabilities to strengthen an organization’s security posture.

Defensive Security (Blue Team): Concentrates on:

  • Preventing intrusions using proactive tools like firewalls and user education.

  • Detecting and responding to threats through advanced monitoring and incident management.

Key Responsibilities in Defensive Security

Core Defensive Tasks:

  • Cybersecurity Awareness Training: educating employees to recognize phishing attempts, avoid unsafe downloads, and use strong passwords.

  • Asset Management: Keeping an updated inventory of all devices and systems to protect them adequately.

  • System Patching: Regularly updating software to address known vulnerabilities.

  • Preventative Security Measures: Implementing firewalls and Intrusion Prevention Systems (IPS) to block malicious traffic.

  • Logging and Monitoring: Tracking network activity to detect unauthorized access or suspicious behaviour.

Which team focuses on defensive security?

Answer: Blue Team


Task 2: Areas of Defensive Security

Defensive security is divided into two essential areas: the Security Operations Center (SOC) and Digital Forensics and Incident Response (DFIR).

1. Security Operations Center (SOC)

What is a SOC?
A SOC is a centralized team that monitors and manages an organization’s security infrastructure. Its primary goals are to detect, analyze, and respond to cybersecurity incidents.

Key SOC responsibilities:

  • Vulnerability Management: Ensuring all identified vulnerabilities are patched or mitigated.

  • Policy Enforcement: Addressing policy violations, like unauthorized data sharing.

  • Threat detection: identifying and stopping unauthorized access, credential misuse, and network intrusions.

  • Threat intelligence: analyzing adversarial tactics to develop proactive defence strategies.


2. Digital Forensics and Incident Response (DFIR)

Digital Forensics:

It involves investigating cyberattacks by examining:

  • File Systems: Recovering deleted files and analyzing malicious programs.

  • System Memory: Identifying running malware or unusual processes.

  • Logs: Reviewing system and network logs to uncover evidence.

Incident Response:

A systematic approach to managing and mitigating cybersecurity incidents. It involves four phases:

  1. Preparation: Establishing tools, policies, and training to handle incidents.

  2. Detection & Analysis: Identifying and evaluating the severity of potential threats.

  3. Containment, Eradication, and Recovery: Halting the spread of threats, eliminating malicious actors, and restoring normal operations.

  4. Post-Incident Review: Documenting lessons learned to strengthen future defences.

Malware Analysis Techniques:

  • Static Analysis: Examining malware code without running it.

  • Dynamic Analysis: Observing malware behavior in a controlled environment.

What would you call a team of cyber security professionals that monitors a network and its systems for malicious events?

Answer: Security Operations Center

What does DFIR stand for?
Answer: Digital Forensics and Incident Response

Which kind of malware requires payment to regain access to files?
Answer: Ransomware


Task 3: Practical Example of Defensive Security

Scenario:

You are a SOC analyst protecting a bank. You monitor alerts from various sources using a Security Information and Event Management (SIEM) tool. Your goal is to:

  • Analyze alerts: Determine which ones indicate genuine threats (e.g., multiple failed logins, unknown IP addresses) and act accordingly.
  • Identify flags: Use expertise to track malicious activities and detect threats.
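To make the two triage rules above concrete, here is an added example (not code from the TryHackMe room) that runs them over constructed SIEM-style login events: it raises an alert for a burst of failed logins from one source and for a successful login from an IP outside the ranges the analyst expects. The log format, thresholds, known-IP prefixes and sample events are all assumptions.

```python
# Added example: minimal SOC alert triage over constructed authentication
# events. Format, thresholds, allow-list and sample data are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape "timestamp user src_ip outcome".
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 alice 10.0.0.12 SUCCESS
2024-01-10T09:00:05 bob 198.51.100.7 FAILURE
2024-01-10T09:00:09 bob 198.51.100.7 FAILURE
2024-01-10T09:00:14 bob 198.51.100.7 FAILURE
2024-01-10T09:00:20 bob 198.51.100.7 FAILURE
2024-01-10T09:00:25 bob 198.51.100.7 FAILURE
2024-01-10T09:15:00 carol 10.0.0.40 SUCCESS
2024-01-10T09:20:00 dave 203.0.113.9 SUCCESS
"""

KNOWN_PREFIXES = ("10.0.0.",)      # internal ranges logins are expected from
FAIL_THRESHOLD = 5                 # failures from one source IP ...
WINDOW = timedelta(minutes=1)      # ... within this sliding window


def parse_events(text):
    """Turn raw log lines into dicts with a real datetime for ordering."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events


def triage(events):
    """Return (rule, src_ip, detail) tuples that deserve analyst attention."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> failure timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "FAILURE":
            recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[ev["ip"]] = recent
            if len(recent) == FAIL_THRESHOLD:       # fire once per burst
                alerts.append(("brute_force", ev["ip"], f"{len(recent)} failures"))
        elif not ev["ip"].startswith(KNOWN_PREFIXES):
            alerts.append(("unknown_ip_login", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{rule}] {ip}: {detail}")
```

Feeding real SIEM exports into `parse_events` is only a matter of adapting the split; the sliding window in `triage` is what keeps a single mistyped password from paging anyone.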

What is the flag that you obtained by following along?
Answer: THM{THREAT-BLOCKED}


Conclusion

The Defensive Security Intro Room introduces critical concepts for protecting systems and networks from cyber threats. Key takeaways include the importance of SOCs, DFIR, threat intelligence, and hands-on experience with tools like SIEM. For further learning, consider exploring related rooms such as:

  • Introduction to SIEM

  • Security Operations

  • DFIR: An Introduction

  • Intro to Malware Analysis

#DefensiveSecurity #CyberThreats #DigitalForensics #IncidentResponse #CybersecurityTraining

I appreciate you reading my article. Please feel free to ask any questions or offer suggestions for enhancing my educational experience and the Lab THM challenges. We can also connect more on LinkedIn or X.