How to Detect Cyber Threats

by Grant Collins, February 26th, 2022


In this article, we'll learn how cyber threats occur, how to detect them, and how to avoid them.

Watch the Video

https://www.youtube.com/watch?v=_Xw43NLo2kg&ab_channel=GrantCollins

00:00 All right, so I'm finally back with the cybersecurity home lab project, and in today's video it's going to be over a SIEM, or system information event management system. I've done a video here talking about what a SIEM does and how it works, and in today's video I'm going to be working with Splunk. Splunk is an industry-grade SIEM, and they offer a community edition. So what I'm going to be doing today is setting up this SIEM and using a universal forwarder to forward data from a Linux server over to the SIEM so that I can visualize and understand what's going on with the different systems connected to the SIEM. I really have no idea what I'm doing here, so it's going to be a lot of research. So yeah, let me go ahead and give you an overview of what I have found so far.

00:44 All right, so transitioning over to my computer here, I have a couple of things that I'm running right now. So I'm gonna be separating myself from the virtualization that I've done on my other cybersecurity home lab computer, and I'm actually gonna be using Linode here. In front of me I have a couple of machines already set up; this includes my Splunk test environment as well as a basic Linux server. So I'm gonna be using Linode to power this project. I'm gonna be working with this guide here to go ahead and just basically set up the Splunk dashboard, and from there I can use the Splunk official documentation to understand what's going on with, uh, the universal forwarder to get data into the dashboard. Probably a lot more resources I'll be working with, but here is what I have so far. So let's go ahead and get started by setting up the Splunk dashboard.

01:38 All right, a couple hours later, here I am. In front of me I have the Splunk dashboard up and running. So as you can see here, I went ahead and set up the Splunk dashboard on my base Ubuntu server node, and from that I'm able to get into the Splunk Enterprise website by going through the IP address as well as the default port. I'll leave that link up in the description below. So now the next thing is to go ahead and get the data into the Splunk machine and understand what the heck is going on here.

02:08 All right, so while setting up the Splunk forwarder, I want to quickly mention the FlexiSpot desk, which has been sent to me by the FlexiSpot team. I already have a couple of FlexiSpot desks, and they were actually generous enough to send over one for my home office. Specifically, I received the FlexiSpot Glass Black EG8B for my home office, and so as you know, I'm all about productivity with these standing desks. The FlexiSpot Glass Black is a perfect standing desk to meet my productivity needs. It comes with a motorized lifting system for ease of use. There are four different numbered modes you can use to set different height adjustments, whether you want to stand, sit, or something in between, but it also comes with the standard up and down arrows to meet your height needs. The glass finish looks great; it even comes with a little drawer supply for notepads and pencils. The FlexiSpot Glass Black desk is a perfect desk to boost your productivity, so if you're interested you can go ahead and use the link in the description below. And thanks again to the FlexiSpot team for sending one of these over.

03:10 Okay, so after getting lost for a long time, I finally used that YouTube video and I figured out something: the Splunk architecture processing components. So here they are. In Splunk we have three major components: forwarders, indexers, and search heads. Forwarders are used to forward or send data into the Splunk Enterprise machine. This is going to be the centralized device which is going to store all that information and populate that data so that it can be queried. After the data is forwarded, it's indexed, meaning it's stored. Indexers store the data so that it can be queried. Once the data is stored, you can go into the search heads. This is where you can actually look up the data, look for what is anomalous, whatever type of data that you're looking for, and you can use the search query language to set up and actively look for different types of data and populate dashboards from that.

03:58 So now that we know the basic Splunk processing components, it's time to set up this universal forwarder. Okay, so to actively set up the universal forwarder, you can actually download the Splunk universal forwarder on the official web page. I'm gonna be using a bare-bones Linux server, so I'm going to use the wget command to go ahead and install this forwarder onto my machine.

04:26 All right, so it's a couple hours later and I finally finished kind of my basic goal of getting data into Splunk so that I can go ahead and search for it. All right, so here in front of me, as you can see, I have my Linux machine which is running Splunk right now, as well as another Linux machine running the Splunk forwarder, sending data, specifically the syslogs, into my Splunk dashboard here. So if we close out of it here, you can go ahead and see the data coming in. Like I said before, we can go ahead and use the search query for specific data matching a pattern or a string. So in this case you can go ahead and use host, but you can go ahead and pipe things, and you can add other information such as using the table to go ahead and query for specific data. So here in front of me, as you can see, I went ahead and created a table with the source type and date hour, and as you can see it just pops up here. The query language in Splunk is very powerful. I didn't really touch a lot on it, but definitely a lot to be learned on that front.

05:29 Because I'm interested in the security side of Splunk, I went ahead and tested some test use cases where you would actually look for indicators of compromise. What I tried doing was a basic test: I wanted to see if I, let's say, logged into a Linux machine and had the root username and password as nothing or whatever, would that information be sent to the Splunk SIEM? So that's what I went ahead and did with a new PuTTY session. Uh, you can see that the logs are sent to the dashboard. You know, let's say you had 5000 different login attempts in two minutes and you didn't have rate limiting or some sort of control on that Linux machine; that could be a tell that someone is trying to break into that Linux server, for instance. So I just want to see, you know, other types of indicators of compromise or other types of activities that you could do on a Linux machine. So that was just a basic one that I just performed there.

06:25 Another very powerful feature that I figured out here (of course I knew this before, but actually doing it) is you can go ahead and create new dashboards from the data that is sent to the SIEM. So for instance, you could visualize this data so that, you know, you could show in a dashboard how many attempts you have per day on that Linux server with SSH. Very basic stuff here. And what you can do is you can add new dashboards and you can create the different types of panel content. Now I didn't create any dashboards because I didn't have a sufficient amount of data, but using a quick YouTube search, as you can tell, you can make some pretty powerful graphs, line graphs, bar graphs, all types of different dashboards to visualize your data.

07:08 So that was it for what I did within this project: a very basic setup of setting up Splunk and getting a universal forwarder to send data into Splunk to search for that data. All right, so that is it for today's video. This actually wraps up the cybersecurity home lab project. So today's video was pretty basic with setting up a SIEM and getting data inside it. Hopefully you have enjoyed this series, and finally it is time to wrap up. All right, so that is it for today's video. Until the next video, have a good day.

Transcript language: English (auto-generated)
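As an added example (not code from the video, from Grant Collins, or from Splunk), the brute-force heuristic the transcript describes, "too many login attempts in two minutes", written as a standalone check over sshd syslog lines of the kind the universal forwarder ships: it counts failed logins per source address against each host inside a sliding two-minute window and flags any source that exceeds a threshold. The log lines, host name, addresses and the threshold of 5 (the video talks about 5000) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the sshd auth lines that syslog forwards, e.g.
# "Feb 26 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.5 port 50010 ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_auth_line(line, year=2022):
    """Return (timestamp, host, result, user, src) for an sshd auth line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m["host"], m["result"], m["user"], m["src"]

def find_bruteforce(lines, window_s=120, threshold=5):
    """Return {(host, src): peak_count} for sources whose failed logins exceed `threshold`
    inside any `window_s`-second sliding window (lines are assumed to be in time order)."""
    recent = defaultdict(deque)  # (host, src) -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev[2] != "Failed":
            continue
        ts, host, _, _, src = ev
        q = recent[(host, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[(host, src)] = max(flagged.get((host, src), 0), len(q))
    return flagged

# Constructed sample log (not real traffic): one good login, a cron line, two stray
# failures, a seven-attempt burst from 203.0.113.5, and a lone failure well after the window.
SAMPLE_LOG = [
    "Feb 26 10:00:01 web1 sshd[1001]: Accepted password for grant from 198.51.100.7 port 50001 ssh2",
    "Feb 26 10:00:05 web1 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 26 10:00:09 web1 sshd[1002]: Failed password for grant from 198.51.100.7 port 50002 ssh2",
    "Feb 26 10:00:12 web1 sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 50003 ssh2",
] + [
    f"Feb 26 10:00:{20 + i:02d} web1 sshd[{1010 + i}]: Failed password for root from 203.0.113.5 port {51000 + i} ssh2"
    for i in range(7)
] + ["Feb 26 10:05:00 web1 sshd[1099]: Failed password for root from 203.0.113.5 port 51999 ssh2"]
```

Running `find_bruteforce(SAMPLE_LOG)` flags only the burst source, because the later lone failure falls outside the two-minute window and the two stray failures never cross the threshold.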
