Publication

CyberSOC4AD: integration of Semperis and CyberArk technology into the IBM QRadar SIEM and Palo Alto Cortex XSOAR ecosystem of the Altice Portugal CyberSOC

File: TM_Guilherme_Nunes.pdf (1.16 MB, Adobe PDF)

Abstract

Cyberattacks have been increasing in number, in vector diversity, in the range of targets and in impact. One of the factors that contributed most to this increase was COVID-19, which forced a transition to full-time or hybrid telecommuting regimes and thereby enlarged the attack surface. The advanced persistent threat (APT) has been a serious threat for some years now, especially for organizations that use the Active Directory (AD) service, since AD centralizes the management of all company resources. The use of AD is so widespread that in the information technology industry it is taken for granted that all companies, regardless of their size, use it for user authentication and authorization as well as for managing their own network. However, defending an organization's network against a threat of this category remains a challenge that requires a lot of technological resources, and it becomes unsustainable in the long run: however many resources a company has, it cannot detect and defend against every method available to attackers. An attack may be indefensible if it uses a zero-day vulnerability or enters the company's network through social engineering. From that moment on, the attacker can hide in the network and take as long as needed to carry out the malicious operation. The most common attack attempts to obtain Domain Administrator privileges, with which backdoors can be created and total control of the environment obtained. During the pandemic period, however, ransomware became the main threat to organizations, especially high-profile companies and governmental organizations; it has become usual to demand ransoms in cryptocurrency as blackmail, under the threat of encrypting or deleting an organization's data. Based on reports from information security organizations, as well as academic publications, it was possible to define a set of attacks regarded as the most impactful and frequent.
Using several criteria, the use cases to be developed, and the technologies with which each would be implemented, were then defined. At a certain point of the implementation it became necessary to rethink the whole use-case definition strategy, since the technologies initially intended to be integrated ended up not contributing as needed to the detection of the offenses in question. Finally, playbooks were implemented that allow an incident to be resolved automatically, or at least enriched until a security analyst resolves it. This work presents in-depth research on the main current attack types and proposes advanced use cases that enabled the CyberSOC of DCY to detect threats and suspicious behavior occurring in Active Directory. The proposed objectives were achieved through a strategy that is tangible for the organization, using the available sources, specifically the Microsoft Windows Security Log provided by Supercharger, CyberArk and Semperis DSP, in conjunction with IBM QRadar and Cortex XSOAR.

Description

Master's thesis, Information Security (Segurança Informática), 2022, Universidade de Lisboa, Faculdade de Ciências

Keywords

Active Directory; IBM QRadar; Semperis; Event; Offense; Master's theses - 2023
