
You're reading from Security Monitoring with Wazuh

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781837632152
Edition: 1st Edition
Author: Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity." As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Incident Response with Wazuh

In the ever-changing world of cybersecurity, it is of utmost importance to have a rapid and efficient response plan in place to handle any security event that may arise. For example, a sales employee opens a malicious file attached to an email that pretends to come from an authorized business partner. This can result in a ransomware attack and bring down many mission-critical services. When such an incident happens, responding promptly helps to minimize the overall damage to the network. Efficient incident response (IR) helps businesses promptly resume normal operations, thereby reducing both the downtime that occurs and the expenses connected with it.

In this chapter, we will learn how to leverage the Wazuh platform and other Wazuh-supported third-party tools to build an effective IR system. We will cover the following topics in this chapter:

  • Introduction to incident response
  • What is Wazuh active response?
  • ...

Introduction to incident response

IR is the process by which an organization handles situations such as data breaches, distributed denial of service (DDoS), and ransomware attacks. It is an effort to immediately identify an attack, mitigate its impact, contain any damage it causes, and fix the cause in order to reduce the risk of future attacks. In practice, IR refers to a collection of information security rules, processes, and tools that can be used to detect, contain, and remove intrusions. Let's discuss the two most popular IR frameworks, from the National Institute of Standards and Technology (NIST) and from SANS, as shown in the following diagram.

Figure 5.1 – NIST and SANS IR

Different methods of incident response process

There are various methods for developing a structured IR process. The two most popular IR frameworks are those from NIST and SANS. Let us look at each of them in detail.

SANS six-step...

Incident response automation

Effective IR is time-sensitive and requires teams to identify threats and initiate an incident response plan (IRP) as soon as possible. A security team receives thousands of security alerts from security tools every day, so it is difficult to manually analyze events or assess every alarm that those tools generate. These constraints are addressed via automated IR. In Chapter 4, Security Automation and Orchestration Using Shuffle, we learned how Shuffle SOAR makes this possible by creating workflows, helping the security team with automated incident enrichment, automated observable analysis through TheHive integration, automation of Wazuh activities, and more. In this chapter, our focus will be on using Wazuh's built-in capability called active response to perform IR. In general, IR automation can help the security team with the following:

  • Immediate containment: Once compromised systems are identified, automated IR systems should...

Wazuh active response

One of the main components of the Wazuh platform that enables automatic responses to security events and incidents is called active response. Using active response, security analysts can react quickly to specific security threats or triggers identified by the Wazuh system, which lets organizations respond to security incidents quickly and aggressively. With Wazuh active response, you can develop and execute automated responses to most security alerts. These responses may include executing custom scripts, banning IP addresses, or deactivating user accounts. Automating response actions makes sure that high-significance incidents are dealt with and mitigated in a timely and consistent way. This is especially helpful when security teams have limited resources and have to decide what to respond to first.

In this section, we will cover the following topics:

  • Active response scripts
  • ...
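As an added illustration of the mechanism just described (example code written for this page, not a script shipped with Wazuh or taken from the book), the following is a minimal active-response handler in the shape wazuh-execd expects: it parses the alert JSON from stdin, replies with a check_keys message, and only after execd answers "continue" runs a firewall block of the alert's source IP (iptables on Linux, netsh on Windows). The script name, the firewall rule name and the sample message are constructed assumptions; the srcip value is validated because alert fields are attacker-influenced input.

```python
#!/usr/bin/env python3
"""Minimal Wazuh active-response handler (constructed example, not Wazuh's own script).
execd pipes one JSON line to stdin; the script replies with check_keys and acts only
after execd answers "continue"."""
import ipaddress
import json
import platform
import subprocess
import sys

# Constructed sample of what execd sends; the srcip is a documentation-range address.
SAMPLE_MESSAGE = '{"version":1,"command":"add","parameters":{"alert":{"data":{"srcip":"203.0.113.7"}}}}'

def parse_ar_message(raw):
    """Return (command, srcip) from the execd JSON line; raise ValueError on bad input."""
    data = json.loads(raw)
    command = data.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unexpected command: %r" % command)
    srcip = data.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip", "")
    ipaddress.ip_address(srcip)  # alert fields are attacker-influenced: reject non-IPs
    return command, srcip

def check_keys_message(script_name, keys):
    """The check_keys reply execd expects before it answers continue or abort."""
    return json.dumps({"version": 1,
                       "origin": {"name": script_name, "module": "active-response"},
                       "command": "check_keys", "parameters": {"keys": keys}})

def firewall_command(command, srcip, system=None):
    """Argument list to block (add) or unblock (delete) srcip on this platform."""
    system = system or platform.system()
    if system == "Windows":
        rule = "name=wazuh-block-%s" % srcip  # constructed rule name
        if command == "delete":
            return ["netsh", "advfirewall", "firewall", "delete", "rule", rule]
        return ["netsh", "advfirewall", "firewall", "add", "rule", rule,
                "dir=in", "action=block", "remoteip=%s" % srcip]
    flag = "-I" if command == "add" else "-D"
    return ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"]

def main():
    command, srcip = parse_ar_message(sys.stdin.readline())
    print(check_keys_message(sys.argv[0], [srcip]), flush=True)  # ask execd to proceed
    reply = json.loads(sys.stdin.readline())
    if reply.get("command") != "continue":  # "abort" means execd vetoed the action
        return 1
    return subprocess.call(firewall_command(command, srcip))  # list form: no shell

if __name__ == "__main__":
    sys.exit(main())
```

The "delete" command is what execd sends when a timeout configured for the active response expires, so the same script both applies and reverts the block.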

Blocking unauthorized SSH access

SSH attacks are among the most prevalent types of attacks against servers accessible via the internet. Most of them are carried out by automated bots that continuously scan the internet for SSH servers with inadequate security configurations. Because attack sources are frequently scattered globally, with no single country dominating, this is a global cybersecurity threat. Organizational losses, data breaches, and compromised servers are all possible outcomes of a successful SSH attack. In this section, we will learn how to automatically block unauthorized SSH access to a victim's machine.

We will learn about the following:

  • Lab setup
  • Setting up active response
  • Testing

Lab setup

In this lab setup, we require three things: an Ubuntu Server with a Wazuh agent installed, an attacker machine (Kali Linux), and, finally, our Wazuh server (we have used a virtual machine OVA file for lab purposes only). The lab is designed as...

Isolating a Windows machine post-infection

Isolating a compromised endpoint is an essential part of IR in a SOC. To stop the threat from spreading and inflicting further damage, you must isolate the infected device or system from the network immediately. Also remember that it is important to examine the severity of the compromise, the value of the asset, and the potential impact on the business before deciding on an isolation strategy; isolation is not a silver bullet. Ransomware is the classic attack scenario in which isolation is a crucial step. Ransomware is a type of malware that encrypts the victim's data and demands payment for the decryption key. It frequently spreads quickly throughout a network, potentially affecting many endpoints. In this section, we will isolate a Windows machine post-infection by malware. We will utilize the Wazuh active response capability to create an automatic outbound rule to block all outgoing traffic. In this...

Blocking RDP brute-force attacks

According to Sophos, in the first half of 2023, adversaries leveraged Remote Desktop Protocol (RDP) in 95% of attacks, increased by 88% from 2023. RDP is a Microsoft-developed proprietary protocol that allows users to connect to and remotely operate another computer or device via a network connection. Attackers employ automated software to try many login and password combinations in order to obtain unauthorized access to systems via RDP. Mitigating such risks involves proactive measures as well as quick action to block malicious IP addresses that try these assaults. In this section, we will utilize Wazuh active response to block the attacker’s IP address against an RDP brute-force attack. We will cover the following points:

  • Requirement
  • Setting up a Windows agent with an active response script
  • Setting up the Wazuh server with a rule and active response script
  • Testing
  • Visualization

Requirement

In this use case...

Summary

In this chapter, we learned about IR phases, Wazuh's active response capability, and some important use cases. We learned how Wazuh's active response module actively blocks unauthorized SSH and RDP access attempts. We also learned about Wazuh's capability to isolate infected Windows machines promptly upon detection of malware.

In the next chapter, we will learn how to conduct threat hunting using Wazuh modules. We will learn the importance of log data analysis in Wazuh for better threat investigation and hunting. We will also utilize the MITRE ATT&CK framework to streamline our threat-hunting process.
