Offensive Security vs Defensive Security
How do cyber security professionals work in the real world?
so far we discussed basic approaches and some relevant information, however, we have not really dived into how cyber security operates in companies and the government.
Let’s examine before computers were invented how countries protected their borders or identified threats coming from internal parts of the country, the security fundamentally is of two types one is defensive and the other one is offensive.
What is an offensive method, here we target the enemy before he attacks us, or do we attack the enemy while he is coming to us to attack?
The defensive method means we protect our borders with lots of fencing and soldiers, in the cyber world you use firewalls, proxies, and honeypots as fencing tools.
Here is a video to watch about offensive and defensive security
Offensive security is, Legally doing the following.
Hacking
Vulnerability scanning
Penetration testing
Before you watch this video, understand about cyber attack kill chain
Next, we will discuss defensive security
More on Defensive security
Defensive security essentially monitors the network with various sensors which collect the logs generated by various devices in the network, this includes your windows workstations, servers, domain controllers, network devices like switches, routers, firewalls, and other critical infrastructure devices, this is a complex subject and there is a whole industry running on it which produces different products like SIEM ( Security information and event management) like IBM Qradar, Splunk, ArcSight, and various others, Endpoint security products like carbon black, sentinel, McAfee, Symantec, and various others…
often these tools correlate the collected data and generate security intelligence for the soc ( security operations center), which processes and eliminates further the noise and produces the final output, this output can lead to detecting an attack and then the security team takes action with the help of infrastructure teams.
Let’s dive into one example scenario, for example, you are monitoring the Network firewall logs collected into a SIEM or another tool, and now your job is to detect attacks happening from external to internal, what kind of attacks you can detect? here below the list
Port scanning: means somebody from external trying to see what ports are open on your network which are available to connect from external sources.
Banner Grabbing
Access control enumeration
Firewalking
Port redirection
HTTP tunneling
IP spoofing attacks
DOS and DDOS attacks.