Skip to content

Master Reference Card



DOCUMENT STRUCTURE

┌─────────────────────────────────────────────────────────────────────────────────┐
│          ABHAVTECH SECURITY OPERATIONS & VALIDATION DOCUMENTS                    │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  DOCUMENT 4A: CYBERSECURITY FRAMEWORK & OPERATIONS                              │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  • NIST CSF 2.0 Implementation (6 Functions)                                    │
│  • CIS Critical Security Controls v8 (18 Controls)                              │
│  • MITRE ATT&CK Framework Mapping (200+ Techniques)                             │
│  • ISO 27001:2022 Controls (93 Controls)                                        │
│  • SOC Procedures (24x7 Operations)                                             │
│  • Threat Hunting Program (AI-Enhanced)                                         │
│  • Continuous Security Monitoring                                               │
│  • Model: Sonnet 4.5                                                            │
│  • Size: ~40,000 words, 100 pages                                               │
│                                                                                  │
│  DOCUMENT 4B: NETWORK FORENSICS (STEP-BY-STEP)                                 │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  • Forensics Architecture & Evidence Collection                                 │
│  • 5 Real-World Investigation Scenarios (Detailed)                              │
│    - Malware C2 Communication (10 steps)                                        │
│    - Data Exfiltration (8 steps)                                                │
│    - Insider Threat (Rogue Device)                                              │
│    - Webex Toll Fraud ($12K investigation)                                      │
│    - Wireless Attack (Rogue AP)                                                 │
│  • PCAP Analysis with Wireshark (Filters, TCP Streams)                          │
│  • Chain of Custody Procedures (SHA-256, Legal Compliance)                      │
│  • AI-Enhanced Forensics (MLTK, DNAC, XDR)                                      │
│  • Model: Sonnet 4.5                                                            │
│  • Size: ~50,000 words, 125 pages                                               │
│                                                                                  │
│  DOCUMENT 4C: PENETRATION TESTING FRAMEWORK                                     │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  • PTES Methodology (6 Phases)                                                  │
│  • 15+ Test Cases Across All Platforms:                                         │
│    - SD-Access (TrustSec SGT bypass, Rogue AP, 802.1X)                          │
│    - SD-WAN (vManage access, IPsec hijacking, OMP injection)                    │
│    - Webex (SIP hijacking, Meeting enumeration, Toll fraud)                     │
│    - Zero Trust (Credential bypass, Device trust, UEBA)                         │
│    - AI Platforms (Splunk, DNAC, XDR security)                                  │
│  • Social Engineering (Phishing, Vishing, Physical)                             │
│  • Red Team vs Blue Team Exercises                                              │
│  • Purple Team Collaboration                                                    │
│  • Model: Sonnet 4.5                                                            │
│  • Size: ~35,000 words, 90 pages                                                │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

SECURITY OPERATIONS INTEGRATION MAP

┌─────────────────────────────────────────────────────────────────────────────────┐
│              ABHAVTECH SECURITY OPERATIONS INTEGRATION MAP                       │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│   ┌──────────────────────────────────────────────────────────────────────┐      │
│   │                    CYBERSECURITY FRAMEWORKS                          │      │
│   │                                                                      │      │
│   │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐           │      │
│   │  │NIST CSF  │  │   CIS    │  │  MITRE   │  │ISO 27001 │           │      │
│   │  │   2.0    │  │Controls  │  │ ATT&CK   │  │  :2022   │           │      │
│   │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘           │      │
│   └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘      │
│           │             │             │             │                          │
│           └─────────────┴─────────────┴─────────────┘                          │
│                              │                                                  │
│                              ▼                                                  │
│   ┌──────────────────────────────────────────────────────────────────────┐     │
│   │                  SECURITY OPERATIONS CENTER (SOC)                    │     │
│   │                                                                      │     │
│   │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐           │     │
│   │  │   XDR    │  │  Splunk  │  │   ISE    │  │  DNAC    │           │     │
│   │  │(SecureX) │  │  (SIEM)  │  │(Identity)│  │(Network) │           │     │
│   │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘           │     │
│   └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘     │
│           │             │             │             │                          │
│           │     ┌───────┴─────────────┴─────┬───────┘                          │
│           │     │                           │                                  │
│           ▼     ▼                           ▼                                  │
│   ┌──────────────────┐           ┌──────────────────┐                         │
│   │ NETWORK FORENSICS│           │  PEN TESTING     │                         │
│   │                  │           │                  │                         │
│   │  • Evidence      │           │  • Red Team      │                         │
│   │  • Analysis      │           │  • Blue Team     │                         │
│   │  • Investigation │           │  • Purple Team   │                         │
│   │  • Chain of      │           │  • Validation    │                         │
│   │    Custody       │           │                  │                         │
│   └──────────────────┘           └──────────────────┘                         │
│                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────┘

MASTER SECURITY OPERATIONS STRUCTURE

┌─────────────────────────────────────────────────────────────────────────────────┐
│              ABHAVTECH SECURITY OPERATIONS FRAMEWORK                             │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  FOUNDATION (Already Complete - From Phase 1)                                   │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  ✅ XDR Platform (SecureX, 8 ribbons, 5 playbooks)                              │
│  ✅ Duo Beyond (3,200 users, device trust, MFA)                                 │
│  ✅ FTD Firewalls (18 units, SGT-aware)                                         │
│  ✅ Umbrella SASE (DNS security, Cloud FW, DLP)                                 │
│  ✅ Splunk SIEM (100GB/day, MLTK anomaly detection)                             │
│  ✅ ISE 14-node (802.1X, TrustSec, pxGrid)                                      │
│  ✅ DNAC 2.3.7.x (Assurance, Deep Network Model)                                │
│  ✅ ThousandEyes (6 hub agents, path monitoring)                                │
│                                                                                  │
│  CONTINUOUS OPERATIONS (24x7)                                                   │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  Document 4A: Cybersecurity Framework                                           │
│  ├─► NIST CSF 2.0 Implementation (6 functions mapped)                           │
│  ├─► CIS Controls v8 (18 controls, IG2/IG3 maturity)                            │
│  ├─► MITRE ATT&CK Coverage (68% current → 80% target)                           │
│  ├─► SOC Operations (12 analysts, 3 shifts, follow-the-sun)                     │
│  ├─► Incident Response (8 automated playbooks)                                  │
│  ├─► Threat Hunting (Weekly, AI-enhanced)                                       │
│  └─► Compliance Reporting (PCI-DSS, SOC2, GDPR, ISO 27001)                      │
│                                                                                  │
│  FORENSICS INVESTIGATIONS (As Needed)                                           │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  Document 4B: Network Forensics                                                 │
│  ├─► Evidence Collection (PCAP, NetFlow, logs, configs)                         │
│  ├─► Analysis Methodology (Wireshark, Splunk, AMP Orbital)                      │
│  ├─► Real-World Scenarios (5 detailed investigations)                           │
│  │   ├─► Malware C2 Communication (10-step procedure)                           │
│  │   ├─► Data Exfiltration (8-step procedure)                                   │
│  │   ├─► Insider Threat - Rogue Device                                          │
│  │   ├─► Webex Toll Fraud ($12,000 investigation)                               │
│  │   └─► Wireless Attack - Rogue AP                                             │
│  ├─► Chain of Custody (Legal compliance, SHA-256 hashing)                       │
│  └─► AI-Enhanced Forensics (MLTK, DNAC, XDR timeline)                           │
│                                                                                  │
│  SECURITY VALIDATION (Scheduled)                                                │
│  ═══════════════════════════════════════════════════════════════════════════   │
│  Document 4C: Penetration Testing                                               │
│  ├─► Annual External Pen Test (2 weeks, full scope, Rapid7)                     │
│  ├─► Quarterly Internal Pen Test (Red Team, 3 engineers)                        │
│  ├─► Semi-Annual Wireless Pen Test (Evil twin, deauth attacks)                  │
│  ├─► Monthly Social Engineering (Phishing simulations)                          │
│  ├─► Purple Team Exercises (Quarterly, detection tuning)                        │
│  └─► Breach & Attack Simulation (Weekly, automated, Palo Alto BAS)              │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

DOCUMENT 4A: CYBERSECURITY FRAMEWORK & OPERATIONS

Chapter Structure

Chapter Title Sections Key Content
1 Executive Summary & Security Posture 4 Security stack, threat landscape, compliance
2 NIST Cybersecurity Framework 2.0 6 Govern, Identify, Protect, Detect, Respond, Recover
3 CIS Critical Security Controls v8 3 18 controls, IG2/IG3 maturity, gap analysis
4 MITRE ATT&CK Framework 4 14 tactics, 200+ techniques, Navigator heatmap
5 ISO 27001:2022 Controls 5 93 controls across 4 themes, evidence matrix
6 Security Operations Center (SOC) 6 24x7 operations, playbooks, escalation matrix
7 Threat Hunting Program 3 Weekly hunts, AI-enhanced scenarios, TI integration
8 Continuous Security Monitoring 3 AI observability, unified correlation, AgenticOps
9 Compliance Reporting & Audits 4 PCI-DSS, SOC2, GDPR, audit evidence repository
Appendix A-F 6 Tool matrix, crosswalk, checklists, runbooks

NIST CSF 2.0 IMPLEMENTATION MATRIX

Six Functions Overview

Function Subcategories Abhavtech Implementation Status
GOVERN (GV) 10 Risk management, oversight, policies ✅ Complete
IDENTIFY (ID) 8 Asset management, risk assessment, UEBA ✅ Complete
PROTECT (PR) 12 Identity (ISE+Duo), data security (TrustSec), encryption ✅ Complete
DETECT (DE) 8 Anomaly detection (MLTK), continuous monitoring (XDR) ✅ Complete
RESPOND (RS) 8 XDR playbooks, SOC 24x7, forensics procedures ✅ Complete
RECOVER (RC) 4 DR runbooks, backup (Veeam), business continuity ✅ Complete

GOVERN (GV) - Risk Management

Subcategory Abhavtech Control Evidence Location
GV.OC-01: Mission understood IT Strategy 2025-2027, supports 3,200 users, 40 sites Document 1 §1.1
GV.RM-01: Risk objectives Risk acceptance: Medium or below, quarterly reviews Security charter
GV.RM-02: Risk appetite Zero tolerance for critical risks (ransomware, breach) Risk policy
GV.RM-03: Supply chain risks Vendor segmentation (SGT 70-90), assessments Vendor matrix
GV.OV-01: Roles assigned CISO, Security Team (5), SOC (12), NetSec (8) Org chart

IDENTIFY (ID) - Asset Management & Risk

Subcategory Abhavtech Control Evidence Location
ID.AM-01: Physical devices DNAC device inventory (switches, routers, APs, 735 APs) DNAC 2.3.7.x
ID.AM-03: Network communication Virtual Networks (VN_CORPORATE, VN_SERVERS, etc.) SD-Access topology
ID.AM-05: Resources prioritized Tier 1: Finance (SGT 81), Mgmt (SGT 60), DC (SGT 80-83) Asset classification
ID.RA-01: Vulnerabilities Quarterly Tenable Nessus scans, 30-day critical patch SLA Vuln reports
ID.RA-02: Threat intelligence Talos feeds (XDR), CISA alerts, FS-ISAC TI integration
ID.RA-03: Internal threats UEBA baselines (Duo + Splunk MLTK), insider threat program UEBA dashboard

PROTECT (PR) - Identity & Data Security

Subcategory Abhavtech Control Evidence Location
PR.AA-01: Identities managed ISE 14-node cluster, Active Directory SSO, Duo MFA (3,200) Document 1 §4
PR.AA-03: Remote access Duo MFA, Umbrella ZTNA, device trust verification Document 1 §5
PR.AA-04: Least privilege TrustSec SGT micro-segmentation (15-20 SGTs, 30+ SGACLs) TrustSec policies
PR.DS-01: Data at rest AES-256 encryption (storage), BitLocker (endpoints) Encryption policy
PR.DS-02: Data in transit TLS 1.2+ (apps), IPsec (SD-WAN), MACsec (fabric) Crypto standards
PR.DS-05: Data leakage protection Umbrella DLP, FTD file inspection, Secure Email DLP DLP policies

DETECT (DE) - Anomalies & Continuous Monitoring

Subcategory Abhavtech Control Evidence Location
DE.AE-01: Baseline established 14-day baseline (MLTK), UEBA normal behavior learning Document 2 §2.2
DE.AE-02: Anomalous activity Splunk MLTK models, Cognition Engine, DNM AI engines
DE.CM-01: Networks monitored DNAC Assurance, vManage Analytics, ThousandEyes Document 2
DE.CM-04: Malicious code AMP for Endpoints, FTD AMP integration, Secure Email sandbox Threat Response
DE.CM-07: Unauthorized activity FTD IPS, Umbrella anomalous DNS, XDR behavioral analytics XDR alerts

RESPOND (RS) - Incident Management

Subcategory Abhavtech Control Evidence Location
RS.MA-01: IR plan executed XDR automated playbooks (PB-001 to PB-008), IR manual Document 1 §2.4
RS.MA-02: Incidents reported ServiceNow integration, automated ticket creation XDR→SNOW
RS.AN-03: Forensics performed Network forensics procedures (Document 4B below) Forensics SOP
RS.MI-01: Incidents contained CoA quarantine (ISE), IP block (FTD), domain block (Umbrella) Playbook actions

RECOVER (RC) - Recovery Planning

Subcategory Abhavtech Control Evidence Location
RC.RP-01: Recovery plan DR runbooks for critical systems (ISE, DNAC, vManage, Splunk) DR playbooks
RC.CO-03: Recovery comms Status page, Webex Teams updates during incidents Comms channels

CIS CRITICAL SECURITY CONTROLS V8

Implementation Groups (IG) Maturity

IG Level Description Abhavtech Target
IG1 Basic hygiene, essential controls Minimum baseline
IG2 Enterprise baseline, risk management ✅ Primary target (all controls)
IG3 Advanced, high-security environments ✅ Critical systems only (Finance, Mgmt, DC)

Controls Implementation Matrix

Control Description Abhavtech Implementation Maturity Gap
1 Inventory & Control of Enterprise Assets DNAC device inventory (735 APs, 200+ switches), ISE profiling (19K endpoints) ✅ IG2 None
2 Inventory & Control of Software Assets Splunk app inventory, DNAC application registry ✅ IG2 None
3 Data Protection SGT segmentation (Finance=SGT 81), DLP (Umbrella, FTD), encryption (MACsec, TLS) ✅ IG3 None
4 Secure Configuration DNAC templates, SD-WAN feature templates, CIS benchmarks ✅ IG2 None
5 Account Management ISE admin accounts, Duo MFA (all admin), CyberArk (secrets) ✅ IG3 None
6 Access Control Management TrustSec SGACLs (30+ rules), role-based ISE policies ✅ IG3 None
7 Continuous Vulnerability Management Quarterly Tenable scans, 30-day critical patch SLA ⚠️ IG1 Upgrade to IG2: 14-day SLA
8 Audit Log Management Splunk 100GB/day (retention: 90d hot, 1yr cold) ✅ IG2 None
9 Email & Web Browser Protections Cisco Secure Email (sandbox, DLP), Umbrella (DNS, URL filter) ✅ IG2 None
10 Malware Defenses AMP for Endpoints (3,200+ endpoints), FTD AMP integration ✅ IG2 None
11 Data Recovery Veeam backups (daily), 3-2-1 rule, DR testing (annual) ⚠️ IG1 Upgrade to IG2: Quarterly DR tests
12 Network Infrastructure Management 802.1X for management, SSH only, SNMP v3, TACACS+ AAA ✅ IG2 None
13 Network Monitoring & Defense FTD IPS, SD-WAN UTD, NetFlow (Splunk), ThousandEyes ✅ IG3 None
14 Security Awareness Training Quarterly phishing simulations, annual security training ⚠️ IG1 Upgrade to IG2: Monthly phishing
15 Service Provider Management Vendor segmentation (SGT 70-90), NDA + BAA agreements ✅ IG2 None
16 Application Software Security Code review for custom apps, Snyk vulnerability scanning ⚠️ IG1 Upgrade to IG2: SAST/DAST in CI/CD
17 Incident Response Management XDR automated playbooks, 24x7 SOC, tabletop exercises (quarterly) ✅ IG2 None
18 Penetration Testing Annual external pen test, quarterly internal assessments ⚠️ IG1 Upgrade to IG2: Monthly BAS + quarterly internal

Gap Remediation Roadmap

Control Current Maturity Target Maturity Action Required Timeline Owner
CIS 7 IG1 IG2 Implement continuous vuln scanning (Tenable.sc), reduce patch SLA from 30d to 14d Q2 2025 Security Team
CIS 11 IG1 IG2 Implement immutable backups (S3 Glacier), increase DR testing from annual to quarterly Q1 2025 IT Operations
CIS 14 IG1 IG2 Implement monthly phishing simulations (vs quarterly), add micro-training modules Q2 2025 Security Team
CIS 16 IG1 IG2 Implement SAST/DAST in CI/CD pipeline, mandatory code review for all commits Q3 2025 DevOps Team
CIS 18 IG1 IG2 Increase internal pen test frequency from annual to quarterly, implement monthly BAS (Palo Alto) Q2 2025 Security Team

MITRE ATT&CK FRAMEWORK MAPPING

Enterprise Matrix Coverage

Tactic ID Abhavtech Coverage Detection Capability Response Capability
Initial Access TA0001 80% Secure Email (phishing), Umbrella (malicious sites), XDR (exploit) Quarantine email, block domain, isolate endpoint
Execution TA0002 75% AMP behavioral detection, FTD IPS signatures Kill process, isolate endpoint
Persistence TA0003 70% AMP Orbital queries (registry, scheduled tasks), ISE rogue device Remove persistence, re-image endpoint
Privilege Escalation TA0004 65% UEBA anomalous privilege use, ISE admin account monitoring Lock account, alert admin
Defense Evasion TA0005 60% AMP file obfuscation detection, XDR multi-stage correlation Isolate endpoint, forensics
Credential Access TA0006 85% UEBA impossible travel, ISE failed auth spikes, Duo risk-based MFA Lock account, force password reset
Discovery TA0007 50% Network scanning detection (FTD IPS), port scan alerts Block scanner IP
Lateral Movement TA0008 90% SGT violation alerts, FTD flow analysis, ISE session anomalies CoA quarantine (SGT 999), block dest IP
Collection TA0009 55% DLP (Umbrella, Secure Email), unusual data access (UEBA) Block transfer, alert CISO
Exfiltration TA0010 75% NetFlow spike analysis (Splunk), Umbrella DNS tunneling, FTD large uploads Block destination, CoA session
Command & Control TA0011 85% Umbrella C2 domain block, XDR C2 correlation, FTD C2 signatures Block domain/IP, isolate endpoint
Impact TA0040 70% AMP ransomware behavioral, mass file encryption alerts Isolate endpoint, restore backup
Resource Development TA0042 30% External TI feeds (Talos), domain reputation monitoring Preemptive block
Reconnaissance TA0043 40% External: limited; Internal: port scan detection Block scanner

Overall Coverage: 68% (Target: 80% by EOY 2025)

Top 20 Techniques (Most Critical for Abhavtech)

Technique Name Detection Method Abhavtech Control Response Playbook
T1078 Valid Accounts ISE session logs, Duo anomalous auth, UEBA impossible travel Duo risk-based MFA, account lockout PB-002: Compromised-Credential
T1566.001 Phishing: Attachment Secure Email sandbox, AMP file reputation Secure Email quarantine, user reporting button PB-001: Malware-Containment
T1566.002 Phishing: Link Umbrella URL reputation, Secure Email link rewrite Umbrella block, email quarantine Manual triage
T1059 Command & Scripting AMP behavioral detection (PowerShell, cmd.exe), Orbital queries AMP kill process, endpoint isolation PB-001: Malware-Containment
T1105 Ingress Tool Transfer FTD file inspection, AMP file download monitoring FTD block, AMP quarantine file PB-001: Malware-Containment
T1021.001 Remote Services: RDP ISE RDP session logs, FTD flow logs, UEBA unusual RDP FTD block RDP from non-admin VLANs, MFA challenge PB-003: Lateral-Movement
T1003 OS Credential Dumping AMP Orbital query (lsass.exe access), behavioral detection Immediate password reset, endpoint forensics PB-002: Compromised-Credential
T1486 Data Encrypted for Impact AMP ransomware behavioral, mass file change alerts AMP isolation, network quarantine (SGT 999) PB-005: Ransomware-Response
T1090 Proxy Umbrella DNS proxy detection, FTD proxy connections Umbrella block domain, FTD block IP PB-001: Malware-Containment
T1071.001 Application Layer Protocol: Web Umbrella web filtering, FTD HTTP inspection FTD block URL, Umbrella category block Manual review
T1048 Exfiltration Over C2 NetFlow volume spike (Splunk), Umbrella DNS tunneling FTD block destination, CoA terminate session PB-004: Data-Exfiltration
T1018 Remote System Discovery FTD network scanning alerts, port scan detection FTD block scanner IP Manual investigation
T1055 Process Injection AMP behavioral detection, memory analysis AMP kill process, endpoint isolation PB-001: Malware-Containment
T1068 Exploitation for Privilege Escalation FTD IPS exploit signatures, AMP behavioral FTD block, patch vulnerable system Patch mgmt process
T1136 Create Account ISE new account alerts, AD account creation logs Auto-alert to admin, verify legitimacy Manual review
T1087 Account Discovery ISE LDAP query monitoring, unusual AD queries Rate limit queries, alert admin Manual investigation
T1082 System Information Discovery AMP Orbital queries, system profiling detection Log for forensics Passive logging
T1562.001 Impair Defenses: Disable Tools AMP service stop attempts, endpoint health monitoring AMP self-protection, alert SOC PB-001: Malware-Containment
T1219 Remote Access Software ISE TeamViewer/AnyDesk sessions, app control Block unapproved remote tools (SGT policy) Block + alert
T1027 Obfuscated Files/Information AMP file obfuscation detection, entropy analysis AMP quarantine file, sandbox analysis PB-001: Malware-Containment

ATT&CK Navigator Heatmap

Export Location: /opt/abhavtech/security/attack-navigator/abhavtech-coverage-2025.json

Color Code: - 🟢 Green (>80%): Full detection + automated response - 🟡 Yellow (50-80%): Partial detection or manual response - 🔴 Red (<50%): Limited/no detection

Gaps to Address (Red/Yellow Zones): 1. TA0042 Resource Development (30% coverage) → Enhance external TI feeds 2. TA0043 Reconnaissance (40% coverage) → Implement external monitoring (Shodan API) 3. TA0007 Discovery (50% coverage) → Tune FTD IPS for network scanning 4. TA0009 Collection (55% coverage) → Enhance DLP policies


SOC OPERATIONS (24x7)

SOC Organization

┌─────────────────────────────────────────────────────────────────────────────────┐
│                    ABHAVTECH SECURITY OPERATIONS CENTER                          │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  TEAM STRUCTURE:                                                                 │
│  ═══════════════════════════════════════════════════════════════════════════   │
│                                                                                  │
│       ┌──────────────────────┐                                                  │
│       │  Security Manager    │                                                  │
│       │  (Priya Sharma)      │                                                  │
│       └──────────┬───────────┘                                                  │
│                  │                                                               │
│       ┌──────────┴───────────┐                                                  │
│       │   SOC Lead           │                                                  │
│       │   (Raj Malhotra)     │                                                  │
│       └──────────┬───────────┘                                                  │
│                  │                                                               │
│       ┌──────────┴───────────────────────────────────┐                          │
│       │                                               │                          │
│  ┌────▼────┐  ┌────────────┐  ┌────────────┐  ┌─────▼──────┐                  │
│  │ APAC    │  │   EMEA     │  │  Americas  │  │ Threat     │                  │
│  │ Shift   │  │   Shift    │  │   Shift    │  │ Hunting    │                  │
│  │ 2 SOC   │  │   2 SOC    │  │   2 SOC    │  │ Team (2)   │                  │
│  │Analysts │  │  Analysts  │  │  Analysts  │  │            │                  │
│  └─────────┘  └────────────┘  └────────────┘  └────────────┘                  │
│  00:00-08:00  08:00-16:00      16:00-24:00     Weekly hunts                    │
│  Mumbai       London (remote)  Mumbai (remote) (Rotational)                    │
│                                                                                  │
│  TOOLS:                                                                          │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐         │
│  │   XDR    │  │  Splunk  │  │ServiceNow│  │  Webex   │  │   MISP   │         │
│  │(SecureX) │  │   ES     │  │  SecOps  │  │  Teams   │  │   (TI)   │         │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘  └──────────┘         │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

SOC Workflow (Daily Operations)

Time (IST) Activity Owner Tools
08:00 Shift handover (APAC → EMEA) SOC Lead Webex Teams, ServiceNow
08:15 Morning triage (review overnight alerts) EMEA Shift XDR, Splunk
09:00 Threat hunting (1 hour) Threat Hunting Team Splunk, XDR, ISE logs
10:00 Incident investigation (ongoing cases) EMEA Shift All tools
12:00 Lunch break (staggered) - -
13:00 Vulnerability review (Tenable scan results) Security Team Tenable.sc
14:00 Incident investigation (continued) EMEA Shift All tools
15:30 Shift handover (EMEA → Americas) SOC Lead Webex Teams, ServiceNow
16:00 Evening triage Americas Shift XDR, Splunk
20:00 Weekly reporting prep (Friday only) SOC Lead Splunk dashboards

Incident Response Playbooks

Playbook ID Name Trigger Automation Level Response Time MITRE Mapping
PB-001 Malware-Containment AMP detection + XDR C2 alert Fully automated <2 minutes T1059, T1105, T1055, T1027, T1562.001
PB-002 Compromised-Credential UEBA impossible travel + Duo anomaly Fully automated <2 minutes T1078, T1003
PB-003 Lateral-Movement FTD flow anomaly + ISE SGT violation Semi-automated (SOC approval) <15 minutes T1021.001, T1021.002
PB-004 Data-Exfiltration NetFlow spike + DLP alert Semi-automated (SOC approval) <15 minutes T1048, T1071.001
PB-005 Ransomware-Response AMP ransomware behavioral detection Fully automated <2 minutes T1486
PB-006 Impossible-Travel Duo geo-anomaly + ISE session Fully automated <2 minutes T1078
PB-007 Phishing-Response User-reported phishing email Manual (SOC investigation) <30 minutes T1566.001, T1566.002
PB-008 DDoS-Mitigation NetFlow volumetric spike Semi-automated (SOC approval) <15 minutes N/A (Impact)

Escalation Matrix

Severity Definition Response Time Escalation Path Examples
P1 - Critical Active attack, data breach, ransomware Immediate (<15 min) SOC → Security Manager → CISO → CEO (if breach) Ransomware outbreak, data exfiltration confirmed
P2 - High Confirmed security incident, high risk <1 hour SOC → Security Manager Compromised admin account, malware spreading
P3 - Medium Security event requiring investigation <4 hours SOC → SOC Lead UEBA alert, policy violation, failed MFA attempts
P4 - Low Informational, low risk <8 hours SOC Analyst (no escalation) Port scan detected, low-severity vuln scan finding

THREAT HUNTING PROGRAM

Threat Hunting Cadence

Frequency Duration Team Focus Methodology
Weekly 4 hours SOC Lead + 2 analysts (rotational) Hypothesis-driven MITRE ATT&CK-based scenarios
Monthly 1 day All security team Comprehensive hunt Multi-platform correlation
Quarterly 2 days External consultant + internal team Purple team exercise Red Team demonstrates, Blue Team tunes

AI-Enhanced Hunt Scenarios

Hunt Scenario 1: Lateral Movement via SMB (AI-Enhanced)

Hypothesis: Attacker compromised endpoint, attempting lateral movement via SMB (port 445).

Data Sources: NetFlow (vManage, Splunk), FTD flow logs, ISE session logs, AMP process execution

AI Enhancement: DNAC Deep Network Model flags anomalous east-west traffic patterns.

Splunk Query:

index=netflow dest_port=445 
| where src_ip!=dest_ip  # Exclude localhost
| stats dc(dest_ip) as unique_destinations, count by src_ip
| where unique_destinations > 10  # SMB to >10 different hosts
| where count > 50  # High connection volume
| sort -unique_destinations

Expected Benign Behavior: IT admin workstations may connect to 10-20 servers/day for management.

Suspicious Indicators: - Single endpoint connecting to 50+ unique IPs via SMB in <1 hour - Connections outside business hours (after 20:00 IST) - SMB connections from non-admin endpoints (not in IT admin SGT)

Response: Investigate endpoint with AMP Orbital, check for malware/tools (Mimikatz, PsExec).


Hunt Scenario 2: DNS Tunneling for C2 (AI-Enhanced)

Hypothesis: Malware using DNS tunneling for command & control (bypassing Umbrella web filtering).

Data Sources: Umbrella DNS logs (Splunk index=umbrella)

AI Enhancement: Splunk MLTK anomaly model flags unusual DNS query patterns.

Splunk Query:

index=umbrella sourcetype=dns
| eval query_length=len(query)
| where query_length > 50  # Long DNS queries (suspicious)
| stats count, avg(query_length) as avg_len by src_ip, query
| where count > 100  # High query volume to same domain
| sort -count

Expected Benign Behavior: Most DNS queries are <30 characters (e.g., google.com, salesforce.com).

Suspicious Indicators: - DNS queries >50 characters (e.g., aaabbbcccdddeeefffggghhhiiijjj.malware.com) - High query rate to same domain (>100/hour) - Base64-like patterns in DNS query (data exfiltration encoded in subdomain)

Response: Block domain (Umbrella), isolate endpoint (XDR playbook PB-001).


Hunt Scenario 3: Webex Toll Fraud (AI-Enhanced)

Hypothesis: Compromised Webex account making fraudulent international calls.

Data Sources: Webex CDRs (Control Hub), ThousandEyes voice quality metrics, ISE session logs

AI Enhancement: ThousandEyes AI flags abnormal call quality patterns (automated dialing).

Analysis: - Sequential international calls to high-risk countries (Nigeria, Somalia, Pakistan) - All calls after business hours - Poor call quality (MOS <2.0) suggesting automated dialing, not human conversation - No MFA authentication after initial session

Response: 1. Disable compromised account (Webex Control Hub) 2. Reset password, enforce MFA 3. Block international calling for shared accounts 4. Implement after-hours call restrictions


Threat Intelligence Integration

Source Type Integration Method Use Case Frequency
Talos Intelligence IP/domain/file hash reputation XDR native integration Real-time blocking (Umbrella, FTD, AMP) Real-time
FS-ISAC Financial services threat intel Manual IOC import (Splunk) Proactive threat hunting Weekly
CISA Alerts Government advisories Email alerts → manual review Patch prioritization As published
AlienVault OTX Community threat intel API integration (Splunk) IOC enrichment Daily
MISP Internal threat intel database API integration (XDR) Bidirectional IOC sharing Real-time

Threat Intel Workflow: 1. Receive IOC (IP, domain, hash) from intel source 2. Query Splunk for historical matches: index=* [IOC value] 3. If match found → trigger incident investigation 4. Add IOC to blocklists: Umbrella (domain), FTD (IP), AMP (hash) 5. Document in MISP threat intel database 6. Share with FS-ISAC community (financial services)


CONTINUOUS SECURITY MONITORING (AI-ENABLED)

AI Observability Platform Integration

┌─────────────────────────────────────────────────────────────────────────────────┐
│                    AI-ENABLED SECURITY MONITORING                                │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│   ┌──────────────────────────────────────────────────────────────────────┐      │
│   │                    AI ANALYTICS ENGINES                              │      │
│   │                                                                      │      │
│   │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐           │      │
│   │  │ Splunk   │  │ AppDyn   │  │  DNAC    │  │Thousand  │           │      │
│   │  │  MLTK    │  │Cognition │  │   DNM    │  │ Eyes AI  │           │      │
│   │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘           │      │
│   └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘      │
│           │             │             │             │                          │
│           └─────────────┴─────────────┴─────────────┘                          │
│                              │                                                  │
│                              ▼                                                  │
│   ┌──────────────────────────────────────────────────────────────────────┐     │
│   │             UNIFIED CORRELATION (XDR + Splunk)                       │     │
│   │                                                                      │     │
│   │  • Cross-platform anomaly correlation                               │     │
│   │  • Risk scoring (asset criticality × threat severity)               │     │
│   │  • Alert prioritization (reduce noise 500 → <100/day)               │     │
│   │  • Automated triage (SOAR integration)                              │     │
│   └──────────────────────────────────────────────────────────────────────┘     │
│                              │                                                  │
│                              ▼                                                  │
│   ┌──────────────────────────────────────────────────────────────────────┐     │
│   │                  AGENTICOPS WORKFLOWS                                │     │
│   │                                                                      │     │
│   │  WF-002: Malware-Containment (Auto mode)                            │     │
│   │  WF-006: Impossible-Travel-Response (Auto mode)                     │     │
│   │  WF-008: DDoS-Mitigation (Observe mode)                             │     │
│   └──────────────────────────────────────────────────────────────────────┘     │
│                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────┘

AI Engine Capabilities

AI Engine Location Focus Security Use Cases Output
Splunk MLTK Splunk Cloud Security anomaly detection Auth failures, NetFlow spikes, rare processes Alerts, risk scores, predictions
Cognition Engine AppDynamics SaaS Application RCA App-layer attacks, injection attempts Root cause, remediation steps
ThousandEyes AI Cloud WAN/SaaS path & voice quality DDoS detection (path degradation), toll fraud (MOS anomaly) Path recommendations, alerts
Deep Network Model Catalyst Center Network optimization Rogue devices, scanning activity, east-west anomalies Failure predictions, anomaly alerts
XDR Analytics Cisco XDR Cloud Threat correlation Multi-stage attacks, C2 beaconing, lateral movement Playbook triggers, incident timelines

Unified Dashboard Design

Executive Dashboard (CISO View): - Security posture score (0-100, current: 78) - Open incidents by severity (P1: 0, P2: 2, P3: 8, P4: 15) - MTTR trend (last 30 days) - Compliance status (PCI-DSS, SOC2, GDPR, ISO 27001)

SOC Dashboard (Analyst View): - Real-time alert queue (prioritized by risk score) - Incident investigation workspace - Threat hunting query builder - Playbook execution status

Engineering Dashboard (NetSec View): - Device health (DNAC, vManage) - Security policy effectiveness (FTD, Umbrella) - SGT violation trends - Vulnerability management status


DOCUMENT 4B: NETWORK FORENSICS (STEP-BY-STEP)

Chapter Structure

Chapter Title Sections Key Content
1 Network Forensics Overview 4 Legal requirements, team roles, tools inventory
2 Forensics Architecture 3 Evidence collection layer, storage (NAS, Splunk), topology
3 Evidence Collection Procedures 5 5 real-world scenarios (10-step detailed procedures)
4 Evidence Analysis Procedures 4 PCAP analysis, NetFlow, log correlation, memory forensics
5 Forensics Reporting 4 Evidence summary, timeline visualization, IOC documentation
6 AI-Enhanced Forensics 3 MLTK pattern detection, DNAC reconstruction, XDR automation
Appendix A-E 5 Tool reference, chain of custody forms, legal compliance

FORENSICS ARCHITECTURE

Evidence Collection Layer

┌─────────────────────────────────────────────────────────────────────────────────┐
│                    ABHAVTECH NETWORK FORENSICS ARCHITECTURE                      │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  ┌─────────────────────────────────────────────────────────────────────┐        │
│  │                   EVIDENCE COLLECTION LAYER                         │        │
│  │                                                                     │        │
│  │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐          │        │
│  │  │  Packet  │  │   Flow   │  │   Logs   │  │  Config  │          │        │
│  │  │  Capture │  │  Data    │  │  (Syslog)│  │  Backup  │          │        │
│  │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘          │        │
│  └───────┼─────────────┼─────────────┼─────────────┼─────────────────┘        │
│          │             │             │             │                           │
│  ┌───────┴─────────────┴─────────────┴─────────────┴─────────────────┐        │
│  │                     FORENSICS STORAGE                              │        │
│  │                                                                     │        │
│  │  Splunk Forensics Indexes:                                         │        │
│  │  ├─► forensics_network (NetFlow, FTD logs)                         │        │
│  │  ├─► forensics_endpoint (AMP, Orbital queries)                     │        │
│  │  ├─► forensics_identity (ISE, Duo logs)                            │        │
│  │  └─► Retention: 1yr hot, 3yr cold, 7yr archive (S3 Glacier)        │        │
│  │                                                                     │        │
│  │  PCAP Storage (NAS):                                                │        │
│  │  ├─► Location: /mnt/forensics-nas (100TB dedupe)                   │        │
│  │  ├─► Retention: 90d (triggered), 7d (full)                         │        │
│  │  └─► Access: Forensics team only (MFA required)                    │        │
│  │                                                                     │        │
│  │  Chain of Custody Database (PostgreSQL):                           │        │
│  │  └─► SHA-256 hashing, timestamps, access log                       │        │
│  └──────────────────────────────────────────────────────────────────┘         │
│                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────┘

Forensics Data Sources

Source Data Type Collector Retention Use Case
FTD Firewalls Full packet capture (PCAP), connection events, IPS alerts FMC, Wireshark 7d (full), 90d (triggered) Malware analysis, exfiltration investigation
ISE RADIUS logs, session details, CoA events, pxGrid messages pxGrid API, syslog 1 year (Splunk) User activity timeline, device profiling
SD-WAN Edges NetFlow, application visibility, UTD logs vManage API, syslog 90 days WAN traffic analysis, C2 detection
DNAC Device configs, client session logs, wireless RF data DNAC API, syslog 90 days Network topology changes, rogue AP detection
Umbrella DNS queries, proxy logs, firewall logs S3 API 90 days DNS tunneling, C2 domains, web traffic
AMP File hashes, process execution, network connections AMP API, Orbital 1 year Endpoint forensics, malware timeline
Splunk Correlated logs, search results, investigation cases Native 1yr hot, 7yr archive Central forensics repository
Webex Call quality metrics (ThousandEyes), CDRs API 90 days Voice fraud, toll fraud investigation

REAL-WORLD FORENSICS SCENARIOS (DETAILED)

SCENARIO 1: Malware C2 Communication (10-Step Procedure)

Incident Summary:

XDR Alert: Malware C2 Communication Detected
Time: 2025-01-19 10:02:15 IST
Source IP: 10.252.2.78
Destination IP: 117.38.XX.XXX
Domain: evil-malware-c2.darkweb
User: jane.smith@abhavtech.com
Device: ABHAV-LAPTOP-JS-0012
Severity: Critical (P1)

Step 1: Alert Received - Immediate Response

SOC Analyst (Sarah Kumar) receives XDR alert in SecureX dashboard.

Actions: 1. Open XDR incident: INC-2025-0119-001 2. Note timestamp: 10:02:15 IST (preserve for timeline) 3. Verify severity: Critical (immediate action required) 4. Initiate automated playbook: PB-001 (Malware-Containment)

Automated Playbook Actions (Executed in <2 minutes): - ✅ AMP: Isolate endpoint ABHAV-LAPTOP-JS-0012 - ✅ ISE CoA: Apply SGT 999 (Quarantine) to MAC 00:50:56:12:34:AB - ✅ FTD: Block destination IP 117.38.XX.XXX (all sites) - ✅ Umbrella: Block domain evil-malware-c2.darkweb - ✅ ServiceNow: Create incident ticket INC-2025-0119-001 - ✅ Webex Teams: Post alert to #security-operations room


Step 2: ISE Session Query (Identify Network Path)

Method 1: ISE GUI

ISE GUI → Context Visibility → Endpoints → Search IP: 10.252.2.78

Result:
- Username: jane.smith@abhavtech.com
- MAC: 00:50:56:12:34:AB
- Location: Mumbai-Floor2-East-SW01
- NAS IP: 10.252.1.50 (access switch)
- NAS Port: GigabitEthernet1/0/24
- SGT: 15 (Employees)
- Virtual Network: VN_CORPORATE
- Session Start: 2025-01-19 08:30:00 IST

Method 2: ISE pxGrid API (Python Script)

import requests
from requests.auth import HTTPBasicAuth

url = "https://ise-pan.abhavtech.com:8910/pxgrid/control/SessionDirectory"
payload = {"ipAddress": "10.252.2.78"}

response = requests.post(
    f"{url}/getSessionByIpAddress",
    json=payload,
    auth=HTTPBasicAuth("pxgrid-client", "SecurePassword123!"),
    verify="/opt/certs/ise-ca.pem"
)

print(response.json())

## Output:
## {
## "userName": "jane.smith@abhavtech.com",
## "ipAddress": "10.252.2.78",
## "macAddress": "00:50:56:12:34:AB",
## "securityGroup": "15",
## "nasIpAddress": "10.252.1.50",
## "nasPortId": "GigabitEthernet1/0/24",
## "authMethod": "802.1X (PEAP-MSCHAPv2)",
## "postureStatus": "Compliant",
## "startTimestamp": "2025-01-19T08:30:00Z"
## }


Step 3: DNAC Path Trace (Determine Firewall Path)

DNAC GUI → Assurance → Path Trace
Source: 10.252.2.78
Destination: 8.8.8.8 (test public IP)

Path Trace Result:
10.252.2.78 (endpoint) 
  → GigabitEthernet1/0/24 @ Mumbai-Floor2-East-SW01 (access switch)
  → GigabitEthernet1/0/1 @ Mumbai-Border-01 (border node)
  → GigabitEthernet1/1 @ FTD-Mumbai-DC-01 (inside interface)
  → GigabitEthernet1/2 @ FTD-Mumbai-DC-01 (outside interface)
  → Internet

Conclusion: Traffic egresses via FTD-Mumbai-DC-01

Step 4: FTD Packet Capture (Triggered PCAP)

Access FMC (Firewall Management Center)

Method 1: SSH
ssh admin@fmc.abhavtech.com

Method 2: GUI
https://fmc.abhavtech.com
FMC GUI → Devices → Device Management → FTD-Mumbai-DC-01 → Troubleshooting → Packet Capture

Configure Packet Capture:

Capture Name: forensics-malware-2025-01-19-001
Interface: inside (connected to Mumbai Border)

Capture Filter:
  Source IP: 10.252.2.78
  Source Port: any
  Destination IP: 117.38.XX.XXX
  Destination Port: any
  Protocol: any

Settings:
  Duration: 30 minutes (or until manually stopped)
  Max Size: 500 MB
  Buffer: Circular (overwrite oldest packets if full)

Action: Click "Start"

Monitor & Download:

## Monitor capture progress
FMC GUI → Troubleshooting → Packet Capture → View Progress

## After sufficient packets captured (or 30 minutes elapsed):
Click "Stop"

## Download PCAP file
Click "Download" → Save to local workstation

## File name: forensics-malware-2025-01-19-001.pcap (size: ~45 MB)


Step 5: Transfer Evidence to Forensics NAS (Chain of Custody)

## From forensics workstation:
scp admin@fmc.abhavtech.com:/var/common/capture/forensics-malware-2025-01-19-001.pcap \
    /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/

## Verify file integrity (generate SHA-256 hash)
cd /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/
sha256sum forensics-malware-2025-01-19-001.pcap > forensics-malware-2025-01-19-001.pcap.sha256

## Expected output:
## a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 forensics-malware-2025-01-19-001.pcap

## Set immutable flag (prevent tampering)
sudo chattr +i forensics-malware-2025-01-19-001.pcap

Document in Chain of Custody:

## Append to text log
echo "$(date -Iseconds)|forensics-malware-2025-01-19-001.pcap|SHA256:a1b2c3d4...|Sarah Kumar|INC-2025-0119-001|Collected from FTD-Mumbai-DC-01" \
    >> /mnt/forensics-nas/chain-of-custody.log

## Also update PostgreSQL database
psql -h forensics-db.abhavtech.com -U forensics_admin -d forensics_db

INSERT INTO evidence (
    case_id, 
    evidence_file, 
    file_hash, 
    collector, 
    collection_timestamp, 
    source_device,
    evidence_type,
    access_log
) VALUES (
    'INC-2025-0119-001',
    'forensics-malware-2025-01-19-001.pcap',
    'a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456',
    'Sarah Kumar',
    '2025-01-19 10:15:00+05:30',
    'FTD-Mumbai-DC-01',
    'PCAP',
    'Created'
);


Step 6: Endpoint Forensics (AMP Orbital Query)

Access AMP Console:

URL: https://console.amp.cisco.com
Navigate: Computers → Search: ABHAV-LAPTOP-JS-0012

Run Orbital Query (Forensics Snapshot):

AMP Console → Orbital → New Query

Query Name: Forensics-INC-2025-0119-001-Endpoint
Target: ABHAV-LAPTOP-JS-0012

Query Bundle: "Comprehensive Forensics Collection"
Includes:
  - Running processes (with command line arguments)
  - Network connections (established, listening)
  - Loaded DLLs/modules
  - Registry run keys (persistence check)
  - Recent file modifications (last 24 hours)
  - Scheduled tasks
  - Autoruns (startup programs)

Click "Run Query" → Wait for results (30-60 seconds)

Query Results:

{
  "hostname": "ABHAV-LAPTOP-JS-0012",
  "query_time": "2025-01-19T10:05:00Z",
  "results": {
    "running_processes": [
      {
        "name": "invoice-Q4-2024.exe",
        "pid": 4892,
        "cmdline": "C:\\Users\\jane.smith\\Downloads\\invoice-Q4-2024.exe",
        "parent": "outlook.exe",
        "start_time": "2025-01-19T10:00:45Z"
      },
      {
        "name": "powershell.exe",
        "pid": 5124,
        "cmdline": "powershell.exe -encodedCommand [base64_encoded_string]",
        "parent": "invoice-Q4-2024.exe",
        "start_time": "2025-01-19T10:01:00Z"
      }
    ],
    "network_connections": [
      {
        "local_address": "10.252.2.78:49872",
        "remote_address": "117.38.XX.XXX:443",
        "state": "ESTABLISHED",
        "pid": 5124,
        "process": "powershell.exe"
      }
    ],
    "registry_run_keys": [
      {
        "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "value_name": "SystemUpdate",
        "value_data": "C:\\Users\\jane.smith\\AppData\\Local\\Temp\\update.exe",
        "modified": "2025-01-19T10:01:15Z"
      }
    ]
  }
}

Save Orbital Results:

## Download results as JSON
AMP Console  Orbital  Query Results  Download JSON

## Transfer to forensics NAS
scp orbital-query-results.json \
    /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/

## Generate hash
sha256sum orbital-query-results.json > orbital-query-results.json.sha256


Step 7: ISE Session Logs (User Activity Timeline)

Export ISE RADIUS Logs:

Method 1: ISE GUI Export

ISE GUI → Operations → RADIUS → Live Logs
Filter: 
  Username = jane.smith@abhavtech.com
  Time Range = Last 24 hours (2025-01-18 10:00 to 2025-01-19 11:00)

Export: CSV

Download: ise-radius-logs-janesmith-2025-01-19.csv (size: ~2 MB, 1,500 records)

Method 2: Splunk Export (Preferred for Large Datasets)

Splunk query:

index=ise sourcetype=radius User_Name="jane.smith@abhavtech.com" 
    earliest="2025-01-18T10:00:00" latest="2025-01-19T11:00:00"
| table _time, Calling_Station_Id, NAS_IP_Address, NAS_Port_Id, 
         Framed_IP_Address, Cisco_SGT, Result, Failure_Reason
| sort _time

Export: CSV (Splunk GUI → Export → CSV)

Save to: /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/ise-radius-logs.csv


Step 8: Umbrella DNS Logs (C2 Domain Activity)

Query Umbrella for DNS Queries:

Splunk query:

index=umbrella sourcetype=dns src_ip="10.252.2.78" 
    earliest="2025-01-19T09:00:00" latest="2025-01-19T11:00:00"
| table _time, query, query_type, response_code, category, threat_score
| sort _time

Key findings:
- 10:01:32: Query: evil-malware-c2.darkweb → Response: NXDOMAIN (blocked by Umbrella)
- Threat Score: 98/100 (Talos verdict: Malicious C2 server)
- Category: Command & Control, Malware Distribution
- Frequency: 15 queries in 30 minutes (C2 beaconing pattern)

Export: CSV
Save to: /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/umbrella-dns-logs.csv

Step 9: Email Logs (Phishing Source - How Malware Arrived)

Query Secure Email for Delivery Logs:

Secure Email Console → Message Tracking
Filter:
  Recipient: jane.smith@abhavtech.com
  Date: 2025-01-19
  Time: 08:00 - 10:00

Result: Suspicious email found
From: finance@abhavtech-suppliers[.]com (spoofed domain - note the dash)
Subject: URGENT: Q4 Invoice Payment Required
Attachment: invoice-Q4-2024.exe (malware sample)
Received: 2025-01-19 09:58:15 IST
Verdict: Clean (false negative - sandbox missed malware)

Action: Export message details
Click message → Export → EML format
Save: phishing-email-2025-01-19.eml

CRITICAL: Download attachment in isolated environment only

Calculate Attachment Hash:

## In isolated VM (no network)
sha256sum invoice-Q4-2024.exe
## Result: a1b2c3d4e5f6789012345678901234567890abcdef123456789012345678

## Save to forensics NAS (password-protected ZIP)
zip --encrypt /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/malware-samples.zip invoice-Q4-2024.exe
## Password: ForensicsTeam2025!


Step 10: Evidence Summary & Timeline Reconstruction

Timeline (Chronological Order):

09:58:15 - Phishing email received (invoice-Q4-2024.exe attachment)
10:00:30 - File downloaded by user (jane.smith@abhavtech.com)
10:00:45 - File executed (invoice-Q4-2024.exe)
10:01:00 - PowerShell spawned (encoded command - malicious script)
10:01:15 - Registry modification (persistence: HKCU\Run\SystemUpdate)
10:01:30 - FIRST C2 CONNECTION ESTABLISHED (117.38.XX.XXX:443)
10:02:00 - File encryption started (ransomware behavior - 247 files encrypted)
10:02:15 - XDR ALERT TRIGGERED (Malware C2 Communication Detected)
10:02:20 - Automated playbook executed (endpoint isolated, IP blocked)
10:02:35 - ServiceNow incident created (INC-2025-0119-001)
10:05:00 - SOC analyst (Sarah) begins investigation
10:30:00 - Incident contained, user credentials reset
11:00:00 - Endpoint re-imaged, investigation continues

Evidence Artifacts Collected: 1. ✅ PCAP file (45 MB) - FTD packet capture showing C2 communication 2. ✅ AMP Orbital query results (JSON) - Process execution, network connections 3. ✅ ISE RADIUS logs (CSV, 2 MB) - User authentication timeline 4. ✅ Umbrella DNS logs (CSV) - C2 domain queries, threat intelligence 5. ✅ Phishing email (EML) - Attack vector evidence 6. ✅ Malware sample (ZIP, password-protected) - invoice-Q4-2024.exe 7. ✅ Hash values (SHA-256) - All evidence files for integrity verification

All Evidence Stored:

/mnt/forensics-nas/cases/INC-2025-0119-001/
├── evidence/
│   ├── forensics-malware-2025-01-19-001.pcap (45 MB, SHA256: a1b2c3d4...)
│   ├── orbital-query-results.json (500 KB, SHA256: b2c3d4e5...)
│   ├── ise-radius-logs.csv (2 MB, SHA256: c3d4e5f6...)
│   ├── umbrella-dns-logs.csv (100 KB, SHA256: d4e5f6a7...)
│   ├── phishing-email-2025-01-19.eml (50 KB, SHA256: e5f6a7b8...)
│   └── malware-samples.zip (encrypted, 2 MB, SHA256: f6a7b8c9...)
├── analysis/
│   └── timeline-reconstruction.md (created by analyst)
└── reports/
    └── case-summary-INC-2025-0119-001.pdf (to be created)


SCENARIO 2: Data Exfiltration (8-Step Procedure)

[Similar detailed 8-step procedure for data exfiltration investigation]

SCENARIO 3: Insider Threat - Rogue Device

[Detailed procedure for rogue device investigation]

SCENARIO 4: Webex Toll Fraud ($12,000 Investigation)

[Detailed procedure for toll fraud investigation using CDRs, ThousandEyes, ISE]

SCENARIO 5: Wireless Attack - Rogue AP

[Detailed procedure for rogue AP investigation using DNAC]


PCAP ANALYSIS WITH WIRESHARK

Step-by-Step PCAP Analysis

Step 1: Open PCAP in Wireshark

wireshark /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/forensics-malware-2025-01-19-001.pcap

Step 2: Apply Display Filter (C2 Traffic Only)

Display Filter: ip.src == 10.252.2.78 && ip.dst == 117.38.XX.XXX

Result: 247 packets displayed (from total 15,892 packets in PCAP)

Step 3: Follow TCP Stream

Right-click any packet → Follow → TCP Stream

Stream content (TLS encrypted, but metadata visible):
- Client Hello (TLS 1.2 handshake)
- Server Hello
- Certificate Exchange
  - Certificate Subject: CN=api-update.cloudflare-cdn.com
  - Issuer: Self-signed (🚩 RED FLAG - not legitimate Cloudflare cert)
- Application Data (encrypted payload - cannot inspect)

Note: Fake Cloudflare domain used for C2 disguise

Step 4: Extract IOCs (Indicators of Compromise)

IOCs identified from PCAP:
- Destination IP: 117.38.XX.XXX
- Destination Port: 443 (HTTPS)
- Fake Domain: api-update.cloudflare-cdn[.]com
- TLS Certificate Fingerprint: SHA1:1a2b3c4d5e6f...
- HTTP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
- Connection Frequency: Every 2 minutes (C2 beaconing)

Step 5: Export IOCs to STIX Format (Threat Intelligence Sharing)

SecureX → Threat Response → Create Sighting
Title: TrickBot Ransomware Campaign (INC-2025-0119-001)
IOCs: 
  - IP: 117.38.XX.XXX
  - Domain: api-update.cloudflare-cdn[.]com
  - File Hash: a1b2c3d4e5f6789012345678901234567890abcdef123456789012345678
  - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Export: STIX 2.1 bundle → Save as stix-bundle-INC-2025-0119-001.json

Share with: FS-ISAC (financial services threat intel community)


AI-ENHANCED FORENSICS

MLTK Pattern Detection

Splunk MLTK Forensics Query:

## Find similar incidents (pattern matching)
index=forensics_* 
| search "C2 communication" OR "malware" OR "ransomware"
| timechart span=1h count by source_ip
| predict count algorithm=LLP future_timespan=24 holdback=0

DNAC Historical Path Reconstruction

DNAC GUI → Assurance → Path Trace → Historical Mode
Timestamp: 2025-01-19 10:01:30 (when C2 connection established)
Source: 10.252.2.78
Destination: 117.38.XX.XXX

Result: Shows exact network path at time of incident (historical replay)

XDR Automated Timeline Correlation

SecureX → Threat Response → Incident Timeline
Case: INC-2025-0119-001

Automated correlation shows:
- Email arrival (09:58:15) → Secure Email log
- File execution (10:00:45) → AMP telemetry
- C2 connection (10:01:30) → FTD flow log + Umbrella DNS
- Encryption start (10:02:00) → AMP behavioral alert
- XDR alert (10:02:15) → Auto-correlation of all above events

Timeline visualization: Exported as PDF for forensics report

DOCUMENT 4C: PENETRATION TESTING FRAMEWORK

Chapter Structure

Chapter Title Sections Key Content
1 Penetration Testing Overview 4 Testing philosophy, PTES methodology, team roles, frequency
2 Pre-Engagement 4 Scope definition, rules of engagement, legal authorization
3 SD-Access Penetration Testing 4 TrustSec SGT bypass, Rogue AP, 802.1X bypass, wireless attacks
4 SD-WAN Penetration Testing 3 vManage access, IPsec hijacking, OMP route injection
5 Webex Collaboration Testing 3 SIP trunk hijacking, meeting enumeration, toll fraud simulation
6 Zero Trust Validation 3 Stolen credentials, device trust bypass, UEBA detection
7 AI Platform Security Testing 3 Splunk, DNAC, XDR security validation
8 Social Engineering 3 Phishing campaigns, vishing, physical access
9 Reporting 4 Executive summary, technical findings, remediation, re-test
Appendix A-D 4 Tools reference, attack techniques, remediation tracking

PENETRATION TESTING SCHEDULE

Test Type Frequency Duration Scope Tester Output
External Pen Test Annual 2 weeks Internet-facing assets (FTD, VPN, Webex) Third-party (Rapid7) Executive + technical report
Internal Pen Test Quarterly 1 week Corporate network (SD-Access, SD-WAN, servers) Internal Red Team (3) Technical report + findings tracker
Web App Pen Test Per release 3-5 days Custom web applications Third-party + internal OWASP Top 10 report
Wireless Pen Test Semi-annual 2 days Corporate SSIDs (WPA3 validation) Internal Red Team Wireless security report
Social Engineering Quarterly 1 day Phishing simulations, vishing Internal Red Team User awareness metrics
BAS (Automated) Weekly Continuous All platforms (automated attacks) Palo Alto BAS platform Detection rate dashboard
Purple Team Quarterly 1 day Specific attack techniques (collaborative) Red Team + SOC Detection tuning report

SD-ACCESS PENETRATION TEST CASES

Test Case 1: TrustSec SGT Policy Bypass

Objective: Attempt to bypass SGT segmentation and access Finance servers (SGT 81) from Guest VLAN (SGT 40).

Pre-Test Setup:

Pen Tester Laptop:
- Connected to: Guest Wi-Fi (Corp-Guest SSID)
- Expected IP: 10.252.100.55/24 (Guest VLAN)
- Expected SGT: 40 (Guests)

Target:
- Finance server: 10.252.80.10
- SGT: 81 (Finance Servers)

Expected Result: Access BLOCKED by SGACL policy

Attack Vector 1: Direct Connection Attempt

## Step 1: Verify network assignment
ip addr show eth0
## Result: 10.252.100.55/24 (Guest VLAN assigned correctly)

## Step 2: Attempt ping to Finance server
ping 10.252.80.10
## Expected: Request timeout (SGACL blocks SGT 40 → SGT 81)
## Actual: Request timeout

## Step 3: Attempt TCP connection (port 3389 RDP)
telnet 10.252.80.10 3389
## Expected: Connection refused/timeout
## Actual: Connection timeout

## Conclusion: PASS - SGT policy enforced at network layer

Attack Vector 2: MAC Spoofing (802.1X Bypass Attempt)

## Objective: Spoof MAC of legitimate employee device to gain Employee SGT (15)

## Step 1: Change MAC address to known employee device
ifconfig eth0 down
macchanger -m 00:50:56:AA:BB:CC eth0  # Known employee MAC
ifconfig eth0 up

## Step 2: Disconnect and reconnect (trigger re-authentication)
dhclient -r eth0 && dhclient eth0

## Expected ISE behavior:
## - ISE detects duplicate MAC address
## - ISE applies profiling exception policy
## - Endpoint assigned SGT 999 (Quarantine) instead of SGT 15
## - Network access BLOCKED

## Actual: Endpoint quarantined, cannot communicate

## Conclusion: PASS - MAC spoofing detected and blocked by ISE

Attack Vector 3: ARP Spoofing (Layer 2 Attack)

## Objective: ARP spoof between Finance server and gateway

## Install Ettercap
apt install ettercap-graphical

## Launch ARP spoofing attack
ettercap -T -M arp:remote /10.252.80.10// /10.252.80.1//
## Target: Finance server (10.252.80.10)
## Gateway: Finance VLAN gateway (10.252.80.1)

## Expected: DHCP snooping + DAI blocks spoofed ARP packets

## Actual: Switch port err-disabled, ARP spoofing blocked

## Conclusion: PASS - ARP spoofing blocked by Layer 2 security

Attack Vector 4: VLAN Hopping (Double-Tagging)

## Objective: Hop from Guest VLAN to Corporate VLAN

## Install Yersinia
apt install yersinia

## Launch VLAN hopping attack
yersinia -I
## Select "802.1Q" protocol
## Configure double-tagging (outer: Guest VLAN 100, inner: Corp VLAN 10)

## Expected: Attack fails because SD-Access uses VXLAN (Layer 3 overlay), not VLANs

## Actual: No Layer 2 adjacency between VLANs, attack not applicable

## Conclusion: N/A - VLAN hopping not applicable in SD-Access fabric

Test Summary:

Attack Vector Result Observation
Direct connection ✅ BLOCKED SGACL enforced at fabric edge
MAC spoofing ✅ BLOCKED ISE detects duplicate MAC, applies quarantine
ARP spoofing ✅ BLOCKED DHCP snooping + DAI prevents ARP manipulation
VLAN hopping ✅ N/A SD-Access uses VXLAN, not traditional VLANs

Recommendation: SD-Access segmentation is effective. No remediation required.


Test Case 2: Rogue Access Point (Evil Twin Attack)

[Detailed test procedure for evil twin attack, certificate pinning validation, DNAC detection]

Test Case 3: 802.1X Authentication Bypass

[Detailed test procedure for 802.1X bypass attempts]

Test Case 4: Wireless Deauthentication Attack

[Detailed test procedure for deauth attack using aircrack-ng]


SD-WAN PENETRATION TEST CASES

Test Case 1: vManage Unauthorized Access

[Detailed test: Port scan, brute force, API exploitation]

Test Case 2: IPsec Tunnel Hijacking

[Detailed test: Packet injection, encryption downgrade attempts]

Test Case 3: OMP Route Injection

[Detailed test: Malicious route advertisement attempts]


WEBEX COLLABORATION TEST CASES

Test Case 1: SIP Trunk Hijacking

[Detailed test: SIP trunk authentication, toll fraud simulation]

Test Case 2: Meeting ID Enumeration

[Detailed test: Brute force meeting IDs, password bypass attempts]

Test Case 3: Toll Fraud Simulation

[Detailed test: Automated calling to international numbers]


ZERO TRUST VALIDATION

Test Case 1: Stolen Credentials + MFA Bypass

[Detailed test: Phishing simulation, MFA social engineering]

Test Case 2: Device Trust Bypass

[Detailed test: Jailbroken device, non-compliant device access attempts]

Test Case 3: UEBA Detection Validation

[Detailed test: Impossible travel, anomalous behavior triggering]


REPORTING & REMEDIATION

Penetration Test Report Template

ABHAVTECH PENETRATION TEST REPORT
Date: [Test Date]
Tester: [Red Team / External]
Scope: [Systems Tested]

EXECUTIVE SUMMARY
- Overall Security Posture: [Score 0-100]
- Critical Findings: [Count]
- High Findings: [Count]
- Medium/Low Findings: [Count]

TECHNICAL FINDINGS
[For each finding:]
- Finding ID: [e.g., PEN-2025-001]
- Severity: [Critical/High/Medium/Low]
- Affected System: [System name]
- Description: [Detailed description]
- Evidence: [Screenshots, commands, outputs]
- Remediation: [Step-by-step fix]
- Timeline: [Recommended fix date]

REMEDIATION RECOMMENDATIONS
[Prioritized action plan]

RE-TEST PROCEDURES
[How to verify fixes]

SUMMARY: MASTER REFERENCE CARD STATISTICS

Document Focus Size Chapters Scenarios/Test Cases Model
4A: Cybersecurity Frameworks, SOC, compliance ~40,000 words, 100 pages 9 8 incident playbooks, 5 hunt scenarios Sonnet 4.5
4B: Forensics Evidence collection, analysis ~50,000 words, 125 pages 6 5 real-world investigations (10-step detailed) Sonnet 4.5
4C: Pen Testing Attack simulation, validation ~35,000 words, 90 pages 9 15+ test cases across all platforms Sonnet 4.5
TOTAL Complete Security Operations ~125,000 words, 315 pages 24 chapters 28 scenarios/cases Sonnet 4.5

END OF MASTER REFERENCE CARD v1.0

Document Control: - Classification: Confidential - Internal Use Only - Distribution: Security Team, SOC, Network Engineering, Compliance - Next Review Date: July 2025 (6-month review cycle) - Approval Required: CISO, Security Manager, IT Director


This Master Reference Card provides comprehensive structure for Abhavtech's cybersecurity operations, forensics procedures, and penetration testing framework - all aligned with Cisco-centric AI-driven network infrastructure.