Master Reference Card¶
DOCUMENT STRUCTURE¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH SECURITY OPERATIONS & VALIDATION DOCUMENTS │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ DOCUMENT 4A: CYBERSECURITY FRAMEWORK & OPERATIONS │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ • NIST CSF 2.0 Implementation (6 Functions) │
│ • CIS Critical Security Controls v8 (18 Controls) │
│ • MITRE ATT&CK Framework Mapping (200+ Techniques) │
│ • ISO 27001:2022 Controls (93 Controls) │
│ • SOC Procedures (24x7 Operations) │
│ • Threat Hunting Program (AI-Enhanced) │
│ • Continuous Security Monitoring │
│ • Model: Sonnet 4.5 │
│ • Size: ~40,000 words, 100 pages │
│ │
│ DOCUMENT 4B: NETWORK FORENSICS (STEP-BY-STEP) │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ • Forensics Architecture & Evidence Collection │
│ • 5 Real-World Investigation Scenarios (Detailed) │
│ - Malware C2 Communication (10 steps) │
│ - Data Exfiltration (8 steps) │
│ - Insider Threat (Rogue Device) │
│ - Webex Toll Fraud ($12K investigation) │
│ - Wireless Attack (Rogue AP) │
│ • PCAP Analysis with Wireshark (Filters, TCP Streams) │
│ • Chain of Custody Procedures (SHA-256, Legal Compliance) │
│ • AI-Enhanced Forensics (MLTK, DNAC, XDR) │
│ • Model: Sonnet 4.5 │
│ • Size: ~50,000 words, 125 pages │
│ │
│ DOCUMENT 4C: PENETRATION TESTING FRAMEWORK │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ • PTES Methodology (6 Phases) │
│ • 15+ Test Cases Across All Platforms: │
│ - SD-Access (TrustSec SGT bypass, Rogue AP, 802.1X) │
│ - SD-WAN (vManage access, IPsec hijacking, OMP injection) │
│ - Webex (SIP hijacking, Meeting enumeration, Toll fraud) │
│ - Zero Trust (Credential bypass, Device trust, UEBA) │
│ - AI Platforms (Splunk, DNAC, XDR security) │
│ • Social Engineering (Phishing, Vishing, Physical) │
│ • Red Team vs Blue Team Exercises │
│ • Purple Team Collaboration │
│ • Model: Sonnet 4.5 │
│ • Size: ~35,000 words, 90 pages │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
SECURITY OPERATIONS INTEGRATION MAP¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH SECURITY OPERATIONS INTEGRATION MAP │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ CYBERSECURITY FRAMEWORKS │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │NIST CSF │ │ CIS │ │ MITRE │ │ISO 27001 │ │ │
│ │ │ 2.0 │ │Controls │ │ ATT&CK │ │ :2022 │ │ │
│ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │
│ └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘ │
│ │ │ │ │ │
│ └─────────────┴─────────────┴─────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ SECURITY OPERATIONS CENTER (SOC) │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ XDR │ │ Splunk │ │ ISE │ │ DNAC │ │ │
│ │ │(SecureX) │ │ (SIEM) │ │(Identity)│ │(Network) │ │ │
│ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │
│ └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘ │
│ │ │ │ │ │
│ │ ┌───────┴─────────────┴─────┬───────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────────┐ ┌──────────────────┐ │
│ │ NETWORK FORENSICS│ │ PEN TESTING │ │
│ │ │ │ │ │
│ │ • Evidence │ │ • Red Team │ │
│ │ • Analysis │ │ • Blue Team │ │
│ │ • Investigation │ │ • Purple Team │ │
│ │ • Chain of │ │ • Validation │ │
│ │ Custody │ │ │ │
│ └──────────────────┘ └──────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
MASTER SECURITY OPERATIONS STRUCTURE¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH SECURITY OPERATIONS FRAMEWORK │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ FOUNDATION (Already Complete - From Phase 1) │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ ✅ XDR Platform (SecureX, 8 ribbons, 5 playbooks) │
│ ✅ Duo Beyond (3,200 users, device trust, MFA) │
│ ✅ FTD Firewalls (18 units, SGT-aware) │
│ ✅ Umbrella SASE (DNS security, Cloud FW, DLP) │
│ ✅ Splunk SIEM (100GB/day, MLTK anomaly detection) │
│ ✅ ISE 14-node (802.1X, TrustSec, pxGrid) │
│ ✅ DNAC 2.3.7.x (Assurance, Deep Network Model) │
│ ✅ ThousandEyes (6 hub agents, path monitoring) │
│ │
│ CONTINUOUS OPERATIONS (24x7) │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ Document 4A: Cybersecurity Framework │
│ ├─► NIST CSF 2.0 Implementation (6 functions mapped) │
│ ├─► CIS Controls v8 (18 controls, IG2/IG3 maturity) │
│ ├─► MITRE ATT&CK Coverage (68% current → 80% target) │
│ ├─► SOC Operations (12 analysts, 3 shifts, follow-the-sun) │
│ ├─► Incident Response (8 automated playbooks) │
│ ├─► Threat Hunting (Weekly, AI-enhanced) │
│ └─► Compliance Reporting (PCI-DSS, SOC2, GDPR, ISO 27001) │
│ │
│ FORENSICS INVESTIGATIONS (As Needed) │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ Document 4B: Network Forensics │
│ ├─► Evidence Collection (PCAP, NetFlow, logs, configs) │
│ ├─► Analysis Methodology (Wireshark, Splunk, AMP Orbital) │
│ ├─► Real-World Scenarios (5 detailed investigations) │
│ │ ├─► Malware C2 Communication (10-step procedure) │
│ │ ├─► Data Exfiltration (8-step procedure) │
│ │ ├─► Insider Threat - Rogue Device │
│ │ ├─► Webex Toll Fraud ($12,000 investigation) │
│ │ └─► Wireless Attack - Rogue AP │
│ ├─► Chain of Custody (Legal compliance, SHA-256 hashing) │
│ └─► AI-Enhanced Forensics (MLTK, DNAC, XDR timeline) │
│ │
│ SECURITY VALIDATION (Scheduled) │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ Document 4C: Penetration Testing │
│ ├─► Annual External Pen Test (2 weeks, full scope, Rapid7) │
│ ├─► Quarterly Internal Pen Test (Red Team, 3 engineers) │
│ ├─► Semi-Annual Wireless Pen Test (Evil twin, deauth attacks) │
│ ├─► Monthly Social Engineering (Phishing simulations) │
│ ├─► Purple Team Exercises (Quarterly, detection tuning) │
│ └─► Breach & Attack Simulation (Weekly, automated, Palo Alto BAS) │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
DOCUMENT 4A: CYBERSECURITY FRAMEWORK & OPERATIONS¶
Chapter Structure¶
| Chapter | Title | Sections | Key Content |
|---|---|---|---|
| 1 | Executive Summary & Security Posture | 4 | Security stack, threat landscape, compliance |
| 2 | NIST Cybersecurity Framework 2.0 | 6 | Govern, Identify, Protect, Detect, Respond, Recover |
| 3 | CIS Critical Security Controls v8 | 3 | 18 controls, IG2/IG3 maturity, gap analysis |
| 4 | MITRE ATT&CK Framework | 4 | 14 tactics, 200+ techniques, Navigator heatmap |
| 5 | ISO 27001:2022 Controls | 5 | 93 controls across 4 themes, evidence matrix |
| 6 | Security Operations Center (SOC) | 6 | 24x7 operations, playbooks, escalation matrix |
| 7 | Threat Hunting Program | 3 | Weekly hunts, AI-enhanced scenarios, TI integration |
| 8 | Continuous Security Monitoring | 3 | AI observability, unified correlation, AgenticOps |
| 9 | Compliance Reporting & Audits | 4 | PCI-DSS, SOC2, GDPR, audit evidence repository |
| Appendix | A-F | 6 | Tool matrix, crosswalk, checklists, runbooks |
NIST CSF 2.0 IMPLEMENTATION MATRIX¶
Six Functions Overview¶
| Function | Subcategories | Abhavtech Implementation | Status |
|---|---|---|---|
| GOVERN (GV) | 10 | Risk management, oversight, policies | ✅ Complete |
| IDENTIFY (ID) | 8 | Asset management, risk assessment, UEBA | ✅ Complete |
| PROTECT (PR) | 12 | Identity (ISE+Duo), data security (TrustSec), encryption | ✅ Complete |
| DETECT (DE) | 8 | Anomaly detection (MLTK), continuous monitoring (XDR) | ✅ Complete |
| RESPOND (RS) | 8 | XDR playbooks, SOC 24x7, forensics procedures | ✅ Complete |
| RECOVER (RC) | 4 | DR runbooks, backup (Veeam), business continuity | ✅ Complete |
GOVERN (GV) - Risk Management¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| GV.OC-01: Mission understood | IT Strategy 2025-2027, supports 3,200 users, 40 sites | Document 1 §1.1 |
| GV.RM-01: Risk objectives | Risk acceptance: Medium or below, quarterly reviews | Security charter |
| GV.RM-02: Risk appetite | Zero tolerance for critical risks (ransomware, breach) | Risk policy |
| GV.RM-03: Supply chain risks | Vendor segmentation (SGT 70-90), assessments | Vendor matrix |
| GV.OV-01: Roles assigned | CISO, Security Team (5), SOC (12), NetSec (8) | Org chart |
IDENTIFY (ID) - Asset Management & Risk¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| ID.AM-01: Physical devices | DNAC device inventory (switches, routers, APs, 735 APs) | DNAC 2.3.7.x |
| ID.AM-03: Network communication | Virtual Networks (VN_CORPORATE, VN_SERVERS, etc.) | SD-Access topology |
| ID.AM-05: Resources prioritized | Tier 1: Finance (SGT 81), Mgmt (SGT 60), DC (SGT 80-83) | Asset classification |
| ID.RA-01: Vulnerabilities | Quarterly Tenable Nessus scans, 30-day critical patch SLA | Vuln reports |
| ID.RA-02: Threat intelligence | Talos feeds (XDR), CISA alerts, FS-ISAC | TI integration |
| ID.RA-03: Internal threats | UEBA baselines (Duo + Splunk MLTK), insider threat program | UEBA dashboard |
PROTECT (PR) - Identity & Data Security¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| PR.AA-01: Identities managed | ISE 14-node cluster, Active Directory SSO, Duo MFA (3,200) | Document 1 §4 |
| PR.AA-03: Remote access | Duo MFA, Umbrella ZTNA, device trust verification | Document 1 §5 |
| PR.AA-04: Least privilege | TrustSec SGT micro-segmentation (15-20 SGTs, 30+ SGACLs) | TrustSec policies |
| PR.DS-01: Data at rest | AES-256 encryption (storage), BitLocker (endpoints) | Encryption policy |
| PR.DS-02: Data in transit | TLS 1.2+ (apps), IPsec (SD-WAN), MACsec (fabric) | Crypto standards |
| PR.DS-05: Data leakage protection | Umbrella DLP, FTD file inspection, Secure Email DLP | DLP policies |
DETECT (DE) - Anomalies & Continuous Monitoring¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| DE.AE-01: Baseline established | 14-day baseline (MLTK), UEBA normal behavior learning | Document 2 §2.2 |
| DE.AE-02: Anomalous activity | Splunk MLTK models, Cognition Engine, DNM | AI engines |
| DE.CM-01: Networks monitored | DNAC Assurance, vManage Analytics, ThousandEyes | Document 2 |
| DE.CM-04: Malicious code | AMP for Endpoints, FTD AMP integration, Secure Email sandbox | Threat Response |
| DE.CM-07: Unauthorized activity | FTD IPS, Umbrella anomalous DNS, XDR behavioral analytics | XDR alerts |
RESPOND (RS) - Incident Management¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| RS.MA-01: IR plan executed | XDR automated playbooks (PB-001 to PB-008), IR manual | Document 1 §2.4 |
| RS.MA-02: Incidents reported | ServiceNow integration, automated ticket creation | XDR→SNOW |
| RS.AN-03: Forensics performed | Network forensics procedures (Document 4B below) | Forensics SOP |
| RS.MI-01: Incidents contained | CoA quarantine (ISE), IP block (FTD), domain block (Umbrella) | Playbook actions |
RECOVER (RC) - Recovery Planning¶
| Subcategory | Abhavtech Control | Evidence Location |
|---|---|---|
| RC.RP-01: Recovery plan | DR runbooks for critical systems (ISE, DNAC, vManage, Splunk) | DR playbooks |
| RC.CO-03: Recovery comms | Status page, Webex Teams updates during incidents | Comms channels |
CIS CRITICAL SECURITY CONTROLS V8¶
Implementation Groups (IG) Maturity¶
| IG Level | Description | Abhavtech Target |
|---|---|---|
| IG1 | Basic hygiene, essential controls | Minimum baseline |
| IG2 | Enterprise baseline, risk management | ✅ Primary target (all controls) |
| IG3 | Advanced, high-security environments | ✅ Critical systems only (Finance, Mgmt, DC) |
Controls Implementation Matrix¶
| Control | Description | Abhavtech Implementation | Maturity | Gap |
|---|---|---|---|---|
| 1 | Inventory & Control of Enterprise Assets | DNAC device inventory (735 APs, 200+ switches), ISE profiling (19K endpoints) | ✅ IG2 | None |
| 2 | Inventory & Control of Software Assets | Splunk app inventory, DNAC application registry | ✅ IG2 | None |
| 3 | Data Protection | SGT segmentation (Finance=SGT 81), DLP (Umbrella, FTD), encryption (MACsec, TLS) | ✅ IG3 | None |
| 4 | Secure Configuration | DNAC templates, SD-WAN feature templates, CIS benchmarks | ✅ IG2 | None |
| 5 | Account Management | ISE admin accounts, Duo MFA (all admin), CyberArk (secrets) | ✅ IG3 | None |
| 6 | Access Control Management | TrustSec SGACLs (30+ rules), role-based ISE policies | ✅ IG3 | None |
| 7 | Continuous Vulnerability Management | Quarterly Tenable scans, 30-day critical patch SLA | ⚠️ IG1 | Upgrade to IG2: 14-day SLA |
| 8 | Audit Log Management | Splunk 100GB/day (retention: 90d hot, 1yr cold) | ✅ IG2 | None |
| 9 | Email & Web Browser Protections | Cisco Secure Email (sandbox, DLP), Umbrella (DNS, URL filter) | ✅ IG2 | None |
| 10 | Malware Defenses | AMP for Endpoints (3,200+ endpoints), FTD AMP integration | ✅ IG2 | None |
| 11 | Data Recovery | Veeam backups (daily), 3-2-1 rule, DR testing (annual) | ⚠️ IG1 | Upgrade to IG2: Quarterly DR tests |
| 12 | Network Infrastructure Management | 802.1X for management, SSH only, SNMP v3, TACACS+ AAA | ✅ IG2 | None |
| 13 | Network Monitoring & Defense | FTD IPS, SD-WAN UTD, NetFlow (Splunk), ThousandEyes | ✅ IG3 | None |
| 14 | Security Awareness Training | Quarterly phishing simulations, annual security training | ⚠️ IG1 | Upgrade to IG2: Monthly phishing |
| 15 | Service Provider Management | Vendor segmentation (SGT 70-90), NDA + BAA agreements | ✅ IG2 | None |
| 16 | Application Software Security | Code review for custom apps, Snyk vulnerability scanning | ⚠️ IG1 | Upgrade to IG2: SAST/DAST in CI/CD |
| 17 | Incident Response Management | XDR automated playbooks, 24x7 SOC, tabletop exercises (quarterly) | ✅ IG2 | None |
| 18 | Penetration Testing | Annual external pen test, quarterly internal assessments | ⚠️ IG1 | Upgrade to IG2: Monthly BAS + quarterly internal |
Gap Remediation Roadmap¶
| Control | Current Maturity | Target Maturity | Action Required | Timeline | Owner |
|---|---|---|---|---|---|
| CIS 7 | IG1 | IG2 | Implement continuous vuln scanning (Tenable.sc), reduce patch SLA from 30d to 14d | Q2 2025 | Security Team |
| CIS 11 | IG1 | IG2 | Implement immutable backups (S3 Glacier), increase DR testing from annual to quarterly | Q1 2025 | IT Operations |
| CIS 14 | IG1 | IG2 | Implement monthly phishing simulations (vs quarterly), add micro-training modules | Q2 2025 | Security Team |
| CIS 16 | IG1 | IG2 | Implement SAST/DAST in CI/CD pipeline, mandatory code review for all commits | Q3 2025 | DevOps Team |
| CIS 18 | IG1 | IG2 | Increase internal pen test frequency from annual to quarterly, implement monthly BAS (Palo Alto) | Q2 2025 | Security Team |
MITRE ATT&CK FRAMEWORK MAPPING¶
Enterprise Matrix Coverage¶
| Tactic | ID | Abhavtech Coverage | Detection Capability | Response Capability |
|---|---|---|---|---|
| Initial Access | TA0001 | 80% | Secure Email (phishing), Umbrella (malicious sites), XDR (exploit) | Quarantine email, block domain, isolate endpoint |
| Execution | TA0002 | 75% | AMP behavioral detection, FTD IPS signatures | Kill process, isolate endpoint |
| Persistence | TA0003 | 70% | AMP Orbital queries (registry, scheduled tasks), ISE rogue device | Remove persistence, re-image endpoint |
| Privilege Escalation | TA0004 | 65% | UEBA anomalous privilege use, ISE admin account monitoring | Lock account, alert admin |
| Defense Evasion | TA0005 | 60% | AMP file obfuscation detection, XDR multi-stage correlation | Isolate endpoint, forensics |
| Credential Access | TA0006 | 85% | UEBA impossible travel, ISE failed auth spikes, Duo risk-based MFA | Lock account, force password reset |
| Discovery | TA0007 | 50% | Network scanning detection (FTD IPS), port scan alerts | Block scanner IP |
| Lateral Movement | TA0008 | 90% | SGT violation alerts, FTD flow analysis, ISE session anomalies | CoA quarantine (SGT 999), block dest IP |
| Collection | TA0009 | 55% | DLP (Umbrella, Secure Email), unusual data access (UEBA) | Block transfer, alert CISO |
| Exfiltration | TA0010 | 75% | NetFlow spike analysis (Splunk), Umbrella DNS tunneling, FTD large uploads | Block destination, CoA session |
| Command & Control | TA0011 | 85% | Umbrella C2 domain block, XDR C2 correlation, FTD C2 signatures | Block domain/IP, isolate endpoint |
| Impact | TA0040 | 70% | AMP ransomware behavioral, mass file encryption alerts | Isolate endpoint, restore backup |
| Resource Development | TA0042 | 30% | External TI feeds (Talos), domain reputation monitoring | Preemptive block |
| Reconnaissance | TA0043 | 40% | External: limited; Internal: port scan detection | Block scanner |
Overall Coverage: 68% (Target: 80% by EOY 2025)
Top 20 Techniques (Most Critical for Abhavtech)¶
| Technique | Name | Detection Method | Abhavtech Control | Response Playbook |
|---|---|---|---|---|
| T1078 | Valid Accounts | ISE session logs, Duo anomalous auth, UEBA impossible travel | Duo risk-based MFA, account lockout | PB-002: Compromised-Credential |
| T1566.001 | Phishing: Attachment | Secure Email sandbox, AMP file reputation | Secure Email quarantine, user reporting button | PB-001: Malware-Containment |
| T1566.002 | Phishing: Link | Umbrella URL reputation, Secure Email link rewrite | Umbrella block, email quarantine | Manual triage |
| T1059 | Command & Scripting | AMP behavioral detection (PowerShell, cmd.exe), Orbital queries | AMP kill process, endpoint isolation | PB-001: Malware-Containment |
| T1105 | Ingress Tool Transfer | FTD file inspection, AMP file download monitoring | FTD block, AMP quarantine file | PB-001: Malware-Containment |
| T1021.001 | Remote Services: RDP | ISE RDP session logs, FTD flow logs, UEBA unusual RDP | FTD block RDP from non-admin VLANs, MFA challenge | PB-003: Lateral-Movement |
| T1003 | OS Credential Dumping | AMP Orbital query (lsass.exe access), behavioral detection | Immediate password reset, endpoint forensics | PB-002: Compromised-Credential |
| T1486 | Data Encrypted for Impact | AMP ransomware behavioral, mass file change alerts | AMP isolation, network quarantine (SGT 999) | PB-005: Ransomware-Response |
| T1090 | Proxy | Umbrella DNS proxy detection, FTD proxy connections | Umbrella block domain, FTD block IP | PB-001: Malware-Containment |
| T1071.001 | Application Layer Protocol: Web | Umbrella web filtering, FTD HTTP inspection | FTD block URL, Umbrella category block | Manual review |
| T1048 | Exfiltration Over C2 | NetFlow volume spike (Splunk), Umbrella DNS tunneling | FTD block destination, CoA terminate session | PB-004: Data-Exfiltration |
| T1018 | Remote System Discovery | FTD network scanning alerts, port scan detection | FTD block scanner IP | Manual investigation |
| T1055 | Process Injection | AMP behavioral detection, memory analysis | AMP kill process, endpoint isolation | PB-001: Malware-Containment |
| T1068 | Exploitation for Privilege Escalation | FTD IPS exploit signatures, AMP behavioral | FTD block, patch vulnerable system | Patch mgmt process |
| T1136 | Create Account | ISE new account alerts, AD account creation logs | Auto-alert to admin, verify legitimacy | Manual review |
| T1087 | Account Discovery | ISE LDAP query monitoring, unusual AD queries | Rate limit queries, alert admin | Manual investigation |
| T1082 | System Information Discovery | AMP Orbital queries, system profiling detection | Log for forensics | Passive logging |
| T1562.001 | Impair Defenses: Disable Tools | AMP service stop attempts, endpoint health monitoring | AMP self-protection, alert SOC | PB-001: Malware-Containment |
| T1219 | Remote Access Software | ISE TeamViewer/AnyDesk sessions, app control | Block unapproved remote tools (SGT policy) | Block + alert |
| T1027 | Obfuscated Files/Information | AMP file obfuscation detection, entropy analysis | AMP quarantine file, sandbox analysis | PB-001: Malware-Containment |
ATT&CK Navigator Heatmap¶
Export Location: /opt/abhavtech/security/attack-navigator/abhavtech-coverage-2025.json
Color Code: - 🟢 Green (>80%): Full detection + automated response - 🟡 Yellow (50-80%): Partial detection or manual response - 🔴 Red (<50%): Limited/no detection
Gaps to Address (Red/Yellow Zones): 1. TA0042 Resource Development (30% coverage) → Enhance external TI feeds 2. TA0043 Reconnaissance (40% coverage) → Implement external monitoring (Shodan API) 3. TA0007 Discovery (50% coverage) → Tune FTD IPS for network scanning 4. TA0009 Collection (55% coverage) → Enhance DLP policies
SOC OPERATIONS (24x7)¶
SOC Organization¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH SECURITY OPERATIONS CENTER │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ TEAM STRUCTURE: │
│ ═══════════════════════════════════════════════════════════════════════════ │
│ │
│ ┌──────────────────────┐ │
│ │ Security Manager │ │
│ │ (Priya Sharma) │ │
│ └──────────┬───────────┘ │
│ │ │
│ ┌──────────┴───────────┐ │
│ │ SOC Lead │ │
│ │ (Raj Malhotra) │ │
│ └──────────┬───────────┘ │
│ │ │
│ ┌──────────┴───────────────────────────────────┐ │
│ │ │ │
│ ┌────▼────┐ ┌────────────┐ ┌────────────┐ ┌─────▼──────┐ │
│ │ APAC │ │ EMEA │ │ Americas │ │ Threat │ │
│ │ Shift │ │ Shift │ │ Shift │ │ Hunting │ │
│ │ 2 SOC │ │ 2 SOC │ │ 2 SOC │ │ Team (2) │ │
│ │Analysts │ │ Analysts │ │ Analysts │ │ │ │
│ └─────────┘ └────────────┘ └────────────┘ └────────────┘ │
│ 00:00-08:00 08:00-16:00 16:00-24:00 Weekly hunts │
│ Mumbai London (remote) Mumbai (remote) (Rotational) │
│ │
│ TOOLS: │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ XDR │ │ Splunk │ │ServiceNow│ │ Webex │ │ MISP │ │
│ │(SecureX) │ │ ES │ │ SecOps │ │ Teams │ │ (TI) │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
SOC Workflow (Daily Operations)¶
| Time (IST) | Activity | Owner | Tools |
|---|---|---|---|
| 08:00 | Shift handover (APAC → EMEA) | SOC Lead | Webex Teams, ServiceNow |
| 08:15 | Morning triage (review overnight alerts) | EMEA Shift | XDR, Splunk |
| 09:00 | Threat hunting (1 hour) | Threat Hunting Team | Splunk, XDR, ISE logs |
| 10:00 | Incident investigation (ongoing cases) | EMEA Shift | All tools |
| 12:00 | Lunch break (staggered) | - | - |
| 13:00 | Vulnerability review (Tenable scan results) | Security Team | Tenable.sc |
| 14:00 | Incident investigation (continued) | EMEA Shift | All tools |
| 15:30 | Shift handover (EMEA → Americas) | SOC Lead | Webex Teams, ServiceNow |
| 16:00 | Evening triage | Americas Shift | XDR, Splunk |
| 20:00 | Weekly reporting prep (Friday only) | SOC Lead | Splunk dashboards |
Incident Response Playbooks¶
| Playbook ID | Name | Trigger | Automation Level | Response Time | MITRE Mapping |
|---|---|---|---|---|---|
| PB-001 | Malware-Containment | AMP detection + XDR C2 alert | Fully automated | <2 minutes | T1059, T1105, T1055, T1027, T1562.001 |
| PB-002 | Compromised-Credential | UEBA impossible travel + Duo anomaly | Fully automated | <2 minutes | T1078, T1003 |
| PB-003 | Lateral-Movement | FTD flow anomaly + ISE SGT violation | Semi-automated (SOC approval) | <15 minutes | T1021.001, T1021.002 |
| PB-004 | Data-Exfiltration | NetFlow spike + DLP alert | Semi-automated (SOC approval) | <15 minutes | T1048, T1071.001 |
| PB-005 | Ransomware-Response | AMP ransomware behavioral detection | Fully automated | <2 minutes | T1486 |
| PB-006 | Impossible-Travel | Duo geo-anomaly + ISE session | Fully automated | <2 minutes | T1078 |
| PB-007 | Phishing-Response | User-reported phishing email | Manual (SOC investigation) | <30 minutes | T1566.001, T1566.002 |
| PB-008 | DDoS-Mitigation | NetFlow volumetric spike | Semi-automated (SOC approval) | <15 minutes | N/A (Impact) |
Escalation Matrix¶
| Severity | Definition | Response Time | Escalation Path | Examples |
|---|---|---|---|---|
| P1 - Critical | Active attack, data breach, ransomware | Immediate (<15 min) | SOC → Security Manager → CISO → CEO (if breach) | Ransomware outbreak, data exfiltration confirmed |
| P2 - High | Confirmed security incident, high risk | <1 hour | SOC → Security Manager | Compromised admin account, malware spreading |
| P3 - Medium | Security event requiring investigation | <4 hours | SOC → SOC Lead | UEBA alert, policy violation, failed MFA attempts |
| P4 - Low | Informational, low risk | <8 hours | SOC Analyst (no escalation) | Port scan detected, low-severity vuln scan finding |
THREAT HUNTING PROGRAM¶
Threat Hunting Cadence¶
| Frequency | Duration | Team | Focus | Methodology |
|---|---|---|---|---|
| Weekly | 4 hours | SOC Lead + 2 analysts (rotational) | Hypothesis-driven | MITRE ATT&CK-based scenarios |
| Monthly | 1 day | All security team | Comprehensive hunt | Multi-platform correlation |
| Quarterly | 2 days | External consultant + internal team | Purple team exercise | Red Team demonstrates, Blue Team tunes |
AI-Enhanced Hunt Scenarios¶
Hunt Scenario 1: Lateral Movement via SMB (AI-Enhanced)¶
Hypothesis: Attacker compromised endpoint, attempting lateral movement via SMB (port 445).
Data Sources: NetFlow (vManage, Splunk), FTD flow logs, ISE session logs, AMP process execution
AI Enhancement: DNAC Deep Network Model flags anomalous east-west traffic patterns.
Splunk Query:
index=netflow dest_port=445
| where src_ip!=dest_ip # Exclude localhost
| stats dc(dest_ip) as unique_destinations, count by src_ip
| where unique_destinations > 10 # SMB to >10 different hosts
| where count > 50 # High connection volume
| sort -unique_destinations
Expected Benign Behavior: IT admin workstations may connect to 10-20 servers/day for management.
Suspicious Indicators: - Single endpoint connecting to 50+ unique IPs via SMB in <1 hour - Connections outside business hours (after 20:00 IST) - SMB connections from non-admin endpoints (not in IT admin SGT)
Response: Investigate endpoint with AMP Orbital, check for malware/tools (Mimikatz, PsExec).
Hunt Scenario 2: DNS Tunneling for C2 (AI-Enhanced)¶
Hypothesis: Malware using DNS tunneling for command & control (bypassing Umbrella web filtering).
Data Sources: Umbrella DNS logs (Splunk index=umbrella)
AI Enhancement: Splunk MLTK anomaly model flags unusual DNS query patterns.
Splunk Query:
index=umbrella sourcetype=dns
| eval query_length=len(query)
| where query_length > 50 # Long DNS queries (suspicious)
| stats count, avg(query_length) as avg_len by src_ip, query
| where count > 100 # High query volume to same domain
| sort -count
Expected Benign Behavior: Most DNS queries are <30 characters (e.g., google.com, salesforce.com).
Suspicious Indicators: - DNS queries >50 characters (e.g., aaabbbcccdddeeefffggghhhiiijjj.malware.com) - High query rate to same domain (>100/hour) - Base64-like patterns in DNS query (data exfiltration encoded in subdomain)
Response: Block domain (Umbrella), isolate endpoint (XDR playbook PB-001).
Hunt Scenario 3: Webex Toll Fraud (AI-Enhanced)¶
Hypothesis: Compromised Webex account making fraudulent international calls.
Data Sources: Webex CDRs (Control Hub), ThousandEyes voice quality metrics, ISE session logs
AI Enhancement: ThousandEyes AI flags abnormal call quality patterns (automated dialing).
Analysis: - Sequential international calls to high-risk countries (Nigeria, Somalia, Pakistan) - All calls after business hours - Poor call quality (MOS <2.0) suggesting automated dialing, not human conversation - No MFA authentication after initial session
Response: 1. Disable compromised account (Webex Control Hub) 2. Reset password, enforce MFA 3. Block international calling for shared accounts 4. Implement after-hours call restrictions
Threat Intelligence Integration¶
| Source | Type | Integration Method | Use Case | Frequency |
|---|---|---|---|---|
| Talos Intelligence | IP/domain/file hash reputation | XDR native integration | Real-time blocking (Umbrella, FTD, AMP) | Real-time |
| FS-ISAC | Financial services threat intel | Manual IOC import (Splunk) | Proactive threat hunting | Weekly |
| CISA Alerts | Government advisories | Email alerts → manual review | Patch prioritization | As published |
| AlienVault OTX | Community threat intel | API integration (Splunk) | IOC enrichment | Daily |
| MISP | Internal threat intel database | API integration (XDR) | Bidirectional IOC sharing | Real-time |
Threat Intel Workflow:
1. Receive IOC (IP, domain, hash) from intel source
2. Query Splunk for historical matches: index=* [IOC value]
3. If match found → trigger incident investigation
4. Add IOC to blocklists: Umbrella (domain), FTD (IP), AMP (hash)
5. Document in MISP threat intel database
6. Share with FS-ISAC community (financial services)
CONTINUOUS SECURITY MONITORING (AI-ENABLED)¶
AI Observability Platform Integration¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ AI-ENABLED SECURITY MONITORING │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ AI ANALYTICS ENGINES │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Splunk │ │ AppDyn │ │ DNAC │ │Thousand │ │ │
│ │ │ MLTK │ │Cognition │ │ DNM │ │ Eyes AI │ │ │
│ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │
│ └───────┼─────────────┼─────────────┼─────────────┼──────────────────┘ │
│ │ │ │ │ │
│ └─────────────┴─────────────┴─────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ UNIFIED CORRELATION (XDR + Splunk) │ │
│ │ │ │
│ │ • Cross-platform anomaly correlation │ │
│ │ • Risk scoring (asset criticality × threat severity) │ │
│ │ • Alert prioritization (reduce noise 500 → <100/day) │ │
│ │ • Automated triage (SOAR integration) │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ AGENTICOPS WORKFLOWS │ │
│ │ │ │
│ │ WF-002: Malware-Containment (Auto mode) │ │
│ │ WF-006: Impossible-Travel-Response (Auto mode) │ │
│ │ WF-008: DDoS-Mitigation (Observe mode) │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
AI Engine Capabilities¶
| AI Engine | Location | Focus | Security Use Cases | Output |
|---|---|---|---|---|
| Splunk MLTK | Splunk Cloud | Security anomaly detection | Auth failures, NetFlow spikes, rare processes | Alerts, risk scores, predictions |
| Cognition Engine | AppDynamics SaaS | Application RCA | App-layer attacks, injection attempts | Root cause, remediation steps |
| ThousandEyes AI | Cloud | WAN/SaaS path & voice quality | DDoS detection (path degradation), toll fraud (MOS anomaly) | Path recommendations, alerts |
| Deep Network Model | Catalyst Center | Network optimization | Rogue devices, scanning activity, east-west anomalies | Failure predictions, anomaly alerts |
| XDR Analytics | Cisco XDR Cloud | Threat correlation | Multi-stage attacks, C2 beaconing, lateral movement | Playbook triggers, incident timelines |
Unified Dashboard Design¶
Executive Dashboard (CISO View): - Security posture score (0-100, current: 78) - Open incidents by severity (P1: 0, P2: 2, P3: 8, P4: 15) - MTTR trend (last 30 days) - Compliance status (PCI-DSS, SOC2, GDPR, ISO 27001)
SOC Dashboard (Analyst View): - Real-time alert queue (prioritized by risk score) - Incident investigation workspace - Threat hunting query builder - Playbook execution status
Engineering Dashboard (NetSec View): - Device health (DNAC, vManage) - Security policy effectiveness (FTD, Umbrella) - SGT violation trends - Vulnerability management status
DOCUMENT 4B: NETWORK FORENSICS (STEP-BY-STEP)¶
Chapter Structure¶
| Chapter | Title | Sections | Key Content |
|---|---|---|---|
| 1 | Network Forensics Overview | 4 | Legal requirements, team roles, tools inventory |
| 2 | Forensics Architecture | 3 | Evidence collection layer, storage (NAS, Splunk), topology |
| 3 | Evidence Collection Procedures | 5 | 5 real-world scenarios (10-step detailed procedures) |
| 4 | Evidence Analysis Procedures | 4 | PCAP analysis, NetFlow, log correlation, memory forensics |
| 5 | Forensics Reporting | 4 | Evidence summary, timeline visualization, IOC documentation |
| 6 | AI-Enhanced Forensics | 3 | MLTK pattern detection, DNAC reconstruction, XDR automation |
| Appendix | A-E | 5 | Tool reference, chain of custody forms, legal compliance |
FORENSICS ARCHITECTURE¶
Evidence Collection Layer¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH NETWORK FORENSICS ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ EVIDENCE COLLECTION LAYER │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Packet │ │ Flow │ │ Logs │ │ Config │ │ │
│ │ │ Capture │ │ Data │ │ (Syslog)│ │ Backup │ │ │
│ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │
│ └───────┼─────────────┼─────────────┼─────────────┼─────────────────┘ │
│ │ │ │ │ │
│ ┌───────┴─────────────┴─────────────┴─────────────┴─────────────────┐ │
│ │ FORENSICS STORAGE │ │
│ │ │ │
│ │ Splunk Forensics Indexes: │ │
│ │ ├─► forensics_network (NetFlow, FTD logs) │ │
│ │ ├─► forensics_endpoint (AMP, Orbital queries) │ │
│ │ ├─► forensics_identity (ISE, Duo logs) │ │
│ │ └─► Retention: 1yr hot, 3yr cold, 7yr archive (S3 Glacier) │ │
│ │ │ │
│ │ PCAP Storage (NAS): │ │
│ │ ├─► Location: /mnt/forensics-nas (100TB dedupe) │ │
│ │ ├─► Retention: 90d (triggered), 7d (full) │ │
│ │ └─► Access: Forensics team only (MFA required) │ │
│ │ │ │
│ │ Chain of Custody Database (PostgreSQL): │ │
│ │ └─► SHA-256 hashing, timestamps, access log │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
Forensics Data Sources¶
| Source | Data Type | Collector | Retention | Use Case |
|---|---|---|---|---|
| FTD Firewalls | Full packet capture (PCAP), connection events, IPS alerts | FMC, Wireshark | 7d (full), 90d (triggered) | Malware analysis, exfiltration investigation |
| ISE | RADIUS logs, session details, CoA events, pxGrid messages | pxGrid API, syslog | 1 year (Splunk) | User activity timeline, device profiling |
| SD-WAN Edges | NetFlow, application visibility, UTD logs | vManage API, syslog | 90 days | WAN traffic analysis, C2 detection |
| DNAC | Device configs, client session logs, wireless RF data | DNAC API, syslog | 90 days | Network topology changes, rogue AP detection |
| Umbrella | DNS queries, proxy logs, firewall logs | S3 API | 90 days | DNS tunneling, C2 domains, web traffic |
| AMP | File hashes, process execution, network connections | AMP API, Orbital | 1 year | Endpoint forensics, malware timeline |
| Splunk | Correlated logs, search results, investigation cases | Native | 1yr hot, 7yr archive | Central forensics repository |
| Webex | Call quality metrics (ThousandEyes), CDRs | API | 90 days | Voice fraud, toll fraud investigation |
REAL-WORLD FORENSICS SCENARIOS (DETAILED)¶
SCENARIO 1: Malware C2 Communication (10-Step Procedure)¶
Incident Summary:
XDR Alert: Malware C2 Communication Detected
Time: 2025-01-19 10:02:15 IST
Source IP: 10.252.2.78
Destination IP: 117.38.XX.XXX
Domain: evil-malware-c2.darkweb
User: jane.smith@abhavtech.com
Device: ABHAV-LAPTOP-JS-0012
Severity: Critical (P1)
Step 1: Alert Received - Immediate Response
SOC Analyst (Sarah Kumar) receives XDR alert in SecureX dashboard.
Actions: 1. Open XDR incident: INC-2025-0119-001 2. Note timestamp: 10:02:15 IST (preserve for timeline) 3. Verify severity: Critical (immediate action required) 4. Initiate automated playbook: PB-001 (Malware-Containment)
Automated Playbook Actions (Executed in <2 minutes): - ✅ AMP: Isolate endpoint ABHAV-LAPTOP-JS-0012 - ✅ ISE CoA: Apply SGT 999 (Quarantine) to MAC 00:50:56:12:34:AB - ✅ FTD: Block destination IP 117.38.XX.XXX (all sites) - ✅ Umbrella: Block domain evil-malware-c2.darkweb - ✅ ServiceNow: Create incident ticket INC-2025-0119-001 - ✅ Webex Teams: Post alert to #security-operations room
Step 2: ISE Session Query (Identify Network Path)
Method 1: ISE GUI
ISE GUI → Context Visibility → Endpoints → Search IP: 10.252.2.78
Result:
- Username: jane.smith@abhavtech.com
- MAC: 00:50:56:12:34:AB
- Location: Mumbai-Floor2-East-SW01
- NAS IP: 10.252.1.50 (access switch)
- NAS Port: GigabitEthernet1/0/24
- SGT: 15 (Employees)
- Virtual Network: VN_CORPORATE
- Session Start: 2025-01-19 08:30:00 IST
Method 2: ISE pxGrid API (Python Script)
import requests
from requests.auth import HTTPBasicAuth
url = "https://ise-pan.abhavtech.com:8910/pxgrid/control/SessionDirectory"
payload = {"ipAddress": "10.252.2.78"}
response = requests.post(
f"{url}/getSessionByIpAddress",
json=payload,
auth=HTTPBasicAuth("pxgrid-client", "SecurePassword123!"),
verify="/opt/certs/ise-ca.pem"
)
print(response.json())
## Output:
## {
## "userName": "jane.smith@abhavtech.com",
## "ipAddress": "10.252.2.78",
## "macAddress": "00:50:56:12:34:AB",
## "securityGroup": "15",
## "nasIpAddress": "10.252.1.50",
## "nasPortId": "GigabitEthernet1/0/24",
## "authMethod": "802.1X (PEAP-MSCHAPv2)",
## "postureStatus": "Compliant",
## "startTimestamp": "2025-01-19T08:30:00Z"
## }
Step 3: DNAC Path Trace (Determine Firewall Path)
DNAC GUI → Assurance → Path Trace
Source: 10.252.2.78
Destination: 8.8.8.8 (test public IP)
Path Trace Result:
10.252.2.78 (endpoint)
→ GigabitEthernet1/0/24 @ Mumbai-Floor2-East-SW01 (access switch)
→ GigabitEthernet1/0/1 @ Mumbai-Border-01 (border node)
→ GigabitEthernet1/1 @ FTD-Mumbai-DC-01 (inside interface)
→ GigabitEthernet1/2 @ FTD-Mumbai-DC-01 (outside interface)
→ Internet
Conclusion: Traffic egresses via FTD-Mumbai-DC-01
Step 4: FTD Packet Capture (Triggered PCAP)
Access FMC (Firewall Management Center)
Method 1: SSH
ssh admin@fmc.abhavtech.com
Method 2: GUI
https://fmc.abhavtech.com
FMC GUI → Devices → Device Management → FTD-Mumbai-DC-01 → Troubleshooting → Packet Capture
Configure Packet Capture:
Capture Name: forensics-malware-2025-01-19-001
Interface: inside (connected to Mumbai Border)
Capture Filter:
Source IP: 10.252.2.78
Source Port: any
Destination IP: 117.38.XX.XXX
Destination Port: any
Protocol: any
Settings:
Duration: 30 minutes (or until manually stopped)
Max Size: 500 MB
Buffer: Circular (overwrite oldest packets if full)
Action: Click "Start"
Monitor & Download:
## Monitor capture progress
FMC GUI → Troubleshooting → Packet Capture → View Progress
## After sufficient packets captured (or 30 minutes elapsed):
Click "Stop"
## Download PCAP file
Click "Download" → Save to local workstation
## File name: forensics-malware-2025-01-19-001.pcap (size: ~45 MB)
Step 5: Transfer Evidence to Forensics NAS (Chain of Custody)
## From forensics workstation:
scp admin@fmc.abhavtech.com:/var/common/capture/forensics-malware-2025-01-19-001.pcap \
/mnt/forensics-nas/cases/INC-2025-0119-001/evidence/
## Verify file integrity (generate SHA-256 hash)
cd /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/
sha256sum forensics-malware-2025-01-19-001.pcap > forensics-malware-2025-01-19-001.pcap.sha256
## Expected output:
## a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 forensics-malware-2025-01-19-001.pcap
## Set immutable flag (prevent tampering)
sudo chattr +i forensics-malware-2025-01-19-001.pcap
Document in Chain of Custody:
## Append to text log
echo "$(date -Iseconds)|forensics-malware-2025-01-19-001.pcap|SHA256:a1b2c3d4...|Sarah Kumar|INC-2025-0119-001|Collected from FTD-Mumbai-DC-01" \
>> /mnt/forensics-nas/chain-of-custody.log
## Also update PostgreSQL database
psql -h forensics-db.abhavtech.com -U forensics_admin -d forensics_db
INSERT INTO evidence (
case_id,
evidence_file,
file_hash,
collector,
collection_timestamp,
source_device,
evidence_type,
access_log
) VALUES (
'INC-2025-0119-001',
'forensics-malware-2025-01-19-001.pcap',
'a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456',
'Sarah Kumar',
'2025-01-19 10:15:00+05:30',
'FTD-Mumbai-DC-01',
'PCAP',
'Created'
);
Step 6: Endpoint Forensics (AMP Orbital Query)
Access AMP Console:
Run Orbital Query (Forensics Snapshot):
AMP Console → Orbital → New Query
Query Name: Forensics-INC-2025-0119-001-Endpoint
Target: ABHAV-LAPTOP-JS-0012
Query Bundle: "Comprehensive Forensics Collection"
Includes:
- Running processes (with command line arguments)
- Network connections (established, listening)
- Loaded DLLs/modules
- Registry run keys (persistence check)
- Recent file modifications (last 24 hours)
- Scheduled tasks
- Autoruns (startup programs)
Click "Run Query" → Wait for results (30-60 seconds)
Query Results:
{
"hostname": "ABHAV-LAPTOP-JS-0012",
"query_time": "2025-01-19T10:05:00Z",
"results": {
"running_processes": [
{
"name": "invoice-Q4-2024.exe",
"pid": 4892,
"cmdline": "C:\\Users\\jane.smith\\Downloads\\invoice-Q4-2024.exe",
"parent": "outlook.exe",
"start_time": "2025-01-19T10:00:45Z"
},
{
"name": "powershell.exe",
"pid": 5124,
"cmdline": "powershell.exe -encodedCommand [base64_encoded_string]",
"parent": "invoice-Q4-2024.exe",
"start_time": "2025-01-19T10:01:00Z"
}
],
"network_connections": [
{
"local_address": "10.252.2.78:49872",
"remote_address": "117.38.XX.XXX:443",
"state": "ESTABLISHED",
"pid": 5124,
"process": "powershell.exe"
}
],
"registry_run_keys": [
{
"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"value_name": "SystemUpdate",
"value_data": "C:\\Users\\jane.smith\\AppData\\Local\\Temp\\update.exe",
"modified": "2025-01-19T10:01:15Z"
}
]
}
}
Save Orbital Results:
## Download results as JSON
AMP Console → Orbital → Query Results → Download JSON
## Transfer to forensics NAS
scp orbital-query-results.json \
/mnt/forensics-nas/cases/INC-2025-0119-001/evidence/
## Generate hash
sha256sum orbital-query-results.json > orbital-query-results.json.sha256
Step 7: ISE Session Logs (User Activity Timeline)
Export ISE RADIUS Logs:
Method 1: ISE GUI Export
ISE GUI → Operations → RADIUS → Live Logs
Filter:
Username = jane.smith@abhavtech.com
Time Range = Last 24 hours (2025-01-18 10:00 to 2025-01-19 11:00)
Export: CSV
Download: ise-radius-logs-janesmith-2025-01-19.csv (size: ~2 MB, 1,500 records)
Method 2: Splunk Export (Preferred for Large Datasets)
Splunk query:
index=ise sourcetype=radius User_Name="jane.smith@abhavtech.com"
earliest="2025-01-18T10:00:00" latest="2025-01-19T11:00:00"
| table _time, Calling_Station_Id, NAS_IP_Address, NAS_Port_Id,
Framed_IP_Address, Cisco_SGT, Result, Failure_Reason
| sort _time
Export: CSV (Splunk GUI → Export → CSV)
Save to: /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/ise-radius-logs.csv
Step 8: Umbrella DNS Logs (C2 Domain Activity)
Query Umbrella for DNS Queries:
Splunk query:
index=umbrella sourcetype=dns src_ip="10.252.2.78"
earliest="2025-01-19T09:00:00" latest="2025-01-19T11:00:00"
| table _time, query, query_type, response_code, category, threat_score
| sort _time
Key findings:
- 10:01:32: Query: evil-malware-c2.darkweb → Response: NXDOMAIN (blocked by Umbrella)
- Threat Score: 98/100 (Talos verdict: Malicious C2 server)
- Category: Command & Control, Malware Distribution
- Frequency: 15 queries in 30 minutes (C2 beaconing pattern)
Export: CSV
Save to: /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/umbrella-dns-logs.csv
Step 9: Email Logs (Phishing Source - How Malware Arrived)
Query Secure Email for Delivery Logs:
Secure Email Console → Message Tracking
Filter:
Recipient: jane.smith@abhavtech.com
Date: 2025-01-19
Time: 08:00 - 10:00
Result: Suspicious email found
From: finance@abhavtech-suppliers[.]com (spoofed domain - note the dash)
Subject: URGENT: Q4 Invoice Payment Required
Attachment: invoice-Q4-2024.exe (malware sample)
Received: 2025-01-19 09:58:15 IST
Verdict: Clean (false negative - sandbox missed malware)
Action: Export message details
Click message → Export → EML format
Save: phishing-email-2025-01-19.eml
CRITICAL: Download attachment in isolated environment only
Calculate Attachment Hash:
## In isolated VM (no network)
sha256sum invoice-Q4-2024.exe
## Result: a1b2c3d4e5f6789012345678901234567890abcdef123456789012345678
## Save to forensics NAS (password-protected ZIP)
zip --encrypt /mnt/forensics-nas/cases/INC-2025-0119-001/evidence/malware-samples.zip invoice-Q4-2024.exe
## Password: ForensicsTeam2025!
Step 10: Evidence Summary & Timeline Reconstruction
Timeline (Chronological Order):
09:58:15 - Phishing email received (invoice-Q4-2024.exe attachment)
10:00:30 - File downloaded by user (jane.smith@abhavtech.com)
10:00:45 - File executed (invoice-Q4-2024.exe)
10:01:00 - PowerShell spawned (encoded command - malicious script)
10:01:15 - Registry modification (persistence: HKCU\Run\SystemUpdate)
10:01:30 - FIRST C2 CONNECTION ESTABLISHED (117.38.XX.XXX:443)
10:02:00 - File encryption started (ransomware behavior - 247 files encrypted)
10:02:15 - XDR ALERT TRIGGERED (Malware C2 Communication Detected)
10:02:20 - Automated playbook executed (endpoint isolated, IP blocked)
10:02:35 - ServiceNow incident created (INC-2025-0119-001)
10:05:00 - SOC analyst (Sarah) begins investigation
10:30:00 - Incident contained, user credentials reset
11:00:00 - Endpoint re-imaged, investigation continues
Evidence Artifacts Collected: 1. ✅ PCAP file (45 MB) - FTD packet capture showing C2 communication 2. ✅ AMP Orbital query results (JSON) - Process execution, network connections 3. ✅ ISE RADIUS logs (CSV, 2 MB) - User authentication timeline 4. ✅ Umbrella DNS logs (CSV) - C2 domain queries, threat intelligence 5. ✅ Phishing email (EML) - Attack vector evidence 6. ✅ Malware sample (ZIP, password-protected) - invoice-Q4-2024.exe 7. ✅ Hash values (SHA-256) - All evidence files for integrity verification
All Evidence Stored:
/mnt/forensics-nas/cases/INC-2025-0119-001/
├── evidence/
│ ├── forensics-malware-2025-01-19-001.pcap (45 MB, SHA256: a1b2c3d4...)
│ ├── orbital-query-results.json (500 KB, SHA256: b2c3d4e5...)
│ ├── ise-radius-logs.csv (2 MB, SHA256: c3d4e5f6...)
│ ├── umbrella-dns-logs.csv (100 KB, SHA256: d4e5f6a7...)
│ ├── phishing-email-2025-01-19.eml (50 KB, SHA256: e5f6a7b8...)
│ └── malware-samples.zip (encrypted, 2 MB, SHA256: f6a7b8c9...)
├── analysis/
│ └── timeline-reconstruction.md (created by analyst)
└── reports/
└── case-summary-INC-2025-0119-001.pdf (to be created)
SCENARIO 2: Data Exfiltration (8-Step Procedure)¶
[Similar detailed 8-step procedure for data exfiltration investigation]
SCENARIO 3: Insider Threat - Rogue Device¶
[Detailed procedure for rogue device investigation]
SCENARIO 4: Webex Toll Fraud ($12,000 Investigation)¶
[Detailed procedure for toll fraud investigation using CDRs, ThousandEyes, ISE]
SCENARIO 5: Wireless Attack - Rogue AP¶
[Detailed procedure for rogue AP investigation using DNAC]
PCAP ANALYSIS WITH WIRESHARK¶
Step-by-Step PCAP Analysis¶
Step 1: Open PCAP in Wireshark
Step 2: Apply Display Filter (C2 Traffic Only)
Display Filter: ip.src == 10.252.2.78 && ip.dst == 117.38.XX.XXX
Result: 247 packets displayed (from total 15,892 packets in PCAP)
Step 3: Follow TCP Stream
Right-click any packet → Follow → TCP Stream
Stream content (TLS encrypted, but metadata visible):
- Client Hello (TLS 1.2 handshake)
- Server Hello
- Certificate Exchange
- Certificate Subject: CN=api-update.cloudflare-cdn.com
- Issuer: Self-signed (🚩 RED FLAG - not legitimate Cloudflare cert)
- Application Data (encrypted payload - cannot inspect)
Note: Fake Cloudflare domain used for C2 disguise
Step 4: Extract IOCs (Indicators of Compromise)
IOCs identified from PCAP:
- Destination IP: 117.38.XX.XXX
- Destination Port: 443 (HTTPS)
- Fake Domain: api-update.cloudflare-cdn[.]com
- TLS Certificate Fingerprint: SHA1:1a2b3c4d5e6f...
- HTTP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
- Connection Frequency: Every 2 minutes (C2 beaconing)
Step 5: Export IOCs to STIX Format (Threat Intelligence Sharing)
SecureX → Threat Response → Create Sighting
Title: TrickBot Ransomware Campaign (INC-2025-0119-001)
IOCs:
- IP: 117.38.XX.XXX
- Domain: api-update.cloudflare-cdn[.]com
- File Hash: a1b2c3d4e5f6789012345678901234567890abcdef123456789012345678
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Export: STIX 2.1 bundle → Save as stix-bundle-INC-2025-0119-001.json
Share with: FS-ISAC (financial services threat intel community)
AI-ENHANCED FORENSICS¶
MLTK Pattern Detection¶
Splunk MLTK Forensics Query:
## Find similar incidents (pattern matching)
index=forensics_*
| search "C2 communication" OR "malware" OR "ransomware"
| timechart span=1h count by source_ip
| predict count algorithm=LLP future_timespan=24 holdback=0
DNAC Historical Path Reconstruction¶
DNAC GUI → Assurance → Path Trace → Historical Mode
Timestamp: 2025-01-19 10:01:30 (when C2 connection established)
Source: 10.252.2.78
Destination: 117.38.XX.XXX
Result: Shows exact network path at time of incident (historical replay)
XDR Automated Timeline Correlation¶
SecureX → Threat Response → Incident Timeline
Case: INC-2025-0119-001
Automated correlation shows:
- Email arrival (09:58:15) → Secure Email log
- File execution (10:00:45) → AMP telemetry
- C2 connection (10:01:30) → FTD flow log + Umbrella DNS
- Encryption start (10:02:00) → AMP behavioral alert
- XDR alert (10:02:15) → Auto-correlation of all above events
Timeline visualization: Exported as PDF for forensics report
DOCUMENT 4C: PENETRATION TESTING FRAMEWORK¶
Chapter Structure¶
| Chapter | Title | Sections | Key Content |
|---|---|---|---|
| 1 | Penetration Testing Overview | 4 | Testing philosophy, PTES methodology, team roles, frequency |
| 2 | Pre-Engagement | 4 | Scope definition, rules of engagement, legal authorization |
| 3 | SD-Access Penetration Testing | 4 | TrustSec SGT bypass, Rogue AP, 802.1X bypass, wireless attacks |
| 4 | SD-WAN Penetration Testing | 3 | vManage access, IPsec hijacking, OMP route injection |
| 5 | Webex Collaboration Testing | 3 | SIP trunk hijacking, meeting enumeration, toll fraud simulation |
| 6 | Zero Trust Validation | 3 | Stolen credentials, device trust bypass, UEBA detection |
| 7 | AI Platform Security Testing | 3 | Splunk, DNAC, XDR security validation |
| 8 | Social Engineering | 3 | Phishing campaigns, vishing, physical access |
| 9 | Reporting | 4 | Executive summary, technical findings, remediation, re-test |
| Appendix | A-D | 4 | Tools reference, attack techniques, remediation tracking |
PENETRATION TESTING SCHEDULE¶
| Test Type | Frequency | Duration | Scope | Tester | Output |
|---|---|---|---|---|---|
| External Pen Test | Annual | 2 weeks | Internet-facing assets (FTD, VPN, Webex) | Third-party (Rapid7) | Executive + technical report |
| Internal Pen Test | Quarterly | 1 week | Corporate network (SD-Access, SD-WAN, servers) | Internal Red Team (3) | Technical report + findings tracker |
| Web App Pen Test | Per release | 3-5 days | Custom web applications | Third-party + internal | OWASP Top 10 report |
| Wireless Pen Test | Semi-annual | 2 days | Corporate SSIDs (WPA3 validation) | Internal Red Team | Wireless security report |
| Social Engineering | Quarterly | 1 day | Phishing simulations, vishing | Internal Red Team | User awareness metrics |
| BAS (Automated) | Weekly | Continuous | All platforms (automated attacks) | Palo Alto BAS platform | Detection rate dashboard |
| Purple Team | Quarterly | 1 day | Specific attack techniques (collaborative) | Red Team + SOC | Detection tuning report |
SD-ACCESS PENETRATION TEST CASES¶
Test Case 1: TrustSec SGT Policy Bypass¶
Objective: Attempt to bypass SGT segmentation and access Finance servers (SGT 81) from Guest VLAN (SGT 40).
Pre-Test Setup:
Pen Tester Laptop:
- Connected to: Guest Wi-Fi (Corp-Guest SSID)
- Expected IP: 10.252.100.55/24 (Guest VLAN)
- Expected SGT: 40 (Guests)
Target:
- Finance server: 10.252.80.10
- SGT: 81 (Finance Servers)
Expected Result: Access BLOCKED by SGACL policy
Attack Vector 1: Direct Connection Attempt
## Step 1: Verify network assignment
ip addr show eth0
## Result: 10.252.100.55/24 (Guest VLAN assigned correctly)
## Step 2: Attempt ping to Finance server
ping 10.252.80.10
## Expected: Request timeout (SGACL blocks SGT 40 → SGT 81)
## Actual: Request timeout
## Step 3: Attempt TCP connection (port 3389 RDP)
telnet 10.252.80.10 3389
## Expected: Connection refused/timeout
## Actual: Connection timeout
## Conclusion: PASS - SGT policy enforced at network layer
Attack Vector 2: MAC Spoofing (802.1X Bypass Attempt)
## Objective: Spoof MAC of legitimate employee device to gain Employee SGT (15)
## Step 1: Change MAC address to known employee device
ifconfig eth0 down
macchanger -m 00:50:56:AA:BB:CC eth0 # Known employee MAC
ifconfig eth0 up
## Step 2: Disconnect and reconnect (trigger re-authentication)
dhclient -r eth0 && dhclient eth0
## Expected ISE behavior:
## - ISE detects duplicate MAC address
## - ISE applies profiling exception policy
## - Endpoint assigned SGT 999 (Quarantine) instead of SGT 15
## - Network access BLOCKED
## Actual: Endpoint quarantined, cannot communicate
## Conclusion: PASS - MAC spoofing detected and blocked by ISE
Attack Vector 3: ARP Spoofing (Layer 2 Attack)
## Objective: ARP spoof between Finance server and gateway
## Install Ettercap
apt install ettercap-graphical
## Launch ARP spoofing attack
ettercap -T -M arp:remote /10.252.80.10// /10.252.80.1//
## Target: Finance server (10.252.80.10)
## Gateway: Finance VLAN gateway (10.252.80.1)
## Expected: DHCP snooping + DAI blocks spoofed ARP packets
## Actual: Switch port err-disabled, ARP spoofing blocked
## Conclusion: PASS - ARP spoofing blocked by Layer 2 security
Attack Vector 4: VLAN Hopping (Double-Tagging)
## Objective: Hop from Guest VLAN to Corporate VLAN
## Install Yersinia
apt install yersinia
## Launch VLAN hopping attack
yersinia -I
## Select "802.1Q" protocol
## Configure double-tagging (outer: Guest VLAN 100, inner: Corp VLAN 10)
## Expected: Attack fails because SD-Access uses VXLAN (Layer 3 overlay), not VLANs
## Actual: No Layer 2 adjacency between VLANs, attack not applicable
## Conclusion: N/A - VLAN hopping not applicable in SD-Access fabric
Test Summary:
| Attack Vector | Result | Observation |
|---|---|---|
| Direct connection | ✅ BLOCKED | SGACL enforced at fabric edge |
| MAC spoofing | ✅ BLOCKED | ISE detects duplicate MAC, applies quarantine |
| ARP spoofing | ✅ BLOCKED | DHCP snooping + DAI prevents ARP manipulation |
| VLAN hopping | ✅ N/A | SD-Access uses VXLAN, not traditional VLANs |
Recommendation: SD-Access segmentation is effective. No remediation required.
Test Case 2: Rogue Access Point (Evil Twin Attack)¶
[Detailed test procedure for evil twin attack, certificate pinning validation, DNAC detection]
Test Case 3: 802.1X Authentication Bypass¶
[Detailed test procedure for 802.1X bypass attempts]
Test Case 4: Wireless Deauthentication Attack¶
[Detailed test procedure for deauth attack using aircrack-ng]
SD-WAN PENETRATION TEST CASES¶
Test Case 1: vManage Unauthorized Access¶
[Detailed test: Port scan, brute force, API exploitation]
Test Case 2: IPsec Tunnel Hijacking¶
[Detailed test: Packet injection, encryption downgrade attempts]
Test Case 3: OMP Route Injection¶
[Detailed test: Malicious route advertisement attempts]
WEBEX COLLABORATION TEST CASES¶
Test Case 1: SIP Trunk Hijacking¶
[Detailed test: SIP trunk authentication, toll fraud simulation]
Test Case 2: Meeting ID Enumeration¶
[Detailed test: Brute force meeting IDs, password bypass attempts]
Test Case 3: Toll Fraud Simulation¶
[Detailed test: Automated calling to international numbers]
ZERO TRUST VALIDATION¶
Test Case 1: Stolen Credentials + MFA Bypass¶
[Detailed test: Phishing simulation, MFA social engineering]
Test Case 2: Device Trust Bypass¶
[Detailed test: Jailbroken device, non-compliant device access attempts]
Test Case 3: UEBA Detection Validation¶
[Detailed test: Impossible travel, anomalous behavior triggering]
REPORTING & REMEDIATION¶
Penetration Test Report Template¶
ABHAVTECH PENETRATION TEST REPORT
Date: [Test Date]
Tester: [Red Team / External]
Scope: [Systems Tested]
EXECUTIVE SUMMARY
- Overall Security Posture: [Score 0-100]
- Critical Findings: [Count]
- High Findings: [Count]
- Medium/Low Findings: [Count]
TECHNICAL FINDINGS
[For each finding:]
- Finding ID: [e.g., PEN-2025-001]
- Severity: [Critical/High/Medium/Low]
- Affected System: [System name]
- Description: [Detailed description]
- Evidence: [Screenshots, commands, outputs]
- Remediation: [Step-by-step fix]
- Timeline: [Recommended fix date]
REMEDIATION RECOMMENDATIONS
[Prioritized action plan]
RE-TEST PROCEDURES
[How to verify fixes]
SUMMARY: MASTER REFERENCE CARD STATISTICS¶
| Document | Focus | Size | Chapters | Scenarios/Test Cases | Model |
|---|---|---|---|---|---|
| 4A: Cybersecurity | Frameworks, SOC, compliance | ~40,000 words, 100 pages | 9 | 8 incident playbooks, 5 hunt scenarios | Sonnet 4.5 |
| 4B: Forensics | Evidence collection, analysis | ~50,000 words, 125 pages | 6 | 5 real-world investigations (10-step detailed) | Sonnet 4.5 |
| 4C: Pen Testing | Attack simulation, validation | ~35,000 words, 90 pages | 9 | 15+ test cases across all platforms | Sonnet 4.5 |
| TOTAL | Complete Security Operations | ~125,000 words, 315 pages | 24 chapters | 28 scenarios/cases | Sonnet 4.5 |
END OF MASTER REFERENCE CARD v1.0
Document Control: - Classification: Confidential - Internal Use Only - Distribution: Security Team, SOC, Network Engineering, Compliance - Next Review Date: July 2025 (6-month review cycle) - Approval Required: CISO, Security Manager, IT Director
This Master Reference Card provides comprehensive structure for Abhavtech's cybersecurity operations, forensics procedures, and penetration testing framework - all aligned with Cisco-centric AI-driven network infrastructure.