Purpose: Ensure comprehensive monitoring of all sensitive groups with diverse rule sets.
Check the List: Review all group types to confirm monitoring coverage.
Approve or Update: Identify and mark sensitive groups for enhanced monitoring.
Why Important: Cyray’s SIEM system relies on it, facilitating broader monitoring.
Set privileged groups to sensitive monitoring
The purpose of this guide is to explain the term “monitoring privileged groups” and to show how to customise the set of sensitive groups according to your organization’s preferences.
Privileged groups typically include users or accounts that have elevated permissions, granting them access to sensitive systems, data, or administrative functionalities.
Examples of such groups are:
Administrators: Users with administrative privileges on systems, databases, or applications.
Root Users: On Unix-based systems, the root user has the highest level of administrative access.
Domain Administrators: In Windows Active Directory environments, these users have extensive control over the domain and its resources.
Database Administrators (DBAs): Users with elevated privileges on databases, often capable of managing database configurations, schemas, and security settings.
Network Administrators: Users with control over network infrastructure and configurations.
Service Accounts: Accounts used by applications or services to interact with other systems, often with elevated privileges.
C-level Executives: Top-level executives with access to sensitive business information.
Security Administrators: Users responsible for managing security-related aspects of the organization's IT infrastructure.
VIP Users: Users in high-importance roles or public figures (managers, CEO, CTO) who are likely to be significant targets for an attacker.
Ensure thorough surveillance of all sensitive groups by employing diverse rule sets to cover changes that could precipitate various types of attacks, thereby achieving comprehensive protection.
Follow this path to generate a report for the entities configured in your environment:
/All Reports/Mobula/Enrichment & Inventory/Groups/Privileged Groups Inventory
Please review your entity's report and send it to the responsible reviewer (your SOC team / platform manager) so that they can check whether all the sensitive groups are monitored on the system.
To add a group to monitoring, add the group name exactly as it appears in the entity's AD to the following active list:
/All Active Lists/Mobula/Enrichment & Inventory/Groups/Monitoring Groups
Generate a report of privileged groups using the Mobula application and inform your SOC team / platform manager whether all of your sensitive groups are listed in the report.
If the information listed in the report is correct, use Update Task to set the task to the “Complete” stage.
To access the report, follow the steps:
Go to the Options menu
Check List
Privileged Groups
Related Report
Generate a report (the report will be sent to your email)
To Update the task:
Go to the Options menu
Check List
Privileged Groups
Task Update
Choose the status and click save.
Include monitoring for all privileged groups, starting with default ones and extending to the most critical groups essential for organizational functioning.
Security: Privileged accounts are attractive targets for attackers. Monitoring their activities helps detect suspicious behaviour or potential unauthorized access.
Compliance: Many industry regulations (e.g., PCI DSS, HIPAA) require organizations to monitor and audit privileged access for compliance purposes.
Incident Response: In the event of a security incident or data breach, monitoring privileged groups can provide valuable insights into the attack vectors and help with incident response efforts.
In conclusion, ensuring comprehensive monitoring of privileged groups is paramount for maintaining the security posture of any organization. By reviewing and customizing sensitive group settings, organizations can proactively identify and respond to potential security threats. Cyray’s SIEM system relies on this meticulous monitoring to facilitate broader threat detection and provide robust protection against various forms of attacks. By following the guidelines outlined in this document, organizations can enhance their security posture and safeguard sensitive systems, data, and resources from unauthorized access or malicious activities.
A honeypot user is a decoy account created to attract and detect unauthorized access or malicious activity within your network. This technique is used to gather information about potential attackers and their methods, providing valuable insights into security threats.
Detect unauthorized access attempts.
Identify potential security vulnerabilities.
Gather intelligence on attacker behavior and techniques.
Enhance overall network security by proactively monitoring for malicious activity.
Define Objectives: Clearly outline what you aim to achieve with the honeypot user (e.g., detecting unauthorized access, gathering threat intelligence).
Select the Environment: Decide where the honeypot user will be placed (e.g., specific servers, directories, or applications).
User Account Details: Create the honeypot user with realistic and enticing attributes.
Username: Choose a username that appears legitimate but interesting enough to attract attention (e.g., admin_backup, finance_reports).
Password: Use a weak or commonly guessed password to make the account more attractive to attackers.
Access Permissions: Assign permissions that are realistic for the type of user being mimicked, but ensure they do not grant critical access that could harm the network.
Profile Details: Fill out profile information to make the user appear authentic (e.g., email address, job title, department).
Placement: Position the honeypot user in strategic locations within the network where unauthorized access is likely to occur.
Integration: Ensure the honeypot user is integrated with existing monitoring and logging systems.
Logging: Enable detailed logging for all activities related to the honeypot user.
Log login attempts, successful logins, access to sensitive files or directories, and any changes made by the honeypot user.
Alerts: Set up alerts for any suspicious activity involving the honeypot user.
Unusual login times, multiple failed login attempts, or access to high-value resources should trigger immediate alerts.
Data Collection: Regularly collect and analyze data from the honeypot user.
Identify patterns in access attempts and behavior.
Threat Intelligence: Use the gathered data to understand attacker methods and tools.
Reporting: Generate regular reports summarizing findings from the honeypot user activity.
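The logging, alerting and data-collection steps above can be expressed as one small detection routine. The following is an added example, not code from the original checklist or from Cyray's/Mobula's product: it parses constructed Windows Security events for the decoy accounts (usernames in the style the guide suggests, a pipe-separated line format and the business-hours window are all assumptions), raises an alert on every touch of a honeypot account, escalates repeated failed logons within a sliding window, and tags activity outside business hours. The event IDs are the standard Windows Security IDs (4624 logon success, 4625 logon failure, 4663 object access).

```python
"""Honeypot-account activity detector over Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy accounts (constructed names; must never exist as real users).
HONEYPOT_USERS = {"admin_backup", "finance_reports"}
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time is "normal" (assumption)
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample events: "time|event_id|user|host|detail", one per line.
SAMPLE_EVENTS = """\
2024-03-04T09:12:01|4625|jsmith|WS-017|bad password
2024-03-04T23:41:10|4625|admin_backup|WS-042|bad password
2024-03-04T23:41:15|4625|admin_backup|WS-042|bad password
2024-03-04T23:41:22|4625|admin_backup|WS-042|bad password
2024-03-04T23:42:05|4624|admin_backup|WS-042|logon type 3
2024-03-04T23:43:30|4663|admin_backup|FS-01|share finance/payroll.xlsx
2024-03-05T10:05:00|4624|jsmith|WS-017|logon type 2
"""


def parse_events(text):
    """Turn the pipe-separated lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, host, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "user": user, "host": host, "detail": detail})
    return events


def detect_honeypot_activity(events):
    """Return one alert per honeypot-related event, ordered by time.

    Nobody legitimate uses a decoy account, so every event is an alert; the
    severity expresses how far the attacker got (success > repeated failure).
    """
    alerts = []
    failures = defaultdict(list)            # (user, host) -> recent failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"] not in HONEYPOT_USERS:
            continue
        base = {"user": ev["user"], "host": ev["host"], "time": ev["time"].isoformat()}
        if ev["event_id"] == 4624:
            alert = {**base, "severity": "critical", "reason": "successful logon to honeypot account"}
        elif ev["event_id"] == 4663:
            alert = {**base, "severity": "critical",
                     "reason": f"honeypot account accessed {ev['detail']}"}
        elif ev["event_id"] == 4625:
            window = failures[(ev["user"], ev["host"])]
            window.append(ev["time"])
            # Keep only failures inside the sliding window before counting.
            window[:] = [t for t in window if ev["time"] - t <= FAILED_LOGON_WINDOW]
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alert = {**base, "severity": "high",
                         "reason": f"{len(window)} failed logons within {FAILED_LOGON_WINDOW}"}
            else:
                alert = {**base, "severity": "medium", "reason": "failed logon to honeypot account"}
        else:
            alert = {**base, "severity": "low", "reason": f"event {ev['event_id']} on honeypot account"}
        if ev["time"].hour not in BUSINESS_HOURS:
            alert["reason"] += " (outside business hours)"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_honeypot_activity(parse_events(SAMPLE_EVENTS)):
        print(a["severity"].upper(), a["time"], a["user"], a["host"], a["reason"])
```

The sliding window is keyed per user and host so that a slow spray across many hosts does not hide below the threshold on any single one; the per-user total is still visible because every failure produces its own medium alert.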
Isolation: Ensure the honeypot user is isolated from critical systems to prevent any potential damage if the account is compromised.
Realism: Make the honeypot user as realistic as possible to effectively attract attackers.
Regular Updates: Update the honeypot user profile periodically to maintain its attractiveness and relevance.
Legal Considerations: Be aware of legal and ethical considerations when deploying honeypot users. Ensure compliance with local laws and regulations.
Continuous Monitoring: Continuously monitor the honeypot user for any signs of unauthorized access or malicious activity.
Incident Response: Have a clear incident response plan in place for when malicious activity is detected.
Contain and analyze the threat.
Take appropriate actions to mitigate risks and prevent future incidents.
Review and Refine: Regularly review the effectiveness of the honeypot user and refine the setup based on gathered intelligence and evolving threats.
Community Collaboration: Share insights and findings with the broader security community to contribute to collective knowledge and defense strategies.
Creating a honeypot user is an effective strategy to enhance network security by detecting unauthorized access and gathering valuable threat intelligence. By following best practices and continuously monitoring and analyzing the honeypot user, organizations can proactively defend against malicious activities and improve their overall security posture.
Purpose: Ensure comprehensive monitoring of all VIP groups with diverse rule sets.
Check the List: Review VIP groups to confirm monitoring coverage.
Approve or Update: Identify and mark VIP groups for enhanced monitoring.
Why Important: Cyray’s SIEM system relies on it, facilitating broader monitoring.
Set VIP groups to sensitive monitoring
VIP groups typically consist of individuals who have high influence, access to sensitive information, or significant responsibilities. This group might include top executives, board members, key decision-makers, or individuals with access to critical resources.
Monitoring these groups closely is just as important as monitoring individual VIP users.
Define your organization's VIP groups and add them to Cyray’s system via the Mobula app or via ESM so that they are monitored as sensitive groups for suspicious activity.
A group can be added to several monitoring options at the same time.
Ensure thorough surveillance of all VIP groups by employing diverse rule sets to cover changes that could precipitate various types of attacks, thereby achieving comprehensive protection.
Follow this path to generate a report for the entities configured in your environment:
/All Reports/Mobula DEV/VIP Groups Inventory
Please review your entity's report and send it to the responsible reviewer (your SOC team / platform manager) so that they can check whether all the VIP groups are monitored on the system.
Generate a report of VIP groups using the Mobula application and inform your SOC team / platform manager whether all of your VIP groups are listed in the report.
If the information listed in the report is correct, use Update Task to set the task to the “Complete” stage.
To access the report, follow the steps:
Go to the Options menu
Check List
VIP Groups
Related Report
Generate a report (the report will be sent to your email)
To Update the task:
Go to the Options menu
Check List
VIP Groups
Task Update
Choose the status and click save.
Include monitoring for all VIP groups, starting with default ones and extending to the most critical groups essential for organizational functioning such as executives, board members, key decision-makers, or individuals with access to critical resources.
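The two checklists above (privileged groups and VIP groups) both come down to the same two activities: keep the monitoring list complete, and run several rule types over group-change events for every group on it. The following is an added example that is not part of the original guide nor Cyray's/Mobula's code. It models the monitoring list as a plain dict, runs a small rule set (member added, member removed, group modified) over constructed Windows Security group-management events, and performs the "check the list" step by comparing a constructed privileged-groups inventory against the monitored set. Group names, users and events are constructed; the event IDs are the standard Windows IDs for security-group changes.

```python
"""Sensitive-group change rules plus a monitoring-coverage check (added example)."""

# Mirrors the "Monitoring Groups" active list: group name exactly as in AD -> category.
MONITORED_GROUPS = {
    "Domain Admins": "privileged",
    "Enterprise Admins": "privileged",
    "DBA-Prod": "privileged",
    "Executives": "vip",
    "Board-Members": "vip",
}

# Default AD groups that should always be on the list (the "starting with default ones" step).
DEFAULT_PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Rule set: Windows event id -> (rule name, base severity).
GROUP_RULES = {
    4728: ("member added to global group", "high"),
    4732: ("member added to local group", "high"),
    4756: ("member added to universal group", "high"),
    4729: ("member removed from global group", "medium"),
    4733: ("member removed from local group", "medium"),
    4757: ("member removed from universal group", "medium"),
    4735: ("local group modified", "medium"),
    4737: ("global group modified", "medium"),
    4755: ("universal group modified", "medium"),
}

# Constructed events (a real collector would fill these from the Security log).
SAMPLE_EVENTS = [
    {"event_id": 4728, "group": "Domain Admins", "member": "svc-backup", "actor": "jdoe"},
    {"event_id": 4728, "group": "Helpdesk", "member": "asmith", "actor": "jdoe"},
    {"event_id": 4756, "group": "Executives", "member": "contractor01", "actor": "itops"},
    {"event_id": 4729, "group": "DBA-Prod", "member": "dba_lee", "actor": "dba_lee"},
    {"event_id": 4737, "group": "Domain Admins", "member": None, "actor": "jdoe"},
    {"event_id": 4624, "group": None, "member": None, "actor": "jdoe"},  # not a group event
]

# Constructed output of a "Privileged Groups Inventory" style report.
SAMPLE_INVENTORY = ["Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "DBA-Prod", "Helpdesk"]


def evaluate_group_events(events, monitored=MONITORED_GROUPS):
    """Apply every rule to every event; alert only for groups on the monitoring list."""
    alerts = []
    for ev in events:
        rule = GROUP_RULES.get(ev["event_id"])
        if rule is None or ev["group"] not in monitored:
            continue
        name, severity = rule
        category = monitored[ev["group"]]
        # VIP groups get the escalated rule set: removals and edits count as high too.
        if category == "vip" and severity == "medium":
            severity = "high"
        alert = {"group": ev["group"], "category": category, "rule": name,
                 "severity": severity, "actor": ev["actor"], "member": ev["member"]}
        if ev["member"] is not None and ev["actor"] == ev["member"]:
            alert["note"] = "actor is the affected member"
        alerts.append(alert)
    return alerts


def coverage_gaps(inventory, monitored=MONITORED_GROUPS):
    """The 'check the list' step: what the inventory shows that monitoring does not cover."""
    unmonitored = sorted(g for g in inventory if g not in monitored)
    missing_default = sorted(g for g in unmonitored if g in DEFAULT_PRIVILEGED_GROUPS)
    return {"missing_default": missing_default, "unmonitored": unmonitored}


if __name__ == "__main__":
    for a in evaluate_group_events(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["category"], a["group"], a["rule"], a.get("note", ""))
    print(coverage_gaps(SAMPLE_INVENTORY))
```

Groups are matched by exact name, which is why the guide insists on entering the name as it appears in AD; a group that is only in the inventory (here "Helpdesk") produces no alert at all until someone adds it to the list, and the coverage check is what surfaces that silence.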
Security: VIP accounts are attractive targets for attackers. Monitoring their activities helps detect suspicious behaviour or potential unauthorized access.
Compliance: Many industry regulations (e.g., PCI DSS, HIPAA) require organizations to monitor and audit VIP access for compliance purposes.
Incident Response: In the event of a security incident or data breach, monitoring VIP groups can provide valuable insights into the attack vectors and help with incident response efforts.
In conclusion, robust monitoring of VIP groups is essential for maintaining the security and integrity of organizational systems and data. By carefully reviewing and identifying VIP groups for enhanced monitoring, organizations can proactively detect and respond to potential security threats. Cyray’s SIEM system relies on this meticulous monitoring to facilitate broader threat detection and ensure comprehensive protection against various forms of attacks. By following the guidelines outlined in this document and implementing diverse rule sets, organizations can strengthen their security posture and safeguard sensitive information from unauthorized access or malicious activities.