Cybersecurity

Data and network security. Information technology.


I Wayan Pio Pratama, M.Kom.

Imagine
Security is about preparation. Imagine yourself taking a math
exam. You prepare not only physically but also mentally to get through
the exam. You prepare some tools like a pencil, an eraser, and a pen,
and you prepare the concepts and materials. You could also prepare
by doing light physical exercise to refresh your body. Cybersecurity
is no different.

1. Definition
The practice of ensuring the confidentiality, integrity, and
availability of information (CIA) by protecting
networks, devices, people, and data from
unauthorized access or criminal exploitation.

2. Cybersecurity Analyst
Responsibility:
• Protecting computer and network systems
• Installing prevention software
• Conducting periodic security audits

Question
This practice will help the student to remember what we have
learned step by step.

1. Please explain what security is and try to define it!
2. What is the responsibility of cybersecurity?

Cybersecurity
Reasons
There must be a motive behind the surge in cybersecurity problems!

• The rapid development of digitalization:
mobile banking, e-commerce, electronic data interchange (EDI)
• Decentralized servers require many human resources that cannot be provided
• Shift from a single vendor to multiple vendors
• Weak regulation and law enforcement
• System complexity
• Lack of network security
• Malicious software, or misuse of software

Terms and
Concepts
There are many terms and concepts related to cybersecurity. Being
familiar with them gives us better skills to identify the threats
that can harm organizations and people alike. A security analyst
focuses on monitoring networks for breaches. They also help to
develop strategies to secure the organization and research IT security
trends to remain alert and informed about potential threats.
Additionally, an analyst works to prevent incidents.

Key Concepts
• Compliance
• Security frameworks
• Security controls
• Security posture
• Threat actor
• Internal threat
• Network security
• Cloud security
• Programming

Question
This practice will help the student to remember what we have
learned step by step. It also lets the student proactively
find out the meaning of the key concepts in cybersecurity.

1. Explain the key concepts that a security analyst must know!

Question
This practice requires the student to find information without the material
being provided. This trains them to search for information
actively and independently.

1. Please find a classification of cybersecurity!
2. Find the characteristics of an intruder and
explain the phases of a hacker!

End of Part 1
By the end of this part the students are expected to understand the
concept of cybersecurity and know the formal definition of
cybersecurity. The student should also be able to explain the
responsibilities of a security analyst and know the terms and key
concepts of cybersecurity. Students also learn the motive behind the
surge of security problems and the threat actors in the cybersecurity
world.

1. Please explain what you have learned so far.
Key Concept
• Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.
• Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.
• Security posture is an organization’s ability to manage its defense of critical assets and data and react to change.
• Threat actor is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
• Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks.
• Network security is the practice of keeping an organization's network infrastructure secure from unauthorized access.
• Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users.
Cybersecurity Professionals
• Skills
Transferable skills:
Communication, Problem Solving, Time Management, Growth Mindset, Diverse Perspectives

• Technical skills:
Programming Languages, Security Information and Event Management (SIEM) Tools, Intrusion Detection Systems (IDSs), Threat Landscape Knowledge, Incident Response

Common Attacks and Their Effectiveness
Phishing
• BEC
• Spear Phishing
• Whaling
• Vishing
• Smishing

Malware
• Virus
• Worm
• Ransomware
• Spyware

Social Engineering
• Social Media Phishing
• Watering Hole Attack
• USB Baiting
• Physical Social Engineering

Why is Social Engineering Effective?
• Authority
• Intimidation
• Consensus/Social Proof
• Scarcity
• Familiarity
• Trust
• Urgency
CISSP (Certified Information Systems Security
Professional)
CISSP has defined eight domains to organize the work of security professionals. (2022)
Threat Actor Type
• Advanced persistent threats
 Damaging critical infrastructure, such as the power grid and natural resources
 Gaining access to intellectual property, such as trade secrets or patents
• Insider threats
 Sabotage
 Corruption
 Espionage
 Unauthorized data access or leaks
• Hacktivists
 Demonstrations
 Propaganda
 Social change campaigns
 Fame

Hacker
A hacker is any person who uses computers to gain access to computer systems, networks, or data.
They can be beginner or advanced technology professionals who use their skills for a variety of
reasons. There are three main categories of hackers:
• Authorized hackers are also called ethical hackers.
• Semi-authorized hackers are considered researchers.
• Unauthorized hackers are also called unethical hackers.
Security Frameworks, PII & SPII
Security frameworks are guidelines used for building plans to help mitigate risks and threats to
data and privacy.
Purpose of Security Frameworks
1. Protecting PII
2. Securing financial information
3. Identifying security weaknesses
4. Managing operational risks
5. Aligning security with business goals
How controls, frameworks, and compliance are related
Organizations:
• The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
• The National Institute of Standards and Technology (NIST)
• Center for Internet Security (CIS®)
• International Organization for Standardization (ISO)
• System and Organizations Controls (SOC)
• Payment Card Industry Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Federal Risk and Authorization Management Program (FedRAMP®)
• General Data Protection Regulation (GDPR)
Ethical concepts that guide cybersecurity decisions
United States standpoint on counterattacks
In the U.S., deploying a counterattack on a threat actor is illegal because of laws like the Computer
Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among
others. You can only defend. The act of counterattacking in the U.S. is perceived as an act of
vigilantism. A vigilante is a person who is not a member of law enforcement who decides to stop a
crime on their own. And because threat actors are criminals, counterattacks can lead to further
escalation of the attack, which can cause even more damage and harm. Lastly, if the threat actor
in question is a state-sponsored hacktivist, a counterattack can lead to serious international
implications. A hacktivist is a person who uses hacking to achieve a political goal. The political goal
may be to promote social change or civil disobedience.

International standpoint on counterattacks
The International Court of Justice (ICJ), which updates its guidance regularly, states that a person
or group can counterattack if:
• The counterattack will only affect the party that attacked first.
• The counterattack is a direct communication asking the initial attacker to stop.
• The counterattack does not escalate the situation.
• The counterattack effects can be reversed.
Organizations typically do not counterattack because the above scenarios and parameters are
hard to measure. There is a lot of uncertainty dictating what is and is not lawful, and at times
negative outcomes are very difficult to control. Counterattack actions generally lead to a worse
outcome, especially when you are not an experienced professional in the field.
Ethical principles and methodologies
• Confidentiality means that only authorized users can access specific assets or data.
Confidentiality as it relates to professional ethics means that there needs to be a high level of
respect for privacy to safeguard private assets and data.
• Privacy protection means safeguarding personal information from unauthorized use.
Personally identifiable information (PII) and sensitive personally identifiable information (SPII)
are types of personal data that can cause people harm if they are stolen. PII data is any
information used to infer an individual's identity, like their name and phone number. SPII data is
a specific type of PII that falls under stricter handling guidelines, including social security
numbers and credit card numbers. To effectively safeguard PII and SPII data, security
professionals hold an ethical obligation to secure private information, identify security
vulnerabilities, manage organizational risks, and align security with business goals.
• Laws are rules that are recognized by a community and enforced by a governing entity. As a
security professional, you will have an ethical obligation to protect your organization, its
internal infrastructure, and the people involved with the organization. To do this:
 You must remain unbiased and conduct your work honestly, responsibly, and with the highest
respect for the law.
 Be transparent and just, and rely on evidence.
 Ensure that you are consistently invested in the work you are doing, so you can
appropriately and ethically address issues that arise.
 Stay informed and strive to advance your skills, so you can contribute to the betterment of
the cyber landscape.
TOOLS
• Security information and event management (SIEM) tools
• Network protocol analyzers (packet sniffers)
• Playbooks
SKILLS
Programming
Automation is the use of technology to reduce human and manual effort in performing common
and repetitive tasks. (Programming Language and SQL)

Operating System (OS)
An operating system is the interface between computer hardware and the user. (Linux with a
command-line interface: a text-based user interface that uses commands to interact with the
computer.)

Web vulnerability
A web vulnerability is a unique flaw in a web application that a threat actor could exploit by using
malicious code or behavior, to allow unauthorized access, data theft, and malware deployment.
Open Web Application Security Project (OWASP) Top 10

Antivirus software
Antivirus software is a software program used to prevent, detect, and eliminate malware and
viruses.

Intrusion detection system
An intrusion detection system (IDS) is an application that monitors system activity and alerts on
possible intrusions.
SKILLS (Cont...)
Encryption
Encryption makes data unreadable and difficult to decode for an unauthorized user; its main goal
is to ensure confidentiality of private data.

Penetration Testing
Penetration testing, also called pen testing, is the act of participating in a simulated attack that
helps identify vulnerabilities in systems, networks, websites, applications, and processes.
Network
A group of connected devices

To connect we can use cable or wireless. IP/MAC addresses are unique addresses used to locate each other.
Type Of Networks :
• LAN (Local Area Network)
• WAN (Wide Area Network)

Tool to Create Network
• Hub
• Switch
• Router
• Modem

Network Architecture

Network Communication
TCP/IP & OSI MODEL
Both the TCP/IP and OSI models are conceptual models that help network professionals visualize
network processes and protocols in regards to data transmission between two or more systems.

For more information, visit aka.ms/staysafeonline


Sources: U.S. Department of Justice, How to Protect your Networks from Ransomware;
Anti-Phishing Working Group, Phishing Activity Trends Report, Q4 2015;
Verizon, Data Breach Investigations Report, 2015
Network Communication Detail
• Network Access Layer
The network access layer, sometimes called the data link layer, deals with the creation of data
packets and their transmission across a network. This layer corresponds to the physical hardware
involved in network transmission. Hubs, modems, cables, and wiring are all considered part of
this layer. The address resolution protocol (ARP) is part of the network access layer. Since MAC
addresses are used to identify hosts on the same physical network, ARP is needed to map IP
addresses to MAC addresses for local network communication.

• Internet Layer
The internet layer, sometimes referred to as the network layer, is responsible for ensuring the
delivery to the destination host, which potentially resides on a different network. It ensures IP
addresses are attached to data packets to indicate the location of the sender and receiver. The
internet layer also determines which protocol is responsible for delivering the data packets and
ensures the delivery to the destination host. Here are some of the common protocols that operate
at the internet layer:

 Internet Protocol (IP). IP sends the data packets to the correct destination and relies on the
Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the
corresponding service. IP packets allow communication between two networks. They are
routed from the sending network to the receiving network. TCP in particular retransmits any
data that is lost or corrupt.
 Internet Control Message Protocol (ICMP). The ICMP shares error information and status
updates of data packets. This is useful for detecting and troubleshooting network errors. The
ICMP reports information about packets that were dropped or that disappeared in transit,
issues with network connectivity, and packets redirected to other routers.

Network Communication Detail (Cont...)
• Transport Layer
The transport layer is responsible for delivering data between two systems or networks and
includes protocols to control the flow of traffic across a network. TCP and UDP are the two
transport protocols that occur at this layer.
 Transmission Control Protocol
The Transmission Control Protocol (TCP) is an internet communication protocol that allows two
devices to form a connection and stream data. It ensures that data is reliably transmitted to
the destination service. TCP contains the port number of the intended destination service,
which resides in the TCP header of a TCP/IP packet.
 User Datagram Protocol
The User Datagram Protocol (UDP) is a connectionless protocol that does not establish a
connection between devices before transmissions. It is used by applications that are not
concerned with the reliability of the transmission. Data sent over UDP is not tracked as
extensively as data sent using TCP. Because UDP does not establish network connections, it is
used mostly for performance sensitive applications that operate in real time, such as video
streaming.

• Application Layer
The application layer in the TCP/IP model is similar to the application, presentation, and
session layers of the OSI model. The application layer is responsible for making network
requests or responding to requests. This layer defines which internet services and applications
any user can access. Protocols in the application layer determine how the data packets will
interact with receiving devices. Some common protocols used on this layer are:
 Hypertext transfer protocol (HTTP)
 Simple mail transfer protocol (SMTP)
 Secure shell (SSH)
 File transfer protocol (FTP)
 Domain name system (DNS)
Application layer protocols rely on underlying layers to transfer the data across the
network.
OSI MODEL DETAIL
• Physical Layer
As the name suggests, the physical layer corresponds to the physical hardware involved in
network transmission. Hubs, modems, and the cables and wiring that connect them are all
considered part of the physical layer. To travel across an ethernet or coaxial cable, a data
packet needs to be translated into a stream of 0s and 1s. The stream of 0s and 1s are sent
across the physical wiring and cables, received, and then passed on to higher levels of the OSI
model.

• Data Link Layer
The data link layer organizes sending and receiving data packets within a single network. The
data link layer is home to switches on the local network and network interface cards on local
devices.
Protocols like network control protocol (NCP), high-level data link control (HDLC), and
synchronous data link control protocol (SDLC) are used at the data link layer.

• Network Layer
The network layer oversees receiving the frames from the data link layer (layer 2) and delivers
them to the intended destination. The intended destination can be found based on the address
that resides in the frame of the data packets. Data packets allow communication between two
networks. These packets include IP addresses that tell routers where to send them. They are
routed from the sending network to the receiving network.

• Transport Layer
The transport layer is responsible for delivering data between devices. This layer also handles
the speed of data transfer, flow of the transfer, and breaking data down into smaller segments
to make them easier to transport. Segmentation is the process of dividing up a large data
transmission into smaller pieces that can be processed by the receiving system. These
segments need to be reassembled at their destination so they can be processed at the session
layer (layer 5). The speed and rate of the transmission also has to match the connection speed
of the destination system. TCP and UDP are transport layer protocols.
OSI MODEL DETAIL (Cont...)
• Session Layer
A session describes when a connection is established between two devices. An open session
allows the devices to communicate with each other. Session layer protocols keep the session
open while data is being transferred and terminate the session once the transmission is
complete.
The session layer is also responsible for activities such as authentication, reconnection, and
setting checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that
the transmission picks up at the last session checkpoint when the connection resumes.
Sessions include a request and response between applications. Functions in the session layer
respond to requests for service from processes in the presentation layer (layer 6) and send
requests for services to the transport layer (layer 4).

• Presentation Layer
Functions at the presentation layer involve data translation and encryption for the network.
This layer adds to and replaces data with formats that can be understood by applications
(layer 7) on both sending and receiving systems. Formats at the user end may be different
from those of the receiving system. Processes at the presentation layer require the use of a
standardized format.
Some formatting functions that occur at layer 6 include encryption, compression, and
confirmation that the character code set can be interpreted on the receiving system. One
example of encryption that takes place at this layer is SSL, which encrypts data between web
servers and browsers as part of websites with HTTPS.

• Application Layer
The application layer includes processes that directly involve the everyday user. This layer
includes all of the networking protocols that software applications use to connect a user to the
internet. This characteristic is the identifying feature of the application layer—user connection
to the internet via applications and requests.
An example of a type of communication that happens at the application layer is using a web
browser. The internet browser uses HTTP or HTTPS to send and receive information from the
website server. The email application uses simple mail transfer protocol (SMTP) to send and
Components of network layer communication

Components of network layer communication Detail
There are 13 fields within the header of an IPv4 packet:
Version (VER): This 4-bit component tells receiving devices what protocol the packet is
using. The packet used in the illustration above is an IPv4 packet.

IP Header Length (HLEN or IHL): HLEN is the packet’s header length. This value
indicates where the packet header ends and the data segment begins.

Type of Service (ToS): Routers prioritize packets for delivery to maintain quality of
service on the network. The ToS field provides the router with this information.

Total Length: This field communicates the total length of the entire IP packet, including
the header and data. The maximum size of an IPv4 packet is 65,535 bytes.

Identification: IPv4 packets can be up to 65,535 bytes, but most networks have a
smaller limit. In these cases, the packets are divided, or fragmented, into smaller IP
packets. The identification field provides a unique identifier for all the fragments of the
original IP packet so that they can be reassembled once they reach their destination.

Components of network layer communication Detail
Flags: This field provides the routing device with more information about whether the
original packet has been fragmented and if there are more fragments in transit.

Fragmentation Offset: The fragment offset field tells routing devices where in the
original packet the fragment belongs.

Time to Live (TTL): TTL prevents data packets from being forwarded by routers
indefinitely. It contains a counter that is set by the source. The counter is decremented by
one as it passes through each router along its path. When the TTL counter reaches zero,
the router currently holding the packet will discard the packet and return an ICMP Time
Exceeded error message to the sender.

Protocol: The protocol field tells the receiving device which protocol will be used for the
data portion of the packet.

Header Checksum: The header checksum field contains a checksum that can be used to
detect corruption of the IP header in transit. Corrupted packets are discarded.

Source IP Address: The source IP address is the IPv4 address of the sending device.

Destination IP Address: The destination IP address is the IPv4 address of the
destination device.

Options: The options field allows for security options to be applied to the packet if the
HLEN value is greater than five. The field communicates these options to the routing
devices.
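As an added example (not code from the original slides), the Python walk-through below parses the 13 IPv4 header fields described above from a constructed packet, verifies the header checksum the way a receiving device does, and simulates one router hop that decrements TTL, recomputes the checksum and drops the packet once TTL is exhausted. The packet bytes, addresses and payload are constructed for this example.

```python
"""IPv4 header walk-through: parse the 13 fields, verify the header checksum, and
simulate one router hop (TTL decrement). Constructed example, not code from the
original slides; the sample packet, addresses and payload below are made up."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class IPv4Header:
    version: int
    ihl: int                # header length in 32-bit words; 5 means 20 bytes, no options
    tos: int
    total_length: int
    identification: int
    flags: int              # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int    # position of this fragment in the original packet, 8-byte units
    ttl: int
    protocol: int           # 1 = ICMP, 6 = TCP, 17 = UDP
    header_checksum: int
    src: str
    dst: str
    options: bytes          # present only when IHL > 5

    @property
    def dont_fragment(self) -> bool:
        return bool(self.flags & 0b010)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & 0b001)


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header plus any options; reject malformed headers."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError(f"invalid IHL {ihl} for a packet of {len(packet)} bytes")
    return IPv4Header(version, ihl, tos, total_length, ident,
                      flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, checksum,
                      ".".join(map(str, src)), ".".join(map(str, dst)),
                      packet[20:ihl * 4])


def checksum_ok(packet: bytes) -> bool:
    """Summing the header with its stored checksum included yields 0 only if it is intact."""
    hdr = parse_ipv4_header(packet)
    return ones_complement_checksum(packet[:hdr.ihl * 4]) == 0


def forward_one_hop(packet: bytes) -> Optional[bytes]:
    """Router behaviour from the slide: discard corrupted headers, decrement TTL and
    recompute the checksum; return None when the packet is dropped (a real router would
    also send ICMP Time Exceeded to the source when TTL reaches zero)."""
    if not checksum_ok(packet):
        return None
    hdr = parse_ipv4_header(packet)
    if hdr.ttl <= 1:
        return None
    header = bytearray(packet[:hdr.ihl * 4])
    header[8] -= 1                                  # TTL lives at byte offset 8
    header[10:12] = b"\x00\x00"                     # zero the checksum before recomputing
    struct.pack_into("!H", header, 10, ones_complement_checksum(bytes(header)))
    return bytes(header) + packet[hdr.ihl * 4:]


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      protocol: int = 6, ident: int = 0x1C46, flags: int = 0b010,
                      frag_offset: int = 0) -> bytes:
    """Assemble a 20-byte header (IHL = 5) with a valid checksum."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      (flags << 13) | frag_offset, ttl, protocol, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


# Constructed sample: TCP packet, DF set, 8-byte payload, documentation-range addresses.
SAMPLE_PACKET = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=8) + b"\xAA" * 8
```

Flipping a single bit in the source address makes `checksum_ok` return False, which is the corruption case the Header Checksum field exists to catch.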
Network components, devices, and diagrams
Cloud computing refers to the practice of using remote servers, applications, and
network services that are hosted on the internet instead of at a physical location owned by
the company.

A cloud service provider (CSP) is a company that offers cloud computing services. These
companies own large data centers in locations around the globe that house millions of servers.

CSPs provide three main categories of services:


• Software as a service (SaaS) refers to software suites operated by the CSP that a company
can use remotely without hosting the software.
• Infrastructure as a service (IaaS) refers to the use of virtual computer components offered
by the CSP.
• Platform as a service (PaaS) refers to tools that application developers can use to design
custom applications for their company.

Benefits:
• Reliability
• Cost
• Scalability

SIEM (SECURITY INFORMATION AND EVENT MANAGEMENT)
SIEM (Security Information and Event Management) tools are systems that
collect, analyze, and correlate data from various sources across an
organization's IT infrastructure to provide real-time insights into security
threats and events. They are capable of identifying and responding to
potential security incidents through centralized monitoring, logging, and
analysis of network traffic, applications, servers, and other components.

How to do Experiment ?
The problem is that we normally don't have adequate resources to do the
experiment.
In a real scenario we would need more than one PC to try the concept.
We also need to have the right operating system (OS) for convenience.
That's why we need another approach: utilizing virtual machines. One
of them is installing Docker Desktop on our personal machine.

Diagram components: WEF (Windows Event Forwarding), Log Event Management, Indexing Database, Dashboard / UI

How to do Experiment ?
Some tools have an indexing database and dashboard by default, some do not.
Some tools can be integrated with a wide variety of indexing
databases and dashboards. In this class we’ll stick to using “wazuh”,
“elastic search” and “kibana”. The combination of those tools, used to
monitor logs/activity and preserve the CIA principles, is called a SIEM tool.

Diagram: Wazuh Agent. The Wazuh manager works great on Linux OS; the other tools (elastic search, kibana, and
wazuh agent) can be run on all platforms.

Architecture For Experiment

Master node/server/cluster: Wazuh Manager + elastic search + kibana + wazuh agent installed in the same node/machine.
Client to monitor / client node: Wazuh Agent.

All tools are installed in the same machine, so the machine
becomes the master/manager/storage/interface and also becomes the
agent for itself.
This does not really happen in a real scenario.


Architecture Single Node

Master node/server/cluster: Wazuh Manager + elastic search + kibana installed in the same node/machine.
If the machine fails then all is down.

Clients to monitor / client nodes: Wazuh Agent 1, Wazuh Agent 2, ... Wazuh Agent n


Architecture Multi Node

Master node/server/cluster: Wazuh Manager, NoSQL DB, Dashboard UI.
Better, but some tools may be dependent on others; independent tools would run without problem.

Clients to monitor / client nodes: Wazuh Agent 1, Wazuh Agent 2, ... Wazuh Agent n


Architecture Multi Node 2

If one goes down then we have a
backup to keep the system
more persistent.

But this architecture adds
complexity in configuration.

Diagram: Load Balancer, Load Balancer; Wazuh Agent 1, Wazuh Agent 2, ... Wazuh Agent n


Experiment Problems
We normally only have one PC and only one OS installed on it. Alternative
solutions:
1. Install dual boot (only able to have 2 OSes in a single machine, maybe
more, but it requires more resources, is hard to configure and hard to switch
back and forth during the experiment)
2. Virtualization (we have two options here: VirtualBox/VMware, or
containerization through Docker). On this occasion we will use Docker.
3. Buy more machines if you have the budget


Understanding Docker
Docker was originally built on Linux OS; on other platforms Docker uses its
host OS as its foundation.
To solve this we need to install WSL (Windows Subsystem for Linux) to let
Docker run on Windows OS.

Diagram: Docker Container | Docker Container | Docker Container, running on top of WSL


Understanding Docker 2

We can create a docker image from a base Dockerfile. You can override it by
writing your own Dockerfile, or install anything in the container and build
your own image after that.

You can get base docker images from the Docker Hub repository:
https://hub.docker.com/


Install WSL

Access this for earlier versions:
https://learn.microsoft.com/en-us/windows/wsl/install-manual
If you fulfill all of the prerequisites then run this command in
PowerShell/CMD as administrator:
wsl --install
or enable it through Windows Features.

Check the installation.


Install Docker Desktop – Step 1 Prerequisites

Details here: https://docs.docker.com/desktop/install/windows-install/


Install Docker Desktop – Step 2 Installer

Details here: https://docs.docker.com/desktop/install/windows-install/


Install Docker Desktop UI – After Installation


Access Docker in CMD

After images are downloaded using the “docker pull” command from the Docker Hub repository, they are stored (for
Windows OS) in:

the local repository (on our machine)

Check the images in your local repository

Check all containers that you have


Access Docker in CMD
Running images as docker containers

docker images - Check what images we have locally
docker run pp-ubuntu - Create a container using the image named pp-ubuntu
docker ps -a - Check if the container was successfully created. (You can see the status
is Exited and the command is /bin/bash)

The status is Exited directly after the container starts because there is no process in the foreground
of ubuntu after we run it. So we have no option to use the container again. Even if you
try to use “docker start <containerid>” it will stop directly afterwards. For images that
run in the foreground, like “nginx” for example, “docker run <image_name>” will
not stop the container directly, but it will attach your terminal. So you need to open
another terminal to interact. The solution is to add “-d” to your docker run command
(“docker run -d <image_name>”).

For an image like this I recommend building the container using “docker run -it pp-ubuntu”.
As information: we cannot update the command of an existing container. The only
option is to create another container with the command we want using docker
run, and remove unused docker containers with the command “docker rm
<containerid>”.
Access Docker in CMD
Running images to be docker container
You can stop the container using “docker stop <containerid>” and run it again
using “docker start <containerid>”. For any docker is still running then you can go
into its interactive mode by using “docker exec -it <containerid>”.

To exit from interative mode you can type “exit” then press enter. We also be able
to inspect the container to see its configuration especially volume and network. To
do that execute “docker inspect <containerid>”.

We also be able to see any network config in the docker and its volume by “docker
network ls” and “docker volume ls”. So does createa and remove network or
volume using
• “docker network create <network_name>”
• “docker network rm<network_name>”
• “docker volume create <volume_name>”
• “docker volume rm <volume_name>”

Volume location in the host machine (for Windows): \\wsl.localhost\docker-desktop\mnt\docker-desktop-disk\data\docker\volumes

Change in Docker
If we install something in a docker container and stop the container we will
lose the app we have installed. So to prevent this we need to commit our
docker container into a new image using “docker commit <containerid>
<new_image_name>”. Then we need to create a new container based on
the image we just created. We are also able to remove the images that we
are not using anymore using “docker rmi <image_name>”.

In terms of files, we can utilize a volume to keep them even when we have
removed the container.

Networking is used so that a container can be accessed by other containers
(on the same machine); an overlay network lets containers communicate across
different machines, and the host network gives access to the host's network. (By
default the network is bridge; this lets containers on the same host communicate.)
Disadvantages of Docker
Docker containers are designed to be lightweight, isolated environments that share
the host's kernel but run their own user-space processes.

• No systemd (systemctl)

Let’s say you want to run multiple services on a real ubuntu: you will need
systemd to manage the services. But a container normally runs only a single
application, for example a web service or a database service only (so typically you
don’t need systemd for a container in docker).

Systemd will be beneficial when you have to run multiple services, for example redis and
nginx, on the same linux machine (full linux).

In order to get a full linux system in a docker container you have to do several
steps:
1. Run the docker container (docker run -it --name=pp-ubuntu-systemd ubuntu-image)
2. sudo apt-get install -y systemd systemd-sysv
3. Commit the ubuntu container then recreate it with the options in steps 4, 5, and 6
4. Mount your container with -v /sys/fs/cgroup:/sys/fs/cgroup:ro (ro: read-only)
5. Create a temporary file system using tmpfs for /run and /run/lock
6. /sbin/init as the main process of the system

You can pull the image from my docker hub repo (docker pull piopratama/pp-ubuntu-systemd),
skip steps 1 and 2, then just run the command below:
docker run --privileged --name my-systemd-container -d `
  --tmpfs /run --tmpfs /run/lock `
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw `
  pp-ubuntu-systemd /sbin/init
Docker Network

To let the windows host machine access the bridge network we need to do port
mapping when we create the container, for example:
docker run -p <host_port>:<container_port> [other optional options] <image_name>

• Bridge: containers set to the same docker network (the default; containers on the same host can communicate)
• Host: set to the same IP as the host, but be aware of port conflicts
• Overlay: network overlay across machines; you need to create a docker swarm
Docker File
We can automate the process of pulling an image, building a container, and applying
settings through code saved in a file called “Dockerfile”.

You need to go to the location where your Dockerfile and myscript.sh reside, then run:

docker build --build-arg VERSION=1.2.3 -t myapp:1.2.3 .


Docker Compose
A docker-compose.yml file is used to define and configure your services, networks, and
volumes. Here are the most common configuration options.



Docker Compose Example
Here is an example of how to build a docker container and set it up using docker compose. (Be aware that
the yml file must be indented with spaces, not tabs.)
version: "3.8"  # Specify the version of the Compose file format

services:
  web:
    image: nginx:latest
    ports:
      - "8080:80"  # Map port 80 in the container to port 8080 on the host
    environment:
      - NGINX_ENV=production
    volumes:
      - ./webdata:/usr/share/nginx/html  # Mount host directory to container
    networks:
      - frontend
    depends_on:
      - db

  db:
    image: postgres:13
    environment:
      POSTGRES_USER: myuser
      POSTGRES_PASSWORD: mypassword
    volumes:
      - dbdata:/var/lib/postgresql/data
    networks:
      - backend

networks:
  frontend:
  backend:

volumes:
  dbdata:
Wazuh Installation using Docker Compose (Single Node)
Docker compose is a tool for defining and running multi-container applications.
Step 1. Pull the docker compose files (make sure you have installed git).
Type this in the terminal/cmd/powershell:
git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.0

Step 2. Go to the docker compose project, go to single-node and open docker-compose.yml.

Step 3. If you are using DNS then add it in the environment section.

Step 4. Execute this for the ssl/tls certificates: docker-compose -f generate-indexer-certs.yml run --rm generator

Step 5. docker-compose up -d

Step 6. Check if the wazuh indexer, manager, and dashboard are running
(docker ps -a). Then access https://localhost with username: admin,
password: SecretPassword (that is the default credential).
Ubuntu Preparation before Wazuh Agent
Normally ubuntu in a docker container doesn’t have some tools such as the following (all
the processes here require an internet connection):
• apt-get update
• apt-get upgrade
• sudo (apt install sudo)
• vim (text editor – sudo apt-get install vim)
• iputils-ping (ping – sudo apt-get install iputils-ping)
• ifconfig (IP check – sudo apt-get install net-tools)
• curl (download – sudo apt-get install curl)
• wget (download – sudo apt-get install wget)
Before executing all the commands above please do:
• apt-get update (to update the package metadata from /etc/apt/sources.list (ubuntu
official repo) and /etc/apt/sources.list.d/ (third party repositories such as wazuh)).
• apt-get upgrade (to download and install the newly updated packages from the
repository)
You also need to know how to start, stop, restart, and check the status of a
service. Normally on a real ubuntu we use the “systemctl” command, but as the
ubuntu container doesn’t have that command we can use:
<service_path>/<service_name> start|stop|restart|status

After all the installation you probably want to commit the container into a
new image so that you can use it for other tasks. (Tools like sudo, vim,
iputils-ping, net-tools, and curl are really useful in ubuntu.)


Ubuntu Preparation 2 before Wazuh Agent
To use ubuntu you also need to get familiar with some commands such as:

• ls -la (list all entries in a directory, including hidden ones)
• cd .. (go up one directory)
• cd <directory> (go to directory)
• cd / (go to the root directory)
• cat <file> (show the content of the file)
• find <path> -name <file> (search for a file)
• mv <old> <new> (move/rename a file)
• rm <file> (remove a file)
• cp <source> <destination> (copy a file)
• chown user:user <file> (change file ownership)
• chmod <permission> <file> (change file permissions)
• tail -f <file> (commonly used for monitoring log files in real time)
• cat /path/to/<file> | tail -n 100 (show the last 100 lines of the file)
• man <command> (show the command manual)
• grep ‘text’ <file> (find the string ‘text’ in the file)
• sudo <command> (run a command as super user)
• ps aux (list the currently running processes)
• df (show disk space)
• du (show disk usage)
• tar <option, e.g. -xzvf to extract or -czvf to create> <file in tar format>
• touch <file> (create a file)
• mkdir <name> (create a directory)
Ubuntu Preparation 3 before Wazuh Agent

• ACLs give us the flexibility to manage permissions across different users and groups.
• Normally we lock the root account and limit the sudo command to specific users
• Use “su - username” and input the password to log in as a different user
• Use “ls -la” to show who owns a file or directory
• Use “whoami” to show which user is currently in use
• Owning a file/dir doesn’t directly mean you have permission. Owning a file means you have the right to manage its permissions
• Bash (Bourne-Again SHell) is the default shell in ubuntu. Prompt signs: # (root), $ (non-root)


Wazuh Agent Installation
We need to install the Wazuh agent on the monitored node/machine. We also need to configure it to
point to the wazuh manager where the wazuh agent needs to send the logs. We also need to
configure what the agent monitors on the machine (the directories/files we want the wazuh agent
to look at).
We will install it in our Ubuntu container.
https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html
Step 1.
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Step 2.
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Step 3.
apt-get update

Step 4. (Enrollment process)
WAZUH_MANAGER="IP/domain of wazuh manager" apt-get install wazuh-agent

Step 5.
/var/ossec/bin/wazuh-control start




Wazuh Agent Life Cycle
After successful enrollment, the Wazuh manager stores information about the
Wazuh agent and its connection status until it is deleted by a user.

https://documentation.wazuh.com/current/user-manual/agent/index.html

Detailed documentation can be accessed at the link above.


Wazuh FIM (File Integrity Monitoring)
File Integrity Monitoring (FIM) is a security technique that monitors and detects changes in the
integrity of files and directories.
Key Features of FIM:
1. Monitors Changes in Files/Directories: FIM detects when a file is created, modified, or
deleted.
2. Tracks Attribute Changes: Monitors changes in file metadata, such as permissions,
ownership, and timestamps.
3. Real-Time Monitoring: Can be configured to detect changes in real time, immediately alerting
on file changes.
4. Compliance and Security: Helps meet regulatory compliance requirements (e.g., PCI DSS,
HIPAA) by ensuring that critical files remain unaltered and secure.
FIM config file in Ubuntu: /var/ossec/etc/ossec.conf

To configure this:
1. Open the file using a text editor (in this case we are using vim)
2. Back up ossec.conf in case you do something wrong, using “cp ossec.conf
ossec.conf.bak”
3. Edit the frequency in ossec.conf to monitor every minute
(<frequency>60</frequency>)
4. Restart the agent using “/var/ossec/bin/wazuh-control restart”
5. Check the agent status using “/var/ossec/bin/wazuh-control status”
6. Create a file in the monitored directory, e.g. “echo "This is new content" >>
newfile.txt”
7. Check the log with “sudo tail -f /var/ossec/logs/ossec.log” in real time, or “sudo
tail -n 100 /var/ossec/logs/ossec.log” to get the last 100 log lines only
8. Move to the dashboard and look whether something changed in the FIM menu for the specific agent
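As an added illustration (not Wazuh's code) of what the FIM features above mean in practice, this Python sketch takes a baseline of a directory and classifies later changes as added, modified, deleted or attribute-only, the way a syscheck alert would. The directory and the file names (ossec.conf, newfile.txt) are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not Wazuh code: a minimal stand-in for what syscheck does.
# A baseline of the monitored directory is taken, and a later scan is diffed
# against it to classify each change the way a FIM alert would.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(directory):
    """Record the content hash plus the metadata FIM tracks for every file."""
    baseline = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            st = path.lstat()
            baseline[str(path.relative_to(directory))] = {
                "sha256": sha256_of(path),
                "mode": st.st_mode & 0o777,
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
            }
    return baseline

def diff(baseline, current):
    """Return (file, event) pairs: added, deleted, modified (content changed)
    or attributes:<fields> (permissions, ownership or timestamp changed)."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            events.append((name, "added"))
        elif new is None:
            events.append((name, "deleted"))
        elif old["sha256"] != new["sha256"]:
            events.append((name, "modified"))
        else:
            changed = [k for k in ("mode", "uid", "gid", "mtime") if old[k] != new[k]]
            if changed:
                events.append((name, "attributes:" + ",".join(changed)))
    return events

def demo():
    """Seed a temporary monitored directory, baseline it, apply one change of
    each kind, and return the events a later scan detects (all constructed)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ossec.conf").write_text("<frequency>60</frequency>\n")
        os.chmod(root / "ossec.conf", 0o644)
        (root / "app.log").write_text("start\n")
        (root / "stale.txt").write_text("old\n")
        baseline = snapshot(root)
        (root / "app.log").write_text("start\ntampered\n")          # content change
        os.chmod(root / "ossec.conf", 0o640)                         # permission change
        (root / "stale.txt").unlink()                                # deletion
        (root / "newfile.txt").write_text("This is new content\n")  # creation
        return diff(baseline, snapshot(root))
```

Wazuh's syscheck additionally keeps this state in the agent database and forwards each event to the manager; the point here is only which changes are distinguished and why a content hash alone is not enough.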


Wazuh FIM (File Integrity Monitoring) 2

[Diagram of the FIM components: on the Wazuh Agent side, FIM syscheck, the agent database, the event queue, agent logs and global config; events go to the Wazuh Manager]


Wazuh Manager Configuration File Understanding



Wazuh Manager Configuration File Understanding 2



Suricata Physical vs Container
To monitor network traffic with Suricata on both Docker and physical devices, there are key differences
and requirements. On a physical device, promiscuous mode must be enabled on the network
interface to capture all network traffic. Additionally, network TAP or port mirroring on a managed
switch is required to duplicate traffic to the monitoring device, as unmanaged switches lack port
mirroring. Alternatively, inline mode (placing Suricata as a gateway) or using a hub (for testing) can
capture broadcast traffic, although hubs are less efficient and secure. All devices should ideally be on
the same network to monitor relevant traffic. In Docker, granting --cap-add=NET_ADMIN to the
Suricata container provides sufficient network control for monitoring, as Docker’s bridge network
allows containers within the same network to observe each other's traffic without additional setup. To
run Suricata on Docker with the necessary capabilities, use PowerShell and run:

Assume you are using the pp-ubuntu-systemd image.

docker run --privileged --name suricata `
  --network=single-node_default `
  --cap-add=NET_ADMIN `
  -d `
  --tmpfs /run `
  --tmpfs /run/lock `
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw `
  pp-ubuntu-systemd /sbin/init

You need to install this before suricata:
sudo apt install software-properties-common

[Figures: a Network Tap device; Port Mirroring on a managed switch]
Wazuh Integrate with IDS
Wazuh lacks the capability to monitor the network or to act as an
Intrusion Detection System (IDS).
So we need to integrate it with an IDS such as Suricata or Zeek.

Source:
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html

Suricata can reside on a dedicated machine or on the same machine where the Wazuh
Manager or Agent is installed.


Suricata Help Command
Monitoring the fast.log file:
tail -f /var/log/suricata/fast.log

Verify rule loading:
suricata -T -c /etc/suricata/suricata.yaml

Suricata restart and status check:
sudo systemctl restart suricata (or, if you don’t have systemctl: service suricata restart)
sudo systemctl status suricata (or, if you don’t have systemctl: service suricata status)

Suricata log location:
/var/log/suricata

Suricata rules and config:
/etc/suricata/suricata.yaml (config)
/etc/suricata/rules/ (rules file location)

To try it you can create custom.rules in /etc/suricata/rules/ containing:
alert icmp any any -> any any (msg:"ICMP Test Alert"; sid:1000001; rev:1;)

Then try ping -c 4 8.8.8.8

This will record the alert in fast.log.

alert: This specifies that Suricata should generate an alert when this rule is matched.

icmp: Specifies the protocol to match, which is ICMP (used by ping and other
diagnostic tools).

any any -> any any: This part of the rule means it will match ICMP packets from any IP
address and port going to any IP address and port, thus catching both incoming and
outgoing ICMP traffic.


Suricata Rules



Suricata Rules Option



Suricata Rules Example
You can add these rules in custom.rules:
alert icmp any any -> any any (msg:"ICMP Test Alert"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP GET Request Detected"; content:"GET"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"HTTPS Traffic Detected"; sid:1000003; rev:1;)

Ensure this is set in suricata.yaml:

rule-files:
  - custom.rules

Remember to restart suricata and check that the rules loaded successfully.

For now we are only monitoring one device, but if you want to monitor the
whole network then you can specify the subnet like this:
172.20.0.0/16 (put this in your suricata.yaml -> HOME_NET)
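An added example, not part of the course material or of Suricata itself: a Python helper that parses the custom.rules lines above, flags a reused sid before you run suricata -T, and counts fast.log alerts per sid. The fast.log lines, the extra SSH rule with the copy-pasted sid and sid 9999999 are constructed inputs.

```python
import re
# Added example (not Suricata's code): parse the slide's custom.rules and the
# fast.log lines they produce, to catch rule mistakes and tie alerts to sids.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
FASTLOG_RE = re.compile(  # <ts>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} src -> dst
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)"
    r"\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_rule(line):
    """Header fields plus an options dict (msg, sid, content...); ';' inside msg is not handled."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid rule: " + line)
    rule = m.groupdict()
    opts = {}
    for part in rule.pop("opts").split(";"):
        if part.strip():
            key, _, val = part.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def active_rules(rules_text):
    """(line number, parsed rule) for every non-blank, non-comment line."""
    return [(n, parse_rule(l)) for n, l in enumerate(rules_text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]

def lint_rules(rules_text):
    """(line, problem) pairs for a missing sid or a sid reused by two rules."""
    problems, seen = [], {}
    for n, rule in active_rules(rules_text):
        sid = rule["options"].get("sid")
        if sid is None:
            problems.append((n, "missing sid"))
        elif sid in seen:
            problems.append((n, "duplicate sid %s (first used on line %d)" % (sid, seen[sid])))
        else:
            seen[sid] = n
    return problems

def alerts_by_sid(rules_text, fastlog_text):
    """Count fast.log alerts per sid, labelled with the rule msg or 'unknown sid'."""
    msgs = {r["options"].get("sid"): r["options"].get("msg", "") for _, r in active_rules(rules_text)}
    counts = {}
    for m in (FASTLOG_RE.match(l.strip()) for l in fastlog_text.splitlines()):
        if m:
            sid, label = m.group("sid"), msgs.get(m.group("sid"), "unknown sid")
            counts[sid] = (label, counts.get(sid, (label, 0))[1] + 1)
    return counts

# Constructed inputs: the slide's three rules plus a copy-paste mistake (reused
# sid), and fast.log lines in Suricata's format (sid 9999999 is made up).
CUSTOM_RULES = """\
alert icmp any any -> any any (msg:"ICMP Test Alert"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP GET Request Detected"; content:"GET"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"HTTPS Traffic Detected"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"SSH Traffic Detected"; sid:1000003; rev:1;)
"""
FAST_LOG = """\
11/20/2024-10:15:01.123456  [**] [1:1000001:1] ICMP Test Alert [**] [Classification: (null)] [Priority: 3] {ICMP} 172.20.0.5:8 -> 8.8.8.8:0
11/20/2024-10:15:07.654321  [**] [1:1000002:1] HTTP GET Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.20.0.5:49152 -> 172.20.0.3:80
11/20/2024-10:15:09.000001  [**] [1:9999999:1] Constructed Alert [**] [Classification: (null)] [Priority: 3] {TCP} 172.20.0.3:80 -> 172.20.0.5:49152
"""
```

A sid that appears in fast.log but not in custom.rules usually means another rule file is also loaded; compare the rule-files list in suricata.yaml.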


Wazuh Integrate with IDS



PRIVILEGE ACCESS MANAGEMENT (PAM)
PAM is an identity security solution that helps protect organizations against cyberthreats by monitoring,
detecting, and preventing unauthorized privileged access to critical resources.

Two primary use cases are:
1. preventing credential theft
2. achieving compliance.

How?

1. Provide just-in-time access to critical resources
2. Allow secure remote access using encrypted gateways in lieu of passwords
3. Monitor privileged sessions to support investigative audits
4. Analyze unusual privileged activity that might be harmful to your organization
5. Capture privileged account events for compliance audits
6. Generate reports on privileged user access and activity
7. Protect DevOps with integrated password security

PAM vs PIM?

CASE PRIVILEGE ACCESS MANAGEMENT

[Diagram: one server accessed by Developer, Administrator, Support and Vendor]

Imagine the server is installed with a mysql database and many users (Developer, Administrator,
Support, Vendor) with credentials can access it.

How could you audit this?

Or, if you have multiple applications, it will open security holes if you have to maintain all
of them differently.
So it is better to have one gate to go into every app.


CASE WITHOUT PRIVILEGE ACCESS MANAGEMENT

[Diagram: MySQL accessed directly by Developer, Administrator, Support and Vendor]

We can create a static user for the vendor, for example, with the mysql user feature. But how do you track the
vendor using the credential? How do you audit it? What if the contract ends but you, as the person
responsible, forget to remove the access?


CASE WITHOUT PRIVILEGE ACCESS MANAGEMENT

Administrator (on the MySQL server):
1. Install mysql-client
2. Connect to the MySQL server
3. Create the DB (CREATE DATABASE vendor_db;)
4. Create the user (CREATE USER 'vendor_user'@'%' IDENTIFIED BY 'vendorpassword';)
5. GRANT SELECT ON vendor_db.* TO 'vendor_user'@'%';
6. FLUSH PRIVILEGES;

Vendor:
1. Install mysql-client
2. mysql -h mysql-server -u vendor_user -p
3. Try SELECT, UPDATE, INSERT, etc. and see the effect

Setup:
1. docker network create mysql-network
2. docker run --name mysql-server --network mysql-network -e MYSQL_ROOT_PASSWORD=rootpassword -d mysql
3. docker run --name admin-ubuntu --network mysql-network -it ubuntu bash
4. docker run --name vendor-ubuntu --network mysql-network -it ubuntu bash

We have created three containers (all in the same network: mysql-network).


CASE WITH PRIVILEGE ACCESS MANAGEMENT
One open source product for PAM is: VAULT CORPS

[Diagram: Administrator and Vendor reach MySQL only through the PAM]
