5.8 Identify these elements used for server profiling
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What is Server Profiling?
Server profiling is the process of collecting detailed information about a server to understand how it normally behaves. This helps security analysts detect abnormal or suspicious activity.
One important part of server profiling is identifying:
- Who is logged in
- What accounts are running services
2. Logged-in Users
What are Logged-in Users?
Logged-in users are user accounts that are currently accessing the server, either:
- Locally (direct login to the system)
- Remotely (via SSH, RDP, etc.)
Key Points to Understand
- Each user has a unique account identity
- Users may have different permission levels
- Some users may be active, others may be idle but still logged in
Types of Logged-in Users
- Interactive Users
- Directly logged into the system
- Using a terminal or remote session
- Remote Users
- Accessing the server over the network
- Common protocols:
- SSH (Linux)
- RDP (Windows)
- Privileged Users
- Have elevated permissions
- Examples:
- Administrator (Windows)
- Root (Linux)
Why Logged-in Users Matter in Server Profiling
Monitoring logged-in users helps to:
- Identify unauthorized access
- Detect unexpected user sessions
- Track privileged account usage
- Understand normal user behavior patterns
Important Data to Collect
When profiling logged-in users, collect:
- Username
- Login time
- Source IP address
- Session type (local or remote)
- Privilege level
- Session duration
Normal vs Abnormal Behavior
Normal Behavior
- Known users log in during expected times
- Sessions originate from trusted IP addresses
- Privileged accounts are used only when required
Abnormal Behavior
- Unknown users appear
- Logins at unusual times
- Multiple simultaneous logins for one account
- Privileged accounts used frequently or unexpectedly
3. Service Accounts
What are Service Accounts?
Service accounts are special accounts used by applications or services to run automatically.
They are not used by humans for interactive login.
Key Characteristics
- Used by system processes and services
- Often run in the background
- Have specific permissions only for their task
- Typically configured to:
- Start automatically
- Run continuously
Examples of Service Accounts in IT Systems
- Web server service account (runs web services)
- Database service account (runs database processes)
- Backup service account (performs automated backups)
Why Service Accounts Matter in Server Profiling
Service accounts are critical because:
- They often have high privileges
- They run continuously
- They can be targets for attackers
Monitoring them helps:
- Detect misuse of service accounts
- Identify unauthorized services running
- Ensure services operate normally
Important Data to Collect
When profiling service accounts, collect:
- Account name
- Associated service or process
- Permissions and privileges
- Whether login is interactive or non-interactive
- Process ID (PID)
- Start time of service
Normal vs Abnormal Behavior
Normal Behavior
- Service accounts run specific, expected services
- No interactive login activity
- Stable and consistent operation
Abnormal Behavior
- Service account used for login
- Unexpected services running under the account
- Sudden privilege changes
- Unusual process activity
4. Key Differences: Logged-in Users vs Service Accounts
| Feature | Logged-in Users | Service Accounts |
|---|---|---|
| Used by humans | Yes | No |
| Interactive login | Yes | No (normally) |
| Purpose | Access system | Run services |
| Activity pattern | Variable | Consistent |
| Security risk | Unauthorized access | Privilege misuse |
5. Security Importance in CyberOps
Understanding logged-in users and service accounts helps analysts to:
Detect Threats
- Unauthorized access attempts
- Compromised accounts
- Lateral movement inside a network
Improve Monitoring
- Establish baseline behavior
- Track user and service activity
Incident Response
- Identify affected accounts quickly
- Limit attacker access
6. Common Monitoring Tools/Commands (Conceptual)
(Security analysts should know the purpose, not commands in detail)
- Tools that list active users
- Tools that show running processes and their owners
- Log files that record authentication events
- Monitoring systems that track account behavior
7. Best Practices for Exam
Remember these key points:
- Logged-in users = human access to the server
- Service accounts = non-human accounts running services
- Both must be monitored for normal vs abnormal behavior
- Service accounts should not be used for login
- Privileged accounts must be closely monitored
- Profiling includes:
- Identity
- Activity
- Permissions
- Behavior patterns
8. Summary
- Server profiling includes identifying logged-in users and service accounts
- Logged-in users represent who is accessing the system
- Service accounts represent what is running on the system
- Both are critical for:
- Security monitoring
- Threat detection
- Maintaining normal system behavior
