
SECURITY INFORMATION AND EVENT MANAGEMENT

What is cyber security?

Cyber/IT security is the practice of protecting computers, networks, programs and data
from unauthorized access and from attacks aimed at exploitation.

Eg: the Flipkart database contains customer information.

What is SOC (security operations center)?

A SOC is a dedicated site where enterprise information systems (websites, applications,
databases, data centers, servers, networks, desktops and other endpoints) are monitored,
assessed and defended.

The SOC is operational in the live environment: the team has to carry out its mission and
react to incidents. This is the phase where the SOC has the opportunity to show the value
it provides to the business. When an incident arises, a ticket is opened and a case is
investigated. Many parts of the team will be involved and, depending on the nature, extent
and severity of the incident, someone external to the SOC (part of the same organization
or even a third-party actor) may be involved as well. Different levels of escalation,
possibly leading to the CSIRT, can be put in place, and the team must collaborate,
leveraging all the available tools and procedures, until the case is closed.
What is SIEM (security information and event management)?

It is a tool/technology that supports threat detection and historical analysis of
security events through real-time collection of events from various data/log sources.

A security information and event management (SIEM) system is an approach to get a
centralized view of the information coming out of the organization's multiple defense
mechanisms, end-user devices, applications and servers, in the most understandable and
standard format. It serves multiple purposes such as auditing, reporting, log retention,
incident response and, most importantly, real-time monitoring, which provides the
capability to alert at the initial stages of a cyber-attack on your organization. In
summary, it will show what you want to see; hence, to get the most out of it, it must be
managed properly.

It is a set of technologies for:

● Log data collection
● Correlation
● Aggregation
● Normalization
● Retention
● Analysis and workflow

We need SIEM to move from being reactive to being proactive in terms of our security
approach.

Important SIEM tools

HPE ArcSight 6.9
IBM QRadar 7.3.1
McAfee Nitro 9.6
Splunk
RSA enVision and so on

SIEM is implemented via software, systems, appliances, or some combination of these
items. There are, generally speaking, six main attributes of a SIEM system:

Retention: Storing data for long periods so that decisions can be made off of more
complete data sets.

Dashboards: Used to analyze (and visualize) data in an attempt to recognize patterns, or
to target activity or data that does not fit into a normal pattern.

Correlation: Sorts data into groups that are meaningful, similar and share common
traits. The goal is to turn data into useful information.

Alerting: When data is gathered or identified that triggers certain responses, such as
alerts on potential security problems, SIEM tools can activate certain protocols to alert
users, like notifications sent to the dashboard, an automated email or a text message.

Data Aggregation: Data can be gathered from any number of sites once SIEM is
introduced, including servers, networks, databases, software and email systems. The
aggregator also serves as a consolidating resource before data is sent to be correlated
or retained.

Compliance: Protocols in a SIEM can be established that automatically collect data
necessary for compliance with company, organizational or government policies.
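As an added illustration of the aggregation, normalization, correlation and alerting attributes above (example code written for this page, not taken from any SIEM product), the following Python normalizes two constructed log formats into one schema and raises an alert when a single source IP produces too many failures across both sources inside a time window:

```python
"""Normalize events from two differently formatted sources into one schema, then
correlate across sources: a simplified SIEM pipeline (illustrative, not a product)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs): a firewall and a Windows-style source.
RAW_FIREWALL = [
    "2024-03-01T10:00:01 fw01 action=deny src=198.51.100.7 dst=10.1.1.1 dport=22",
    "2024-03-01T10:00:03 fw01 action=deny src=198.51.100.7 dst=10.1.1.1 dport=22",
]
RAW_WINDOWS = [
    "2024-03-01T10:00:05|srv01|4625|Logon failure|user=bob|ip=198.51.100.7",
    "2024-03-01T10:00:09|srv01|4625|Logon failure|user=bob|ip=198.51.100.7",
    "2024-03-01T10:00:12|srv01|4625|Logon failure|user=bob|ip=198.51.100.7",
    "2024-03-01T10:00:20|srv01|4624|Logon success|user=alice|ip=10.1.2.3",
    "2024-03-01T10:05:00|srv01|4625|Logon failure|user=bob|ip=203.0.113.9",
]

FW_RE = re.compile(r"^(\S+) (\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def normalize_firewall(line):
    """Map a key=value firewall line onto the common event schema."""
    ts, host, action, src, dst, dport = FW_RE.match(line).groups()
    return {"time": datetime.fromisoformat(ts), "source": "firewall", "host": host,
            "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
            "outcome": "failure" if action == "deny" else "success"}


def normalize_windows(line):
    """Map a pipe-delimited Windows-style logon record onto the same schema.
    Event ID 4625 is a failed logon, 4624 a successful one."""
    ts, host, event_id, _msg, user, ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "source": "windows", "host": host,
            "src_ip": ip.split("=", 1)[1], "user": user.split("=", 1)[1],
            "outcome": "failure" if event_id == "4625" else "success"}


def normalize_all(fw_lines, win_lines):
    """Aggregate both sources into one time-ordered event list."""
    events = [normalize_firewall(line) for line in fw_lines]
    events += [normalize_windows(line) for line in win_lines]
    return sorted(events, key=lambda e: e["time"])


def correlate_failures(events, threshold=4, window=timedelta(seconds=60)):
    """Correlation rule: alert once per src_ip that produces >= threshold failure
    events, from any source, inside a sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # evs are already time-ordered
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src_ip": src, "count": end - start + 1,
                               "sources": sorted({e["source"] for e in evs[start:end + 1]}),
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_failures(normalize_all(RAW_FIREWALL, RAW_WINDOWS)):
        print(alert)
```

The alert fires because firewall denies and Windows logon failures from the same IP are counted together, which neither source would reveal on its own.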
Terminology:

Tier 1: Security analyst

Tier 2: Senior analyst and shift leader

Tier 3: Regional analyst who performs higher-order analysis and quality assurance (QA)
with respect to the activity derived from Tiers 1 and 2, among other activities
including hunting

Event: Any observable occurrence in a system or network

Alert: An event (or collection of events) that is, or has the potential to be, a cyber
security incident

Incident: An occurrence that potentially jeopardizes the confidentiality, integrity or
availability of an information system or the information the system processes, stores or
transmits. A cyber security incident is an incident in which there has been, or there is
the imminent potential for, a violation of security policies, acceptable use policies or
standard security practices.

Monitor: Process by which analysts receive and observe cyber security events and alerts
from technical and non-technical sources.

Triage: Process of validating an alert through the analysis of data.

Incident Type: Incidents can be classified as malicious code, misuse, denial of service,
attempted access or successful unauthorized access.

Threat Type: Threats are internal or external to the organization and are carried out
intentionally or unintentionally.

Incident Severity: The degree to which the incident impacts the organization, the
likelihood of recovery, and the level of response necessary.

Incident Scope: The extent to which users, assets, data and/or member firms are
impacted.

True Positive: Outcome of security event analysis indicating that a defined risk was
intercepted.

True Negative: Outcome of security event analysis indicating the presence of a normal
transaction.

False Positive: Outcome of security event analysis indicating a false alarm.

False Negative: Outcome of security event analysis indicating the possible presence of
an undefined risk.

Detection Time: Time at which the observation of an event took place.

Alerting Time: Time at which the observation of an event is reported into the SIEM,
email or hotline system.

Acknowledgement Time: Time at which the analyst picks up an alert.

Security Technical Terms:

Legitimate (genuine)
Compromise (hacked)
Mitigation (to reduce the effect)
Remediation (to prevent)
Containment (controlling)
Eradication (removal)
Exploit (attack)
Bypass (skip)

Self-Description:

This is XXXXXXXXXX. I graduated in XXXXXXXXXX and have XX years of experience in a
security operations center (SOC) as an information security analyst at XXXXXXXXXXX.

As an analyst, I am responsible for monitoring and protecting the network by using tools
like:

QRadar or ArcSight - SIEM tool - which is integrated with all the security devices to
collect the event logs from them.

Palo Alto or Sourcefire - IPS - configured in inline mode on the network. It monitors
the entire network for suspicious traffic by analyzing or comparing the event data with
pre-configured and pre-determined attack patterns or signatures.

Blue Coat or Cisco WSA - web proxy - monitors all the web traffic and correlates the
traffic in real time by tapping into the Cisco Talos security intelligence.

McAfee or Cisco ESA - email security - protects against ransomware, business email
compromise, spoofing and phishing. It uses advanced threat intelligence and a
multilayered approach to protect inbound messages and sensitive outbound data.

McAfee ePO - endpoint protection - runs daily scans in the network. If any system is
detected with an infection, it is reviewed by the SOC, which takes the necessary steps to
mitigate the detected issue.

Antivirus - McAfee

Websense or Symantec - DLP

ServiceNow - ticketing tool.

Essential roles and responsibilities:

We are actively involved in monitoring the ArcSight console in order to identify any
potential security breaches across the network by monitoring Active Channels and
Dashboards.

Active Channels provide live streaming of event data; through the Active Channels we
monitor firewall logs, Sourcefire IPS logs, McAfee ePO logs and Cisco WSA logs.

Dashboards provide a summary of the event data, through which we can quickly identify
and investigate any abnormal logs reported.

Monitoring the ArcSight SmartConnectors: if any connector goes down, we take the
responsibility to create a ticket and assign it to the NSO team.

We are also responsible for monitoring the SOC mailbox, to which employees forward
suspicious/spam/phishing emails whenever they receive any suspicious email. The SOC
analyzes such emails with the help of online tools like virustotal.com, urlquery.net,
mxtoolbox.com, malwr.com etc., and blocks the domains and attachments at the ESA and WSA
level.

If any potential security incident is identified while monitoring the security devices,
a security incident response plan (SIRP) is created immediately:

There are mainly 6 phases involved in preparing a security incident response plan (SIRP).

INCIDENT LIFE CYCLE

There are 6 phases in the incident life cycle.

The incident response phases are:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

1. Preparation

incident response planning, and in the end, the most crucial phase to protect your
business. Part of this phase includes:

Ensure employees are properly trained regarding their incident response roles and
responsibilities in the event of a data breach.

Develop incident response drill scenarios and regularly conduct mock data breaches to
evaluate the incident response plan.

Ensure that all aspects of your incident response plan (training, execution, hardware
and software resources, etc.) are approved and funded in advance.

Your response plan should be well documented, thoroughly explaining everyone's roles and
responsibilities. Then the plan must be tested in order to assure that your employees
will perform as they were trained. The more prepared your employees are, the less likely
they'll make critical mistakes.

2. Identification

This is the process where you determine whether you’ve been breached. A breach, or
incident, could originate from many different areas.
It’s important to discover the breach quickly, where it’s coming from, and what it has
affected.

3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything
so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be
destroying valuable evidence that you need to determine where the breach started and
devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business.
If you can, disconnect affected devices from the Internet. Have short-term and long-term
containment strategies ready. It’s also good to have a redundant system back-up to help
restore business operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access
protocols (requiring mandatory multi-factor authentication), change all user and
administrative access credentials and harden all passwords.

4. Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the
breach. This means all malware should be securely removed, systems should again be
hardened and patched, and updates should be applied.
Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any
trace of malware or security issues remain in your systems, you may still be losing valuable
data, and your liability could increase.

5. Recovery
This is the process of restoring and returning affected systems and devices back into your
business environment. During this time, it’s important to get your systems and business
operations up and running again without the fear of another breach.

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response
Team members and discuss what you’ve learned from the data breach. This is where you
will analyze and document everything about the breach. Determine what worked well in
your response plan, and where there were holes. Lessons learned from both mock and real
events will help strengthen your systems against future attacks.

Networking Concepts

NIC (network interface card)

It enables computers to connect to a network. It turns data into electrical signals that
can be transmitted over the network.

MAC (media access control) address

Every NIC card has a hardware address, known as the MAC address.

It is a string of six sets of 2 hexadecimal digits separated by colons.

Eg: 00:0a:83:ab:cf:67

IP (internet protocol) address

It is a logical address used to communicate with other devices. It is a value of 32
bits / 4 octets.

Eg: 192.145.2.3

Range: 2^32 addresses for IPv4, 2^128 for IPv6

IPv4 therefore allows about 4.3 billion possible addresses.

More than 10 billion computers use the internet every day.

Assigning the same IP address to 2 computers is not possible (an IP conflict happens),
so IP addresses are divided into 2 types:

1. Public IP address

2. Private IP address
*Classes of public IP address and range

Class A 0.0.0.0-126.255.255.255
Class B 128.0.0.0-191.255.255.255
Class C 192.0.0.0-223.255.255.255
Class D 224.0.0.0-239.255.255.255
Class E 240.0.0.0-255

*Classes of private IP address

Class A 10.0.0.0-10.255.255.255
Class B 172.16.0.0-172.31.255.255
Class C 192.168.0.0-192.168.255.255

Difference between public and private IP address

Public IP address:
  Issued by the ISP
  Routable worldwide
  Registered / paid

Private IP address:
  Issued by the router for the hosts within its area
  Non-routable
  Unregistered

NETWORK DEVICES

SWITCH:

A network switch connects devices together on a single computer network. A switch is
also called a switching hub, bridging hub, or MAC bridge.

Switches use MAC addresses to forward data to the correct destination.

A switch is considered a Layer 2 device, operating at the data link layer; switches use
packet switching to receive, process and forward data.

Note: http://www.diffen.com/difference/Router_vs_Switch (for the differences between a
switch and a router).

HUB:

Network hubs, also called repeaters, are even less advanced than switches.

While a hub broadcasts the same data to all its ports, a network switch forwards data
only to those devices that the data is intended for.

Network hubs do not manage any traffic coming through them; they only broadcast, or
repeat, packets from an incoming port to all other ports.

PACKET:

A packet is the unit of data that is routed between an origin and a destination on the
Internet.

It turns out that everything you do on the Internet involves packets. For example, every
Web page that you receive comes as a series of packets, and every e-mail you send
leaves as a series of packets. Networks that ship data around in small packets are
called packet switched networks.

ROUTER

A router is a hardware device designed to receive, analyze and move incoming data packets
to another network. It determines the best way for a packet to be forwarded to its
destination.

NAT (network address translation) is a method of remapping one IP address space into
another by modifying the network address information in the IP header of packets while
they are in transit across a traffic-routing device (router).

Computer Network:

A network is defined as a group of two or more computer systems linked together.

local-area networks (LANs)

wide-area networks (WANs)

metropolitan-area networks (MANs)

LAN vs. WAN:

LAN, which stands for local area network, and WAN, which stands for wide area network,
are two types of networks that allow for interconnectivity between computers.

LANs are for smaller, more localized networking, in a home, business, school, etc.
EX: switches and hubs

WANs cover larger areas, such as cities, and even allow computers in different nations
to connect. LANs are typically faster and more secure than WANs, but WANs enable more
widespread connectivity.
EX: routers

Reference: http://www.diffen.com/difference/LAN_vs_WAN

SUBNETTING:

The practice of dividing a larger network into two or more smaller networks is called
subnetting.
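The class table, the private ranges and the subnetting definition above, worked through in Python (example code written for this page, not from the original notes): an address is classed by its first octet, checked against the private ranges, and a network is split into equal subnets with their usable host ranges.

```python
"""Classify IPv4 addresses by class and public/private scope using the ranges given
above, and split a network into subnets (example code written for this page)."""
import ipaddress

# Private ranges as listed above (RFC 1918), expressed as prefixes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_class(ip):
    """Class from the first octet, following the public-class table above.
    127.x.x.x is the loopback block, which that table leaves out."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 127:
        return "loopback"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def is_private(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def describe(ip):
    return {"ip": ip, "class": ipv4_class(ip),
            "scope": "private" if is_private(ip) else "public"}


def subnet(network, new_prefix):
    """Divide `network` into equal subnets of length `new_prefix`; for each, return
    (subnet, first usable host, last usable host, usable host count)."""
    net = ipaddress.ip_network(network, strict=False)
    result = []
    for s in net.subnets(new_prefix=new_prefix):
        result.append((str(s), str(s.network_address + 1),
                       str(s.broadcast_address - 1), s.num_addresses - 2))
    return result


if __name__ == "__main__":
    for ip in ("192.145.2.3", "10.1.1.1", "172.20.1.5", "172.32.0.1", "224.0.0.9"):
        print(describe(ip))
    for row in subnet("192.168.1.0/24", 26):
        print(row)
```

Note that 172.32.0.1 is class B but public: the private block is 172.16.0.0-172.31.255.255 only, a common source of misclassification in SOC lookups.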

Encoding, Encryption and Hashing

Encoding: Encoding converts the data into a desired format required for exchange between
different systems. This does not turn it into secret data, but into usable data. It can
be decoded again with the same tools when necessary.

Hashing: This serves to maintain the integrity of a message or data. This way, if it is
ever tampered with or changed, you will get to know.

Encryption: Encryption ensures that the data is kept secret, and one needs a digital
verification code or key in order to open or access it.

Encryption:

Symmetric encryption:
Asymmetric encryption:
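The three distinctions above, demonstrated in Python (example code written for this page, not from the original notes). The symmetric cipher used is a one-time pad (XOR with a random key as long as the message), chosen only because it needs no third-party library; production systems use a standard cipher such as AES.

```python
"""Encoding is reversible without a secret, hashing detects tampering, and encryption
needs the key to reverse (example code written for this page)."""
import base64
import hashlib
import os


def encode(data: bytes) -> str:
    """Encoding: any party can decode this; it provides no secrecy."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def digest(data: bytes) -> str:
    """Hashing: a fixed-size fingerprint; any change to the input changes it."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    return digest(data) == expected_digest


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR key. The key must be random, as long
    as the message, and never reused. Decryption is the same XOR."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def demo():
    """Run all three on a constructed message and report what each guarantees."""
    msg = b"transfer 100 units to account 42"  # constructed sample message
    encoded = encode(msg)
    tag = digest(msg)
    key = os.urandom(len(msg))
    ciphertext = otp_encrypt(msg, key)
    wrong_key = os.urandom(len(msg))
    return {
        "encoding_reversible": decode(encoded) == msg,
        "tamper_detected": not integrity_ok(b"transfer 900 units to account 42", tag),
        "decrypts_with_key": otp_decrypt(ciphertext, key) == msg,
        "decrypts_with_wrong_key": otp_decrypt(ciphertext, wrong_key) == msg,
        "ciphertext_hides_plaintext": ciphertext != msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```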

OSI Concepts

OSI (open systems interconnection)

There are 7 layers.

Application layer: it is the interaction between the computer and the users.
It provides a set of protocols to enable computers to transfer data.
Eg: HTTP, FTP, SMTP
PDU (protocol data unit): user data

Presentation layer: it formats the data (presenting data in the required format).
Encryption/decryption, encoding/decoding and compression/decompression take place here.
PDU: formatted data

Session layer: it establishes, maintains and terminates the session (connection) between
two communicating hosts.
Eg: 3-way handshake
PDU: formatted data

Transport layer: it provides reliable data transport through the network. It maintains
proper delivery and error correction of data, and it assigns the port number.
Eg: TCP, UDP
PDU: segments

Network layer: it does routing (transmitting the packet over the best path to the exact
destination). It assigns the IP address to the packet.
Eg: router
PDU: packets

Data link layer: reliable transfer of data across the physical layer. Switching
(redirecting the packet to the exact system) takes place here. It assigns the MAC
address.
Eg: switch
PDU: frames

Physical layer: it converts raw bits to electrical signals and vice versa.
Eg: cable, Wi-Fi

PORTS AND PROTOCOL

Ports: ports are numbers used by TCP/IP to identify what service/application should
handle data received by the system. TCP has 65536 (0-65535) ports; 0-1023 are the
well-known ports.

Protocols: a protocol is a set of rules and guidelines for communicating data.

Well-known ports and protocols

SSH (secure shell) 22
SCP (secure copy protocol) 22
SSL (secure sockets layer) 22
TLS (transport layer security) 22
IPsec (internet protocol security) 500
HTTP (hypertext transfer protocol) 80
HTTPS (hypertext transfer protocol secure) 443
FTP (file transfer protocol) 20 & 21
SNMP (simple network management protocol) 161
DNS (domain name system) 53
DHCP (dynamic host configuration protocol) 67 & 68
LDAP (lightweight directory access protocol) 389
RDP (remote desktop protocol) 3389
SMTP (simple mail transfer protocol) 25
POP3 (post office protocol) 110
IMAP (internet message access protocol) 143
MS SQL (Microsoft SQL Server) 1433
Kerberos (mutual authentication) 88
Syslog 514
SMB (server message block) 445

HORIZONTAL SCAN VS VERTICAL SCAN:

A horizontal scan is a scan against a group of IPs for a single port.

A vertical scan is a single IP being scanned for multiple ports.
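Detection logic for both scan types, as an added example written for this page (not from any product): over constructed firewall records it counts distinct destination hosts per (source, port) for horizontal scans and distinct ports per (source, destination) for vertical scans, flagging either once a threshold of distinct values is reached.

```python
"""Detect horizontal and vertical scans in firewall/flow records
(example detection logic written for this page, not from any product)."""
from collections import defaultdict

# Constructed sample records: "src_ip dst_ip dst_port" (not real traffic).
SAMPLE_RECORDS = (
    # one source hitting port 445 on eight different hosts -> horizontal scan
    [f"203.0.113.5 10.0.0.{i} 445" for i in range(1, 9)]
    # one source hitting seven different ports on one host -> vertical scan
    + [f"198.51.100.9 10.0.0.20 {p}" for p in (21, 22, 23, 25, 80, 110, 443)]
    # ordinary repeated traffic to one service -> not a scan
    + ["10.0.0.15 10.0.0.1 443"] * 3
)


def parse_record(line):
    src, dst, port = line.split()
    return src, dst, int(port)


def detect_scans(records, threshold=5):
    """Count distinct destinations per (src, port) and distinct ports per (src, dst).
    Reaching `threshold` distinct values marks a horizontal or vertical scan."""
    dsts_by_src_port = defaultdict(set)
    ports_by_src_dst = defaultdict(set)
    for line in records:
        src, dst, port = parse_record(line)
        dsts_by_src_port[(src, port)].add(dst)
        ports_by_src_dst[(src, dst)].add(port)

    horizontal = [{"src": s, "port": p, "hosts": len(d)}
                  for (s, p), d in dsts_by_src_port.items() if len(d) >= threshold]
    vertical = [{"src": s, "dst": d, "ports": len(p)}
                for (s, d), p in ports_by_src_dst.items() if len(p) >= threshold]
    return {"horizontal": horizontal, "vertical": vertical}


if __name__ == "__main__":
    print(detect_scans(SAMPLE_RECORDS))
```

The repeated 10.0.0.15 traffic is not flagged because repetition to the same host and port does not add distinct values; the threshold should be tuned per network to keep noisy but legitimate clients out of the alerts.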


TCP/IP Header or Packet Header

Source port / Destination port
Sequence number
Acknowledgement number
Flags / Window size
Checksum / Urgent pointer
Source IP
Destination IP
Data

Flags (in order): Reserved, Reserved, Urgent (URG), Acknowledge (ACK), Push (PSH),
Reset (RST), Synchronize (SYN), Finish (FIN)

TCP FLAGS:

ACK – indicates that the Acknowledgment field is significant

PSH – Push function

RST – Reset the connection (Seen on rejected connections)

SYN – Synchronize sequence numbers (Seen on new connections)

FIN – No more data from sender (Seen after a connection is closed)

TCP 3-way handshake

To start a TCP session, the client sends a SYN packet and the server responds with a
SYN-ACK packet; the client completes the third part of the handshake with an ACK packet,
at which point the connection is established.

After the transmission of data is complete, the client sends a FIN packet and the server
replies with an ACK, at which point the connection is terminated.
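The header layout, the flag bits and the handshake above, worked in Python as an added example written for this page (not from the original notes): it packs and parses the fixed 20-byte TCP header, decodes the flag bits, and checks that three constructed headers form a valid SYN / SYN-ACK / ACK exchange with consistent sequence and acknowledgement numbers.

```python
"""Parse the fixed 20-byte TCP header laid out above, decode the flag bits, and check
that three headers form the SYN / SYN-ACK / ACK handshake (example code for this page)."""
import struct

# Bit positions of the flags in the 16-bit "data offset + flags" word, low bits first.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
HEADER_FMT = "!HHIIHHHH"  # src port, dst port, seq, ack, offset+flags, window, csum, urg


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a header (no options, data offset 5 words) for demonstration."""
    offset_and_flags = (5 << 12) | flags
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fields in the order shown in the header layout above."""
    fields = struct.unpack(HEADER_FMT, raw[:20])
    src_port, dst_port, seq, ack, offset_and_flags, window, checksum, urg = fields
    flag_word = offset_and_flags & 0x01FF
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "header_len": (offset_and_flags >> 12) * 4,
            "flags": [name for name, bit in FLAG_BITS if flag_word & bit],
            "window": window, "checksum": checksum, "urgent_pointer": urg}


def is_three_way_handshake(headers):
    """SYN, then SYN+ACK acknowledging seq+1, then ACK acknowledging the server's seq+1."""
    if len(headers) != 3:
        return False
    syn, synack, ack = headers
    return (set(syn["flags"]) == {"SYN"}
            and set(synack["flags"]) == {"SYN", "ACK"}
            and synack["ack"] == syn["seq"] + 1
            and synack["src_port"] == syn["dst_port"]
            and set(ack["flags"]) == {"ACK"}
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)


# Constructed packets for a client on port 40000 connecting to a server on 443.
HANDSHAKE = [
    build_tcp_header(40000, 443, seq=1000, ack=0, flags=0x02),      # SYN
    build_tcp_header(443, 40000, seq=5000, ack=1001, flags=0x12),   # SYN+ACK
    build_tcp_header(40000, 443, seq=1001, ack=5001, flags=0x10),   # ACK
]
RESET = build_tcp_header(443, 40000, seq=0, ack=1001, flags=0x14)  # RST+ACK (rejected)

if __name__ == "__main__":
    parsed = [parse_tcp_header(p) for p in HANDSHAKE]
    for h in parsed:
        print(h["src_port"], "->", h["dst_port"], h["flags"])
    print("handshake complete:", is_three_way_handshake(parsed))
```

A RST+ACK in place of the SYN-ACK is what a closed port returns, which is why the flag list is useful when triaging rejected connections in firewall or IDS logs.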
Difference Between TCP & UDP

TCP (transmission control protocol):
  1. Connection oriented
  2. Segment sequencing takes place
  3. Acknowledges the segments
  4. Slow process
  5. Segment retransmission
  Eg: HTTP, SMTP

UDP (user datagram protocol):
  1. Connectionless
  2. No sequencing
  3. No acknowledgement
  4. Fast process
  5. No retransmission
  Eg: live audio & video streaming (Skype call)

NETWORK ARCHITECTURE

Server LAN

Active Directory

Active Directory is a service provided by Microsoft that stores information about items
on a network so the information can be easily made available to specific users through
the logon process and to network administrators. It provides central authentication and
authorization services for Windows-based computers.

Application server

It is a program that handles all application operations between users and the
organization's backend business applications or databases.

To maintain the employee database (HRMS) and the customer database (CRM), an app server
is required.

File server

A file server is a computer responsible for the central storage and management of data
files so that other computers on the same network can access the files.

Exchange server

A popular email messaging system from Microsoft that runs on Windows Server. The server
side is Microsoft Exchange Server and the featured client program is Microsoft Outlook.

DNS (domain name system)

It resolves domain names to IP addresses. It works like a phonebook.

DNS Working

1. The browser checks its cache memory for the www.google.com web request; if it does not
find it, it sends the request to the resolver server.
2. The resolver is basically at the ISP (internet service provider). When it receives the
query it checks its cache memory; if it cannot find the IP address, it sends the query to
the next level, i.e. the root server.
3. The root server is the top, or root, of the DNS hierarchy; 13 sets of these root
servers are placed around the world, each set having its own unique IP address. It does
not know the IP address, but it knows where to direct the resolver to help it find the
IP: it directs the resolver to the TLD server for the .com domain.
4. The TLD server stores the address information for the top-level domains, such as
.com, .net, .org, .in etc. It also does not know the IP address, so it directs the
resolver to the authoritative name server.
5. The authoritative name server is responsible for knowing everything about the domain,
which includes its IP address. It receives the query from the resolver and responds with
the IP address for yahoo.com. Once the resolver receives the IP address, it stores it in
its cache memory, so in case of another query for yahoo.com it does not need to go
through all the steps again.

DHCP (Dynamic Host Configuration Protocol)

DHCP is controlled by a DHCP server that dynamically distributes network configuration
parameters, such as the IP address, to interfaces and services.

DORA: discover, offer, request, acknowledgement
"The process of assigning the IP address by the DHCP server is also known as DORA."

1. The client makes a UDP broadcast (DHCP discover) to find a server.
2. The DHCP server offers an address to the client.
3. In response to the offer, the client requests the address from the server.
4. The server responds with the IP address/DNS information along with an acknowledgement.

Ports:

Client-side port: 68

Server-side port: 67

Antivirus

● It is an application installed to protect the computer from malware
● Works on signatures (database of known malware files)
● Stops/cleans/deletes malware execution
● Actions of AV: clean/delete/quarantine files after malware detection
● We can set exclusions on the AV
● There are 2 types of scanning:
  1. On access: real-time scanning (automatic)
  2. On demand: scheduled/manual scan

Antivirus software detects and removes malware, such as viruses, Trojans and worms.
Signature-based antivirus software detects known malware based on signature
definitions. Heuristic-based software detects previously unknown malware based on
behavior.

Vendor: Symantec, McAfee

Use Cases
1. Malware outbreak (same malware found in 'n' systems)
2. Multiple viruses in a single system
3. AV services are stopped
4. Trojan_ghost_CnC

MALWARE ANALYSIS:

Malware analysis is the study or process of determining the functionality, origin and
potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit,
or backdoor

Malware or malicious software is any computer software intended to harm the host
operating system or to steal sensitive data from users, organizations or companies.
Malware may include software that gathers user information without permission.

MALWARE ANALYSIS TYPES:

Static Analysis: Basic static analysis examines malware without viewing the actual
code or instructions. It employs different tools and techniques to quickly determine
whether a file is malicious or not, provide information about its functionality and collect
technical indicators to produce simple signatures. Technical indicators gathered with
basic static analysis can include file name, MD5 checksums or hashes, file type, file size
and recognition by antivirus detection tools.

Dynamic Analysis: Basic dynamic analysis actually runs malware to observe its
behavior, understand its functionality and identify technical indicators which can be
used in detection signatures. Technical indicators revealed with basic dynamic analysis
can include domain names, IP addresses, file path locations, registry keys, additional
files located on the system or network.
In short, static vs dynamic: static analysis examines malware without actually running
it, using different tools and techniques. Dynamic analysis (also known as behavior
analysis) executes malware in a controlled and monitored environment to observe its
behavior.
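The basic static indicators listed above (file name, hashes, file type, file size) plus the printable strings an analyst usually pulls first, computed in Python without executing the file. This is an added example written for this page; the sample bytes are constructed, carry an MZ header only for the type check, and contain no executable code.

```python
"""Basic static indicators of a file: hashes, size, type from magic bytes, and
printable strings, without executing it (example code written for this page)."""
import hashlib
import re

# Magic-byte prefixes mapped to a file type label.
MAGIC = [(b"MZ", "PE executable (MZ)"), (b"\x7fELF", "ELF executable"),
         (b"%PDF", "PDF document"), (b"PK\x03\x04", "ZIP archive (also Office/JAR)")]


def file_type(data: bytes) -> str:
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def extract_strings(data: bytes, min_len=6):
    """Runs of at least `min_len` printable ASCII bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def static_indicators(name: str, data: bytes) -> dict:
    """Collect the indicators a basic static pass records for a sample."""
    return {"file_name": name, "file_size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "file_type": file_type(data),
            "strings": extract_strings(data)}


# Constructed sample: an MZ header followed by filler and a few embedded strings
# (a URL and a path are typical indicators worth recording). Not a real program.
SAMPLE = (b"MZ" + b"\x00" * 30 + b"This program cannot be run in DOS mode"
          + b"\x00" * 8 + b"http://update.example.invalid/check" + b"\x01\x02"
          + b"C:\\Users\\Public\\svc.exe" + b"\x00" * 16)

if __name__ == "__main__":
    for key, value in static_indicators("sample.exe", SAMPLE).items():
        print(f"{key}: {value}")
```

Hashes change with any single byte, so the SHA-256 is the indicator to share and look up; the URL and path strings are the hints that steer the later dynamic analysis.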
HTTP RESPONSE CODES:

404 Not Found
403 Forbidden
500 Internal Server Error
503 Service Unavailable
504 Gateway Timeout

Firewall

● It allows/blocks traffic
● It is an IP and port filtering device
● It works on ACL (access control list) rules
● It has an implicit deny rule by default
● Example rule format:
  zone to zone | src ip   | dest ip  | port   | action
  INT to EXT   | 10.1.1.1 | 53.3.3.4 | 80/443 | deny/allow/drop
● It does stateful inspection
● It works at layer 3 and layer 4
● It is inline with traffic

A firewall is a device (or software feature) designed to control the flow of traffic into
and out of a network to prevent network attacks.

Vendor: Cisco ASA, Symantec, Juniper, Fortigate
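How the ACL rules, the implicit deny and stateful inspection above fit together, as an added example written for this page (not any vendor's code): rules are evaluated first-match in the page's column order, a flow that matches nothing is denied, and replies to a connection that was allowed pass through the state table without consulting the rules again. The rule base and zone names are constructed for the demonstration.

```python
"""First-match ACL evaluation with implicit deny and a minimal stateful table,
modelled on the rule columns above (example code written for this page)."""
import ipaddress

# Constructed rule base in the page's column order: zones, src, dst, port, action.
RULES = [
    {"from": "INT", "to": "EXT", "src": "10.1.0.0/16", "dst": "0.0.0.0/0",
     "ports": {80, 443}, "action": "allow"},
    {"from": "INT", "to": "EXT", "src": "10.1.0.0/16", "dst": "0.0.0.0/0",
     "ports": {53}, "action": "allow"},
    {"from": "INT", "to": "EXT", "src": "10.1.1.1/32", "dst": "53.3.3.4/32",
     "ports": {22}, "action": "deny"},
    {"from": "EXT", "to": "DMZ", "src": "0.0.0.0/0", "dst": "192.0.2.10/32",
     "ports": {443}, "action": "allow"},
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = [dict(r, src=ipaddress.ip_network(r["src"]),
                           dst=ipaddress.ip_network(r["dst"])) for r in rules]
        self.state = set()  # allowed connections as (src_ip, src_port, dst_ip, dst_port)

    def match_rule(self, flow):
        """Return the first rule matching the flow, or None (implicit deny)."""
        src = ipaddress.ip_address(flow["src_ip"])
        dst = ipaddress.ip_address(flow["dst_ip"])
        for r in self.rules:
            if (r["from"] == flow["from"] and r["to"] == flow["to"]
                    and src in r["src"] and dst in r["dst"]
                    and flow["dst_port"] in r["ports"]):
                return r
        return None

    def evaluate(self, flow):
        """Stateful inspection: replies to an established, allowed connection pass
        without consulting the rules; everything else is decided by first match."""
        reverse = (flow["dst_ip"], flow["dst_port"], flow["src_ip"], flow["src_port"])
        if reverse in self.state:
            return "allow (established)"
        rule = self.match_rule(flow)
        if rule is None:
            return "deny (implicit)"
        if rule["action"] == "allow":
            self.state.add((flow["src_ip"], flow["src_port"],
                            flow["dst_ip"], flow["dst_port"]))
        return rule["action"]


def flow(frm, to, src_ip, src_port, dst_ip, dst_port):
    return {"from": frm, "to": to, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.evaluate(flow("INT", "EXT", "10.1.1.1", 40000, "53.3.3.4", 443)))
    print(fw.evaluate(flow("EXT", "INT", "53.3.3.4", 443, "10.1.1.1", 40000)))
    print(fw.evaluate(flow("EXT", "INT", "53.3.3.4", 443, "10.1.1.1", 40001)))
    print(fw.evaluate(flow("INT", "EXT", "10.1.1.1", 40002, "53.3.3.4", 22)))
```

The third evaluation shows why the state table matters: the same external host on the same port is denied when no inside host opened that connection, which is exactly the unsolicited inbound traffic a "too many connections denied" use case counts.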

USE CASES

1. Too many connections denied/allowed
2. Traffic from a suspicious country
3. Firewall configuration changes
4. Too many VPN access failures
5. Bad IP communication

IPS/IDS (intrusion prevention/detection system)

● It performs deep packet inspection
● It works at layer 3 and layer 4
● It works on signatures (network patterns)
● It is deployed in IDS mode (learning mode)
● Sits inline with traffic

IDS, NIDS & HIDS:

1. IDS: An intrusion detection system (IDS) is a device or software application that
monitors a network or systems for malicious activity or policy violations.
2. HIDS: A system that monitors important operating system files is an example of a
HIDS.
3. NIDS: A system that analyzes incoming network traffic is an example of a NIDS.

IPS, HIPS & NIPS:

1. IPS: An intrusion prevention system (IPS) is a device or software application that
monitors a network or systems for malicious activity or policy violations and prevents
them.
2. HIPS: A system that monitors important operating system files is an example of a
HIPS.
3. NIPS: A system that analyzes incoming network traffic is an example of a NIPS.

Vendor: Palo Alto

Use cases
1. High-severity attack on several machines
2. Too many attacks from a single public IP

Proxy (web security)

● It scans traffic only on port 80/443
● It works on layer 3 and above
● It has an antivirus module (used whenever a file is downloaded from a website)
● It allows/blocks websites/content
● It does NATing (hides the internal IP)
● It has web categories (eg: sports, education, search engine, adult etc.)

Vendor: Forcepoint, F5 Networks

A proxy server is a server (a computer system or an application) that acts as an
intermediary for requests from clients seeking resources from other servers.

FORWARD PROXY (PROXY):

A forward proxy provides proxy services to a client or a group of clients. Oftentimes,
these clients belong to a common internal network, like the one shown in the figure
(figure not included).

Reverse proxy:

As its name implies, a reverse proxy does the exact opposite of what a forward proxy
does. While a forward proxy proxies on behalf of clients (or requesting hosts), a reverse
proxy proxies on behalf of servers. A reverse proxy accepts requests from external
clients on behalf of the servers stationed behind it, as the figure illustrates (figure
not included).
HONEY POTS:

A honeypot is a form of trap that security specialists use to detect hacking attacks or
collect malware samples.

Use cases

1. Too many HTTP requests from a user/machine
2. Too many requests to blocked/malicious websites

WAF (Web Application Firewall):

Web application firewalls help keep your servers safe from hackers by scanning activity
and identifying probes and attacks.

A web application firewall is an otherwise traditional firewall appliance that also
performs typical duties handled by multiple systems, including content filtering, spam
filtering, intrusion detection and antivirus. Web application firewalls are typically
used to protect web servers that are accessible from the Internet.

DMZ:

A demilitarized zone (DMZ) is a computer or subnetwork that sits between a trusted
internal network and an untrusted external network, usually the public Internet.

External-facing servers, resources and services are located in the DMZ so they are
accessible from the Internet while the rest of the internal LAN remains unreachable.

Email Security Solution

● It scans only SMTP (port 25) traffic
● It has spam (unwanted email) filtering rules
● It does file filtering (based on size, name, type)
● Blacklisting/whitelisting of sender/receiver domains
● It has an AV module
● It quarantines mails

Vendor: Forcepoint, F5 Networks

Use cases
1. Too many mails from/to a user
2. Too many large attachments
3. Sudden increase in spam mails

ZERO DAY VULNERABILITIES:

A security vulnerability is a weakness/security hole in a product which is not known to
the vendor.

ZERO DAY ATTACK/EXPLOIT:

A zero-day attack or exploit uses such a weakness/security hole in a product, not yet
known to the vendor, which allows an attacker to exploit it.

SYSLOG:
Syslog is a way for network devices to send event messages to a logging server – usually
known as a Syslog server. The Syslog protocol is supported by a wide range of devices
and can be used to log different types of events. For example, a router might send
messages about users logging on to console sessions, while a web-server might log
access-denied events.

Most network equipment, like routers and switches, can send Syslog messages. Not only
that, but *nix servers also have the ability to generate Syslog data, as do most firewalls,
some printers, and even web-servers like Apache. Windows-based servers don’t
support Syslog natively, but a large number of third-party tools make it easy to collect
Windows Event Log or IIS data and forward it to a Syslog server.

Syslog port number: 514
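A parser for the BSD-style syslog lines that arrive on port 514, written for this page as an added example (not from any syslog server): it decodes the `<PRI>` value into facility and severity (PRI = facility * 8 + severity), splits the header into timestamp, host, tag and PID, and filters the events by severity the way a SIEM collector would before forwarding. The sample lines are constructed.

```python
"""Parse BSD-style (RFC 3164) syslog lines as sent to port 514: decode the <PRI>
into facility and severity, split the header, and filter by severity
(example code written for this page)."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE   (the [PID] part is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")


def parse_syslog(line):
    """Return the decoded fields, or None if the line is not in RFC 3164 shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # facility would exceed 23, so the PRI is invalid
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "severity_num": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "message": m.group("msg")}


def at_least(events, max_severity_num):
    """Keep events whose severity is max_severity_num or more urgent (lower number)."""
    return [e for e in events if e["severity_num"] <= max_severity_num]


# Constructed sample lines (not real logs): PRI 34 = auth.critical, 13 = user.notice,
# 165 = local4.notice, plus one line that is not syslog at all.
SAMPLE_LINES = [
    "<34>Mar  1 10:00:01 fw01 sshd[1234]: Failed password for invalid user admin "
    "from 198.51.100.7 port 5555 ssh2",
    "<13>Mar  1 10:00:02 web01 nginx: GET /index.html 200",
    "<165>Mar  1 10:00:03 sw01 link: interface Gi1/0/7 changed state to down",
    "this line is not syslog",
]

if __name__ == "__main__":
    parsed = [p for p in map(parse_syslog, SAMPLE_LINES) if p]
    for e in at_least(parsed, 3):  # error or worse
        print(e["host"], e["facility"], e["severity"], e["message"])
```

Lines that fail to parse are returned as None rather than dropped silently in a real collector; counting them is a cheap check that a device's log format (or a connector) has not changed.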

Understanding Malware and its Types

Malware includes a wide range of software that has malicious intent. Malware is not
software that you would knowingly purchase or download and install. Instead, it is
installed onto your system through devious means. Infected systems give various
symptoms, such as running slower, starting unknown processes, sending out email without
user action, random reboots, and more.
You might hear people use the term virus to describe all types of malware, but that isn’t
accurate. A virus is a specific type of malware, and malware includes many other types of
malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware,
and more.

Viruses
A virus is a set of malicious code that attaches itself to a host application. The host
application must be executed to run, and the malicious code executes when the host
application is executed. The virus tries to replicate by finding other host applications to
infect with the malicious code. At some point, the virus activates and delivers its payload.
Typically, the payload of a virus is damaging. It may delete files, cause random reboots, join
the computer to a botnet, or enable backdoors that attackers can use to access systems
remotely.
Worms

A worm is self-replicating malware that travels throughout a network without the
assistance of a host application or user interaction. A worm resides in memory and is able
to use different transport protocols to travel over the network. One of the significant
problems caused by worms is that they consume network bandwidth. Worms can replicate
themselves hundreds of times and spread to all the systems in the network. Each infected
system tries to locate and infect other systems on the network, and network performance
can slow to a crawl.

Logic Bombs

A logic bomb is a string of code embedded into an application or script that will execute in
response to an event. The event may be a specific date or time, when a user launches a
specific program, or any event the programmer decides on.

A logic bomb executes in response to an event, such as when a specific application is
executed or a specific time arrives.

Backdoors

A backdoor provides another way of accessing a system, similar to how a backdoor in a
house provides another method of entry. Malware such as Trojans often installs backdoors
on systems to bypass normal authentication methods.
Application developers often code backdoors into applications, but this practice is not
recommended. For example, an application developer might create a backdoor within an
application intended for maintenance purposes. However, if attackers discover the
backdoor, they can use it to access the application.

Trojan

A Trojan appears to be something useful but includes a malicious component, such as
installing a backdoor on a user’s system. Many Trojans are delivered via drive-by
downloads. They can also infect systems from rogueware, pirated software, games, or
infected USB drives.

Botnets

A botnet combines the words robot and network. It includes multiple computers that act as
software robots and function together in a network (such as the Internet), often for
malicious purposes. The computers in a botnet are called zombies and they will do the
bidding of whoever controls the botnet.
Bot herders are criminals who manage botnets. They attempt to infect as many computers
as possible and control them through one or more servers running command-and-control
software. The infected computers periodically check in with the command-and-control
servers, receive direction, and then go to work. The user is often unaware of the activity.
Most computers join a botnet through malware infection. For example, a user could
download pirated software with a Trojan or click a malicious link, resulting in a drive-by
download. The malware then joins the system to a botnet.

Some of the instructions sent by the command-and-control servers include:

● Send spam.
● Launch a distributed denial-of-service attack.
● Download additional malware, adware, or spyware such as keyloggers.

Rootkits

A rootkit is a group of programs (or, in rare instances, a single program) that hides the
fact that the system has been infected or compromised by malicious code. A user may suspect
something is wrong, but antivirus scans and other checks may indicate everything is fine
because the rootkit hides its running processes to avoid detection.
In addition to modifying the internal operating system processes, rootkits often modify
system files such as the Registry. In some cases, the rootkit modifies system access, such as
removing users’ administrative access.
Rootkits have system-level access to systems. This is sometimes called root-level access, or
kernel-level access, indicating that they have the same level of access as the operating
system.

Spyware
Spyware is software installed on users’ systems without their awareness or consent. Its
purpose is often to monitor the user’s computer and the user’s activity. Spyware takes some
level of control over the user’s computer to learn information and sends this information to
a third party. If spyware can access a user’s private data, it results in a loss of
confidentiality.
Some examples of spyware activity are changing a user’s home page, redirecting web
browsers, and installing additional software, such as search engines. In some situations,
these changes can slow a system down, resulting in poorer performance.

Adware

When adware first emerged, its intent was usually to learn a user’s habits for the
purpose of targeted advertising. As the practice of gathering information on users became
more malicious, more people began to call it spyware. However, some traditional adware
still exists.
A common type of adware is pop-ups. For example, while you are visiting a site, another
browser window appears, or pops up, with an advertisement. These pop-up windows aren’t
malicious, but they are annoying.
Sometimes pop-ups can be helpful. As a legitimate example, my online bank has interest-rate
information that I can view. When I click on this link, it pops up another window showing
the interest-rate information without taking me away from the current page I’m viewing.

Ransomware

Ransomware is a type of malware that prevents or limits users from accessing their system,
either by locking the system's screen or by locking the users' files unless a ransom is paid.
More modern ransomware families, collectively categorized as crypto-ransomware, encrypt
certain file types on infected systems and force users to pay the ransom through certain
online payment methods to get a decryption key.

Well known attacks

DoS attack

A denial of service (DoS) is an attack intended to make a computer’s resources or services
unavailable to users. In other words, it prevents a server from operating or responding to
normal requests. A DoS attack comes from a single attacker.

SYN flood attack

A SYN flood is a common DoS attack used against servers on the internet. It disrupts the TCP
handshake process and can prevent legitimate clients from connecting. In a SYN flood attack,
the attacker never completes the handshake by sending the ACK packet. Additionally, the
attacker sends a barrage of SYN packets, leaving the server with multiple half-open
connections.
DDoS attack

A denial-of-service (DoS) attack is an attack from one attacker against one target. A
distributed denial-of-service (DDoS) attack is an attack from two or more computers against
a single target.
DDoS attacks often include sustained, abnormally high network traffic on the network
interface card of the attacked computer. Other system resource usage (such as the
processor and memory usage) will also be abnormally high. The goal of both is to prevent
legitimate users from accessing services on the target computer. Many DoS and DDoS
attacks attempt to consume resources on the target computer. For example, a SYN
(synchronize) flood attack consumes memory resources by flooding a system with half-open
connections.
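An added example, not from the original notes, of how a SIEM rule could tell the three cases above apart from captured TCP flags: count handshakes that saw a SYN but never the client's final ACK, then decide whether one source or many are behind them. The packet records, addresses and thresholds are constructed.

```python
from collections import defaultdict

TARGET = ("10.0.0.5", 80)   # constructed server under observation


def client_packets(src_ip, n, complete, base_ts=0.0, first_port=40000):
    """Build the client side of n TCP handshakes to TARGET: a SYN, plus the final ACK if
    `complete`. Records are (timestamp, src_ip, src_port, dst_ip, dst_port, flags). The
    server's SYN-ACK is omitted: only the client's packets decide whether a handshake finished."""
    pkts = []
    for i in range(n):
        sport = first_port + i
        pkts.append((base_ts + i, src_ip, sport, TARGET[0], TARGET[1], "S"))
        if complete:
            pkts.append((base_ts + i + 0.01, src_ip, sport, TARGET[0], TARGET[1], "A"))
    return pkts


# Constructed captures: normal traffic, a single-source SYN flood, and a flood from eight sources.
LEGIT = client_packets("192.0.2.10", 3, complete=True)
SAMPLE_DOS = LEGIT + client_packets("203.0.113.9", 30, complete=False, base_ts=10.0)
SAMPLE_DDOS = LEGIT + [
    p for i in range(1, 9)
    for p in client_packets(f"198.51.100.{i}", 5, complete=False, base_ts=10.0 + i)
]


def half_open_by_source(packets, dst_ip, dst_port):
    """Count, per source IP, connections to dst that sent a SYN but never the final ACK."""
    pending = set()                       # (src_ip, src_port) with an unfinished handshake
    for _, src, sport, dst, dport, flags in sorted(packets):
        if (dst, dport) != (dst_ip, dst_port):
            continue
        if flags == "S":
            pending.add((src, sport))
        elif flags == "A":
            pending.discard((src, sport))
    counts = defaultdict(int)
    for src, _ in pending:
        counts[src] += 1
    return dict(counts)


def classify_flood(packets, dst_ip, dst_port, threshold=20, distributed_from=5):
    """'normal' below `threshold` half-open connections; otherwise 'dos' for a single source
    and 'ddos' once `distributed_from` or more sources share the flood. Spoofed source
    addresses can make one attacker look distributed, so the source count is a hint, not proof."""
    counts = half_open_by_source(packets, dst_ip, dst_port)
    if sum(counts.values()) < threshold:
        return "normal"
    return "ddos" if len(counts) >= distributed_from else "dos"
```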

Brute Force Attacks


A brute force attack attempts to guess all possible character combinations; it is a trial-and-error
method. In the logs, multiple login failures may be followed by a successful login. One of the
best protections against offline brute force attacks is to use complex passwords.
Account lockout policies (also covered in Chapter 1) are effective against online brute force
attacks.

ARP(ADDRESS RESOLUTION PROTOCOL)

The MAC address is the physical address, or hardware address, assigned to the network
interface card (NIC). ARP resolves the IP addresses of systems to their hardware address
and stores the result in an area of memory known as the ARP cache.
TCP/IP uses the IP address to get a packet to a destination network. Once the packet
arrives on the destination network, it uses the MAC address to get it to the correct host.
ARP uses two primary messages:
ARP request. The ARP request broadcasts the IP address and essentially asks, “Who has
this IP address?”
ARP reply. The computer with the IP address in the ARP request responds with its
MAC address. The computer that sent the ARP request caches the MAC address for the IP.
In many operating systems, all computers that hear the ARP reply also cache the MAC
address.

ARP Poisoning Attack

Address Resolution Protocol (ARP) poisoning is an attack that misleads computers or
switches about the actual MAC address of a system.
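Added example (not in the original notes): a detector that replays observed ARP replies into a cache and raises the two signs of poisoning that follow from the description above, an IP address whose MAC changes and one MAC answering for several IPs. The sample replies and addresses are constructed.

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) in the order a sensor on the LAN saw them.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),    # the default gateway
    ("10.0.0.20", "00:11:22:33:44:20"),   # a workstation
    ("10.0.0.1", "00:11:22:33:44:01"),    # gateway again, unchanged
    ("10.0.0.1", "AA:BB:CC:DD:EE:FF"),    # gateway's IP now answered by a different MAC
    ("10.0.0.20", "AA:BB:CC:DD:EE:FF"),   # the same MAC also claims the workstation's IP
]


def detect_arp_poisoning(replies, static_entries=None):
    """Replay ARP replies into a cache and flag the signs of poisoning: an IP whose MAC
    changes, and one MAC answering for several IPs. `static_entries` holds IP->MAC pairs
    the operator knows to be correct (e.g. the gateway). Returns (final_cache, alerts)."""
    static_entries = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    cache = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in static_entries and static_entries[ip] != mac:
            alerts.append(("static_mismatch", ip, mac))
        previous = cache.get(ip)
        if previous is not None and previous != mac:
            # Legitimate causes exist too (NIC replaced, DHCP lease moved), so treat this as
            # a lead, not proof; the gateway changing MAC mid-day is the classic warning sign.
            alerts.append(("mac_changed", ip, f"{previous}->{mac}"))
        cache[ip] = mac
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1 and len(ips_per_mac[mac]) != before:
            alerts.append(("mac_claims_multiple_ips", mac, sorted(ips_per_mac[mac])))
    return cache, alerts
```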

Zero-Day Attacks

A zero-day attack is one that exploits an undocumented vulnerability. Many times, the
vendor isn’t aware of the issue. At some point, the vendor learns of the vulnerability and
begins to write and test a patch to eliminate it. However, until the vendor releases the
patch, the vulnerability is still a zero-day vulnerability.

Buffer Overflows and Buffer Overflow Attacks


A buffer overflow occurs when an application receives more input, or different input, than it
expects. The result is an error that exposes system memory that would otherwise be
protected and inaccessible. Normally, an application will have access only to a specific area
of memory, called a buffer. The buffer overflow allows access to memory locations beyond
the application’s buffer, enabling an attacker to write malicious code into this area of
memory.
As an example, an application may be expecting to receive a string of 15 characters for a
username. If input validation is not used and it receives more than 15 characters, it can
cause a buffer overflow and expose system memory.

Buffer overflows occur when an application receives more data than it can handle, or
receives unexpected data that exposes system memory. Buffer overflow attacks often
include NOP instructions (such as 0x90) followed by malicious code. When successful, the
attack causes the system to execute the malicious code. Input validation helps prevent
buffer overflow attacks.

SQL Injection Attack

SQL (Structured Query Language) is the language used to maintain an application's database,
which holds data such as usernames, passwords, and permissions.

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious
SQL statements (also commonly referred to as a malicious payload) that control a web
application’s database server (also commonly referred to as a Relational Database
Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect
any website or web application that makes use of an SQL-based database, the vulnerability
is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

How SQL Injection works


In order to run malicious SQL queries against a database server, an attacker must first find
an input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly
include user input within an SQL statement. An attacker can then insert a payload that will
be included as part of the SQL query and run against the database server.

Cross-Site Scripting

Cross-site scripting is one of the most common application-layer web attacks.

To check whether a site is vulnerable, an attacker submits input written in client-side
scripting languages, such as HTML and JavaScript, and checks whether the site executes it.

Cross-site scripting (XSS) is another web application vulnerability that can be prevented
with input validation. Attackers embed malicious HTML or JavaScript code into an email or
web site error message. If a user responds to the email or error message, it executes the
code. Many times, this gives the attacker access to user cookies or other information about
the user.

Cross-Site Request Forgery (XSRF)

Cross-site request forgery (XSRF or CSRF) is an attack where an attacker tricks a user into
performing an action on a web site. The attacker creates a specially crafted HTML link and
the user performs the action without realizing it.
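Added example covering both the XSS and the XSRF sections (it is not from the original notes): output encoding of untrusted text before it goes into a page, and a per-session anti-forgery token checked before a state-changing request is honoured. The session dictionary, handler and form fields are constructed stand-ins for a real web framework.

```python
import hmac
import html
import secrets


def render_comment_vulnerable(author, body):
    """Untrusted text dropped straight into the page: any script or event handler in it runs."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Same page with output encoding: <, >, &, \" and ' become entities shown as text.
    html.escape suits HTML body and quoted-attribute contexts; a value placed inside a
    <script> block or a URL needs that context's own encoding instead."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """True only if the submitted token equals the one in this user's session. A link or
    form crafted on another site never sees the session, so it cannot supply the value."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_transfer(session, form):
    """Server-side handler for a state-changing request: refuse unless the token round-trips."""
    if not verify_csrf(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"ok: transferred {form['amount']} to {form['to']}"
```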

Phishing

Phishing is the practice of sending email to users with the purpose of tricking them into
revealing personal information or clicking on a link. A phishing attack often sends the user
to a malicious web site that appears to the user as a legitimate site.
The classic example is where a user receives an email that looks like it came from eBay,
PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the
recipient has an account at the company, just as a fisherman doesn’t know if any fish are in
the water where he casts his line. However, if the attacker sends out enough emails, the
odds are good that someone who receives the email has an account.
The email may look like this:
“We have noticed suspicious activity on your account. To protect your privacy, we will
suspend your account unless you are able to log in and validate your credentials. Click here
to validate your account and prevent it from being locked out.”

Phishing is a technique that deceives people in order to obtain data from them. The social
engineer tries to impersonate a genuine web page, such as Yahoo or Facebook, and asks the
user to enter their password and account ID.

It can be prevented by:

· Having a guard against spam
· Communicating personal information through secure websites only
· Never downloading files or attachments in emails from unknown senders
· Never e-mailing financial information
· Being wary of links in e-mails that ask for personal information
· Not entering personal information in a pop-up screen

A technique used to scam people for information by impersonating a genuine site like
Facebook or Hotmail, to lure the user into entering their personal account and password
information.

Phishing is a type of social engineering attack often used to steal user data, including login
credentials and credit card numbers. The attacker sends malware through email (tricking the
user into clicking a particular link), and once the victim clicks the link the malware is
installed on their system.

Spear Phishing

Spear phishing is a targeted form of phishing. Instead of sending the email out to everyone
indiscriminately, a spear phishing attack attempts to target specific groups of users, or even
a single user. Spear phishing attacks may target employees within a company or customers
of a company.

Whaling

Whaling is a form of spear phishing that attempts to target high-level executives.

Vishing

Vishing attacks use the phone system to trick users into giving up personal and financial
information. It often uses Voice over IP (VoIP) technology and tries to trick the user similar
to other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it
appear as though the call came from a real company.

Privilege Escalation
Privilege escalation occurs when a user or process accesses elevated rights and permissions.
When attackers first compromise a system, they often have minimal privileges. However,
privilege escalation tactics allow them to get more and more privileges.

Social Engineering attacks

Social engineering is the practice of using social tactics to gain information. It’s often
low-tech and encourages individuals to do something they wouldn’t normally do, or causes
them to reveal some piece of information, such as user credentials.

Shoulder Surfing
Shoulder surfing is simply looking over the shoulder of someone to gain information. The
goal is to gain unauthorized information by casual observation, and it’s likely to occur
within an office environment. This can be to learn credentials, such as a username and
password, or a PIN used for a smart card or debit card. Recently, attackers have been using
cameras to monitor locations where users enter PINs, such as at automatic teller machines
(ATMs).

Dumpster Diving
Dumpster diving is the practice of searching through trash or recycling containers to gain
information from discarded documents. Many organizations either shred or burn paper
instead of throwing it away.

Impersonating

Some social engineers often attempt to impersonate others. The goal is to convince an
authorized user to provide some information, or help the attacker defeat a security control.

Phases of Hacking

Reconnaissance
Reconnaissance is the phase where the attacker gathers information about a target using
active or passive means. The tools that are widely used in this process are NMAP, Hping,
Maltego, and Google Dorks.
Scanning
In this process, the attacker begins to actively probe a target machine or network for
vulnerabilities that can be exploited. The tools used in this process are Nessus, Nexpose,
and NMAP.

Gaining Access
In this process, the vulnerability is located and you attempt to exploit it in order to enter
into the system. The primary tool that is used in this process is Metasploit.
Maintaining Access
It is the phase in which the hacker has already gained access to a system. After gaining
access, the hacker installs some backdoors in order to re-enter the owned system whenever
access is needed in the future. Metasploit is the preferred tool in this process.
Clearing Tracks
This process is actually an unethical activity. It has to do with the deletion of logs of all
the activities that take place during the hacking process.
Reporting
Reporting is the last step of finishing the ethical hacking process. Here the Ethical Hacker
compiles a report with his findings and the job that was done such as the tools used, the
success rate, vulnerabilities found, and the exploit processes.
Cyber Kill Chain

Cyber Kill Chain framework is a model for identification and prevention of cyber-attacks.

What are the steps?


1. Reconnaissance: Attackers gather information on the target. Much of the information is
readily available to the public.
2. Weaponization: Attackers develop a malicious payload for the victim. The victim is
largely unaware.
3. Delivery: Attackers launch their intrusion. The delivery method can take many forms.
4. Exploitation: Attackers compromise their target. Victim may still be unaware.
5. Installation: Attackers gain persistence on their target. Can be the delivery of malware
to a computer. If an elaborate attack, may take months to complete.
6. Command and control: Attackers issue commands to their payload. The adversary
will operate internal assets remotely.
7. Action on objectives: Attackers complete their end goal. The active attack process can
take months.
Threats

A threat is a potential danger: any circumstance or event that can compromise the
confidentiality, integrity, or availability of data or a system.

Malicious Insider Threat


A malicious insider is anyone that has legitimate access to an organization’s internal
resources, but exploits this access for personal gain or damage against the company. This
person’s actions can compromise confidentiality, integrity, and availability.

Vulnerabilities
A vulnerability is a flaw or weakness in software or hardware, or a weakness in a process
that could be exploited, resulting in a security breach. Just because a vulnerability exists
doesn’t mean it will be exploited, only that it can be exploited.
Examples of vulnerabilities include:
Lack of updates. If systems aren’t kept up to date with patches, hotfixes, and service packs,
they are vulnerable to bugs and flaws in the software.
Default configurations. If defaults aren’t changed in hardware and software
configurations, they are susceptible to attacks. Similarly, default usernames and passwords
are susceptible to attacks if they aren’t changed.
Lack of malware protection or updated definitions. If antivirus and anti-spyware
protection isn’t used and kept up to date, systems are vulnerable to malware attacks.
No firewall. If personal and network firewalls aren’t enabled or configured properly,
systems are more vulnerable to network and Internet-based attacks.
Lack of organizational policies. If job separation, mandatory vacations, and job rotation
policies aren’t implemented, an organization may be more susceptible to fraud and
collusion from employees.

The vulnerability assessment is prioritized based on the severity of the vulnerabilities and
their ability to affect the high value asset items. A vulnerability assessment checks for the
existence of security controls such as a password policy and can include a user rights and
access review to identify unused accounts, or accounts with unneeded permissions.
However, a vulnerability assessment identifies these issues, but does not make changes.

Risks
A risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a
weakness, and a threat is a potential danger. The result is a negative impact on the
organization. Impact refers to the magnitude of harm that can be caused if a threat
exercises a vulnerability.
For example, a system without up-to-date antivirus software is vulnerable to malware.
Malware written by malicious attackers is the threat. The likelihood that the malware will
reach a vulnerable system represents the risk. Depending on what the malware does, the
impact may be an unbootable computer, loss of data, or a remote-controlled computer that
has joined a botnet.

A risk assessment identifies assets, asset values, threats, and vulnerabilities. It prioritizes
the results and makes recommendations on what controls to implement. Risk cannot be
eliminated.

RISK = Threat × Vulnerability


Basic Network commands

We use ipconfig to find the router's IP address. Once you have that, you can ping the router
to test if it is responsive. The problem with the ping command is that, while it is fast, it
doesn't give you a lot of information. For that, we use the tracert command, which will be
covered next.

1->Hostname (How do I find my system name)

This command is used to identify the host name (your computer name).

2->ipconfig (How do I find My IP Address)


You’ll see a list of all the network connections your computer is using. Look under
“Wireless LAN adapter” if you’re connected to Wi-Fi or “Ethernet adapter” if you’re
connected to a wired network. For even more details, you can use the ipconfig
/all command.
3->ping (Packet InterNet Groper) (How do I find whether a server is up or down)
Helps in determining whether an IP address on a TCP/IP network is reachable, as well as
identifying issues with the network and assisting in resolving them.

Example: ping google.com

So what happens when we ping a machine?

● The source sends an ICMP echo-request message to the destination.
● The ping program sets a sequence identifier which gets incremented with each
echo-request message. It also sets a TTL (Time-to-live) period.
● Ping also inserts the sending time in the data section of the message.
● If the host is alive and responding, it sends an ICMP echo-reply message back to the
source.
● Ping notes the time of the arrival of the response message, uses the sending time in
the message part and calculates the round-trip time.
● It then increments the sequence identifier (as said above) and sends a new echo-request
message. This goes on for the number of ping requests set by the user or until the
program is terminated.

The whole of the data is calculated to summarize the percentage of packet loss and other
such information and the summarized data is then displayed, showing the number of
packets transmitted, received, percentage of packet loss, total time taken, the minimum,
average and maximum round-trip time.
4->tracert (How do I find the path packets take to a destination across multiple hops)
The tracert command is used to visually see a network packet being sent and received and
the number of hops required for that packet to get to its destination.

Each IP packet that you send on the internet has a field called TTL. TTL stands for Time To
Live. Although it is called Time To Live, it is not actually a time in seconds; it is something
else.

TTL is not measured in seconds but in hops. It is the maximum number of hops that a packet
can travel through across the internet before it is discarded.

Hops are nothing but the computers, routers, or any devices that come in between the source
and the destination.
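The ping bookkeeping and the TTL-based tracert mechanism described under the last two commands, as an added simulation that is not from the original notes: the echo records and the router path are constructed, so it runs offline without sending any packets.

```python
# Constructed ping records: (sequence, sent_at_seconds, received_at_seconds or None if no reply)
SAMPLE_PINGS = [(1, 0.000, 0.0123), (2, 1.000, 1.0118), (3, 2.000, None), (4, 3.000, 3.0151)]

# Constructed path to a destination: every router the packet crosses, destination last.
SAMPLE_PATH = ["10.0.0.1", "203.0.113.1", "198.51.100.9", "192.0.2.80"]


def ping_summary(records):
    """What ping does after its last reply: pair each echo-reply with the send time carried
    in the request, compute per-packet round-trip time, then loss % and min/avg/max in ms."""
    sent = len(records)
    rtts = [(recv - snt) * 1000.0 for _, snt, recv in records if recv is not None]
    received = len(rtts)
    loss = 100.0 * (sent - received) / sent if sent else 0.0
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(loss, 1),
        "min_ms": round(min(rtts), 1) if rtts else None,
        "avg_ms": round(sum(rtts) / received, 1) if rtts else None,
        "max_ms": round(max(rtts), 1) if rtts else None,
    }


def forward(path, ttl):
    """Simulate routers decrementing TTL. Returns (node where the packet stopped, reached_dest).
    A router that decrements TTL to zero discards the packet and answers with ICMP Time
    Exceeded, which is how tracert learns that router's address."""
    for node in path:
        ttl -= 1
        if ttl == 0:
            return node, node == path[-1]
    return path[-1], True


def tracert(path, max_hops=30):
    """Probe with TTL = 1, 2, 3, ... until a probe reaches the destination; each probe's
    ICMP response reveals one more hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        node, done = forward(path, ttl)
        hops.append((ttl, node))
        if done:
            break
    return hops
```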

5->netstat
Displays active TCP connections, ports on which the computer is listening, Ethernet
statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols),
and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).
Used without parameters, netstat displays active TCP connections.

Specifically, the netstat command can show details about individual network connections,
overall and protocol-specific networking statistics, and much more, all of which could help
troubleshoot certain kinds of networking issues.
6->pathping
Provides information about network latency and network loss at intermediate hops
between a source and destination. Pathping sends multiple Echo Request messages to each
router between a source and destination over a period of time and then computes results
based on the packets returned from each router.

When you run the command (pathping), it will first display the hops that it is going
through, basically the same process as a 'tracert' command line. Once the trace is complete,
pathping displays a busy message for the next 100 seconds, variable depending on the
number of hops, while it is computing the information previously gathered from the
routers and the links between them.
7->arp
Displays, adds, and removes entries in the local ARP cache (IP-to-MAC mappings for network devices).

8->nslookup
Displays information that you can use to diagnose Domain Name System (DNS)
infrastructure. Before using this tool, you should be familiar with how DNS works. The
Nslookup command-line tool is available only if you have installed the TCP/IP protocol.
9->getmac

DOS command used to show both local and remote MAC addresses. When run with no
parameters (ie. getmac) it displays MAC addresses for the local system. When run with the
/s parameter (eg. getmac /s \\foo) it displays MAC addresses for the remote computer.
When the /v parameter is used, it also displays the associated connection name and
network adapter name.

10->telnet
Telnet is software that allows users to remotely access another computer such as a server,
network device, or other computer. With telnet users can connect to a device or computer,
manage a network device, set up a device, transfer files, etc.

If this ping test passes, it means that your client machine can see the server machine. This
does NOT mean you can connect to the server machine.

Once the ping test passes, you can use Telnet to test if your client machine can connect to
the server machine. Use the following steps to perform this test

● Type the following in the Console (DOS) Window:

telnet serverOne 1433

IMPORTANT: On Windows Vista and Windows 7, Microsoft does not install the
Telnet client by default. You will have to install this manually from Add/Remove
Windows Components.

Principles of Security/ 3 pillars of Security

Confidentiality

Confidentiality ensures that data is only viewable by authorized users. If there is a risk of
sensitive data falling into the wrong hands, it should be encrypted to make it unreadable.
Any data should be protected with access controls to enforce confidentiality.

Integrity

Integrity is used to verify that data has not been modified, and loss of integrity can occur
through unauthorized or unintended changes. Hashing algorithms such as MD5, HMAC, or
SHA1 can calculate hashes to verify integrity. A hash is simply a number created by applying
the algorithm to a file or message at different times. The hashes are compared to each other
to verify that integrity has been maintained.
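Added example (not from the original notes) of the hash comparison just described, applied as a file-integrity baseline: hash the files once, hash them again later, report any that differ, plus the HMAC variant for when the stored digests themselves might be tampered with. The file contents are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for files on disk: path -> contents.
SAMPLE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}


def sha256_digest(data):
    # MD5 and SHA-1 (named above) still catch accidental change, but they are no longer
    # collision-resistant, so a deliberate tamperer could craft a matching file; use SHA-256.
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key):
    """HMAC-SHA256 with a secret key: someone who changes a file and can also rewrite the
    stored digests still cannot produce a matching value without the key."""
    return lambda data: hmac.new(key, data, "sha256").hexdigest()


def baseline(files, digest=sha256_digest):
    """Hash every file once (e.g. at install time) and keep the result as the reference."""
    return {name: digest(data) for name, data in files.items()}


def verify(files, expected, digest=sha256_digest):
    """Hash the files again later; return the names whose digest no longer matches
    (a file that has disappeared is reported too)."""
    current = baseline(files, digest)
    return sorted(name for name in expected if current.get(name) != expected[name])
```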

Availability

Availability indicates that data and services are available when needed. For some
companies, this simply means that the data and services must be available between 8 a.m.
and 5 p.m., Monday through Friday. For other companies, this means they must be available
twenty-four hours a day, seven days a week, 365 days a year.

OWASP Top 10
A1:2017-Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is
sent to an interpreter as part of a command or query. The attacker's hostile data can trick
the interpreter into executing unintended commands or accessing data without proper
authorization.

A2:2017-Broken Authentication

Application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys, or session
tokens, or to exploit other implementation flaws to assume other users' identities
temporarily or permanently.

A3:2017-Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial,
healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct
credit card fraud, identity theft, or other crimes. Sensitive data may be compromised
without extra protection, such as encryption at rest or in transit, and requires special
precautions when exchanged with the browser.

A4:2017-XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within
XML documents. External entities can be used to disclose internal files using the file URI
handler, internal file shares, internal port scanning, remote code execution, and denial of
service attacks.

A5:2017-Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced.
Attackers can exploit these flaws to access unauthorized functionality and/or data, such as
access other users' accounts, view sensitive files, modify other users' data, change access
rights, etc.

A6:2017-Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of
insecure default configurations, incomplete or ad hoc configurations, open cloud storage,
misconfigured HTTP headers, and verbose error messages containing sensitive
information. Not only must all operating systems, frameworks, libraries, and applications
be securely configured, but they must be patched/upgraded in a timely fashion.

A7:2017-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page
without proper validation or escaping, or updates an existing web page with user-supplied
data using a browser API that can create HTML or JavaScript. XSS allows attackers to
execute scripts in the victim's browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.

A8:2017-Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws
do not result in remote code execution, they can be used to perform attacks, including
replay attacks, injection attacks, and privilege escalation attacks.

A9:2017-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same
privileges as the application. If a vulnerable component is exploited, such an attack can
facilitate serious data loss or server takeover. Applications and APIs using components
with known vulnerabilities may undermine application defenses and enable various
attacks and impacts.

A10:2017-Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with
incident response, allows attackers to further attack systems, maintain persistence, pivot to
more systems, and tamper, extract, or destroy data. Most breach studies show time to
detect a breach is over 200 days, typically detected by external parties rather than internal
processes or monitoring.

SLA (Service Level Agreement) :

P1 – Priority 1 incident tickets (Critical)

P2 – Priority 2 incident tickets (High)

P3 – Priority 3 incident tickets (Moderate)


P4 – Priority 4 incident tickets (Low)

Incident Resolution:
P1 – 1 hour
P2 – 1 day
P3 – 2 days
P4 – 1 week

Brute Force Logins Attempt

Impact:

1.A brute force attack can manifest itself in many different ways, but primarily consists of
an attacker configuring predetermined values, making requests to a server using those
values, and then analyzing the response.

2.Unauthorized User can gain access.

3.Source might be flooding the Unwanted requests to AD/Target.

4.Chances of Infection in source is also there.

Recommendation:

1.Check the reason for failure in Source and if any Passwords Saved.

2.Check if any infections and scan the System.
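A detection rule for the brute force use case above, as an added example (not code from the original notes or from any SIEM product). It flags a source that produces five or more failed logins against one host inside a one-minute sliding window, and raises the alert to critical when a successful login from the same source follows the burst, which is the case an analyst most wants to see first. The sshd-style log lines, the threshold and the window are constructed assumptions for the demo.

```python
"""Brute-force login detection over constructed authentication log lines.

Sliding-window rule: >= threshold failures from one source to one host inside
`window` raise an alert; an Accepted login from the same source within the
window after the burst upgrades the alert to critical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for alice from 10.60.1.50 port 51000
2024-03-01T10:00:03 host1 sshd: Failed password for alice from 10.60.1.50 port 51001
2024-03-01T10:00:05 host1 sshd: Failed password for bob from 10.60.1.50 port 51002
2024-03-01T10:00:06 host1 sshd: Failed password for root from 10.60.1.50 port 51003
2024-03-01T10:00:08 host1 sshd: Failed password for admin from 10.60.1.50 port 51004
2024-03-01T10:00:09 host1 sshd: Accepted password for alice from 10.60.1.50 port 51005
2024-03-01T10:05:00 host1 sshd: Failed password for carol from 10.60.1.77 port 52000
2024-03-01T10:20:00 host1 sshd: Failed password for carol from 10.60.1.77 port 52001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return a dict with ts, host, result, user, src, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alert dicts; severity is 'high', or 'critical' if a login succeeded."""
    failures = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    tripped = {}                    # (src, host) -> time the rule first fired
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            q = failures[key]
            q.append(ev["ts"])
            # drop failures older than the window so the count stays time-bounded
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in tripped:
                tripped[key] = ev["ts"]
                alerts.append({"src": ev["src"], "host": ev["host"],
                               "failures": len(q), "severity": "high",
                               "first": q[0], "last": ev["ts"]})
        elif ev["result"] == "Accepted" and key in tripped:
            if ev["ts"] - tripped[key] <= window:
                # success right after a burst of failures: likely a guessed credential
                for a in alerts:
                    if (a["src"], a["host"]) == key:
                        a["severity"] = "critical"
                        a["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the constructed input, 10.60.1.50 trips the rule on its fifth failure and is upgraded to critical by the following successful login as alice, while 10.60.1.77 (two failures fifteen minutes apart) never reaches the threshold, which is the point of bounding the count by time rather than counting failures forever.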

Backdoor activity

Impact:

1. This attack could pose a serious security threat, as the source is trying to access the destination through backdoor port 3198.

2. The target IP (10.60.1.217) seems to be an internal IP; please verify why the source is trying to access it through a backdoor port.

3. Backdoors can be used to bypass security policies and may enable attackers to take total control of the system.

Recommendation:

1. Check why the user is trying to access the backdoor port.

2. Kindly block access through backdoor ports.

3. If the port is assigned to a particular application, move that application to another port and block access through the backdoor port.

4. As a workaround, remove any infected machines from the network so that the virus cannot propagate, run a full system scan manually and ensure that no files are infected with a virus/worm.

5. Make sure that the antivirus is updated and network shares are protected by strong passwords.

Web Crawler activities

Impact:

1. A robot is a bot program that systematically browses the Web's hypertext structure by retrieving a document and recursively retrieving all documents that are referenced. The robots.txt file is often misunderstood by Web developers: the file will not protect or hide content.

2. A bad robots.txt file will list admin pages, Web logs, and similar locations, and all the locations listed in robots.txt can be accessed by anyone who reads the file. Check server logs for sources that retrieve many documents, especially in a short time.

3. The robots.txt file is commonly placed in the root directory of a system's Web server to control the actions of Web robots.

4. A user who is able to modify the contents of the robots.txt file could control the actions of Web robots on your server.

Recommendation:

1. Kindly check the source address and review the contents of the robots.txt file to check whether the information is consistent with the policies of the organization.

2. If the source is not legitimate, kindly block it at the perimeter firewall level.
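The two checks the impact section asks for, as an added example (not from the original notes): reviewing a robots.txt file for Disallow entries that advertise sensitive locations, and scanning web server access-log lines for sources that retrieve many documents in a short time, plus a join of the two that shows which listed locations a source actually requested. The robots.txt content, the Common Log Format lines, the keyword list and the rate threshold are all constructed assumptions.

```python
"""Web crawler activity review over constructed data.

review_robots      -> Disallow paths whose names hint at sensitive content
rapid_retrievers   -> sources exceeding max_requests inside a sliding window
robots_paths_fetched -> which disallowed locations each source really fetched
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed robots.txt (not from a real site).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /logs/
Disallow: /backup/
Disallow: /images/
Allow: /public/
"""

# Constructed access-log lines in Common Log Format (not real data).
SAMPLE_ACCESS_LOG = """\
10.60.1.90 - - [01/Mar/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120
10.60.1.90 - - [01/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 403 512
10.60.1.90 - - [01/Mar/2024:10:00:01 +0000] "GET /logs/ HTTP/1.1" 403 512
10.60.1.90 - - [01/Mar/2024:10:00:02 +0000] "GET /backup/ HTTP/1.1" 403 512
10.60.1.90 - - [01/Mar/2024:10:00:02 +0000] "GET /a.html HTTP/1.1" 200 900
10.60.1.90 - - [01/Mar/2024:10:00:03 +0000] "GET /b.html HTTP/1.1" 200 900
10.60.1.91 - - [01/Mar/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 900
10.60.1.91 - - [01/Mar/2024:10:09:00 +0000] "GET /about.html HTTP/1.1" 200 900
"""

# Assumed keyword list; tune it to the organization's naming conventions.
SENSITIVE_HINTS = ("admin", "log", "backup", "private", "config")

CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def review_robots(text):
    """Disallow lines do not hide anything; return the ones that point at sensitive areas."""
    flagged = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow":
            path = value.strip()
            if any(h in path.lower() for h in SENSITIVE_HINTS):
                flagged.append(path)
    return flagged


def _parse_clf(log_text):
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("src"), ts, m.group("path")


def rapid_retrievers(log_text, max_requests=5, window=timedelta(seconds=10)):
    """Return {src: (total_requests, paths)} for sources exceeding max_requests within window."""
    per_src = defaultdict(list)
    for src, ts, path in _parse_clf(log_text):
        per_src[src].append((ts, path))
    suspects = {}
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > max_requests:
                suspects[src] = (len(hits), [p for _, p in hits])
                break
    return suspects


def robots_paths_fetched(log_text, robots_text):
    """Which flagged Disallow locations did each source actually request?"""
    disallowed = review_robots(robots_text)
    fetched = defaultdict(set)
    for src, _, path in _parse_clf(log_text):
        if any(path.startswith(p) for p in disallowed):
            fetched[src].add(path)
    return {src: sorted(paths) for src, paths in fetched.items()}
```

In the sample, 10.60.1.90 reads robots.txt and then requests every flagged location within three seconds, which is exactly the pattern the recommendation tells the analyst to look for before deciding whether the source is legitimate; 10.60.1.91 makes two requests nine minutes apart and is not reported.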

List out the techniques used to prevent web server attacks?

· Patch Management
· Secure installation and configuration of the OS
· Secure installation and configuration of the web server software
· Scanning the system for vulnerabilities
· Anti-virus and firewalls
· Disabling remote administration
· Removing unused and default accounts

QRadar SIEM Architecture

ECS is the core service responsible for event collection and event processing for QRadar. ECS is comprised of three core components:

Event Collector component

The Event Collector collects logs and performs the following activities:

1. Parsing: the process of converting logs from an unstructured format into a structured format.
2. Aggregation (Coalescing): the process of combining events of the same kind to save disk space and EPS (events per second).
3. Normalization: the process of categorizing similar kinds of events, e.g. Authentication, System, User.
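The parsing and coalescing steps above, as an added example written for these notes (not IBM's QRadar code): constructed firewall-style lines are parsed into structured events, and events that share source, destination, port, user and event name within a short window are merged into one record carrying a count, which is what saves disk and EPS. The log format, the coalescing key and the ten-second window are assumptions for the demo.

```python
"""Parsing and coalescing in a collector pipeline (constructed data).

parse    -> unstructured line to a structured dict
coalesce -> identical events inside `window` of the open record become one
            record with a count instead of N stored copies
"""
import re
from datetime import datetime, timedelta

# Constructed key=value firewall log (not real data).
SAMPLE_LOG = """\
2024-03-01T12:00:00 fw01 action=deny src=10.60.1.50 dst=10.60.1.217 dport=3198 user=- name=Deny
2024-03-01T12:00:01 fw01 action=deny src=10.60.1.50 dst=10.60.1.217 dport=3198 user=- name=Deny
2024-03-01T12:00:02 fw01 action=deny src=10.60.1.50 dst=10.60.1.217 dport=3198 user=- name=Deny
2024-03-01T12:00:03 fw01 action=allow src=10.60.1.51 dst=10.60.1.10 dport=443 user=alice name=Allow
2024-03-01T12:00:20 fw01 action=deny src=10.60.1.50 dst=10.60.1.217 dport=3198 user=- name=Deny
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed coalescing key: events identical in these fields are merged.
COALESCE_KEYS = ("src", "dst", "dport", "user", "name")


def parse(line):
    """Parsing: raw text -> dict of timestamp, host and the key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("body")))
    ev["ts"] = datetime.fromisoformat(m.group("ts"))
    ev["host"] = m.group("host")
    return ev


def coalesce(events, window=timedelta(seconds=10)):
    """Coalescing: merge identical events arriving within `window` of the open record."""
    open_records = {}   # coalesce key -> merged record still accepting events
    out = []
    for ev in events:
        key = tuple(ev.get(k) for k in COALESCE_KEYS)
        rec = open_records.get(key)
        if rec is not None and ev["ts"] - rec["first_ts"] <= window:
            rec["count"] += 1
            rec["last_ts"] = ev["ts"]
            continue
        # first occurrence (or the window expired): start a new merged record
        rec = dict(ev, first_ts=ev["ts"], last_ts=ev["ts"], count=1)
        del rec["ts"]
        open_records[key] = rec
        out.append(rec)
    return out


def process(log_text, window=timedelta(seconds=10)):
    """Run both stages over a log text and return the coalesced records."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return coalesce(events, window)


if __name__ == "__main__":
    for rec in process(SAMPLE_LOG):
        print(rec["count"], rec["src"], "->", rec["dst"], rec["dport"], rec["name"])
```

Five raw lines become three stored records: the three identical denies in the first two seconds collapse to one record with count 3, the allow stands alone, and the deny at 12:00:20 opens a fresh record because the window from the first deny has expired. Note that coalescing keeps first and last timestamps, so the time span of the burst is not lost.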
Event Processor component

• Custom Rules Engine (CRE): The Custom Rules Engine (CRE) is responsible for processing events received by QRadar and comparing them against defined rules, keeping track of systems involved in incidents over time, generating notifications to users and generating offenses.
• Streaming: Responsible for sending real-time event data to the Console when a user is viewing events from the Log Activity tab with Real time (streaming). Streamed events are not provided from the database.
• Event storage (Ariel): A time series database for events and flows where data is stored on a minute by minute basis. Data is stored where the event is processed.

Magistrate component (Console only)

The Magistrate Processing Core (MPC) is responsible for correlating offenses with event
notifications from multiple Event Processor (EP) components. Only the Console will
have a Magistrate component.

• Offense rules: Monitors and takes actions on offenses, such as generating email
notifications.
• Offense management: Updates active offenses, transitioning inactive offenses to
active and provides access to offense information to the user through the Offenses
tab.
• Offense storage: Writes offense data to a Postgres database.
User interface tabs: Functionality is divided into tabs.

The Dashboard tab is displayed when you log in. You can easily navigate the tabs to locate
the data or functionality you require.

Dashboard tab :The Dashboard tab is the default tab that is displayed when you log in. The
Dashboard tab provides a workspace environment that supports multiple dashboards on
which you can display your views of network security, activity, or data that QRadar collects.
Five default dashboards are available. Each dashboard contains items that provide
summary and detailed information about offenses that occur on your network. You can also
create a custom dashboard to allow you to focus on your security or network operations
responsibilities. For more information about using the Dashboard tab, see Dashboard
management.

Offenses tab :The Offenses tab will allow you to view offenses that occur on your network,
which you can locate by using various navigation options or through powerful searches.
From the Offenses tab, you can investigate an offense to determine the root cause of an
issue. You can also resolve the issue. For more information about Offenses tab, see Offense
management.

Log activity tab: The Log Activity tab will allow you to investigate event logs being sent to
QRadar in real-time, perform powerful searches, and view log activity by using
configurable time-series charts. The Log Activity tab will allow you to perform in-depth
investigations on event data. For more information, see Log Activity investigation.

Network activity tab :Use the Network Activity tab to investigate flows that are sent in
real-time, perform powerful searches, and view network activity by using configurable
time-series charts. A flow is a communication session between two hosts. Viewing flow
information will allow you to determine how the traffic is communicated, what is
communicated (if the content capture option is enabled), and who is communicating. Flow
data also includes details such as protocols, ASN values, IFIndex values, and priorities. For more information, see Network activity investigation.

Assets tab:QRadar automatically discovers assets, servers, and hosts, operating on your
network. Automatic discovery is based on passive flow data and vulnerability data,
allowing QRadar to build an asset profile. Asset profiles provide information about each
known asset in your network, including identity information, if available, and what services
are running on each asset. This profile data is used for correlation purposes to help reduce
false positives. For example, an attack tries to use a specific service that is running on a
specific asset. In this situation, QRadar can determine whether the asset is vulnerable to
this attack by correlating the attack to the asset profile. Using the Assets tab, you can view
the learned assets or search for specific assets to view their profiles.

Reports tab :The Reports tab will allow you to create, distribute, and manage reports for
any data within QRadar. The Reports feature will allow you to create customized reports
for operational and executive use. To create a report, you can combine information (such
as, security or network) into a single report. You can also use preinstalled report templates
that are included with QRadar. The Reports tab also will allow you to brand your reports
with customized logos. This customization is beneficial for distributing reports to different
audiences. For more information about reports, see Reports management.

Integration steps
Rules Creation
ArcSight SIEM details

About ArcSight ESM

ESM collects, normalizes, aggregates, and filters millions of events from thousands of assets across your network into a manageable stream that is prioritized according to risk, vulnerabilities, and the criticality of the assets involved. These prioritized events can then be correlated, investigated, analyzed, and remediated using ESM tools, giving you situational awareness and real-time incident response.

ArcSight ESM stands for Enterprise Security Manager.

As the name implies, this tool adds value to your organization's security policies. It helps organizations focus on threat detection, triage analysis and compliance management. All of this is done on a SIEM platform, which reduces the time taken to resolve a cybersecurity threat.

Components of Arcsight ESM

Smart Connector:

Collects all required logs from devices in the network
Filters data and thus saves storage and bandwidth
Parses all events and normalizes them into a common schema for ESM
Aggregates events to reduce the event count
Categorizes events in a common format in order to build rules, filters and reports
Processed events are passed to the Manager

FlexConnector

The FlexConnector framework is a software development kit (SDK) that enables you to
create your own SmartConnector tailored to the nodes on your network and their specific
event data. FlexConnector types include file reader, regular expression file reader, time-
based database reader, syslog, and Simple Network Management Protocol (SNMP) readers.
For more information about FlexConnectors and how to use them, contact your ArcSight
customer service representative.

Forwarding Connector

The Forwarding Connectors forward events between multiple Managers in a hierarchical ESM deployment, and/or to one or more Logger deployments. For more about the Forwarding Connector, see the Connector Configuration Guide for ArcSight Forwarding Connector.

ArcSight Manager:

It is a Java-based server
Evaluates each event as per the network model and vulnerability information
Develops real-time threat summaries
Writes events to the CORR Engine

The key features of ArcSight Enterprise Security Manager are as follows:

● Enriched security event data
● Powerful real-time data visualization and correlation
● Automated workflows
● Optimized security processes
● The ArcSight Enterprise Security Manager tool is compatible with ArcSight Data Platform and ArcSight Investigate
● The use of the ArcSight Manager is simply to put robust security parameters in place within the organization. It is a high-performance service engine which filters, manages and correlates all security-related events that are collected by the IT system.
● The main parts that are essential for the ArcSight Manager to work appropriately are:
  ** ArcSight Console
  ** ACC
  ** CORR Engine
  ** ArcSight SmartConnectors
● The operational environment for the ArcSight Manager is nothing but the underlying OS and the file system that are in place.

CORR Engine (Correlation Optimized Retention and Retrieval Engine):

The Correlation Optimized Retention and Retrieval (CORR) Engine is a proprietary data store. ESM organizes events by date and stores them in the CORR Engine according to the event retention period. Correlation of events takes place in the CORR Engine, and events are then archived for long-term use.

User Interfaces within ArcSight

ArcSight Command Center:

Manages users, storage and event data
Monitors events
Generates reports
Updates licenses

ArcSight Console:

Builds filters, rules, reports, pattern discovery and dashboards
Monitors data
Administers users and workflow

ArcSight Web:

Web interface to the Manager
Monitors events
Used for drill-down dashboards, reporting and notification for the Security Analyst

ArcSight Risk Insight:

Assesses business impact due to a specific threat as per defined rules

Pattern Discovery:

Detects various patterns in the event flow and is used to:

Discover zero-day attacks
Discover low and slow attacks
Profile common patterns in the network
Automatically create rules

ArcSight Express:

Separately licensed. It is an all-in-one appliance: a powerful threat detection, response and compliance management platform.

What is the main purpose of ArcSight Express?

Basically, ArcSight Express provides the same functionality as ArcSight ESM but at a much smaller scale. ArcSight Express analyzes threats within a database and provides possible action items.

Arcsight Logger

ArcSight Logger is an event data storage appliance that is optimized for extremely high event throughput. Logger stores security events on board in compressed form, but can always retrieve unmodified events on demand for historical analysis and litigation-quality data. Logger can be deployed stand-alone to receive events from syslog messages or log files, or to receive events in Common Event Format from SmartConnectors. Logger can forward selected events as syslog messages to ESM.

It stores data for long time periods. Data is stored in compressed form, but historical event data can always be retrieved for analysis purposes.

What does ArcSight Logger do?

ArcSight Logger is a log management solution that is widely used in security practice. Using this solution, users can capture and analyze different types of log data and provide the necessary inputs to the individual teams so that their questions are answered. Eventually, this can be expanded into an enterprise-level log management solution if needed.

Using this solution, topics like compliance and risk management are taken into due consideration. The data can also be used for searching, indexing, reporting, analysis and retention.

The main use of ArcSight Logger is to capture or stream real-time data and categorize it into different buckets of specific logs.

ArcSight architecture with port number


Difference between ArcSight ESM and Express

Express                                    | ESM
Express is an appliance-delivered solution | ESM is a software-install-delivered solution
Threat Detector is not available           | Threat Detector is available on purchase
EPS 2500                                   | EPS 10000

Aggregation

SIEM platforms collect data from thousands of different sources because these events
provide the data we need to analyze the health and security of our environment. In order to
get a broad end-to-end view, we need to consolidate what we collect onto a single platform.
Aggregation is the process of moving data and log files from disparate sources into a
common repository. Collected data is placed into a homogenous data store – typically
purpose-built flat file repositories or relational databases – where analysis, reporting, and
forensics occur; and archival policies are applied.
The process of aggregation – compiling these dissimilar event feeds into a common
repository – is fundamental to Log Management and most SIEM platforms. Data
aggregation can be performed by sending data directly into the SIEM/LM platform (which
may be deployed in multiple tiers), or an intermediary host can collect log data from the
source and periodically move it into the SIEM system. Aggregation is critical because we
need to manage data in a consistent fashion: security, retention, and archive policies must
be systematically applied. Perhaps most importantly, having all the data on a common
platform allows for event correlation and data analysis, which are key to addressing the use
cases we have described.
There are some downsides to aggregating data onto a common platform. The first is scale:
analysis becomes exponentially harder as the data set grows. Centralized collection means
huge data stores, greatly increasing the computational burden on the SIEM/LM platform.
Technical architectures can help scale, but ultimately these systems require significant
horsepower to handle an enterprise’s data. Systems that utilize central filtering and
retention policies require all data to be moved and stored – typically multiple times –
increasing the burden on the network.
Some systems scale using distributed processing, where filtering and analysis occur outside
the central repository, typically at the distributed data collection point. This reduces the
compute burden on the central server and allows processing to occur on smaller, more
manageable data sets. It does require that policies, along with the code to process them, be
distributed and kept current throughout the network. Distributed agent processes are a
handy way to “divide and conquer”, but increase IT administration requirements. This
strategy also adds a computational burden on the data collection points, degrading their
performance and potentially slowing enough to drop incoming data.

Data Normalization

If the process of aggregation is to merge dissimilar event feeds into one common platform,
normalization takes it one step further by reducing the records to just common event
attributes. As we mentioned in the data collection post, most data sources collect exactly
the same base event attributes: time, user, operation, network address, and so on. Facilities
like syslog not only group the common attributes, but provide means to collect
supplementary information that does not fit the basic template. Normalization is where
known data attributes are fed into a generic template, and anything that doesn’t fit is
simply omitted from the normalized event log. After all, to analyze we want to compare
apples to apples, so we throw away any oranges for the sake of simplicity.
Depending upon the SIEM or Log Management vendor, the original non-normalized records
may be kept in a separate repository for forensics purposes prior to later archival or
deletion, or they may simply be discarded. In practice, discarding original data is a bad idea,
since the full records are required for any kind of legal enforcement. Thus, most products
keep the raw event logs for a user-specified period prior to archival. In some cases, the
SIEM platform keeps a link to the original event in the normalized event log which provides
‘drill-down’ capability to easily reference extra information collected from the device.
Normalization allows for predictable and consistent storage for all records, and indexes
these records for fast searching and sorting, which is key when battling the clock in
investigating an incident. Additionally, normalization allows for basic and consistent
reporting and analysis to be performed on every event regardless of the data source. When
the attributes are consistent, event correlation and analysis – which we will discuss in our
next post – are far easier.
Technically normalization is no longer a requirement on current platforms. Normalization
was a necessity in the early days of SIEM, when storage and compute power were
expensive commodities, and SIEM platforms used relational database management systems
for back-end data management. Advances in indexing and searching unstructured data
repositories now make it feasible to store full source data, retaining original data, and
eliminating normalization overhead.

Connector Types
1. Smart connector
2. Flex connector
3. Forwarding connector

Smart Connectors

After collecting event data from network nodes, they normalize the data in two ways:
● Normalizing values (such as severity, priority, and time zone) into a common format
and
● Normalizing the data structure into a common schema.

Smart Connectors can then filter and aggregate events to reduce the volume of events sent
to the Manager, which increases ESM’s efficiency and accuracy, and reduces event
processing time.
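Normalization as described in the Data Normalization section and in the two SmartConnector bullets above (values into a common format, structure into a common schema), as an added example that is not the product's own code. Two constructed sources with different field names, severity scales and time zones are mapped onto one template; attributes that do not fit the template are dropped from the normalized event but remain reachable through a raw_id link, which is the drill-down the Data Normalization section recommends over discarding originals. Field names, the severity mapping and the sample lines are assumptions.

```python
"""Normalization into a common schema, keeping the raw record for drill-down.

Template: ts_utc, user, src, category, outcome, severity (0-10), raw_id.
Everything else from the source record is intentionally not carried over.
"""
import re
from datetime import datetime, timezone

# Source A: syslog-style lines with a +05:30 offset in the timestamp (constructed).
SOURCE_A = [
    "2024-03-01T09:15:00+05:30 web01 sshd: Accepted password for alice from 10.60.1.50 port 51005 ssh2",
    "2024-03-01T09:16:10+05:30 web01 sshd: Failed password for root from 10.60.1.50 port 51006 ssh2",
]
# Source B: key=value lines with a textual severity and epoch seconds (constructed).
SOURCE_B = [
    "time=1709286900 sev=warning evt=logon_failure account=bob ip=10.60.1.77 wks=PC-42 logon_type=10",
    "time=1709286960 sev=info evt=logon_success account=carol ip=10.60.1.78 wks=PC-43 logon_type=2",
]

# Assumed value normalization: source-specific severity words -> common 0-10 scale.
SEVERITY_WORDS = {"info": 2, "warning": 5, "error": 7, "critical": 9}
A_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: (?P<res>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")


def normalize_a(raw, raw_id):
    """Source A: local time with offset -> UTC; outcome derived from the message text."""
    m = A_RE.match(raw)
    ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
    failed = m.group("res") == "Failed"
    return {"ts_utc": ts.isoformat(), "user": m.group("user"), "src": m.group("src"),
            "category": "Authentication", "outcome": "failure" if failed else "success",
            "severity": 5 if failed else 2, "raw_id": raw_id}


def normalize_b(raw, raw_id):
    """Source B: epoch -> UTC; wks and logon_type do not fit the template and are dropped."""
    kv = dict(p.split("=", 1) for p in raw.split())
    ts = datetime.fromtimestamp(int(kv["time"]), tz=timezone.utc)
    return {"ts_utc": ts.isoformat(), "user": kv["account"], "src": kv["ip"],
            "category": "Authentication",
            "outcome": "failure" if kv["evt"].endswith("failure") else "success",
            "severity": SEVERITY_WORDS.get(kv["sev"].lower(), 0), "raw_id": raw_id}


def normalize_all(source_a, source_b):
    """Return (normalized events, raw store); raw_id links each event back to its source line."""
    raw_store = {}
    normalized = []
    for parser, lines in ((normalize_a, source_a), (normalize_b, source_b)):
        for line in lines:
            raw_id = len(raw_store)
            raw_store[raw_id] = line      # retained unmodified for forensics / legal use
            normalized.append(parser(line, raw_id))
    return normalized, raw_store


def drill_down(event, raw_store):
    """Fetch the original record behind a normalized event."""
    return raw_store[event["raw_id"]]
```

After normalization every event has the same seven fields regardless of origin, so one failed-login rule or report works across both sources; the workstation name from source B is gone from the normalized view but can still be pulled back with drill_down when an analyst needs it.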

Smart Connectors enable you to execute commands on the local host, such as instructing a
scanner to run a scan.

Smart Connectors also add information to the data they gather, such as looking up IP addresses and/or host names so that IP/host name resolution is already done when events reach the Manager.

SmartConnectors maintain a heartbeat with the Manager every 10 seconds. The Manager
sends back any commands or configuration updates it has for the SmartConnector. The
SmartConnector sends new event data to the Manager in batches of 100 events, or once
every second, whichever comes first. The time and event count intervals are all
configurable.
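The batching behaviour described in the previous paragraph (send when 100 events are queued or one second has passed, whichever comes first), as an added example written for these notes and not ArcSight's code. The transport is a plain callback and the clock is injected so the timing can be exercised deterministically; the heartbeat exchange itself is not modelled. Defaults mirror the figures from the notes, and the class and function names are assumptions.

```python
"""Connector-side event batching: flush at max_events or after max_delay seconds.

Both limits are configurable, as the notes say they are on the real connector.
"""


class EventBatcher:
    def __init__(self, send, clock, max_events=100, max_delay=1.0):
        self.send = send              # callable that receives a list of events
        self.clock = clock            # callable returning the current time in seconds
        self.max_events = max_events
        self.max_delay = max_delay
        self.batch = []
        self.batch_started = None     # time the first event of the open batch arrived

    def add(self, event):
        """Queue one event; the count limit is enforced immediately."""
        if not self.batch:
            self.batch_started = self.clock()
        self.batch.append(event)
        if len(self.batch) >= self.max_events:
            self.flush()

    def tick(self):
        """Call periodically (for example from the heartbeat timer) to enforce the time limit."""
        if self.batch and self.clock() - self.batch_started >= self.max_delay:
            self.flush()

    def flush(self):
        if self.batch:
            self.send(self.batch)
            self.batch = []
            self.batch_started = None


def simulate(max_events=100, max_delay=1.0):
    """Drive the batcher with a fake clock; return [(batch_size, flush_time), ...]."""
    now = [0.0]
    sent = []
    b = EventBatcher(send=lambda batch: sent.append((len(batch), now[0])),
                     clock=lambda: now[0], max_events=max_events, max_delay=max_delay)
    for i in range(250):          # burst at t=0: two full batches, 50 events left waiting
        b.add({"id": i})
    b.tick()                      # t=0.0: delay not reached, nothing sent
    now[0] = 0.5
    b.tick()                      # still under one second
    now[0] = 1.0
    b.tick()                      # time limit reached: the remaining 50 go out
    b.add({"id": 250})            # a lone event at t=1.0
    now[0] = 2.5
    b.tick()                      # sent on time, not on count
    return sent


if __name__ == "__main__":
    print(simulate())
```

With the defaults the simulation sends 100, 100, 50 and then 1 event: the first two batches leave on the count limit and the last two on the time limit. Raising max_events to 300 shows the other side of "whichever comes first": the whole burst waits the full second and leaves as one batch.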

Smart Connectors perform the following functions:

● Collect all the data you need from a source device.
● Save network bandwidth and storage space by filtering out data which is not required for analysis.
● Parse individual events and normalize them into a common schema (format).
● Aggregate events to reduce the quantity of events sent to the Manager.
● Categorize events using a common, human-readable format which helps to build
filters, rules, reports and data monitors.
● Pass events to the Manager after they have been processed.

FlexConnector

The FlexConnector framework is a software development kit (SDK) that enables you to create your own SmartConnector tailored to the nodes on your network and their specific event data. FlexConnector types include file reader, regular expression file reader, time-based database reader, and syslog and Simple Network Management Protocol (SNMP) readers.

Forwarding Connector

The Forwarding Connectors forward events between multiple Managers in a hierarchical ESM deployment, and/or to one or more Logger deployments.

What are the system requirements for implementing ArcSight ESM?

Supported operating system and hardware:

1. Red Hat Enterprise Linux Version 6.2, 64-bit CPU
2. Memory 16-36 GB
3. Disk space of 2-4 TB
4. Average compression of 10:1, SAS 15K RPM disks

What is correlation and aggregation?

Correlation is the process of tracking the relationship between events according to a defined condition, while aggregation is the process of combining similar events. Aggregation can be used in correlation.

Field Sets

Field sets are a way to limit the columns that are displayed in the active channel grid anywhere event fields can be selected, such as the CCE and variables editors. They are an index of certain field names that you can create and save so that you don't have to sift through more than 400 event fields to get to the ones you are interested in when monitoring and investigating, or building content for a specific use case.

You can also create field sets for other places where event fields appear, such as in the resource editors displayed in the Inspect/Edit panel for filters, rules, data monitors, and Pattern Discovery.

ESM comes with field sets already defined in the All Field Sets/ArcSight System folder, which you can use as is, or create your own.

ArcSight Pattern Discovery

ArcSight Pattern Discovery is a separately licensed module you can activate in ESM that
applies data mining techniques to event flows in order to detect patterns of behavior that
may indicate previously unknown threats.

Rules and data monitors enable you to detect patterns or specific threats you know could
happen. Pattern Discovery automatically identifies patterns that occur in the event flow
that you don't know about or suspect.

This makes Pattern Discovery a vital tool for preventive maintenance and early detection in
your ongoing security management operations. This also makes Pattern Discovery a
valuable tool for identifying normal patterns of activity on your network.

Using periodic, scheduled analysis, you can always be scanning for new patterns over varying time intervals to stay ahead of new exploit behavior. Once the system discovers a pattern, you can take action on it, such as adding a system to an active list, opening a case, or notifying another user. Or you can discard the pattern if you determine that no threat is evident.

As part of set up and tuning, you can use Pattern Discovery to profile patterns of normal activity on established networks or newly protected networks, such as new customer groups, or new divisions for large corporations. Once these normal patterns are identified, you can mask them out, so the system can then concentrate on finding patterns that are not normal.

Pattern Discovery operates on the same events that the correlation tools do. But while
correlation runs continuously, Pattern Discovery analyzes blocks of time (hour, day, week,
month, and so on) when searching for patterns, so it is run on demand or on a regular
schedule. Depending on the volume of events going through your system, Pattern
Discovery can be run once a day or every few hours to provide complete coverage of all
system traffic.

What is the Event Schema?

• Forms the basic event data structure
• Enables ArcSight ESM to perform advanced correlation and reporting
• Contains more than 400 data fields organized into 17 groups
• Makes it easy to locate specific information within an event

What is a Security Event vs a Security Incident?

A security event is any observable occurrence that is relevant to information security. This can include attempted attacks or lapses that expose security vulnerabilities.

A security incident is a security event that results in damage or risk to information security assets and operations.

Brute force rule creation: Cross Event Rule.

Blocked in IPS, accepted in Firewall: Cross Device Rule.
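The cross-device rule named above, as an added example written for these notes (not a product's rule): events from the IPS and the firewall are already in a common schema, and the rule joins an IPS "blocked" event with a firewall "accept" event for the same (src, dst, dport) tuple inside a time window, raising one alert per disagreement between the two devices. The sample events reuse the backdoor port and internal target from the earlier note as constructed values; the field names, the signature label and the 60-second window are assumptions.

```python
"""Cross-device correlation: blocked by the IPS, accepted by the firewall.

Input events are normalized dicts; output is one alert per (IPS block, firewall
accept) pair on the same connection tuple within `window`, carrying both events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized events from two devices (not real data).
EVENTS = [
    {"ts": "2024-03-01T14:00:00", "device": "ips", "action": "blocked",
     "src": "10.60.1.50", "dst": "10.60.1.217", "dport": 3198, "sig": "backdoor_port_3198"},
    {"ts": "2024-03-01T14:00:02", "device": "firewall", "action": "accept",
     "src": "10.60.1.50", "dst": "10.60.1.217", "dport": 3198},
    {"ts": "2024-03-01T14:00:05", "device": "ips", "action": "blocked",
     "src": "10.60.1.60", "dst": "10.60.1.10", "dport": 445, "sig": "smb_probe"},
    {"ts": "2024-03-01T14:00:06", "device": "firewall", "action": "deny",
     "src": "10.60.1.60", "dst": "10.60.1.10", "dport": 445},
    {"ts": "2024-03-01T14:10:00", "device": "firewall", "action": "accept",
     "src": "10.60.1.70", "dst": "10.60.1.217", "dport": 3198},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def cross_device_rule(events, window=timedelta(seconds=60)):
    """Join IPS 'blocked' with firewall 'accept' on (src, dst, dport) within window."""
    events = sorted(events, key=_ts)
    blocked = defaultdict(list)      # (src, dst, dport) -> IPS block events seen so far
    alerts = []
    for ev in events:
        key = (ev["src"], ev["dst"], ev["dport"])
        if ev["device"] == "ips" and ev["action"] == "blocked":
            blocked[key].append(ev)
        elif ev["device"] == "firewall" and ev["action"] == "accept":
            # look back for an IPS block of the same tuple inside the window
            for ips_ev in blocked.get(key, []):
                if timedelta(0) <= _ts(ev) - _ts(ips_ev) <= window:
                    alerts.append({
                        "rule": "Blocked in IPS, accepted in firewall",
                        "src": ev["src"], "dst": ev["dst"], "dport": ev["dport"],
                        "signature": ips_ev.get("sig"),
                        "ips_event": ips_ev, "firewall_event": ev,
                    })
    return alerts


if __name__ == "__main__":
    for a in cross_device_rule(EVENTS):
        print(a["rule"], a["src"], "->", a["dst"], a["dport"], a["signature"])
```

Only the first pair fires: the IPS blocked 10.60.1.50 to the internal host on port 3198 and two seconds later the firewall accepted the same tuple, which is the disagreement worth an analyst's attention. The SMB probe was denied by both devices and the later accept on port 3198 from 10.60.1.70 has no matching IPS block, so neither produces an alert. The alert keeps both contributing events so the analyst can see each device's view without a second search.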


How to create a dashboard:
Field Set
Filter
Connect with Active Channel
Active List

How to create a report:
First create a query, then link it with the new report.

Users
Windows connector installation process -

Push/Pull example with common connectors (one is no longer supported though):
1. Push - Syslog connector - Here you configure the source to PUSH required logs to
your log location (e.g. system where your syslog connector is installed).
2. Pull - Windows Unified Connector (not recommended anymore, please use WEF
instead) - Here you configure the connector to PULL from your desired log source
systems.

QUESTIONS

● What is your role in your current company?
● What are layer 2 & layer 3 devices?
● Explain the OSI layers
● Explain the different types of malware
● When a malware attack happens, what will you do?
● Difference between TCP and UDP
● Recent malware attack that made the news?
● What are the steps you will take to remediate ransomware?
● What are the components of SIEM?
● Explain SIEM architecture
● What are L1, L2, L3 roles in your organization and what is their role?
● The most severe breach you worked on in your organization
● How do you detect and remediate a DDoS attack?
● What is a 3-way handshake?
● What are the different sources from which you will get logs?
● How will you remediate in case of SQL injection?
● What type of logs do you come across on a daily basis?
● What are L1, L2, L3 roles in your organization?
● What security solutions have you worked with or know? Explain
