MANAGEMENT
We need a SIEM to move our security approach from being reactive to being proactive.
Important SIEM tools
Networking Concepts
Ports: a port is a 16-bit logical number (not a physical connector) used by TCP and UDP to identify which service or application should handle data received by a host. TCP and UDP each have 65,536 ports (0-65535).
0-1023 are well-known ports; 1024-49151 are registered ports; 49152-65535 are dynamic (ephemeral) ports that clients pick for the source side of a connection.
Protocols: a protocol is a set of rules and guidelines for communicating data.
Well-known ports and protocols
SSH (Secure Shell) TCP 22
SCP (Secure Copy Protocol) TCP 22 (it runs over SSH)
SSL/TLS (Secure Sockets Layer / Transport Layer Security) are not services with a port of their own; they wrap other protocols, most commonly HTTP on TCP 443 (HTTPS). SSL is deprecated; TLS 1.2 and 1.3 are current.
IPsec (Internet Protocol Security) UDP 500 (IKE key exchange) and UDP 4500 (NAT traversal); ESP and AH are IP protocols 50 and 51, not ports
HTTP (Hypertext Transfer Protocol) TCP 80
HTTPS (Hypertext Transfer Protocol Secure) TCP 443
FTP (File Transfer Protocol) TCP 20 (data) & 21 (control)
SNMP (Simple Network Management Protocol) UDP 161 (traps on UDP 162)
DNS (Domain Name System) UDP & TCP 53
DHCP (Dynamic Host Configuration Protocol) UDP 67 (server) & 68 (client)
LDAP (Lightweight Directory Access Protocol) TCP 389 (LDAPS 636)
RDP (Remote Desktop Protocol) TCP 3389
SMTP (Simple Mail Transfer Protocol) TCP 25 (submission 587, SMTPS 465)
POP3 (Post Office Protocol) TCP 110 (POP3S 995)
IMAP (Internet Message Access Protocol) TCP 143 (IMAPS 993)
MS SQL (Microsoft SQL Server) TCP 1433
Kerberos (mutual authentication) TCP & UDP 88
Syslog UDP 514 (TCP 514; 6514 with TLS)
SMB (Server Message Block) TCP 445
Flags
The TCP header carries eight one-bit flags, in order: CWR, ECE, URG (urgent), ACK (acknowledge), PSH (push), RST (reset), SYN (synchronize), FIN (finish). The first two were originally reserved bits and are now used for explicit congestion notification.
A connection is opened with the three-way handshake: SYN, SYN-ACK, ACK. After transmission of data is complete, the side that finishes first sends a FIN and the peer replies with an ACK; the connection is now half-closed, and the peer can still send. When the peer sends its own FIN and that FIN is acknowledged, the connection is terminated (four-way close). A RST from either side aborts the connection immediately.
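The flag decoding and the open/close sequence above, as an added worked example (this is illustrative code written for these notes, not from any tool the notes mention). It parses the fixed 20-byte TCP header with struct, decodes the eight flag bits, and replays a constructed trace (port numbers, sequence numbers and the checksum-less headers are all made up for the example) through the handshake and the four-way close.

```python
import struct

# The eight flag bits of the TCP header, most significant first (RFC 793, with the
# two former reserved bits assigned to ECN by RFC 3168).
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def decode_flags(flag_byte: int) -> list:
    """Names of the flags set in the low 8 bits of the TCP flags field, in header order."""
    return [name for i, name in enumerate(TCP_FLAGS) if flag_byte & (0x80 >> i)]


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (options, if present, are not decoded)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    src, dst, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "header_len": (off_res >> 4) * 4,   # data offset is counted in 32-bit words
        "flags": decode_flags(flags),
        "window": win,
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte header for the constructed trace below (checksum left at 0)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= 0x80 >> TCP_FLAGS.index(name)
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flag_byte, window, 0, 0)


# Constructed trace (not a real capture): client port 50000 talks to a web server on 80.
# Three-way handshake, one data segment, then the four-way close started by the client.
TRACE = [
    build_tcp_header(50000, 80, 1000, 0, ["SYN"]),
    build_tcp_header(80, 50000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(50000, 80, 1001, 5001, ["ACK"]),          # connection established
    build_tcp_header(50000, 80, 1001, 5001, ["PSH", "ACK"]),   # 100 bytes of client data
    build_tcp_header(80, 50000, 5001, 1101, ["ACK"]),          # server acknowledges the data
    build_tcp_header(50000, 80, 1101, 5001, ["FIN", "ACK"]),   # client: no more data to send
    build_tcp_header(80, 50000, 5001, 1102, ["ACK"]),          # server acks the FIN (half-closed)
    build_tcp_header(80, 50000, 5001, 1102, ["FIN", "ACK"]),   # server finishes its side
    build_tcp_header(50000, 80, 1102, 5002, ["ACK"]),          # client acks: fully closed
]


def connection_state(segments) -> str:
    """Replay the segments of one connection and report its state.

    Returns "syn-sent", "syn-received", "established", "half-closed" (at least one
    side has sent FIN), "closed" (both FINs acknowledged) or "reset".
    """
    state = "closed"
    pending_fin = {}   # sending port -> ack number that acknowledges its FIN
    fin_acked = set()
    for seg in segments:
        h = parse_tcp_header(seg)
        f = set(h["flags"])
        if "RST" in f:
            return "reset"
        if f == {"SYN"}:
            state = "syn-sent"
        elif f == {"SYN", "ACK"} and state == "syn-sent":
            state = "syn-received"
        elif "ACK" in f and state == "syn-received":
            state = "established"
        if "FIN" in f:
            pending_fin[h["src_port"]] = h["seq"] + 1   # a FIN consumes one sequence number
        if "ACK" in f:
            for port, expected in list(pending_fin.items()):
                if h["dst_port"] == port and h["ack"] >= expected:
                    fin_acked.add(port)
                    del pending_fin[port]
    if state == "established":
        if len(fin_acked) == 2:
            return "closed"
        if fin_acked or pending_fin:
            return "half-closed"
    return state
```

Feeding only the first six segments to connection_state() shows the half-closed state the notes describe: the client's FIN has gone out, but the server has not yet sent its own.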
Difference Between TCP & UDP
TCP: connection-oriented (three-way handshake before data), reliable (sequence numbers, acknowledgements, retransmission), in-order delivery, flow and congestion control, 20-byte minimum header. Used by HTTP/HTTPS, SSH, SMTP, RDP, SMB.
UDP: connectionless (no handshake), no delivery or ordering guarantee, no congestion control, 8-byte header, lower overhead and latency. Used by DNS, DHCP, SNMP, syslog, VoIP. Because there is no handshake, UDP source addresses are trivially spoofed, which is why UDP services such as DNS and NTP are abused for reflection DDoS.
NETWORK DEVICES
SWITCH
A network switch is a computer networking device that connects devices together on a computer network by using packet switching to receive, process, and forward frames to the destination device. It operates at the data link layer (layer 2).
A switch forwards frames using its MAC address table (CAM table), which it learns by recording the source MAC address of each frame arriving on each port. ARP (Address Resolution Protocol) is what hosts and routers use to map IP addresses to hardware (MAC) addresses; the switch itself only needs ARP for its own management interface. Because ARP has no authentication, an attacker on the same segment can poison the ARP caches of hosts (ARP spoofing) to intercept traffic.
ROUTER
A router is a hardware device designed to receive, analyze and move incoming data packets to another network. It operates at the network layer (layer 3) and determines the best path for a packet to be forwarded to its destination.
NAT (Network Address Translation) is a method of remapping one IP address space into another by modifying the network address information in the IP header of packets while they are in transit across a traffic routing device (router). With port address translation (PAT), many internal hosts share one public IP, so a SIEM sees only the NAT address unless the NAT device's translation logs are collected as well.
NETWORK ARCHITECTURE
Server LAN
Active Directory
Active Directory is a directory service provided by Microsoft that stores information about objects on a network (users, computers, groups, policies) so that the information can be made available to specific users through the logon process and to network administrators. It provides central authentication and authorization services (Kerberos and LDAP) for Windows-based computers, which also makes the domain controllers the highest-value target in the Server LAN.
Application server
It is software that handles all application operations between users and an organization's backend business applications or databases.
File server
A file server is a computer responsible for the central storage and management of data files so that other computers on the same network can access those files.
Exchange server
A popular email messaging system from Microsoft that runs on Windows Server. The server side is Microsoft Exchange Server and the featured client program is Microsoft Outlook.
Firewall
• It allows or blocks traffic
• It is an IP- and port-filtering device
• It works on ACL (access control list) rules, evaluated top to bottom; the first matching rule wins
• It has an implicit deny rule at the bottom of the list by default, so anything not explicitly allowed is dropped
Example rule (constructed):
from zone   to zone   src ip     dest ip    port      action
INT         EXT       10.1.1.1   53.3.3.4   80/443    allow   (other actions: deny, drop)
• It does stateful inspection (return traffic for an allowed connection is permitted without a separate rule)
• It works at layer 3 and layer 4
• It is inline with traffic
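The ACL evaluation described above (top-to-bottom, first match wins, implicit deny) as an added worked example; this is illustrative code for these notes, not any vendor's firewall logic. The zones, addresses and rule intent are constructed. Besides evaluating a packet it includes the check a rule-base audit needs: finding rules that are shadowed by an earlier rule and can never fire.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str       # "INT", "EXT", "DMZ", ... or "any"
    dst_zone: str
    src: str            # CIDR such as "10.1.0.0/16", or "any"
    dst: str
    ports: frozenset    # destination ports, or frozenset({"any"})
    action: str         # "allow", "deny" (reject) or "drop" (silently discard)


def _ip_matches(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _zone_matches(pattern: str, zone: str) -> bool:
    return pattern in ("any", zone)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, dst_port):
    """Return (action, index of the matching rule). Rules are checked top to bottom and the
    first match wins; a packet that matches nothing hits the implicit deny: ("drop", None)."""
    for i, r in enumerate(rules):
        if (_zone_matches(r.src_zone, src_zone) and _zone_matches(r.dst_zone, dst_zone)
                and _ip_matches(r.src, src_ip) and _ip_matches(r.dst, dst_ip)
                and ("any" in r.ports or dst_port in r.ports)):
            return r.action, i
    return "drop", None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule already covers every
    packet they would match (each field of the earlier rule is a superset). A common audit
    finding: an 'allow' placed below the 'deny' that swallows it."""
    def net_covers(a, b):
        if a == "any":
            return True
        if b == "any":
            return False
        return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))

    def covers(earlier, later):
        return (_zone_matches(earlier.src_zone, later.src_zone)
                and _zone_matches(earlier.dst_zone, later.dst_zone)
                and net_covers(earlier.src, later.src) and net_covers(earlier.dst, later.dst)
                and ("any" in earlier.ports or later.ports <= earlier.ports))

    return [i for i, later in enumerate(rules) if any(covers(e, later) for e in rules[:i])]


# Constructed rule base; zones, addresses and intent are examples only.
RULES = [
    Rule("INT", "EXT", "10.1.1.1/32", "53.3.3.4/32", frozenset({80, 443}), "allow"),
    Rule("INT", "EXT", "10.1.0.0/16", "any", frozenset({53}), "allow"),     # DNS out for everyone
    Rule("INT", "EXT", "10.1.0.0/16", "any", frozenset({25}), "deny"),      # block direct SMTP
    Rule("INT", "EXT", "10.1.2.25/32", "any", frozenset({25}), "allow"),    # mail relay: shadowed by rule 2
]
```

Note that evaluate() is direction-aware: the same addresses with the zones swapped (EXT to INT) fall through to the implicit deny, which is the behaviour a stateful firewall's explicit rule base has before its connection table adds the return-traffic exception.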
Use cases
1. High-severity attack on several machines (the same source triggering deny or IPS events against many internal hosts)
Proxy (web security)
• It inspects traffic only on ports 80/443 (HTTP/HTTPS); inspecting HTTPS content requires TLS interception with an internal CA trusted by the clients
• It works at layer 7 (application layer) and so sees URLs, methods and content, not just IPs and ports
• It has an antivirus module (scans files downloaded from websites)
• It allows/blocks websites and content
• It does NATing (hides internal IPs: the destination site sees only the proxy's address)
• It has web categories (e.g. sports, education, search engine, adult, etc.)
Vendor: Forcepoint, F5 Networks
Use cases
1. Too many HTTP requests from a user/machine
Email security gateway
Use cases
1. Too many mails from/to a user
2. Too many large attachments
3. Sudden increase in spam mails
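The proxy and email use cases above all reduce to the same SIEM primitive: count events per key inside a sliding time window and alert when a threshold is crossed. The following is an added example written for these notes (not a rule from any SIEM product); the two log formats, the regexes, the thresholds and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log formats (not any vendor's real format): one event per line.
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
MAIL_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+) spam=(?P<spam>yes|no)$")


def parse(lines, pattern):
    """Yield one dict per line that matches `pattern`; malformed lines are skipped."""
    for line in lines:
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def sliding_window_alerts(events, key_field, threshold, window, predicate=lambda e: True):
    """One alert per key, raised the first time more than `threshold` events from that key
    fall inside any interval of length `window`. Returns [(key, time, count_in_window)]."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not predicate(e):
            continue
        key = e[key_field]
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, e["ts"], len(q)))
    return alerts


def proxy_request_flood(lines, threshold=20, window=timedelta(minutes=1)):
    """Use case: too many HTTP requests from one user/machine."""
    return sliding_window_alerts(parse(lines, PROXY_RE), "client", threshold, window)


def mail_sender_flood(lines, threshold=5, window=timedelta(minutes=1)):
    """Use case: too many mails from one user (compromised mailbox or outbound spam)."""
    return sliding_window_alerts(parse(lines, MAIL_RE), "sender", threshold, window)


def large_attachments(lines, max_bytes=10 * 1024 * 1024):
    """Use case: large attachments (possible data exfiltration)."""
    return [(e["sender"], e["ts"], int(e["size"])) for e in parse(lines, MAIL_RE) if int(e["size"]) > max_bytes]


def spam_spike(lines, threshold=10, window=timedelta(minutes=1)):
    """Use case: sudden increase in spam, keyed on the targeted recipient."""
    return sliding_window_alerts(parse(lines, MAIL_RE), "rcpt", threshold, window,
                                 predicate=lambda e: e["spam"] == "yes")


# Constructed sample logs: one noisy client, one quiet client, one malformed line;
# one chatty sender, one oversized attachment, one spam burst at a single mailbox.
BASE = datetime(2024, 5, 1, 9, 0, 0)
PROXY_LINES = (
    [f"{(BASE + timedelta(seconds=i)).isoformat()} 10.1.1.7 GET http://example.com/p{i} 200" for i in range(25)]
    + [f"{(BASE + timedelta(seconds=30 * i)).isoformat()} 10.1.1.8 GET http://example.com/ 200" for i in range(3)]
    + ["this line is malformed and must be skipped"]
)
MAIL_LINES = (
    [f"{(BASE + timedelta(seconds=5 * i)).isoformat()} from=alice@example.com to=r{i}@example.net size=4096 spam=no" for i in range(8)]
    + [f"{(BASE + timedelta(minutes=2)).isoformat()} from=bob@example.com to=c@example.net size=26214400 spam=no"]
    + [f"{(BASE + timedelta(minutes=3, seconds=i)).isoformat()} from=x{i}@evil.test to=alice@example.com size=2048 spam=yes" for i in range(12)]
)
```

The thresholds are the tuning knobs a SOC adjusts per environment; the "alert once per key" set is what keeps a single noisy host from generating one offense per event.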
Malware includes a wide range of software that has malicious intent. Malware is not software that you would knowingly purchase or download and install. Instead, it is installed onto your system through devious means. Infected systems show various symptoms, such as running slower, starting unknown processes, sending out email without user action, random reboots, and more.
You might hear people use the term virus to describe all types of malware, but that isn’t
accurate. A virus is a specific type of malware, and malware includes many other types of
malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware, and
more.
Viruses
A virus is a set of malicious code that attaches itself to a host application. The host application
must be executed to run, and the malicious code executes when the host application is executed.
The virus tries to replicate by finding other host applications to infect with the malicious code. At
some point, the virus activates and delivers its payload. Typically, the payload of a virus is
damaging. It may delete files, cause random reboots, join the computer to a botnet, or enable
backdoors that attackers can use to access systems remotely.
Worms
A worm is self-replicating malware that travels throughout a network without the assistance of a
host application or user interaction. A worm resides in memory and is able to use different
transport protocols to travel over the network. One of the significant problems caused by worms
is that they consume network bandwidth. Worms can replicate themselves hundreds of times and
spread to all the systems in the network. Each infected system tries to locate and infect other
systems on the network, and network performance can slow to a crawl.
Logic Bombs
A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event may be a specific date or time, when a user launches a specific program, or any other event the programmer decides on.
Backdoors
A backdoor provides another way of accessing a system, similar to how a backdoor in a house
provides another method of entry. Malware such as Trojans often install backdoors on systems to
bypass normal authentication methods.
Application developers often code backdoors into applications, but this practice is not
recommended. For example, an application developer might create a backdoor within an
application intended for maintenance purposes. However, if attackers discover the backdoor,
they can use it to access the application.
Trojan
A Trojan appears to be something useful but includes a malicious component, such as installing
a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also
infect systems from rogueware, pirated software, games, or infected USB drives.
Botnets
A botnet combines the words robot and network. It includes multiple computers that act as
software robots and function together in a network (such as the Internet), often for malicious
purposes. The computers in a botnet are called zombies and they will do the bidding of whoever
controls the botnet.
Bot herders are criminals who manage botnets. They attempt to infect as many computers as
possible and control them through one or more servers running command-and-control software.
The infected computers periodically check in with the command-and-control servers, receive
direction, and then go to work. The user is often unaware of the activity.
Most computers join a botnet through malware infection. For example, a user could download pirated software with a Trojan or click a malicious link, resulting in a drive-by download. The malware then joins the system to a botnet. Bot herders typically use the zombies to:
• Send spam.
• Launch a distributed denial-of-service attack.
• Download additional malware, adware, or spyware such as keyloggers.
Rootkits
A rootkit is a group of programs (or, in rare instances, a single program) that hides the fact that
the system has been infected or compromised by malicious code. A user may suspect something
is wrong, but antivirus scans and other checks may indicate everything is fine because the rootkit
hides its running processes to avoid detection.
In addition to modifying internal operating system processes, rootkits often modify system files and the Registry. In some cases, the rootkit modifies system access, such as removing users' administrative access.
Rootkits have system-level access to systems. This is sometimes called root-level access, or
kernel-level access, indicating that they have the same level of access as the operating system.
Spyware
Spyware is software installed on users' systems without their awareness or consent. Its purpose is often to monitor the user's computer and the user's activity. Spyware takes some level of control over the user's computer to learn information and sends this information to a third party. If spyware can access a user's private data, it results in a loss of confidentiality.
Some examples of spyware activity are changing a user's home page, redirecting web browsers, and installing additional software, such as toolbars or alternative search engines. In some situations, these changes can slow a system down, resulting in poorer performance.
Adware
When adware first emerged, its intent was usually to learn a user's habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware. However, some traditional adware still exists.
A common type of adware is pop-ups. For example, while you are visiting a site, another browser window appears, or pops up, with an advertisement. These pop-up windows aren't malicious, but they are annoying.
Sometimes pop-ups can be helpful. As a legitimate example, my online bank has interest-rate information that I can view. When I click on this link, it pops up another window showing the interest-rate information without taking me away from the current page I'm viewing.
Ransomware
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key. Offline, tested backups are the only reliable recovery path.
Dos attack
A denial of service (DoS) is an attack intended to make a computer's resources or services unavailable to users. In other words, it prevents a server from operating or responding to normal requests. A DoS attack comes from a single attacker.
DDOS attack
A distributed denial-of-service (DDoS) attack is an attack from two or more computers (often a botnet) against a single target. DDoS attacks often include sustained, abnormally high network traffic on the network interface card of the attacked computer. Other system resource usage (such as processor and memory usage) will also be abnormally high. The goal of both is to prevent legitimate users from accessing services on the target computer. Many DoS and DDoS attacks attempt to consume resources on the target computer. For example, a SYN (synchronize) flood attack sends a stream of SYN segments, often from spoofed source addresses, and never completes the handshake, so the target fills its connection table with half-open connections. SYN cookies and rate limiting are the usual mitigations.
Zero-Day Attacks
A zero-day attack is one that exploits a vulnerability for which no patch exists, often one the vendor isn't yet aware of. At some point, the vendor learns of the vulnerability and begins to write and test a patch to eliminate it. However, until the vendor releases the patch, the vulnerability is still a zero-day vulnerability, and signature-based defenses cannot detect its exploitation; behaviour-based detection and least privilege limit the damage in the meantime.
Buffer overflows occur when an application writes more data into a buffer than it can hold, overwriting adjacent memory such as a saved return address or function pointer. Buffer overflow attacks often include a run of NOP instructions (0x90 on x86, a "NOP sled") followed by malicious code; when the overwritten return address lands anywhere in the sled, execution slides into the malicious code. Input validation (checking lengths before copying) prevents the overflow itself; memory-safe languages and compiler and OS mitigations (stack canaries, non-executable stacks, ASLR) make exploitation harder but are not a substitute for it.
Cross-Site Scripting
Cross-site scripting (XSS) is another web application vulnerability that can be prevented with input validation and, above all, output encoding. The attacker injects malicious HTML or JavaScript into data that the site echoes back to other users: a search term reflected in an error message (often delivered as a link in a phishing email) or a stored comment. The victim's browser executes the script with the site's privileges. Many times, this gives the attacker access to the user's session cookies or other information about the user.
Cross-site request forgery (XSRF or CSRF) is an attack where an attacker tricks a user into performing an action on a web site on which the user is already logged in. The attacker creates a specially crafted HTML link or form; the browser automatically attaches the user's session cookie, and the user performs the action without realizing it. Anti-CSRF tokens and SameSite cookies prevent it.
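Both defenses above, as an added server-side example written for these notes (not code from any framework the notes mention): a reflected-XSS sink shown beside its encoded version, and an anti-CSRF token bound to the session with an HMAC. The session id, the form fields and SERVER_KEY are constructed placeholders; in a real application the key comes from secret storage.

```python
import hashlib
import hmac
import html
import secrets


def render_error_vulnerable(search_term: str) -> str:
    """Reflected XSS: user input is concatenated straight into the HTML error message."""
    return f"<p>No results for: {search_term}</p>"


def render_error_safe(search_term: str) -> str:
    """Same page with output encoding: <, >, &, quotes become entities, so the browser
    renders the payload as text instead of executing it."""
    return f"<p>No results for: {html.escape(search_term, quote=True)}</p>"


# Anti-CSRF token: random nonce + HMAC(session_id, nonce). A forged cross-site request
# cannot carry a valid token because the attacker's page cannot read it from the victim's session.
SERVER_KEY = b"example-key-rotate-me"   # assumption: loaded from secret storage in real code


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Embed the returned value in a hidden form field when rendering the page."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    # constant-time comparison so a timing side channel cannot leak the expected MAC
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(form: dict, session_id: str) -> str:
    """State-changing request handler: a request without a valid token is refused even
    though the browser sent the session cookie (which is all a CSRF attacker can rely on)."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 forbidden: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"
```

Encoding at output time, as render_error_safe() does, is what makes the page safe regardless of how the input arrived; input validation alone cannot reject every string that is dangerous in some HTML context.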
Phishing
Phishing is the practice of sending email to users with the purpose of tricking them into
revealing personal information or clicking on a link. A phishing attack often sends the user to a
malicious web site that appears to the user as a legitimate site.
The classic example is where a user receives an email that looks like it came from eBay,
PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the recipient
has an account at the company, just as a fisherman doesn’t know if any fish are in the water
where he casts his line. However, if the attacker sends out enough emails, the odds are good that
someone who receives the email has an account.
The email may look like this:
“We have noticed suspicious activity on your account. To protect your privacy, we will
suspend your account unless you are able to log in and validate your credentials. Click here to
validate your account and prevent it from being locked out.”
Spear Phishing
Spear phishing is a targeted form of phishing. Instead of sending the email out to everyone
indiscriminately, a spear phishing attack attempts to target specific groups of users, or even a
single user. Spear phishing attacks may target employees within a company or customers of a
company.
Whaling
Whaling is a form of spear phishing that attempts to target high-level executives.
Vishing
Vishing attacks use the phone system to trick users into giving up personal and financial
information. It often uses Voice over IP (VoIP) technology and tries to trick the user similar to
other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it appear as
though the call came from a real company.
Privilege Escalation
Privilege escalation occurs when a user or process accesses elevated rights and permissions.
When attackers first compromise a system, they often have minimal privileges. However,
privilege escalation tactics allow them to get more and more privileges.
Shoulder Surfing
Shoulder surfing is simply looking over the shoulder of someone to gain information. The goal is
to gain unauthorized information by casual observation, and it’s likely to occur within an office
environment. This can be to learn credentials, such as a username and password, or a PIN used
for a smart card or debit card. Recently, attackers have been using cameras to monitor locations
where users enter PINs, such as at automatic teller machines (ATMs).
Dumpster Diving
Dumpster diving is the practice of searching through trash or recycling containers to gain
information from discarded documents. Many organizations either shred or burn paper instead of
throwing it away.
Impersonating
Social engineers often attempt to impersonate others. The goal is to convince an authorized user to provide some information, or to help the attacker defeat a security control.
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
1. Preparation
This phase covers incident response planning and is, in the end, the most crucial phase for protecting your business. Part of this phase includes:
• Ensure employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach.
• Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate the incident response plan.
• Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance.
Your response plan should be well documented, thoroughly explaining everyone's roles and responsibilities. Then the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they are to make critical mistakes.
2. Identification
This is the process where you determine whether you’ve been breached. A breach, or incident,
could originate from many different areas.
It’s important to discover the breach quickly, where it’s coming from, and what it has affected.
3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you'll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.
Instead, contain the breach so it doesn't spread and cause further damage to your business. If you can, isolate affected devices from the network rather than powering them off, so that volatile evidence (memory, running processes, network connections) is not lost, and capture a memory and disk image before changing anything on the machine. Have short-term and long-term containment strategies ready. It's also good to have a redundant system backup to help restore business operations. That way, any compromised data isn't lost forever.
This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords. Reset credentials only once you understand how the attacker got in and have cut that access off; resetting passwords while the attacker still has a foothold just hands them the new ones.
4. Eradication
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach.
This means all malware should be securely removed, systems should again be hardened and
patched, and updates should be applied.
Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace
of malware or security issues remain in your systems, you may still be losing valuable data, and
your liability could increase.
5. Recovery
This is the process of restoring and returning affected systems and devices back into your
business environment. During this time, it’s important to get your systems and business
operations up and running again without the fear of another breach.
6. Lessons Learned
Once the investigation is complete, hold an after-action meeting with all Incident Response
Team members and discuss what you’ve learned from the data breach. This is where you will
analyze and document everything about the breach. Determine what worked well in your
response plan, and where there were some holes. Lessons learned from both mock and real
events will help strengthen your systems against the future attacks.
• Offense rules: monitor and take actions on offenses, such as generating email notifications.
• Offense management: updates active offenses, transitions inactive offenses to active, and provides access to offense information to the user through the Offenses tab.
• Offense storage: writes offense data to a Postgres database.
Phases of Hacking
Reconnaissance
Reconnaissance is the phase where the attacker gathers information about a target using passive or active means. Passive tools such as Maltego and Google dorks work from public data and leave no trace on the target; active tools such as Nmap and hping touch the target directly and can be logged by it.
Scanning
In this process, the attacker begins to actively probe a target machine or network for
vulnerabilities that can be exploited. The tools used in this process are Nessus, Nexpose,
and NMAP.
Gaining Access
In this process, the vulnerability is located and you attempt to exploit it in order to enter the system. The primary tool used in this process is Metasploit.
Maintaining Access
This is the process after the hacker has already gained access to a system. After gaining access, the hacker installs backdoors in order to re-enter the system whenever access to the owned system is needed in future. Metasploit is the preferred tool in this process.
Clearing Tracks
In a real attack this is where the attacker deletes or alters the logs of all the activity that took place during the intrusion, to evade detection; an ethical hacker does not do this. Defenders counter it by forwarding logs to a SIEM the attacker cannot modify, which is why log deletion and "audit log cleared" events are themselves high-value SIEM use cases.
Reporting
Reporting is the last step of finishing the ethical hacking process. Here the Ethical Hacker
compiles a report with his findings and the job that was done such as the tools used, the
success rate, vulnerabilities found, and the exploit processes.
Threats
A threat is a potential danger. A threat is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system.
Vulnerabilities
A vulnerability is a flaw or weakness in software or hardware, or a weakness in a process that
could be exploited, resulting in a security breach. Just because a vulnerability exists doesn’t
mean it will be exploited, only that it can be exploited.
Examples of vulnerabilities include:
Lack of updates. If systems aren’t kept up to date with patches, hotfixes, and service packs, they
are vulnerable to bugs and flaws in the software.
Default configurations. If defaults aren’t changed in hardware and software configurations, they
are susceptible to attacks. Similarly, default usernames and passwords are susceptible to attacks
if they aren’t changed.
Lack of malware protection or updated definitions. If antivirus and anti-spyware protection
isn’t used and kept up to date, systems are vulnerable to malware attacks.
No firewall. If personal and network firewalls aren’t enabled or configured properly, systems are
more vulnerable to network and Internet-based attacks.
Lack of organizational policies. If job separation, mandatory vacations, and job rotation
policies aren’t implemented, an organization may be more susceptible to fraud and collusion
from employees.
The vulnerability assessment is prioritized based on the severity of the vulnerabilities and their
ability to affect the high value asset items. A vulnerability assessment checks for the existence of
security controls such as a password policy and can include a user rights and access review to
identify unused accounts, or accounts with unneeded permissions. However, a vulnerability
assessment identifies these issues, but does not make changes.
Risks
A risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness,
and a threat is a potential danger. The result is a negative impact on the organization. Impact
refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.
For example, a system without up-to-date antivirus software is vulnerable to malware. Malware
written by malicious attackers is the threat. The likelihood that the malware will reach a
vulnerable system represents the risk. Depending on what the malware does, the impact may be
an unbootable computer, loss of data, or a remote-controlled computer that has joined a botnet.
A risk assessment identifies assets, asset values, threats, and vulnerabilities. It prioritizes the results and makes recommendations on what controls to implement. Risk cannot be eliminated, only reduced, transferred, avoided, or accepted.
We use ipconfig to find the router's IP address (shown as the default gateway). Once you have that, you can ping the router to test if it is responsive. The problem with the ping command is that, while it is fast, it doesn't give you a lot of information. For that, we use the tracert command, which will be covered next.
The hostname command is used to identify the host name (your computer name).
Ping summarizes the whole exchange to show the percentage of packet loss and similar information: the number of packets transmitted and received, the percentage of packet loss, the total time taken, and the minimum, average and maximum round-trip time. Many hosts and firewalls drop ICMP, so a failed ping does not prove a host is down.
Each IP packet that you send on the internet has a field called TTL. TTL stands for Time To Live. Although it's called Time To Live, it's not actually a time in seconds.
TTL is not measured in seconds but in hops. It is the maximum number of hops that a packet can travel across the internet before it is discarded. Each router decrements it by one; when it reaches zero the router discards the packet and sends an ICMP Time Exceeded message back to the source. tracert relies on exactly this: it sends packets with TTL 1, 2, 3 and so on, and records which router answers with Time Exceeded for each value.
Hops are simply the routers or other layer 3 devices that sit between the source and the destination.
5->netstat
Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.
Specifically, the netstat command can show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which can help troubleshoot certain kinds of networking issues. For incident triage, netstat -ano lists every connection and listening port together with the owning process ID, so an unexpected listener or an outbound connection to an unknown address can be tied to a process.
6->pathping
Provides information about network latency and network loss at intermediate hops between a
source and destination. Pathping sends multiple Echo Request messages to each router between a
source and destination over a period of time and then computes results based on the packets
returned from each router.
When you run pathping, it first displays the hops that it is going through, basically the same process as the tracert command. Once the trace is complete, pathping displays a busy message for the next 100 seconds or so (variable depending on the number of hops) while it computes the information gathered from the routers and the links between them.
7->arp
Displays, adds, and removes entries in the local machine's ARP cache (IP-to-MAC mappings). arp -a lists the cache; a gateway whose MAC address has changed, or two IP addresses sharing one MAC, is a sign of ARP spoofing on the segment.
8->nslookup
Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. By default nslookup queries the resolver configured on the host; nslookup <name> <server> queries a specific DNS server directly, which is useful for checking whether the local resolver has been redirected or poisoned.
9->getmac
Windows command used to show both local and remote MAC addresses. When run with no parameters (i.e. getmac) it displays MAC addresses for the local system. When run with the /s parameter (e.g. getmac /s \\foo) it displays MAC addresses for the remote computer. When the /v parameter is used, it also displays the associated connection name and network adapter name.
10->telnet
Telnet is software that allows users to remotely access another computer such as a server, network device, or other computer. With telnet users can connect to a device or computer, manage a network device, set up a device, etc. Telnet sends everything, including passwords, in clear text, so it should not be used for administration (use SSH instead); its remaining legitimate use is as a quick TCP connectivity test.
If the ping test passes, it means that your client machine can reach the server machine. This does NOT mean you can connect to the service on the server machine: ping uses ICMP, not TCP, so it says nothing about whether a given port is open.
Once the ping test passes, you can use telnet to test if your client machine can connect to the server's port: run telnet <server> <port>. A blank screen or a service banner means the TCP handshake completed; an immediate "Could not open connection" means the port is closed or filtered. On modern Windows the telnet client is not installed by default; Test-NetConnection -ComputerName <server> -Port <port> in PowerShell performs the same test.
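The same port test, as an added scripted example written for these notes (not part of the telnet or PowerShell tools above): connect_ex() reports whether the TCP handshake completes, which is what distinguishes "host answers ping" from "service accepts connections". So that it runs offline, the demo function starts a throwaway listener on 127.0.0.1 and probes it alongside a port nothing listens on; the host and port arguments are otherwise whatever server you are checking.

```python
import socket
import threading


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes (the three-way handshake succeeds).

    False means closed, filtered, or unreachable. It is independent of ICMP: a host can
    answer ping with every port closed, or drop ping while the service is reachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_ports(host: str, ports) -> dict:
    """Probe several ports on one host; e.g. check_ports("server", [22, 80, 443, 3389])."""
    return {p: tcp_port_open(host, p) for p in ports}


def demo_with_local_listener():
    """Start a listener on a free loopback port, free up a second port so we know it is
    closed, and probe both. Returns (open_port_result, closed_port_result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS choose a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))         # grab and release a port so nothing listens on it
    closed_port = probe.getsockname()[1]
    probe.close()

    def accept_one():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass                         # listener closed before a connection arrived

    threading.Thread(target=accept_one, daemon=True).start()
    try:
        return (tcp_port_open("127.0.0.1", open_port),
                tcp_port_open("127.0.0.1", closed_port))
    finally:
        listener.close()
```

Keep the timeout short when scanning many hosts: a filtered port (firewall silently dropping SYNs) only reports False after the timeout expires, whereas a closed port answers with RST immediately.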
Confidentiality
Confidentiality ensures that data is only viewable by authorized users. If there is a risk of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable. Any data should be protected with access controls to enforce confidentiality.
Integrity
Integrity is used to verify that data has not been modified; loss of integrity can occur through unauthorized or unintended changes. Hashing algorithms such as SHA-256 (and, for keyed integrity, HMAC) calculate hashes to verify integrity. MD5 and SHA-1 still appear in older material but are no longer collision-resistant and should not be used for new integrity checks. A hash is simply a number created by applying the algorithm to a file or message; the hash is computed at different times (for example when the file is baselined and again later) and the values are compared to verify that integrity has been maintained. A plain hash only catches accidental or unsophisticated change, since whoever alters the file can recompute it; an HMAC with a secret key, or a digital signature, is needed when the attacker may control the data.
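The baseline-and-compare check above, as an added example written for these notes (not from any file-integrity product): SHA-256 over a file in chunks, a constant-time comparison against the stored baseline, and the HMAC variant that a tamperer cannot recompute without the key. The config file contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, known_good_hex: str) -> bool:
    """Compare against a stored baseline; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(file_sha256(path), known_good_hex)


def hmac_sha256(key: bytes, message: bytes) -> str:
    """Keyed hash: without the key a tamperer cannot produce a valid tag for altered data."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256(key, message), tag_hex)


def demo() -> dict:
    """Constructed scenario: baseline a config file, tamper with it, re-check; then show
    why a plain hash is not enough when the attacker can rewrite the stored hash too."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")
        with open(path, "wb") as f:
            f.write(b"listen=443\nadmin=alice\n")
        baseline = file_sha256(path)

        with open(path, "ab") as f:
            f.write(b"admin=mallory\n")          # unauthorized change
        tampered_passes = verify_file(path, baseline)

        # A tamperer who can also replace the stored hash simply recomputes it:
        recomputed_passes = verify_file(path, file_sha256(path))

    key = os.urandom(32)                         # assumption: real keys live in secret storage
    msg = b"transfer 100 to bob"
    tag = hmac_sha256(key, msg)
    forged = hmac_sha256(b"attacker-guess", b"transfer 100 to mallory")
    return {
        "baseline": baseline,
        "tampered_detected": not tampered_passes,
        "plain_hash_recomputable": recomputed_passes,
        "hmac_valid": verify_hmac(key, msg, tag),
        "hmac_forgery_rejected": not verify_hmac(key, b"transfer 100 to mallory", forged),
        "hmac_modified_rejected": not verify_hmac(key, b"transfer 100 to mallory", tag),
    }
```

The "plain_hash_recomputable" result is the practical reason file-integrity baselines are stored off-host or signed: a hash that lives next to the file it protects protects nothing against an attacker with write access to both.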
Availability
Availability indicates that data and services are available when needed. For some companies, this simply means that the data and services must be available between 8 a.m. and 5 p.m., Monday through Friday. For other companies, this means they must be available twenty-four hours a day, seven days a week, 365 days a year.
QUESTIONS