
SECURITY INFORMATION AND EVENT MANAGEMENT

What is cyber security?

Cyber/IT security is the practice of protecting computers, networks, programs and data from unauthorized access and from attacks aimed at exploiting them.

Eg: Flipkart's database contains customer information that must be protected from theft or tampering.

What is a SOC (security operations center)?

A SOC is a dedicated site where enterprise information systems (websites, applications, databases, datacenters, servers, networks, desktops and other endpoints) are monitored, assessed and defended.

What is SIEM (security information and event management)?

It is a tool/technology that supports threat detection and historical analysis of security events through real-time collection of events from various data/log sources.

It is a set of technologies for

• Log data collection


• Correlation
• Aggregation
• Normalization
• Retention
• Analysis and workflow

We need a SIEM to move from a reactive to a proactive security approach: instead of learning about an incident after the damage is done, events from every log source are correlated in near real time so an analyst is alerted while the attack is still in progress.
Important SIEM tools

HPE ArcSight 6.9
IBM QRadar 7.3.1
McAfee Nitro (ESM) 9.6
Splunk

Networking Concepts

NIC(network interface card)


It enables a computer to connect to a network. It turns data into electrical, optical or radio signals that can be transmitted over the network, and back again.

MAC(media access control)address


Every NIC has a hardware address known as the MAC address.
It is 48 bits long, written as six pairs of hexadecimal digits separated by colons. The first three pairs identify the manufacturer (OUI).
Eg: 00:0a:83:ab:cf:67

IP(internet protocol) address


It is a logical address used to communicate with other devices. An IPv4 address is a value of 32 bits / 4 octets.
Eg: 192.145.2.3
Address space: 2^32 addresses for IPv4, 2^128 for IPv6.
2^32 is about 4.3 billion possible IPv4 addresses, and the number of internet-connected devices today is far larger than that.
Assigning the same IP address to 2 computers on one network is not possible (an IP conflict happens), so IP addresses are divided into 2 types, and the private ranges are reused in every organisation behind NAT:
1. Public IP address
2. Private IP address
*Classes of IPv4 addresses and ranges (127.0.0.0-127.255.255.255 is reserved for loopback and is left out of class A)
Class A 0.0.0.0-126.255.255.255
Class B 128.0.0.0-191.255.255.255
Class C 192.0.0.0-223.255.255.255
Class D 224.0.0.0-239.255.255.255 (multicast)
Class E 240.0.0.0-255.255.255.255 (reserved/experimental)
*Private IP address ranges (RFC 1918)
Class A 10.0.0.0-10.255.255.255 (10.0.0.0/8)
Class B 172.16.0.0-172.31.255.255 (172.16.0.0/12)
Class C 192.168.0.0-192.168.255.255 (192.168.0.0/16)

Difference between public and private IP addresses

Public IP address                     Private IP address
Issued by the ISP                     Issued by the router/DHCP server to hosts within its own network
Routable worldwide                    Not routable on the internet (must go through NAT)
Registered / paid                     Unregistered, free to use (RFC 1918 ranges)
OSI Concepts
OSI (Open Systems Interconnection)
There are 7 layers.
Application layer: the interface between the network and the user's programs. It provides the set of protocols that let applications exchange data.
eg: HTTP, FTP, SMTP
PDU (protocol data unit): data
Presentation layer: formats the data (presents it in the required format). Encryption/decryption, encoding/decoding and compression/decompression take place here.
PDU: data
Session layer: establishes, maintains and terminates sessions (dialogues) between two communicating hosts.
eg: NetBIOS, RPC session handling. (The TCP 3-way handshake is often quoted here, but it belongs to the transport layer.)
PDU: data
Transport layer: provides end-to-end data transport. TCP adds reliable delivery, sequencing, error detection and retransmission; UDP does not. Port numbers are assigned here.
eg: TCP, UDP
PDU: segments (TCP) / datagrams (UDP)
Network layer: does routing (forwarding packets along the best path to the destination). IP addresses are added here.
eg: router, IP
PDU: packets
Data link layer: transfers frames between directly connected nodes over the physical layer and detects transmission errors. Switching (forwarding a frame to the port of the destination system) takes place here. MAC addresses are added here.
eg: switch, Ethernet
PDU: frames
Physical layer: converts raw bits to electrical, optical or radio signals and vice versa.
eg: cable, Wi-Fi
PDU: bits
PORTS AND PROTOCOL

Ports: ports are logical numbers used by TCP/IP to identify which service/application should handle data received by a system. TCP and UDP each have 65536 ports (0-65535).
0-1023 are well-known ports.
Protocols: a protocol is a set of rules and guidelines for communicating data.
Well known ports and protocols
SSH (Secure Shell) 22
SCP (Secure Copy Protocol, runs over SSH) 22
SSL/TLS (Secure Sockets Layer / Transport Layer Security): not tied to one port; it wraps other protocols, most commonly HTTPS on 443 (also LDAPS 636, IMAPS 993, POP3S 995)
IPsec (Internet Protocol Security) UDP 500 (IKE) and UDP 4500 (NAT traversal); ESP and AH are IP protocols 50 and 51, not ports
HTTP (Hypertext Transfer Protocol) 80
HTTPS (Hypertext Transfer Protocol Secure) 443
FTP (File Transfer Protocol) 20 (data) & 21 (control)
SNMP (Simple Network Management Protocol) UDP 161 (queries) and 162 (traps)
DNS (Domain Name System) 53 (UDP and TCP)
DHCP (Dynamic Host Configuration Protocol) UDP 67 (server) & 68 (client)
LDAP (Lightweight Directory Access Protocol) 389
RDP (Remote Desktop Protocol) 3389
SMTP (Simple Mail Transfer Protocol) 25 (587 for mail submission)
POP3 (Post Office Protocol v3) 110
IMAP (Internet Message Access Protocol) 143
MS SQL (Microsoft SQL Server) 1433
Kerberos (mutual authentication) 88
Syslog UDP 514 (TCP 514; 6514 for syslog over TLS)
SMB (Server Message Block) 445

TCP Header (and the IP header fields that carry the addresses)

A TCP segment is carried inside an IP packet: the source and destination IP addresses are in the IP header, everything else below is in the TCP header.

IP header:   Source IP | Destination IP (plus TTL, protocol number, checksum, ...)
TCP header:
  Source port (16 bits)                 | Destination port (16 bits)
  Sequence number (32 bits)
  Acknowledgement number (32 bits)
  Data offset (4) | Reserved (3) | Flags (9) | Window size (16)
  Checksum (16)                         | Urgent pointer (16)
  Options (only when data offset > 5 words)
  Data

Flags (one bit each, in order): NS, CWR, ECE, URG (urgent), ACK (acknowledge), PSH (push), RST (reset), SYN (synchronize), FIN (finish).
Older tables show the CWR and ECE positions as two reserved bits: Reserved, Reserved, Urgent, Acknowledge, Push, Reset, Synchronize, Finish.

TCP 3 way handshaking


To start a TCP session the client sends a SYN segment, the server responds with a SYN-ACK segment, and the client completes the third part of the handshake with an ACK segment; at this point the connection is established. Each side picks its own initial sequence number in its SYN and acknowledges the other side's sequence number plus one.

Closing is a four-way exchange: the side that has finished sending transmits FIN, the other side replies with ACK, sends its own FIN once it has finished, and the first side answers with a final ACK; at this point the connection is terminated. An RST segment instead aborts the connection immediately.
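
The header layout and handshake described above, as an added Python example that is not part of the original notes: it decodes the fixed 20-byte TCP header with `struct`, lists the set flags, and checks that three constructed segments form a valid SYN, SYN-ACK, ACK exchange with consistent sequence and acknowledgement numbers. The segments are built locally with a zero checksum (they are test data, not captured traffic).

```python
"""Parse TCP headers from raw bytes and verify a three-way handshake."""
import struct

# Flag bits in the low byte of the 16-bit data-offset/flags field. CWR and ECE
# sit in the two positions older tables label "reserved".
FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options are skipped, payload returned."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # header length in bytes (words * 4)
    flag_bits = off_flags & 0xFF               # low 8 bits: CWR..FIN
    flags = [name for name, bit in FLAGS.items() if flag_bits & bit]
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "data_offset": data_offset,
        "flags": flags, "window": window, "checksum": checksum,
        "urgent": urgent, "payload": segment[data_offset:],
    }


def build_segment(src_port, dst_port, seq, ack, flags, window=65535, payload=b""):
    """Build a minimal 20-byte TCP header (checksum left 0; constructed test data)."""
    flag_bits = 0
    for f in flags:
        flag_bits |= FLAGS[f]
    off_flags = (5 << 12) | flag_bits          # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0) + payload


def is_valid_handshake(segments) -> bool:
    """True when three segments are SYN, SYN-ACK, ACK with matching seq/ack numbers."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if set(syn["flags"]) != {"SYN"}:
        return False
    if set(synack["flags"]) != {"SYN", "ACK"} or synack["ack"] != syn["seq"] + 1:
        return False
    if "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        return False
    # Client's ACK must acknowledge the server's ISN + 1 and continue its own ISN + 1.
    return ack["ack"] == synack["seq"] + 1 and ack["seq"] == syn["seq"] + 1


# Constructed handshake: client port 51234 -> server port 443.
HANDSHAKE = [
    build_segment(51234, 443, seq=1000, ack=0, flags=["SYN"]),
    build_segment(443, 51234, seq=5000, ack=1001, flags=["SYN", "ACK"]),
    build_segment(51234, 443, seq=1001, ack=5001, flags=["ACK"]),
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h['src_port']} -> {h['dst_port']} flags={h['flags']} "
              f"seq={h['seq']} ack={h['ack']}")
    print("valid handshake:", is_valid_handshake(HANDSHAKE))
```

The same parser can be pointed at the TCP portion of bytes read from a raw socket or a pcap; the only assumption is that the bytes start at the TCP header (i.e. the IP header has already been stripped).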
Difference Between TCP & UDP

TCP (Transmission Control Protocol)          UDP (User Datagram Protocol)
1. Connection oriented                       1. Connectionless
2. Segment sequencing takes place            2. No sequencing
3. Acknowledges the segments                 3. No acknowledgement
4. Slower (handshake and ACK overhead)       4. Faster (no handshake)
5. Retransmits lost segments                 5. No retransmission
Eg: HTTP, SMTP, SSH                          Eg: DNS queries, DHCP, live audio & video streaming (Skype calls)

NETWORK DEVICES

SWITCH

A network switch is a networking device that connects devices together on a computer network by using packet switching to receive, process and forward data to the destination device.
It operates at the data link layer.
The switch builds a MAC address table (CAM table) by noting which port each source MAC address was seen on, and then forwards a frame only to the port that owns the destination MAC. Hosts, not the switch, use ARP (Address Resolution Protocol) to map IP addresses to MAC addresses before they send frames.

ROUTER

A router is a hardware device designed to receive, analyse and move incoming data packets to another network. It determines the best path for a packet to be forwarded to its destination (layer 3).
NAT (Network Address Translation) is a method of remapping one IP address space into another by modifying the network address information in the IP header of packets while they are in transit across a traffic routing device (router). It is how many private addresses share one public address.

NETWORK ARCHITECTURE
Server LAN

Active Directory

Active Directory is a service provided by Microsoft that stores information about objects on a network (users, computers, groups, policies) so the information can be made available to specific users through the logon process and to network administrators. It provides central authentication and authorization services for Windows-based computers.

Application server

It is a program that handles all application operations between users and an organization's backend business applications or databases.

To maintain the employee database (HRMS) and the customer database (CRM), an application server is required.

File server

A file server is a computer responsible for central storage and management of data files so that other computers on the same network can access the files.

Exchange server

A popular email messaging system from Microsoft that runs on Windows Server. The server side is Microsoft Exchange Server and the featured client program is Microsoft Outlook.

DNS(domain name system)

It resolves domain names to IP addresses. It works like a phonebook.

1. The browser (and operating system) first checks its own cache for www.google.com. If there is no cached answer, the query is sent to the recursive resolver.
2. The resolver is typically run by the ISP (or by the enterprise, or a public resolver). When it receives the query it checks its own cache; if it cannot find the IP address it sends the query to the next level, i.e. a root server.
3. The root servers are the top of the DNS hierarchy: 13 root server identities, each with its own IP address and replicated around the world with anycast. A root server does not know the IP address of www.google.com, but it knows where to direct the resolver: it refers the resolver to the TLD servers for the .com domain.
4. The TLD servers store the name-server information for the top-level domains such as .com, .net, .org, .in etc. They do not know the IP address either, so they refer the resolver to the authoritative name server for google.com.
5. The authoritative name server is responsible for knowing everything about the domain, including its IP addresses. It receives the query from the resolver and responds with the IP address for www.google.com. Once the resolver receives the address it stores it in its cache (for the record's TTL), so a later query for www.google.com does not need to go through all the steps again.

DHCP( Dynamic Host Configuration protocol)

DHCP is controlled by a DHCP server that dynamically distributes network configuration parameters such as the IP address, subnet mask, default gateway and DNS servers to client interfaces.
DORA - Discover, Offer, Request, Acknowledgement
"The process of assigning the IP address by the DHCP server is also known as DORA".

1. The client sends a UDP broadcast (DHCPDISCOVER, from port 68 to port 67) to find DHCP servers.
2. A DHCP server offers an address and lease to the client (DHCPOFFER).
3. In response to the offer, the client requests that address from the server (DHCPREQUEST, also broadcast so any other servers withdraw their offers).
4. The server responds with the IP address, lease time and DNS/gateway information along with the acknowledgement (DHCPACK).
Antivirus
• It is an application installed to protect a computer from malware
• Works on signatures (a database of known malware files) and, in most products, heuristics/behaviour analysis
• Stops/cleans/deletes malware and blocks its execution
• Actions of AV: clean/delete/quarantine files after malware detection
• Exclusions (files or paths that are not scanned) can be set on the AV; attackers look for these
• There are 2 types of scanning
1. On access - real-time scanning (automatic)
2. On demand - scheduled/manual scan
Antivirus software detects and removes malware, such as viruses, Trojans,
and worms. Signature-based antivirus software detects known malware
based on signature definitions. Heuristic-based software detects previously
unknown malware based on behavior.
Vendor: Symantec, McAfee
USE Cases
• Malware outbreak (same malware found in 'n' systems)
• Multiple malwares in a single system
• AV services are stopped

Firewall
• It allows or blocks traffic
• It is an IP and port filtering device
• It works on ACL (access control list) rules, evaluated top to bottom, first match wins
• It has an implicit deny rule at the end by default
zone to zone   src ip      dest ip     port      action
INT -> EXT     10.1.1.1    53.3.3.4    80/443    allow / deny / drop
(deny normally sends a reject back to the sender; drop silently discards the packet)
• It does stateful inspection (tracks connection state so return traffic of an allowed session is permitted automatically)
• It works at layer 3 and layer 4
• It is inline with traffic

Vendor: Cisco ASA, Symantec, Juniper, FortiGate

USE CASES

1. Too many connections denied/allowed

2. Traffic from a suspicious country

3. Firewall configuration changes

4. Too many VPN access failures

5. Bad IP communication (traffic to/from known-malicious IPs)
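
The three firewall use cases that can be decided from log lines alone (too many denies, suspicious country, bad IP), as an added Python example that is not part of the original notes. The key=value log lines are constructed for this example, and the GeoIP map and bad-IP list are assumed stand-ins for a real GeoIP database and threat-intelligence feed.

```python
"""SIEM-style detections over firewall logs: excessive denies from one source,
allowed traffic to a suspicious country, and communication with a known-bad IP."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall lines (key=value style); not from any real device.
FIREWALL_LOGS = """\
2024-05-01T10:00:01 zone=EXT->INT src=198.51.100.7 dst=10.1.1.10 dport=22 action=deny
2024-05-01T10:00:05 zone=EXT->INT src=198.51.100.7 dst=10.1.1.10 dport=23 action=deny
2024-05-01T10:00:09 zone=EXT->INT src=198.51.100.7 dst=10.1.1.10 dport=445 action=deny
2024-05-01T10:00:12 zone=EXT->INT src=198.51.100.7 dst=10.1.1.10 dport=3389 action=deny
2024-05-01T10:00:20 zone=EXT->INT src=198.51.100.7 dst=10.1.1.11 dport=22 action=deny
2024-05-01T10:00:31 zone=INT->EXT src=10.1.1.25 dst=203.0.113.5 dport=443 action=allow
2024-05-01T10:00:40 zone=INT->EXT src=10.1.1.30 dst=192.0.2.99 dport=8080 action=allow
2024-05-01T10:05:00 zone=EXT->INT src=198.51.100.8 dst=10.1.1.10 dport=22 action=deny
"""

# Assumed lookup data: a real deployment uses a GeoIP database and a threat feed.
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "ZZ",
         ipaddress.ip_network("198.51.100.0/24"): "AA"}
SUSPICIOUS_COUNTRIES = {"ZZ"}
BAD_IPS = {"192.0.2.99"}


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


def excessive_denies(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` denies inside a sliding window."""
    recent = defaultdict(deque)      # src -> timestamps of recent denies
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "deny":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop denies older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": "excessive_denies", "src": ev["src"], "count": len(q)})
    return alerts


def suspicious_country(events):
    """Allowed outbound sessions whose destination geolocates to a watched country."""
    return [{"rule": "suspicious_country", "src": e["src"], "dst": e["dst"],
             "country": country_of(e["dst"])}
            for e in events
            if e["action"] == "allow" and country_of(e["dst"]) in SUSPICIOUS_COUNTRIES]


def bad_ip_communication(events):
    """Any session (allowed or denied) that touches a known-bad address."""
    return [{"rule": "bad_ip", "src": e["src"], "dst": e["dst"], "action": e["action"]}
            for e in events if e["dst"] in BAD_IPS or e["src"] in BAD_IPS]


def run_all(text):
    events = parse_logs(text)
    return excessive_denies(events) + suspicious_country(events) + bad_ip_communication(events)


if __name__ == "__main__":
    for alert in run_all(FIREWALL_LOGS):
        print(alert)
```

The deny counter alerts on the fifth deny from 198.51.100.7 (five within 19 seconds) but not on the single deny from 198.51.100.8; the "bad IP" rule deliberately fires even on allowed traffic, since an allowed session to a known-bad address is the more urgent case.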

IPS/IDS(intrusion prevention/detection system)

• It performs deep packet inspection

• It inspects the layer 3 and layer 4 headers and also the application-layer (layer 7) payload; that is what deep packet inspection means
• It works on signatures (known network traffic patterns) and, in many products, anomaly detection
• IDS mode only monitors and alerts; it usually sits off a SPAN port or network tap and is often used first as a learning/tuning mode before blocking is enabled
• IPS mode sits inline with traffic and can drop packets or reset malicious connections
Vendor: Palo Alto

Use cases
1. High-severity attack on several machines

2. Too many attacks from a single public IP

Proxy(web security)
• It inspects web traffic, typically only HTTP/HTTPS on ports 80/443
• It works at layer 3 and above (up to layer 7, since it terminates the HTTP connection)
• It has an antivirus module (scans files downloaded from websites)
• It allows/blocks websites/content
• It hides internal IP addresses, because the proxy opens the outbound connection on the client's behalf
• It has web categories (eg: sports, education, search engine, adult etc.)
Vendor: Forcepoint, F5 Networks

Use cases
1. Too many HTTP requests from a user/machine

2. Too many requests to blocked/malicious websites

Email Security Solution

• It scans only mail traffic (SMTP on port 25, plus submission on 587/465)

• It has spam (unwanted email) filtering rules
• It does file filtering (based on size, name, type)
• Blacklisting/whitelisting of sender/receiver domains
• It has an AV module
• It quarantines suspicious mails
Vendor: Forcepoint, F5 Networks

Use cases
1. Too many mails from/to a user
2. Too many large attachments
3. Sudden increase in spam mails

Understanding Malware and its Types

Malware includes a wide range of software that has malicious intent. Malware is not
software that you would knowingly purchase or download and install. Instead, it is installed onto
your system through devious means. Infected systems give various symptoms, such as running
slower, starting unknown processes, sending out email without user action, random reboots, and
more.
You might hear people use the term virus to describe all types of malware, but that isn’t
accurate. A virus is a specific type of malware, and malware includes many other types of
malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware, and
more.

Viruses
A virus is a set of malicious code that attaches itself to a host application. The host application
must be executed to run, and the malicious code executes when the host application is executed.
The virus tries to replicate by finding other host applications to infect with the malicious code. At
some point, the virus activates and delivers its payload. Typically, the payload of a virus is
damaging. It may delete files, cause random reboots, join the computer to a botnet, or enable
backdoors that attackers can use to access systems remotely.

Worms
A worm is self-replicating malware that travels throughout a network without the assistance of a
host application or user interaction. A worm resides in memory and is able to use different
transport protocols to travel over the network. One of the significant problems caused by worms
is that they consume network bandwidth. Worms can replicate themselves hundreds of times and
spread to all the systems in the network. Each infected system tries to locate and infect other
systems on the network, and network performance can slow to a crawl.

Logic Bombs

A logic bomb is a string of code embedded into an application or script that executes in response to an event. The event may be a specific date or time, a user launching a specific program, or any other condition the programmer decides on (a classic example is code that triggers when the author's account is removed from the payroll system).

Backdoors

A backdoor provides another way of accessing a system, similar to how a backdoor in a house
provides another method of entry. Malware such as Trojans often install backdoors on systems to
bypass normal authentication methods.
Application developers often code backdoors into applications, but this practice is not
recommended. For example, an application developer might create a backdoor within an
application intended for maintenance purposes. However, if attackers discover the backdoor,
they can use it to access the application.

Trojan
A Trojan appears to be something useful but includes a malicious component, such as installing
a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also
infect systems from rogueware, pirated software, games, or infected USB drives.

Botnets

A botnet combines the words robot and network. It includes multiple computers that act as
software robots and function together in a network (such as the Internet), often for malicious
purposes. The computers in a botnet are called zombies and they will do the bidding of whoever
controls the botnet.
Bot herders are criminals who manage botnets. They attempt to infect as many computers as
possible and control them through one or more servers running command-and-control software.
The infected computers periodically check in with the command-and-control servers, receive
direction, and then go to work. The user is often unaware of the activity.
Most computers join a botnet through malware infection. For example, a user could download
pirated software with a Trojan or click a malicious link, resulting in a drive-by download. The
malware then joins the system to a botnet.

Some of the instructions sent by the command-and-control servers include:

• Send spam.
• Launch a distributed denial-of-service attack.
• Download additional malware, adware, or spyware such as keyloggers.

Rootkits
A rootkit is a group of programs (or, in rare instances, a single program) that hides the fact that
the system has been infected or compromised by malicious code. A user may suspect something
is wrong, but antivirus scans and other checks may indicate everything is fine because the rootkit
hides its running processes to avoid detection.
In addition to modifying the internal operating system processes, rootkits often modify system
files such as the Registry. In some cases, the rootkit modifies system access, such as removing
users’ administrative access.
Rootkits have system-level access to systems. This is sometimes called root-level access, or
kernel-level access, indicating that they have the same level of access as the operating system.
Spyware
Spyware is software installed on users' systems without their awareness or consent. Its purpose is often to monitor the user's computer and the user's activity. Spyware takes some level of control over the user's computer to learn information and sends this information to a third party. If spyware can access a user's private data, it results in a loss of confidentiality.
Some examples of spyware activity are changing a user’s home page, redirecting web browsers,
and installing additional software, such as search engines. In some situations, these changes can
slow a system down, resulting in poorer performance.

Adware

When adware first emerged, its intent was usually to learn a user's habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware. However, some traditional adware still exists.
A common type of adware is pop-ups. For example, while you are visiting a site, another browser window appears, or pops up, with an advertisement. These pop-up windows aren't malicious, but they are annoying.
Sometimes pop-ups can be helpful. As a legitimate example, an online bank may offer interest-rate information that pops up in another window when you click the link, without taking you away from the page you are viewing.

Ransomware

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key. Offline, tested backups are the main defence once encryption has happened.

Well known attacks

Dos attack
A denial of service (DoS) attack is intended to make a computer's resources or services unavailable to users. In other words, it prevents a server from operating or responding to normal requests. A DoS attack comes from a single attacker.

syn flood attack


It is a common DoS attack used against servers on the internet. It disrupts the TCP handshake process and can prevent legitimate clients from connecting. In a SYN flood attack the attacker never completes the handshake by sending the final ACK packet. Additionally, the attacker sends a barrage of SYN packets (often with spoofed source addresses, so the SYN-ACKs go nowhere), leaving the server with many half-open connections that exhaust its connection table. SYN cookies and a short half-open timeout are the usual server-side mitigations.

DDOS attack
A denial-of-service (DoS) attack is an attack from one attacker against one target. A distributed
denial-of-service (DDoS) attack is an attack from two or more computers against a single target.
DDoS attacks often include sustained, abnormally high network traffic on the network interface
card of the attacked computer. Other system resource usage (such as the processor and memory
usage) will also be abnormally high. The goal of both is to prevent legitimate users from
accessing services on the target computer. Many DoS and DDoS attacks attempt to consume
resources on the target computer. For example, a SYN (synchronize) flood attack consumes
memory resources by flooding a system with half-open connections.

Brute Force Attacks


A brute force attack tries all possible character combinations until the password is found; it is a trial-and-error method. In the logs it shows up as many login failures from one source, possibly followed by a successful login. One of the best protections against offline brute force attacks (against stolen password hashes) is to use long, complex passwords.
Account lockout policies are effective against online brute force attacks (against a live login service).
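
The brute-force pattern above ("multiple login failures followed by a successful login") and the account-lockout countermeasure, as an added Python example that is not part of the original notes. The sshd-style log lines are constructed; `brute_force_success` is the detection rule a SIEM would run, and `apply_lockout` replays the same events under an assumed lockout policy (3 failures in a minute locks the account for 15 minutes) to show that the attacker's eventual success would have been refused.

```python
"""Detect online brute force in SSH auth logs and simulate account lockout."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines (syslog format, no year); not from a real host.
AUTH_LOG = """\
May  1 10:00:01 web01 sshd[2001]: Failed password for admin from 198.51.100.7 port 40001 ssh2
May  1 10:00:03 web01 sshd[2002]: Failed password for admin from 198.51.100.7 port 40002 ssh2
May  1 10:00:05 web01 sshd[2003]: Failed password for admin from 198.51.100.7 port 40003 ssh2
May  1 10:00:07 web01 sshd[2004]: Failed password for admin from 198.51.100.7 port 40004 ssh2
May  1 10:00:09 web01 sshd[2005]: Failed password for admin from 198.51.100.7 port 40005 ssh2
May  1 10:00:11 web01 sshd[2006]: Accepted password for admin from 198.51.100.7 port 40006 ssh2
May  1 10:02:00 web01 sshd[2007]: Failed password for bob from 10.1.1.25 port 50001 ssh2
May  1 10:02:30 web01 sshd[2008]: Accepted password for bob from 10.1.1.25 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_auth_log(text, year=2024):
    """Parse sshd auth lines; syslog omits the year, so it is supplied (assumed 2024)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "success": m["result"] == "Accepted"})
    return events


def brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold failures followed by a success within window."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if not ev["success"]:
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "success_at": ev["ts"]})
        failures[key].clear()          # a success resets the failure run
    return alerts


def apply_lockout(events, max_failures=3, window=timedelta(minutes=1),
                  lock_for=timedelta(minutes=15)):
    """Replay events under a lockout policy; returns (ts, user, outcome) per attempt."""
    recent = defaultdict(list)         # user -> recent failure times
    locked_until = {}
    outcomes = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user in locked_until and ev["ts"] < locked_until[user]:
            outcomes.append((ev["ts"], user, "locked"))   # refused regardless of password
            continue
        if ev["success"]:
            outcomes.append((ev["ts"], user, "success"))
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window] + [ev["ts"]]
        outcomes.append((ev["ts"], user, "fail"))
        if len(recent[user]) >= max_failures:
            locked_until[user] = ev["ts"] + lock_for
            recent[user].clear()
    return outcomes


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print("alerts:", brute_force_success(evs))
    for ts, user, outcome in apply_lockout(evs):
        print(ts.time(), user, outcome)
```

Keying the detection on (source, user) rather than on the user alone keeps a distributed attack from one account across many sources from hiding in the noise of one source; in practice you would run a second rule keyed only on the user to catch that case.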

ARP(ADDRESS RESOLUTION PROTOCOL)


The MAC address is the physical address, or hardware address, assigned to the network interface card (NIC). ARP resolves the IP addresses of systems to their hardware address and stores the result in an area of memory known as the ARP cache.
TCP/IP uses the IP address to get a packet to the destination network. Once the packet arrives on the destination network, it uses the MAC address to get it to the correct host. ARP uses two primary messages:
ARP request. The ARP request broadcasts the IP address and essentially asks, "Who has this IP address?"
ARP reply. The computer with the IP address in the ARP request responds with its MAC address. The computer that sent the ARP request caches the MAC address for the IP. In many operating systems, all computers that hear the ARP reply also cache the MAC address.

ARP Poisoning Attack


Address Resolution Protocol (ARP) poisoning (also called ARP spoofing) is an attack that misleads computers or switches about the actual MAC address of a system. Because ARP has no authentication, an attacker on the same LAN can send forged ARP replies claiming, for example, the gateway's IP address, so victims send their traffic to the attacker's MAC address (enabling man-in-the-middle or denial of service).
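
A host-side detector for the attack just described, as an added Python example that is not part of the original notes. It watches ARP replies (the list of observations is constructed, not a real capture) and raises an alert when an IP's MAC changes, when one MAC starts answering for several IPs, or when a reply contradicts an assumed static entry for the gateway.

```python
"""Detect ARP poisoning from observed ARP replies."""
from collections import defaultdict

# Assumed static entry an admin would pin for the gateway on critical hosts.
STATIC_ENTRIES = {"10.1.1.1": "00:0a:83:ab:cf:67"}

# Constructed ARP reply observations (time, sender IP, sender MAC); not a real capture.
ARP_REPLIES = [
    (1, "10.1.1.1",  "00:0a:83:ab:cf:67"),   # real gateway answers
    (2, "10.1.1.20", "00:0a:83:11:22:33"),   # ordinary host
    (3, "10.1.1.1",  "00:0a:83:ab:cf:67"),
    (4, "10.1.1.1",  "00:0a:83:de:ad:01"),   # attacker claims the gateway IP
    (5, "10.1.1.20", "00:0a:83:de:ad:01"),   # same attacker claims the victim IP too
    (6, "10.1.1.30", "00:0a:83:44:55:66"),
]


class ArpMonitor:
    def __init__(self, static=STATIC_ENTRIES):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.cache = {}                        # ip -> mac, like the host's ARP cache
        self.ips_by_mac = defaultdict(set)     # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Feed one ARP reply; appends alerts for anything inconsistent."""
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append({"ts": ts, "type": "static_violation", "ip": ip,
                                "expected": self.static[ip], "seen": mac})
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append({"ts": ts, "type": "mac_changed", "ip": ip,
                                "old": old, "new": mac})
            self.ips_by_mac[old].discard(ip)
        self.cache[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            self.alerts.append({"ts": ts, "type": "mac_claims_multiple_ips", "mac": mac,
                                "ips": sorted(self.ips_by_mac[mac])})


def analyze(replies, static=STATIC_ENTRIES):
    """Run every observation through a fresh monitor and return its alerts."""
    mon = ArpMonitor(static)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(ARP_REPLIES):
        print(alert)
```

A MAC change on its own is not proof of an attack (a replaced NIC or a failover gateway pair produces the same event), which is why the static-entry and multiple-IP checks are kept separate: the combination of all three on the gateway address within seconds is what an analyst should treat as poisoning.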

Zero-Day Attacks
A zero-day attack is one that exploits an undocumented vulnerability. Many times, the vendor
isn’t aware of the issue. At some point, the vendor learns of the vulnerability and begins to write
and test a patch to eliminate it. However, until the vendor releases the patch, the vulnerability is
still a zero-day vulnerability.

Buffer Overflows and Buffer Overflow Attacks


A buffer overflow occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible. Normally, an application will write input only into a specific area of memory, called a buffer. The buffer overflow lets the input spill into memory locations beyond the buffer, enabling an attacker to overwrite adjacent data (such as a saved return address) and place malicious code or a jump to it in that memory.
As an example, an application may be expecting to receive a string of 15 characters for a username. If input validation is not used and it receives more than 15 characters, it can cause a buffer overflow and corrupt adjacent memory.

Buffer overflows occur when an application receives more data than it can handle, or receives unexpected data that exposes system memory. Buffer overflow attacks often include a run of NOP instructions (0x90 on x86, a "NOP sled") followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation (checking length before copying) helps prevent buffer overflow attacks, and platform protections such as stack canaries, non-executable stacks and ASLR make exploitation harder.

SQL Injection Attack


SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL
statements (also commonly referred to as a malicious payload) that control a web application’s
database server (also commonly referred to as a Relational Database Management System –
RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web
application that makes use of an SQL-based database, the vulnerability is one of the oldest, most
prevalent and most dangerous of web application vulnerabilities.
How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first find an input
within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly include
user input within an SQL statement. An attacker can then insert a payload that will be included as
part of the SQL query and run against the database server.
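
The vulnerable pattern just described beside its fix, as an added Python example that is not part of the original notes. It uses an in-memory SQLite database with two constructed accounts: `login_vulnerable` concatenates user input into the statement exactly as the text warns against, `login_safe` uses placeholders, and the two classic payloads show the difference in what each returns.

```python
"""SQL injection: string-built query versus parameterized query, on SQLite."""
import sqlite3


def make_db():
    """In-memory database with two constructed users (plain text passwords only
    to keep the example short; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is concatenated straight into the SQL: the injection point."""
    query = ("SELECT id, username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Placeholders keep the input as data; a quote in the payload never becomes SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Payloads an attacker would type into the login form.
PAYLOAD_COMMENT = "alice' --"     # closes the string and comments out the password check
PAYLOAD_TAUTOLOGY = "' OR '1'='1"  # makes the WHERE clause true for every row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload:  ", login_vulnerable(db, PAYLOAD_COMMENT, "wrong"))
    print("vulnerable, tautology payload:", login_vulnerable(db, "x", PAYLOAD_TAUTOLOGY))
    print("safe, comment payload:        ", login_safe(db, PAYLOAD_COMMENT, "wrong"))
    print("safe, real credentials:       ", login_safe(db, "alice", "correct-horse"))
```

With the comment payload the vulnerable query becomes `... WHERE username = 'alice' --' AND password = 'wrong'`, so the password clause is ignored and alice's row comes back; with the tautology payload every row comes back, because AND binds tighter than OR. The parameterized version returns nothing for either payload and still works for genuine credentials.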

Cross-Site Scripting

Cross-site scripting (XSS) is another web application vulnerability that can be prevented with input validation and output encoding. Attackers inject malicious HTML or JavaScript into a web page, either stored on the site (stored XSS) or reflected from a crafted link, for example through an error message that echoes user input back into the page (reflected XSS). When another user's browser renders the page, the injected script runs in that user's session with the site's origin. Many times this gives the attacker access to the user's cookies or other information about the user.

Cross-Site Request Forgery (XSRF)

Cross-site request forgery (XSRF or CSRF) is an attack where an attacker tricks a user into performing an action on a web site on which the user is already authenticated. The attacker creates a specially crafted HTML link or form; when the victim's browser follows it, the browser automatically attaches the site's session cookie, so the user performs the action without realizing it. Anti-CSRF tokens and SameSite cookies are the standard defences.

Phishing

Phishing is the practice of sending email to users with the purpose of tricking them into
revealing personal information or clicking on a link. A phishing attack often sends the user to a
malicious web site that appears to the user as a legitimate site.
The classic example is where a user receives an email that looks like it came from eBay,
PayPal, a bank, or some other well-known company. The “phisher” doesn’t know if the recipient
has an account at the company, just as a fisherman doesn’t know if any fish are in the water
where he casts his line. However, if the attacker sends out enough emails, the odds are good that
someone who receives the email has an account.
The email may look like this:
“We have noticed suspicious activity on your account. To protect your privacy, we will
suspend your account unless you are able to log in and validate your credentials. Click here to
validate your account and prevent it from being locked out.”

Spear Phishing
Spear phishing is a targeted form of phishing. Instead of sending the email out to everyone
indiscriminately, a spear phishing attack attempts to target specific groups of users, or even a
single user. Spear phishing attacks may target employees within a company or customers of a
company.

Whaling
Whaling is a form of spear phishing that attempts to target high-level executives.

Vishing

Vishing attacks use the phone system to trick users into giving up personal and financial
information. It often uses Voice over IP (VoIP) technology and tries to trick the user similar to
other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it appear as
though the call came from a real company.

Privilege Escalation
Privilege escalation occurs when a user or process accesses elevated rights and permissions.
When attackers first compromise a system, they often have minimal privileges. However,
privilege escalation tactics allow them to get more and more privileges.

Social Engineering attacks


Social engineering is the practice of using social tactics to gain information. It’s often low-tech
and encourages individuals to do something they wouldn’t normally do, or causes them to reveal
some piece of information, such as user credentials.

Shoulder Surfing
Shoulder surfing is simply looking over the shoulder of someone to gain information. The goal is
to gain unauthorized information by casual observation, and it’s likely to occur within an office
environment. This can be to learn credentials, such as a username and password, or a PIN used
for a smart card or debit card. Recently, attackers have been using cameras to monitor locations
where users enter PINs, such as at automatic teller machines (ATMs).

Dumpster Diving
Dumpster diving is the practice of searching through trash or recycling containers to gain
information from discarded documents. Many organizations either shred or burn paper instead of
throwing it away.
Impersonating
Some social engineers often attempt to impersonate others. The goal is to convince an authorized
user to provide some information, or help the attacker defeat a security control.

INCIDENT LIFE CYCLE

There are 6 phases in the incident life cycle.

The incident response phases are:

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

1. Preparation
This is the incident response planning phase and, in the end, the most crucial phase for protecting your business. Part of this phase includes:
Ensure employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach. Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate the incident response plan.

Ensure that all aspects of your incident response plan (training, execution, hardware and software
resources, etc.) are approved and funded in advance

Your response plan should be well documented, thoroughly explaining everyone’s roles and
responsibilities. Then the plan must be tested in order to assure that your employees will
perform as they were trained. The more prepared your employees are, the less likely they’ll
make critical mistakes.

2. Identification
This is the process where you determine whether you’ve been breached. A breach, or incident,
could originate from many different areas.
It’s important to discover the breach quickly, where it’s coming from, and what it has affected.

3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything so
you can just get rid of it. However, that will likely hurt you in the long run since you’ll be
destroying valuable evidence that you need to determine where the breach started and devise a
plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you
can, disconnect affected devices from the Internet. Have short-term and long-term containment
strategies ready. It’s also good to have a redundant system back-up to help restore business
operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access protocols
(requiring mandatory multi-factor authentication), change all user and administrative access
credentials and harden all passwords.

4. Eradication
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach.
This means all malware should be securely removed, systems should again be hardened and
patched, and updates should be applied.
Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace
of malware or security issues remain in your systems, you may still be losing valuable data, and
your liability could increase.

5. Recovery
This is the process of restoring and returning affected systems and devices back into your
business environment. During this time, it’s important to get your systems and business
operations up and running again without the fear of another breach.

6. Lessons Learned
Once the investigation is complete, hold an after-action meeting with all Incident Response
Team members and discuss what you’ve learned from the data breach. This is where you will
analyze and document everything about the breach. Determine what worked well in your
response plan, and where there were some holes. Lessons learned from both mock and real
events will help strengthen your systems against the future attacks.

Qradar SIEM Architecture


ECS (Event Collection System) is the core service responsible for event collection and event processing in QRadar.
ECS is comprised of three core components:
Event Collector component
The Event Collector collects logs and performs the following activities:

1. Parsing: converting the unstructured text of a log line into structured fields (source IP, user, event name, etc.).
2. Aggregation (Coalescing): merging events that are identical in their key fields (same source, destination, user and event name) within a short interval into one event with a count, to save disk space and EPS (events per second) licence.
3. Normalization: mapping the parsed events into common categories so that events from different products can be handled by the same rules.
Eg: Authentication, System, User.

Event Processor component


Custom Rules Engine (CRE): The Custom Rules Engine (CRE) is responsible for
processing events received by QRadar and comparing them against defined rules, keeping
track of systems involved in incidents over time, generating notifications to users and
generating offenses.
• Streaming: Responsible for sending real-time event data to the Console when a user is
viewing events from the Log Activity tab with Real time (streaming).
Streamed events are not provided from the database.
• Event storage (Ariel): A time series database for events and flows where data is stored
on a minute by minute basis. Data is stored where the event is processed.

Magistrate component (Console only)

The Magistrate Processing Core (MPC) correlates offenses with the event notifications
coming from multiple Event Processor (EP) components. Only the Console has a Magistrate
component.

• Offense rules: monitor offenses and take actions on them, such as generating e-mail
notifications.
• Offense management: updates active offenses, transitions inactive offenses to active, and
provides access to offense information to the user through the Offenses tab.
• Offense storage: writes offense data to a PostgreSQL database.

Phases of Hacking

Reconnaissance
Reconnaissance is the phase where the attacker gathers information about a target by passive
means (public records, DNS, search engines, social media) or active means (sending packets
to the target). Tools widely used in this phase are Nmap, hping, Maltego and Google Dorks;
note that Nmap and hping touch the target and are therefore active reconnaissance.

Scanning
The attacker actively probes the target machine or network for open services and
vulnerabilities that can be exploited. Tools used in this phase are Nessus, Nexpose and Nmap.

Gaining Access
A vulnerability is located and the attacker attempts to exploit it to get into the system.
The primary tool used in this phase is Metasploit.

Maintaining Access
The hacker has already gained access to the system and installs backdoors (persistence) so
that the owned system can be re-entered later without repeating the exploit. Metasploit is
the preferred tool in this phase as well.

Clearing Tracks
The attacker deletes or alters the logs of all activity that took place during the intrusion
to avoid detection. In an authorized test this is done only as far as the rules of engagement
permit. It is also one of the reasons a SOC forwards logs to the SIEM in near real time
rather than relying on logs left on the compromised host.

Reporting
Reporting is the last step of the ethical hacking process. The ethical hacker compiles a
report covering the work done: tools used, vulnerabilities found, the exploitation steps,
their success rate and remediation advice.

Cyber Kill Chain

The Cyber Kill Chain framework (developed by Lockheed Martin) is a model for identifying and
preventing cyber-attacks by breaking an intrusion into seven sequential stages; a defence
that breaks any one stage stops the chain.

What are the steps?

1. Reconnaissance: attackers gather information on the target. Much of the information is
readily available to the public.
2. Weaponization: attackers build a malicious payload for the victim (for example, an exploit
bundled with a backdoor into a document). The victim is not involved and is unaware.
3. Delivery: attackers transmit the weapon to the victim. The delivery method can take many
forms, such as a phishing e-mail, a malicious website or USB media.
4. Exploitation: the payload triggers a vulnerability and compromises the target. The victim
may still be unaware.
5. Installation: attackers install malware on the compromised host to gain persistence.
6. Command and control (C2): the implant calls back to the attackers' infrastructure, and the
adversary operates internal assets remotely through it.
7. Actions on objectives: attackers carry out their end goal (data theft, destruction, moving
on to other targets). The active attack process can take months.

Threats
A threat is a potential danger: any circumstance or event that can compromise the
confidentiality, integrity or availability of data or a system.

Malicious Insider Threat

A malicious insider is anyone who has legitimate access to an organization's internal
resources but exploits that access for personal gain or to damage the company. Because the
access itself is legitimate, perimeter controls do not stop it; detection depends on
monitoring what the account does (unusual data access, off-hours activity, privilege
changes). This person's actions can compromise confidentiality, integrity and availability.

Vulnerabilities
A vulnerability is a flaw or weakness in software or hardware, or a weakness in a process,
that could be exploited, resulting in a security breach. Just because a vulnerability exists
does not mean it will be exploited, only that it can be.
Examples of vulnerabilities include:
Lack of updates. If systems are not kept up to date with patches, hotfixes and service packs,
they remain exposed to known bugs and flaws in the software.
Default configurations. If the defaults in hardware and software configurations are not
changed, they are susceptible to attack. Similarly, default usernames and passwords are
susceptible to attack if they are not changed.
Lack of malware protection or updated definitions. If antivirus and anti-spyware protection
is not used and kept up to date, systems are vulnerable to malware attacks.
No firewall. If personal and network firewalls are not enabled or configured properly,
systems are more vulnerable to network and Internet-based attacks.
Lack of organizational policies. If separation of duties, mandatory vacations and job
rotation policies are not implemented, an organization is more susceptible to fraud and
collusion by employees.

A vulnerability assessment is prioritized by the severity of the vulnerabilities and their
ability to affect high-value assets. It checks for the existence of security controls such
as a password policy and can include a user rights and access review to identify unused
accounts, or accounts with unneeded permissions. A vulnerability assessment identifies these
issues but does not make changes; remediation is a separate step.

Risks
A risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a
weakness, and a threat is a potential danger. The result is a negative impact on the
organization. Impact refers to the magnitude of harm that can be caused if a threat
exercises a vulnerability.
For example, a system without up-to-date antivirus software is vulnerable to malware.
Malware written by malicious attackers is the threat. The likelihood that the malware will
reach a vulnerable system represents the risk. Depending on what the malware does, the
impact may be an unbootable computer, loss of data, or a remote-controlled computer that
has joined a botnet.

A risk assessment identifies assets, asset values, threats and vulnerabilities. It
prioritizes the results and makes recommendations on what controls to implement. Risk can be
reduced, transferred or accepted, but it cannot be eliminated.

RISK = Threat × Vulnerability

This is a qualitative relationship rather than arithmetic: if either factor is zero there is
no risk. Many frameworks add impact as a third factor (Risk = Threat × Vulnerability × Impact)
or express the same idea as Risk = Likelihood × Impact.

Basic Network commands

A typical troubleshooting sequence: use ipconfig to find your own IP address and the default
gateway (router) address, ping the gateway to check that it responds, and then use tracert
to see where along the path packets are lost. Ping is fast but only tells you whether the
end host answered; tracert, covered below, shows the hops in between.

1->hostname (How do I find my system name)

Displays the host name (your computer's name).

2->ipconfig (How do I find my IP address)

Lists all the network adapters on your computer with their IP address, subnet mask and
default gateway. Look under "Wireless LAN adapter" if you are connected to Wi-Fi or
"Ethernet adapter" if you are connected to a wired network. For more detail (MAC address,
DHCP server, DNS servers) use ipconfig /all.

3->ping (Packet InterNet Groper) (How do I find out whether a server is up or down)
Sends ICMP Echo Request messages to a host to check whether it is reachable on the TCP/IP
network and to measure the round-trip time, which helps locate network problems. A host that
is up but blocks ICMP at its firewall will not reply, so "no reply" does not always mean
"down".

Example: ping google.com

So what happens when we ping a machine?

• The source sends an ICMP Echo Request message to the destination.
• The ping program sets an identifier (so it can tell its own replies apart from other
processes') and a sequence number that is incremented with each Echo Request. It also sets
the TTL (Time To Live) of the IP packet.
• Ping inserts the sending time in the data section of the message.
• If the host is alive and responding, it sends an ICMP Echo Reply back to the source with
the same identifier, sequence number and data.
• Ping notes the arrival time of the reply, reads the sending time out of the data section
and calculates the round-trip time (RTT).
• It then increments the sequence number and sends a new Echo Request. This continues for
the number of requests set by the user (4 by default on Windows; until interrupted on
Linux) or until the program is terminated.

All the replies are then summarized and displayed: number of packets transmitted and
received, percentage of packet loss, total time taken, and the minimum, average and
maximum round-trip time.
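The exchange described above in code, as an added example that is not part of the original
notes: it builds an ICMP Echo Request exactly as the bullets describe (type, code, checksum,
identifier, sequence number, and the send timestamp in the data section), lets a simulated
host turn it into an Echo Reply, then verifies the checksum, identifier and sequence before
computing the RTT. Everything runs on constructed bytes; sending these packets for real
needs a raw socket and administrator privileges. The identifier value and the 8-byte
timestamp payload are assumptions.

```python
"""ICMP Echo Request/Reply built and parsed by hand, with RTT and loss statistics.
Added example, not from the original notes. Operates on constructed bytes only."""
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pad odd length with a zero byte)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, send_time: float) -> bytes:
    """Header: type(1) code(1) checksum(2) id(2) seq(2); data: 8-byte send timestamp."""
    payload = struct.pack('!d', send_time)
    header = struct.pack('!BBHHH', ICMP_ECHO_REQUEST, 0, 0, ident, seq)  # checksum zero while computing
    csum = icmp_checksum(header + payload)
    return struct.pack('!BBHHH', ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def host_reply(request: bytes) -> bytes:
    """What a live host does: echo id, seq and data back with the type changed to Echo Reply."""
    _, code, _, ident, seq = struct.unpack('!BBHHH', request[:8])
    payload = request[8:]
    header = struct.pack('!BBHHH', ICMP_ECHO_REPLY, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack('!BBHHH', ICMP_ECHO_REPLY, code, csum, ident, seq) + payload


def parse_reply(packet: bytes, ident: int, seq: int, recv_time: float):
    """Return the RTT in ms, or None if the packet is corrupt or is not the reply we sent for."""
    if len(packet) < 16 or icmp_checksum(packet) != 0:  # a valid packet sums to zero
        return None
    ptype, _, _, pid, pseq = struct.unpack('!BBHHH', packet[:8])
    if ptype != ICMP_ECHO_REPLY or pid != ident or pseq != seq:
        return None
    (send_time,) = struct.unpack('!d', packet[8:16])
    return (recv_time - send_time) * 1000.0


def ping_summary(rtts):
    """The statistics ping prints: sent, received, loss %, min/avg/max RTT."""
    sent = len(rtts)
    got = [r for r in rtts if r is not None]
    loss = 100.0 * (sent - len(got)) / sent if sent else 0.0
    if not got:
        return {'sent': sent, 'received': 0, 'loss_pct': loss}
    return {'sent': sent, 'received': len(got), 'loss_pct': loss,
            'min_ms': min(got), 'avg_ms': sum(got) / len(got), 'max_ms': max(got)}


def simulate_ping(count=4, ident=0x1234, drop_seq=()):
    """Send `count` Echo Requests to the simulated host; sequence numbers in drop_seq get no reply."""
    rtts = []
    for seq in range(1, count + 1):
        t0 = time.monotonic()
        req = build_echo_request(ident, seq, t0)
        reply = None if seq in drop_seq else host_reply(req)
        rtts.append(None if reply is None else parse_reply(reply, ident, seq, time.monotonic()))
    return ping_summary(rtts)


if __name__ == '__main__':
    print(simulate_ping(count=4, drop_seq=(3,)))
```

Two details worth noticing: the checksum is computed with the checksum field set to zero, and
verifying a received packet means summing it checksum-included and expecting zero; and the
identifier/sequence check is what stops ping from accepting a stray reply meant for another
process.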

4->tracert (How do I find the path packets take to a destination across multiple hops)

The tracert command shows the path a packet takes to its destination and the number of hops
required to get there.

Every IP packet you send on the Internet has a field called TTL, which stands for Time To
Live. Despite the name it is not measured in seconds but in hops: it is the maximum number
of routers a packet may pass through before it is discarded.

Each router decrements the TTL by one as it forwards the packet. When the TTL reaches zero
the router drops the packet and sends an ICMP Time Exceeded message back to the source.
tracert exploits this: it sends a probe with TTL 1 (which the first router reports), then
TTL 2 (reported by the second router), and so on until the destination itself answers. The
sequence of routers that replied is the path. A hop that drops the packet without answering
shows as * (Request timed out). Windows tracert sends ICMP Echo Requests as probes; Linux
traceroute sends UDP packets by default.

Hops are the routers, or any other layer-3 devices, that sit between the source and the
destination.
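The TTL mechanism above as a simulation, added here and not part of the original notes: a
constructed path of routers forwards a probe, each hop decrementing the TTL, and whichever
router brings it to zero answers with Time Exceeded (or stays silent, producing the * line),
while a probe whose TTL survives the whole path gets an Echo Reply from the destination.
Router addresses, the path and the 30-hop limit are assumptions.

```python
"""How tracert maps a path with increasing TTL values.
Added example, not from the original notes. The path is constructed."""

# Constructed path of routers in front of the destination. A hop with replies=False
# forwards packets but never sends ICMP errors back (the "* * *" line in tracert output).
PATH = [
    {'ip': '192.168.1.1', 'replies': True},
    {'ip': '10.10.0.1', 'replies': True},
    {'ip': '172.16.5.9', 'replies': False},
    {'ip': '203.0.113.7', 'replies': True},
]
DESTINATION = '198.51.100.20'


def send_probe(ttl, path=PATH, destination=DESTINATION):
    """Forward one probe hop by hop. Each router decrements TTL; the router that takes it
    to zero discards the packet and, if it is configured to, reports Time Exceeded."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return ('time_exceeded', hop['ip']) if hop['replies'] else ('timeout', None)
    return ('echo_reply', destination)  # TTL survived the whole path: the destination answers


def tracert(path=PATH, destination=DESTINATION, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and return [(hop_number, ip_or_None)],
    stopping at the destination's Echo Reply or at max_hops."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, ip = send_probe(ttl, path, destination)
        hops.append((ttl, ip))
        if kind == 'echo_reply':
            break
    return hops


def format_tracert(hops):
    """Render the hop list the way tracert prints it."""
    return '\n'.join('%2d  %s' % (n, ip if ip else '* * *  Request timed out.') for n, ip in hops)


if __name__ == '__main__':
    print(format_tracert(tracert()))
```

Hop 3 comes back as a timeout but the trace still continues and completes, which is the
behaviour you see in practice: a silent hop is not the same as a broken path, and only a
trace that never reaches an Echo Reply (or hits max_hops) indicates packets are being lost.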
5->netstat
Displays active TCP connections, the ports on which the computer is listening, Ethernet
statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols)
and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Used
without parameters, netstat displays active TCP connections.

Specifically, netstat can show details about individual network connections and overall and
protocol-specific statistics, which helps troubleshoot many kinds of networking issues. From
a security point of view, netstat -ano (all sockets, numeric addresses, owning process ID)
is the first thing to run when looking for an unexpected listening port or an outbound
connection to an unknown host.
6->pathping
Provides information about network latency and packet loss at the intermediate hops between
a source and a destination. pathping sends multiple Echo Request messages to each router
between source and destination over a period of time and then computes results from the
packets returned by each router.

When you run pathping it first displays the hops it passes through, essentially the same
output as tracert. Once the trace is complete, pathping shows a "Computing statistics"
message for a period that depends on the number of hops (by default 100 queries per hop,
250 ms apart, so about 25 seconds per hop), while it gathers the loss and latency figures
for each router and for the links between them.
7->arp
Displays and modifies the ARP cache, the table of IP-address-to-MAC-address mappings the
machine has learned (arp -a lists it; arp -d removes an entry). If the MAC address recorded
for the default gateway's IP suddenly changes, suspect ARP spoofing.

8->nslookup
Displays information that you can use to diagnose Domain Name System (DNS) infrastructure:
which address a name resolves to, and which DNS server answered. Before using this tool you
should be familiar with how DNS works.

9->getmac

Windows command used to show both local and remote MAC addresses. When run with no
parameters (getmac) it displays the MAC addresses of the local system. With the /s parameter
(e.g. getmac /s \\foo) it displays the MAC addresses of the remote computer. With the /v
parameter it also displays the associated connection name and network adapter name.

10->telnet
Telnet is a remote terminal protocol (TCP port 23) and client that lets a user log in to
another computer such as a server or network device to manage it, configure it, transfer
files and so on. It sends everything, including passwords, in plaintext, so it should not be
used for administration today (use SSH instead); the client remains useful, however, for
checking whether a TCP port on a remote host accepts connections.

If the ping test passes, it means your client machine can reach the server machine. This
does NOT mean you can connect to the service on it: a firewall may allow ICMP but block the
service port, or the service may not be listening.

Once the ping test passes, use telnet to test whether your client machine can open a TCP
connection to the server's port. Use the following steps to perform this test:

• Type the following in the console (command prompt) window

telnet serverOne 1433

(1433 is the default Microsoft SQL Server port.) A blank screen means the TCP connection
was opened; "Could not open connection to the host" means it was not.

IMPORTANT: From Windows Vista and Windows 7 onwards, Microsoft does not install the Telnet
client by default. You have to enable it manually under "Turn Windows features on or off",
or use the PowerShell equivalent, Test-NetConnection -ComputerName serverOne -Port 1433.
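The same port test done with a plain TCP connect, as an added example (not from the original
notes), for machines where the Telnet client is missing. A throwaway listener on the loopback
address stands in for "serverOne" so that the example runs offline, and it distinguishes the
three outcomes a practitioner cares about: connected, refused (host up, nothing listening)
and timed out (typically filtered by a firewall). The 3-second timeout is an assumption.

```python
"""TCP port reachability check, the 'telnet host port' test without telnet.
Added example, not from the original notes. Uses a local listener so it runs offline."""
import socket
import threading


def check_tcp_port(host, port, timeout=3.0):
    """Return (True, None) if a TCP handshake completes, otherwise (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except socket.timeout:
        return False, 'timeout (host may answer ping but the port is filtered or not listening)'
    except ConnectionRefusedError:
        return False, 'connection refused (host up, nothing listening on that port)'
    except OSError as e:
        return False, 'error: %s' % e


def start_listener(port=0):
    """Local stand-in for the server; returns (bound_port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', port))  # port 0 lets the OS pick a free one
    srv.listen(1)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def demo():
    """Test one open port and one closed port on loopback; returns both results."""
    port, stop = start_listener()
    open_result = check_tcp_port('127.0.0.1', port)
    stop()
    # Find a port nothing listens on: bind to 0, note the number, release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(('127.0.0.1', 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    closed_result = check_tcp_port('127.0.0.1', closed_port)
    return open_result, closed_result


if __name__ == '__main__':
    for label, result in zip(('open port', 'closed port'), demo()):
        print(label, result)
```

Against a real server replace '127.0.0.1' with the host name and the port with 1433; a
timeout rather than a refusal is the usual sign that a firewall between you and the server
is dropping the SYN.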

Principles of Security / 3 pillars of Security

Confidentiality

Confidentiality ensures that data is viewable only by authorized users. If there is a risk
of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable
to anyone without the key. All data should additionally be protected with access controls
to enforce confidentiality.

Integrity

Integrity is used to verify that data has not been modified; loss of integrity can occur
through unauthorized or unintended changes. Hashing algorithms calculate hashes to verify
integrity: a hash is simply a number created by applying the algorithm to a file or message,
and hashes taken at different times are compared to confirm that the data is unchanged. The
notes list MD5, HMAC and SHA-1; note that MD5 and SHA-1 are no longer collision-resistant
and SHA-256 should be used instead, and that HMAC is a keyed hash, which is what you need
when an attacker who can modify the data could also replace the stored hash.
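Both integrity checks in code, as an added example that is not from the original notes: a
plain SHA-256 hash catches accidental corruption, but an attacker who can rewrite the file
can rewrite the stored hash too, and only the keyed HMAC (with a key the attacker does not
have) still detects the change. The message, key and the attacker's edits are constructed.

```python
"""Integrity verification: plain hash versus keyed HMAC.
Added example, not from the original notes. Inputs are constructed."""
import hashlib
import hmac


def file_hash(data: bytes) -> str:
    """Unkeyed SHA-256 digest (used instead of the MD5/SHA-1 named in the notes)."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, stored_hash: str) -> bool:
    """Compare the hash computed now against one taken earlier (constant-time compare)."""
    return hmac.compare_digest(file_hash(data), stored_hash)


def file_hmac(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag; cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, key: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(file_hmac(data, key), stored_tag)


def scenario():
    """Walk through corruption and deliberate tampering; returns what each check detected."""
    original = b'transfer 100 USD to account 1234\n'
    key = b'constructed-secret-key-kept-away-from-the-host'
    stored_hash = file_hash(original)
    stored_tag = file_hmac(original, key)

    # Accidental corruption (a bit flip): the hash alone catches it.
    corrupted = original.replace(b'100', b'1O0')

    # Deliberate tampering where the attacker also rewrites the stored hash.
    tampered = original.replace(b'1234', b'9999')
    attacker_hash = file_hash(tampered)

    return {
        'hash_detects_corruption': not verify_hash(corrupted, stored_hash),
        'hash_fooled_when_attacker_rewrites_it': verify_hash(tampered, attacker_hash),
        'hmac_still_detects_tampering': not verify_hmac(tampered, key, stored_tag),
        'hmac_accepts_untouched_data': verify_hmac(original, key, stored_tag),
    }


if __name__ == '__main__':
    for check, result in scenario().items():
        print(check, result)
```

This is why file-integrity monitoring stores its baseline hashes (or HMAC tags and key) off
the monitored host, and why log forwarding to the SIEM should be authenticated: the check
is only as trustworthy as the place the reference value lives.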

Availability

Availability means that data and services are accessible when they are needed. For some
companies this simply means that data and services must be available between 8 a.m. and
5 p.m., Monday through Friday. For others it means they must be available twenty-four hours
a day, seven days a week, 365 days a year.

QUESTIONS

• What is your role in your current company?
• What are layer 2 and layer 3 devices?
• Explain the OSI layers.
• Explain the different types of malware.
• When a malware attack happens, what will you do?
• What is the difference between TCP and UDP?
• Which recent malware attack made the news?
• What steps will you take to remediate ransomware?
• Explain the SIEM architecture.
• What are the L1, L2 and L3 roles in your organization, and what does each do?
• What is the most severe breach you have worked on in your organization?
• How do you detect and remediate a DDoS attack?
• What is the 3-way handshake?
• What are the different sources from which you collect logs?
• How will you remediate an SQL injection?
• What types of logs do you come across on a daily basis?
• What is a proxy server?
