Cyber Security Notes
It is a centralized server.
It does Authentication and Authorization.
2. AD (Active Directory):-
AD is the centralized directory service of a Windows domain; the domain controller authenticates users and authorizes their access to resources.
EDR (Endpoint Detection and Response) refers to a category of tools used to detect and investigate threats on endpoints.
EDR is often described as new-generation Antivirus, but it does more than match signatures: it records process, file, network and registry activity on the endpoint so that an analyst can investigate an alert and respond (isolate the host, kill a process, block a hash).
7. MDR: - Managed Detection and Response
8. NDR: - Network Detection and Response
9. WAF: - Web Application Firewall
10. OWASP:- (Open Web Application Security Project)
OWASP publishes the OWASP Top 10, a list of the ten most critical web application security risks.
11. SANS:- (SysAdmin, Audit, Network, Security)
The CWE/SANS Top 25 is a list of the 25 most dangerous software weaknesses.
12. NGFW (Next Generation Firewall):-
NGFW inspects network traffic in both directions (inbound and outbound traffic) and combines classic packet filtering with application awareness, intrusion prevention and other controls.
13. MITRE:- MITRE is a not-for-profit organisation (not MIT). Its ATT&CK knowledge base tells us how attacks take place, step by step, as tactics and techniques; MITRE also runs the CVE programme.
14. DLP (Tool):- Data Loss Prevention.
15. FIM:- File Integrity Monitoring
FIM does not prevent deletion (or) modification of data; it detects it by comparing files against a known-good baseline (hashes, permissions, timestamps) and alerting when something changes.
16. CIA:- Confidentiality Integrity Availability
Addressing (Internet layer)
* MAC address: physical (hardware) address fixed to the interface; it does not change.
* I.P address: logical address, assigned by the network the host is connected to.
* I.P address versions: Version 4 = 32 bit, Version 6 = 128 bit.
* I.P address types: Public IP and Private IP.
Classes:-
C-A:- 0.0.0.0 – 127.255.255.255 (127.0.0.0/8 inside it is reserved for loopback)
C-B:- 128.0.0.0 – 191.255.255.255
C-C:- 192.0.0.0 – 223.255.255.255
C-D:- 224.0.0.0 – 239.255.255.255 (multicast)
C-E:- 240.0.0.0 – 255.255.255.255 (reserved)
Private (I.P):- (RFC 1918)
10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
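The class boundaries and private ranges above are easy to get wrong (the 172.16.0.0/12 range ends at 172.31.255.255, not 172.16.255.255), so here is an added example, not part of the original notes, that classifies an address with Python's standard ipaddress module. The class table and the "bogon" helper are my own construction for the example; the private ranges are the RFC 1918 ones listed above.

```python
import ipaddress

# Classful boundaries by first octet, as in the notes above (class A is
# taken as 0-127; 127.0.0.0/8 inside it is the loopback range).
CLASS_BOUNDS = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255))

# The three RFC 1918 private ranges; note 172.16.0.0/12 runs up to 172.31.x.x.
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def ip_class(addr: str) -> str:
    """Return the classful letter (A-E) for an IPv4 dotted quad."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for letter, low, high in CLASS_BOUNDS:
        if low <= first_octet <= high:
            return letter
    raise ValueError(f"not a classful IPv4 address: {addr}")


def classify(addr: str) -> dict:
    """Describe an IP address: version, bit length, class (v4 only) and scope."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    info = {"address": str(ip), "version": ip.version,
            "bits": 32 if ip.version == 4 else 128}
    if ip.version == 4:
        info["class"] = ip_class(addr)
        if ip.is_loopback:
            info["scope"] = "loopback"
        elif any(ip in net for net in PRIVATE_NETS):
            info["scope"] = "private"
        elif ip.is_multicast:
            info["scope"] = "multicast"      # class D
        elif ip.is_reserved:
            info["scope"] = "reserved"       # class E
        else:
            info["scope"] = "public"
    else:
        # IPv6 has no classes; fc00::/7 (ULA) plays the role of private space.
        if ip.is_loopback:
            info["scope"] = "loopback"
        elif ip.is_private:
            info["scope"] = "private"
        else:
            info["scope"] = "public"
    return info


def is_routable_on_internet(addr: str) -> bool:
    """True only for public unicast addresses. Anything else seen as a
    *source* on the WAN side of a firewall is a bogon and should be dropped."""
    return classify(addr)["scope"] == "public"


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.0.9", "172.32.0.1", "192.168.1.1",
              "8.8.8.8", "127.0.0.1", "224.0.0.1", "2001:4860:4860::8888"):
        print(classify(a))
```

The bogon check is the practical use of this table on a firewall: a packet arriving from the Internet with a private, loopback, multicast or reserved source address is forged or misrouted and can be dropped unconditionally.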
DHCP - Server
(Dynamic Host Configuration Protocol)
DHCP server allocates an IP to the host automatically.
DHCP server uses the DORA process:
D Discover
O Offer
R Request
A Acknowledge
DNS - Server
(Domain Name System)
DNS server converts a Domain Name to an IP address.
First the DNS server (the recursive resolver) checks whether the IP of that
particular domain name is present in its cache. If it is, the resolver
returns the IP from the cache; otherwise it asks the Authoritative name
server for that domain, stores the answer in its cache (for the record's
TTL) and then returns the IP to the client.
DNS Records
A Record:- Converts:- Domain → IP address (IPv4)
AAAA Record:- Converts:- Domain → IP address (IPv6)
PTR Record:- (reverse pointer) Converts:- IP address → Domain
CNAME Record:- Alias of one name to another name. Example:- www.example.com → example.com (the resolver then looks up the A record of the target).
SMTP Server
(Simple Mail Transfer Protocol)
SMTP carries the mail from one server to the next; the receiving mail server verifies SPF, DKIM and DMARC of the message when a mail is sent from one user to another.
SPF:- Sender Policy Framework (a DNS TXT record listing which IP addresses may send mail for the domain)
DMARC:- Domain-based Message Authentication, Reporting & Conformance (a DNS policy telling the receiver what to do when SPF and DKIM fail or do not align with the From: domain)
DKIM:- DomainKeys Identified Mail (a signature over the message headers and body, verified with a public key published in DNS)
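The check a receiving server performs can be followed in code. The example below is added here and is not from the original notes: it evaluates an SPF record for a sending IP and then applies the DMARC policy with relaxed alignment. The TXT records are constructed for the example; DKIM signature verification is out of scope, so the DKIM result is passed in as given.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not real records).
TXT_RECORDS = {
    "example.com":        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 "
                          "include:mail.example.net -all",
    "mail.example.net":   "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=TXT_RECORDS.get, _depth=0):
    """Evaluate the domain's SPF record against the connecting IP.
    Handles ip4/ip6/include/all; the a, mx and exists mechanisms are not modelled."""
    if _depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:                 # a v4/v6 mismatch simply yields False
                return result
        elif mech == "include":
            if check_spf(arg, sender_ip, lookup, _depth + 1) == "pass":
                return result
    return "neutral"                      # no term matched and no "all"


def dmarc_policy(from_domain, lookup=TXT_RECORDS.get):
    """Return the p= tag of the domain's DMARC record, or None if there is none."""
    record = lookup("_dmarc." + from_domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none")


def dmarc_verdict(header_from, spf_domain, spf_result,
                  dkim_domain, dkim_result, lookup=TXT_RECORDS.get):
    """DMARC passes if SPF or DKIM passes *and* that domain aligns with the
    visible From: domain (relaxed alignment: same domain or a subdomain)."""
    def aligned(d):
        return bool(d) and (d == header_from or d.endswith("." + header_from))
    policy = dmarc_policy(header_from, lookup)
    if policy is None:
        return "no-policy"
    if (spf_result == "pass" and aligned(spf_domain)) or \
       (dkim_result == "pass" and aligned(dkim_domain)):
        return "pass"
    return {"none": "deliver-and-report", "quarantine": "quarantine",
            "reject": "reject"}.get(policy, "deliver-and-report")


if __name__ == "__main__":
    # A message claiming From: example.com but delivered from an unlisted IP
    spf = check_spf("example.com", "192.0.2.1")
    print("SPF:", spf, "-> DMARC:",
          dmarc_verdict("example.com", "example.com", spf, "", "none"))
```

Note the alignment rule: an SPF pass for a domain the attacker controls does not rescue a spoofed From: header, which is exactly why DMARC exists on top of SPF.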
TCP/IP layer
Commands
1. Ping: - The Ping tool is used to test whether a particular host is reachable
across an IP network. A Ping measures the time it takes for packets to be
sent from the local host to a destination computer and back. The Ping tool
measures and records the round-trip time of the packet and any losses
along the way.
4. Exploitation:- In this step, the malware starts the action. The program
code of the malware is triggered to exploit the target's
vulnerability/vulnerabilities.
(or)
Triggering the weakness that was identified earlier (for example a
vulnerable service, or a user opening a malicious attachment).
5. Installation:- In this step, the malware installs an access point for the
intruder / attacker so that access survives a reboot. This access point is also known as the backdoor.
1. Malware Category:-
Virus:- A virus is unwanted software that self-replicates by attaching itself to other programs or files.
Rootkit:- Malware that obtains admin (or) root privileges and then hides itself (its files, processes and network connections) from the operating system and from security tools.
Mitigation:-
3. Spoofing Category:-
Spoofing is the act of disguising a communication from an unknown
source as being from a known, trusted source.
Spoofing is categorized into: -
IP Spoofing
E-mail Spoofing
ARP Spoofing
DNS Spoofing
4. Authentication Category: -
Authentication and authorization attacks aim at gaining access to
resources without the correct credentials.
Dictionary Attack: - A type of brute force attack where an
intruder attempts to crack a password-protected security system
with a “dictionary list” of common words and phrases used by
businesses and individuals.
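An added example (not from the original notes) of what the definition above means in practice, in Python: the same wordlist run offline against a leaked PBKDF2 hash, and online against a login service that locks the account after a few failures. The wordlist, salt and stored credential are constructed for the example.

```python
import hashlib
import hmac

# Constructed wordlist and a constructed stored credential (not real data).
WORDLIST = ["123456", "password", "welcome1", "Summer2024", "letmein", "qwerty"]
SALT = bytes.fromhex("8f1c2b3a4d5e6f708192a3b4c5d6e7f8")
ITERATIONS = 20_000          # kept low for a quick demo; use far more in production


def pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# What a leaked credential database would hold for user alice.
STORED = {"user": "alice", "salt": SALT, "iterations": ITERATIONS,
          "hash": pbkdf2("Summer2024", SALT)}


def offline_dictionary_attack(stored, wordlist):
    """Attacker holds the hash: hash each word and compare. Returns (password, attempts)."""
    for attempts, word in enumerate(wordlist, 1):
        candidate = pbkdf2(word, stored["salt"], stored["iterations"])
        if hmac.compare_digest(candidate, stored["hash"]):
            return word, attempts
    return None, len(wordlist)


class LoginService:
    """Online target with the standard mitigation: lock the account after
    `max_failures` consecutive wrong passwords."""

    def __init__(self, stored, max_failures=3):
        self.stored = stored
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, user, password):
        if user != self.stored["user"]:
            return "denied"
        if self.locked:
            return "locked"          # even the right password is refused now
        candidate = pbkdf2(password, self.stored["salt"], self.stored["iterations"])
        if hmac.compare_digest(candidate, self.stored["hash"]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "denied"


def online_dictionary_attack(service, user, wordlist):
    """Same wordlist against the live login; returns the verdict per attempt."""
    return [service.login(user, word) for word in wordlist]


if __name__ == "__main__":
    print(offline_dictionary_attack(STORED, WORDLIST))
    print(online_dictionary_attack(LoginService(STORED), "alice", WORDLIST))
```

Offline, only the hashing cost (iterations) slows the attacker down; online, the lockout stops the attack before the fourth word even though that word is correct. Both controls belong in the "Mitigation" list: slow hashes for the stored form, rate limiting or lockout for the login path.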
Heartbleed:- A bug (CVE-2014-0160) in OpenSSL's implementation of the
TLS/DTLS heartbeat extension. The server copied back as many bytes as the
client claimed in the heartbeat request without checking the real payload
length, so an attacker could read up to 64 KB of server memory per request
(session cookies, passwords, even the server's private key).
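The over-read is easier to understand in code than in prose. The following is an added model written for these notes, not OpenSSL's code: a heartbeat handler that trusts the length field beside one that applies the RFC 6520 bounds check that the fix added. The "adjacent memory" is a constructed byte string standing in for whatever sat after the request buffer on the heap.

```python
import struct

# Constructed "process memory" adjacent to the request buffer (not real data).
ADJACENT_MEMORY = (b"...session=9f3a7c21; user=alice; "
                   b"-----BEGIN RSA PRIVATE KEY-----MIIEow...")

HEADER = struct.Struct("!BH")     # type (1 = request), payload_length (16 bit)
PADDING = 16                      # minimum padding required by RFC 6520


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request; an honest client sets claimed_len == len(payload)."""
    return HEADER.pack(1, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat(request: bytes, memory: bytes = ADJACENT_MEMORY) -> bytes:
    """Model of the bug: copy `claimed_len` bytes starting at the payload,
    trusting the length field instead of the record's real size."""
    _kind, claimed = HEADER.unpack_from(request)
    heap = request + memory            # the request sits in front of other data
    return heap[HEADER.size:HEADER.size + claimed]


def fixed_heartbeat(request: bytes, memory: bytes = ADJACENT_MEMORY):
    """Model of the fix: discard the record unless the claimed length fits
    inside what was actually received (header + payload + padding).
    `memory` is accepted only so both handlers have the same signature."""
    if len(request) < HEADER.size:
        return None
    _kind, claimed = HEADER.unpack_from(request)
    if HEADER.size + claimed + PADDING > len(request):
        return None                    # silently drop, as the patched code does
    return request[HEADER.size:HEADER.size + claimed]


if __name__ == "__main__":
    honest = build_heartbeat(b"hi", 2)
    malicious = build_heartbeat(b"hi", 200)
    print(vulnerable_heartbeat(honest))     # b'hi'
    print(vulnerable_heartbeat(malicious))  # echoes padding plus adjacent memory
    print(fixed_heartbeat(malicious))       # None
```

The 16-bit length field is why the leak is capped at 64 KB per request, and why an attacker simply repeats the request to walk through memory.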
An EDR tool can block a file by its hash value (a custom indicator pushed to every endpoint); a traditional Antivirus only detects and quarantines files that match its signature database.
Office Data:-
Personal Data:-
I. PII:- Personally Identifiable Information
Network Security
DPC: - Defense In Depth Control
Defense in depth is a strategy that leverages multiple security measures to
protect an organization's assets. The thinking is that if one line of defense
is compromised, additional layers exist as a backup to ensure that threats
are stopped along the way
Features: -
1. Packet Filtering
2. Stateful Inspection (and Deep Packet Inspection)
3. Application Gateway
4. IP filtering
5. Malware Scan
Packet Filtering: -
Packet filtering is a firewall technique used to control network
access by monitoring outgoing and incoming packets and allowing
them to pass or halt based on the source and destination Internet
Protocol (IP) addresses, protocols and ports.
Stateful Inspection (Deep Packet Analysis):-
Stateful inspection, also known as dynamic packet filtering, is a
firewall technology that monitors the state of active connections
(a connection table) and uses this information to decide which
packets to allow through the firewall: a packet that does not belong
to a known connection is dropped even if its addresses and ports look
acceptable. Deep packet inspection goes one step further and examines
the payload, not just the headers.
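The difference between the two techniques is best seen on a forged packet. The example below is added here (not the notes' own material): a stateless rule set and a small stateful connection table in Python, run over the same three constructed packets. The "inside" prefix, ports and addresses are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "R"


INTERNAL_PREFIX = "10."          # assumed: 10.0.0.0/8 is the inside network
ALLOWED_OUTBOUND_PORTS = {80, 443}


def stateless_filter(pkt: Packet) -> str:
    """Packet filtering: one decision per packet from addresses/ports only.
    To let replies come back it must allow *any* inbound packet whose source
    port is 80/443, and an attacker can simply choose that source port."""
    if pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport in ALLOWED_OUTBOUND_PORTS:
        return "allow"
    if pkt.dst.startswith(INTERNAL_PREFIX) and pkt.sport in ALLOWED_OUTBOUND_PORTS:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember connections opened from the inside and
    admit inbound packets only when they belong to one of them."""

    def __init__(self):
        self.connections = {}     # (src, sport, dst, dport) -> state

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.connections:           # reply to a tracked connection
            if "R" in pkt.flags:
                del self.connections[rev]     # peer reset it: forget the entry
            elif self.connections[rev] == "SYN_SENT" and pkt.flags == "SA":
                self.connections[rev] = "ESTABLISHED"
            return "allow"
        if fwd in self.connections:           # more packets from the opener
            if "R" in pkt.flags:
                del self.connections[fwd]
            return "allow"
        # New connection: only from inside, only to allowed ports, only a SYN.
        if (pkt.src.startswith(INTERNAL_PREFIX)
                and pkt.dport in ALLOWED_OUTBOUND_PORTS and pkt.flags == "S"):
            self.connections[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


def run_scenario():
    """A legitimate web session plus a forged inbound SYN/ACK from an attacker."""
    legit_syn = Packet("10.0.0.5", 50000, "203.0.113.20", 443, "S")
    legit_reply = Packet("203.0.113.20", 443, "10.0.0.5", 50000, "SA")
    forged = Packet("198.51.100.9", 80, "10.0.0.5", 4444, "SA")
    fw = StatefulFirewall()
    packets = (legit_syn, legit_reply, forged)
    return {"stateless": [stateless_filter(p) for p in packets],
            "stateful": [fw.inspect(p) for p in packets]}


if __name__ == "__main__":
    print(run_scenario())
```

The forged packet passes the stateless filter purely because its source port is 80; the stateful firewall denies it because no inside host ever sent a SYN to 198.51.100.9.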
TCP/IP layers: -
Application (4th layer)
Transport (3rd layer)
Internet (2nd layer)
Network Interface (1st layer)
Application Gateway: -
An application gateway is a program that serves as a firewall
proxy. It runs between computers in a network to tighten security.
It is responsible for filtering incoming traffic that contains network
application data. To illustrate, think of a program that wants to
connect with another
Primary / Secondary server (high availability pair)
Basic conditions:-
1. Same model number
2. Same firmware (OS) version
3. Same interface connections
Upgrade process:-
i. Never upgrade both the servers at the same time.
ii. Break the connection (sync) between the primary & secondary server.
iii. Fail over: make the primary server the secondary server and the secondary server the primary server.
Primary server → Secondary Server
Secondary Server → Primary Server
iv. Upgrade the current secondary server (the old primary).
v. Check whether it is working properly or not for two days.
vi. Fail back: make the secondary server the primary server and the primary server the secondary server.
Secondary server → Primary Server
Primary Server → Secondary Server
vii. Upgrade the (now) secondary server, then restore the connection between the two.
VPN
VPN is a private network via public network.
(Or)
VPN is a private Network between end user and office location via public
network.
Types of VPN: -
1. Site to site VPN
2. Remote access VPN
Proxy
A proxy server is a system or router that provides a gateway between users and
the internet. Therefore, it helps prevent cyber attackers from entering a private
network. It is a server, referred to as an “intermediary” because it goes between
end-users and the web pages they visit online.
NIDS/NIPS
NIDS (Network Intrusion Detection System) watches a copy of the traffic and alerts; NIPS (Network Intrusion Prevention System) sits inline and can drop the traffic. Both are used to identify attack traffic such as command and control (C2) beacons from an infected host.
What is NGFW?
NGFW can do the work of Firewall, Proxy, NIDS &NIPS
Application Security
Cryptography:-
Types of cryptography:-
1. Symmetric:- For Encryption and Decryption we use the same (secret) key.
2. Asymmetric:- For Encryption and Decryption we use different keys: a public key and a private key.
OWASP – top 10 (2021)
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)
Log Sources
In Networking: -
1. Router
2. Switch
3. Load Balancer
4. LAN
5. WAN
Application: -
1. App server
2. Web Server
3. Data Base Server
4. Cloud Server
Windows (Logs):-
Event Viewer:-
1. Security log (audit events, e.g. 4624 successful logon, 4625 failed logon)
2. Application log
3. System log
4. Setup log
Triaging
To triage means to assign a level of importance or urgency to incidents, which
then determines the order in which they will be investigated.
IOC: - Indicator of Compromise.
IOA:- Indicator of Attack.
SIEM components
User Console:- Where the analyst searches events, builds dashboards and works alerts.
Data Collector:-
Aggregation:- Collection of logs from different log sources.
Normalization:- Converting logs that arrive in different formats into one common schema (same field names, same timestamp format).
Parsing:- Extracting fields from a raw log line so that it becomes a structured, searchable event.
Data Processing:-
Indexing:- Storing the parsed events so that they can be searched quickly, typically grouped by log source and time.
Querying (or) Correlation:- Linking one event with another event, i.e., a rule that fires when a combination of events is seen (for example many failed logons followed by a successful one from the same IP).
Filtering:- Dropping or deprioritising events that are known to be noise, so the analyst sees fewer and better alerts.
Retention Policy
How many days we need to maintain the Backup logs.
Min:- 3 months to Max:- 1 year (typical values; the actual period is set by the organisation's compliance requirements)
Blocking
Malicious Domain: - Block in Firewall, Proxy, EDR
Malicious IP: - Block in Firewall
Malicious URL:- Block in Firewall, Proxy, EDR, WAF
Hash Value: - Block in EDR
SOC
Alert state       Meaning                                             Analyst response
True Positive     Alert fired and the device really was compromised   Investigate and respond
False Positive    Alert fired but nothing malicious happened          Close the ticket, tune the rule
True Negative     No alert and nothing malicious happened             Nothing to do
False Negative    No alert but the device was compromised             Most dangerous; found only by threat hunting
True/False:- Whether the SIEM's verdict (alert or no alert) was correct.
Positive:- The abnormal log was notified as an Alert in the SIEM tool.
Negative:- The log was not notified as an Alert in the SIEM tool.
Incident Analysis
Cyber incident analysis refers to the carefully orchestrated process of
identifying what happened, why and how it happened and what can be done to
prevent it from happening again.
1. Malware Analysis:-
Step 1:- Assigning the alert to an analyst
Step 2:- Triaging
Step 3:- Validation
Once we find out that the file contains a virus or harmful content,
we go to the VirusTotal web site and check the IOC values of
(i) IP Address pass/fail
(ii) Hash Value pass/fail
(iii) URL pass/fail
(iv) Domain pass/fail
If VirusTotal shows all of them as clean (No → False Positive), close the ticket.
If any of them is flagged (Yes → True Positive), block the indicator in the right control and continue with Step 4:
Domain → Firewall, Proxy, EDR
IP address → Firewall
URL → Firewall, Proxy, EDR, WAF
Hash Value → EDR
Step 4:-
In case of a compromised state
1. Contact the Network / Server team:-
Confirm whether there is a backup for the affected server.
No → the server cannot be restored from backup; it has to be rebuilt.
Yes → follow the steps below:
I. Promote the Backup Server to Primary Server.
II. Isolate the previous Primary server from the network.
III. Run an AV scan (and preserve the evidence), then format the isolated server.
IV. Reinstall it and everything is back to normal.
Windows Logon
A logon is an event in Windows that shows a user account being granted some
access to a workstation/server/computer (Event ID 4624 = successful logon,
4625 = failed logon).
(Or)
The Windows logon type tells you how the account was used and also identifies
the type of network operation.
There are nine types of logon:-
There is no type 1.
Type 3:- Network:-
A logon over the network, e.g. accessing a shared folder, or a remote administration tool connecting to the computer.
Type 5:- Service:-
A service started by the Service Control Manager, logging on with its service account.
There is no type 6.
Type 7:- Unlock:-
The workstation was unlocked (after the screen saver or a lock); a wrong password at the lock screen produces a failed logon (4625) with this type, and repeated failures can lock the account.
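The SIEM pipeline described earlier (parsing, normalization, correlation) and the logon types above come together in one added example, written for these notes and not taken from any product: a few constructed log lines (one Linux sshd line and Windows 4624/4625 events flattened to key=value form) are parsed, normalized to a common schema, and correlated with a rule that flags a run of failed logons followed by a success from the same source. The log lines, the key=value format and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The nine assigned Windows logon types (1 and 6 are not assigned).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample logs (not real captures).
RAW_LOGS = [
    "Mar 10 09:00:01 srv01 sshd[1122]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "EventID=4625 TimeCreated=2024-03-10T09:00:02 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:00:03 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:00:04 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:00:05 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3 Status=0xC000006A",
    "EventID=4624 TimeCreated=2024-03-10T09:00:09 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3",
    "EventID=4624 TimeCreated=2024-03-10T09:01:00 TargetUserName=bob IpAddress=10.0.0.8 LogonType=7",
    "EventID=4625 TimeCreated=2024-03-10T09:02:00 TargetUserName=carol IpAddress=203.0.113.5 LogonType=10 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:02:01 TargetUserName=carol IpAddress=203.0.113.5 LogonType=10 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:02:02 TargetUserName=carol IpAddress=203.0.113.5 LogonType=10 Status=0xC000006A",
    "EventID=4625 TimeCreated=2024-03-10T09:02:03 TargetUserName=carol IpAddress=203.0.113.5 LogonType=10 Status=0xC000006A",
]

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse(line):
    """Parsing: turn one raw line into a dict of fields (None if the format is unknown)."""
    m = SSHD_RE.match(line)
    if m:
        return {"source": "sshd", **m.groupdict()}
    if line.startswith("EventID="):
        return {"source": "windows", **dict(kv.split("=", 1) for kv in line.split())}
    return None


def normalize(fields):
    """Normalization: map parsed fields of either source onto one common schema."""
    if fields["source"] == "sshd":
        # syslog lines carry no year; the year is assumed for the example
        ts = datetime.strptime(fields["ts"], "%b %d %H:%M:%S").replace(year=2024)
        return {"ts": ts, "user": fields["user"], "src_ip": fields["ip"],
                "outcome": "failure", "logon_type": "Network"}
    return {"ts": datetime.fromisoformat(fields["TimeCreated"]),
            "user": fields["TargetUserName"], "src_ip": fields["IpAddress"],
            "outcome": "success" if fields["EventID"] == "4624" else "failure",
            "logon_type": LOGON_TYPES.get(int(fields.get("LogonType", 0)), "Unknown")}


def correlate(events, threshold=4):
    """Correlation: `threshold` or more failures from one IP against one user,
    then a success from the same pair, is a brute-force that probably worked;
    the failures alone are a brute-force attempt."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src_ip"], e["user"])].append(e)
    alerts = []
    for (ip, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        failures = 0
        for e in evs:
            if e["outcome"] == "failure":
                failures += 1
                continue
            if failures >= threshold:
                alerts.append({"rule": "brute-force success", "src_ip": ip, "user": user,
                               "failures": failures, "logon_type": e["logon_type"], "ts": e["ts"]})
            failures = 0
        if failures >= threshold:
            alerts.append({"rule": "brute-force attempt", "src_ip": ip, "user": user,
                           "failures": failures, "logon_type": evs[-1]["logon_type"], "ts": evs[-1]["ts"]})
    return alerts


def run_pipeline(raw_lines=RAW_LOGS, threshold=4):
    """Aggregation -> parsing -> normalization -> correlation, in that order."""
    events = [normalize(f) for f in map(parse, raw_lines) if f is not None]
    return correlate(events, threshold)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The logon type is carried through to the alert on purpose: a brute-force success over type 3 (Network) or type 10 (RemoteInteractive) tells the analyst where to look next (SMB/RPC versus RDP) before the ticket is even opened.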