Archsight Material

There are three main types of computer networks: local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). LANs connect computers within a small local area like a home, school, or office, using technologies that allow transmission over distances of up to a few kilometers. MANs connect multiple LANs within a larger area like a city, using technologies that allow transmission over up to around 50 kilometers. WANs provide connections across continental and global distances using technologies like the Internet. Networks rely on protocols, network devices, security devices, and assigned addresses to transmit data between connected computers.

Uploaded by

mohankrishna6040

Network:

A group of independent computers interconnected with each other is called a network.

Network types:

1. LAN (Local Area Network)
2. MAN (Metropolitan Area Network)
3. WAN (Wide Area Network)

1) LAN (Local Area Network):

- A local area network is a group of computers connected with each other in a small
geographical area, such as a school, hospital or apartment.
- A LAN is secure because there is no outside connection to the local area network,
so the data shared on it stays on the local area network and cannot be
accessed from outside.
- It is used for sharing data and resources, e.g. printers and scanners.
- LAN range is 0 to 2 km.

2) MAN (Metropolitan Area Network):

- In a metropolitan area network, various local area networks are connected with each
other through telephone lines, i.e. a combination of different LANs.
- It is used for sharing data and resources.
- MAN range is 0 to 50 km.
- MANs cover the larger area of a city or town.
- Example: INTRANET
3) WAN (Wide Area Network):

- A wide area network provides long-distance transmission of data. A WAN can cover a
country, a continent or even the whole world.
- It is used for sharing data and resources.
- WAN range is the entire world.
- An Internet connection is an example of a WAN. Other examples of WANs are mobile
broadband connections such as 3G, 4G etc.
- Example: INTERNET

Network Addresses:
1) MAC Address (Media Access Control)
2) IP Address (Internet Protocol)

1) MAC Address (Physical Address):

MAC address means Media Access Control address, and it is the physical address.

IP Address:
1. IP address stands for Internet Protocol address.
2. IP address is the logical address of the computer and is used to uniquely locate the
computer via the network.
3. IP address is 4 bytes.
4. IP address is provided by the ISP.
Ex: 100.121.41.10

MAC Address:
1. MAC address stands for Media Access Control address.
2. MAC address is the unique physical address of the computer.
3. MAC address is 6 bytes, written in hexadecimal.
4. MAC address is provided by the manufacturer.
Ex: 00:1A:C2:7B:00:47

2) IP Address (Logical Address):

It is given to a computer in the network for identification and communication. These IP
addresses are provided by the ISP (Internet Service Provider).

It is a logical address.

The range of IP addresses is 0.0.0.0 to 255.255.255.255.

IP addresses are of 2 types:

1) Static IP - fixed IP

2) Dynamic IP - not fixed (keeps on changing)


Static IP:
1. Static IP means fixed IP.
2. A static IP address does not get changed.
3. It is costly to maintain.
4. A device using a static IP can be traced easily.
5. A static IP address is highly stable.

Dynamic IP:
1. DHCP (Dynamic Host Configuration Protocol) is used to generate dynamic IPs.
2. A dynamic IP keeps changing.
3. A dynamic IP is cheaper to use and maintain.
4. Difficult to trace.
5. Less stable.

IP types:

1) Private IP
2) Public IP

Private IP:
1. Used within LANs or within the organization.
2. Not recognized on the Internet.
3. Given by the administrator.
4. Free to set up.
5. Unregistered IPs.

Public IP:
1. Used on a public network (the Internet).
2. Recognized on the Internet.
3. Given by the ISP.
4. Pay the service provider.
5. Registered IPs.

Network Devices:
Network devices, or networking hardware, are physical devices that are required for
communication and interaction between hardware on a computer network.

Network devices are of the following types:

1. Hub
2. Switch
3. Router

1) HUB:

- A hub is not an intelligent device.
- Hubs connect multiple computer networking devices together.
- Hubs do not perform packet filtering or addressing functions; they just send data
packets to all connected devices.
- Hubs do not maintain data privacy.
- Half-duplex communication.
2) Switches:

- Switches generally have a more intelligent role than hubs.
- A hub is used for data transferring, whereas a switch is used for filtering and
forwarding the data.
- Switches share the data based on MAC addresses.
- Switches maintain data privacy.

3) Router:

- A router is one kind of network device in a computer network.
- It is used for routing traffic from one network to another. These two networks could
be a private network and a public company network.
- For example, a router can be thought of as a traffic policeman at a junction, who directs
traffic from different networks in different directions.
- Routers share the data based on IP addresses.

Security Devices:
Security devices are used to protect the data.

Firewalls:

- A firewall is a security device.
- A firewall monitors the incoming and outgoing traffic based on a set of rules defined by
the ACL (Access Control List).
- It acts as a barrier between trusted and untrusted networks.
- Controls access to resources.
- Firewalls work with IP addresses, port numbers and protocols.

IDS/IPS:

IDS: Intrusion Detection System

IPS: Intrusion Prevention System

These are security devices, specially designed to monitor all inbound and outbound
network activity.
Both IDS and IPS solutions detect threat activity in the form of malware, spyware, viruses,
worms and other attack types, as well as threats posed by policy violations.

IDS (Intrusion Detection System):

- IDS is an intrusion detection system.
- IDS will just detect the intrusion and leave the rest to the administrator for
further action.
- IDS tools passively monitor and detect suspicious activity.

IPS (Intrusion Prevention System):

- IPS is an intrusion prevention system.
- IPS tools perform active, in-line monitoring and can prevent attacks by known and
unknown sources.
- IPS will detect the intrusion and take further action to prevent the intrusion.
Another difference is the positioning of the devices in the network: although they
work on the same basic concept, the placement is different.

Web Proxy Server:

- Acts as an intermediary to outside networks.
- Verifies and forwards incoming client requests to other servers.
- It provides an extra layer of protection against operating system and web server
attacks.
- Scans for viruses and malware.
- Does not allow the client to connect directly to the server.
Protocols:

- A protocol defines a common set of rules for formatting and processing data.
OR
- A protocol defines a common set of rules and signals that computers on the network use
to communicate.
- Network protocols are like a common language for computers.

Important Protocols:

HTTP: Hypertext Transfer Protocol

HTTPS: Hypertext Transfer Protocol Secure

TCP: Transmission Control Protocol

UDP: User Datagram Protocol

FTP: File Transfer Protocol

SSH: Secure Shell Protocol

SMTP: Simple Mail Transfer Protocol

SSL: Secure Sockets Layer

TLS: Transport Layer Security

DNS: Domain Name System

TCP Flags:

- SYN: Synchronization
- ACK: Acknowledgement
- PUSH: Push
- URG: Urgent
- RST: Reset
- FIN: Finish
Packet:
A packet carries data from a source IP to a destination IP.

Source IP | Data | Destination IP

Difference between TCP and UDP

TCP:
1. TCP stands for Transmission Control Protocol.
2. It is a connection-oriented protocol.
3. TCP is more reliable than UDP.
4. TCP has acknowledgement segments.
5. TCP guarantees that the order of data at the receiving end is the same as on the
sending end.

UDP:
1. UDP stands for User Datagram Protocol.
2. It is a connectionless protocol.
3. UDP is faster than TCP for data sharing.
4. No acknowledgment.
5. UDP has no such guarantee.

TCP 3 Way Handshake:

- Client sends a SYN message to the Server to initiate a connection.
- Server receives the SYN and sends a SYN-ACK to the Client.
- Client receives the SYN-ACK and sends an ACK.
- Server receives the ACK.
- TCP connection established.
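The handshake above walked as a small server-side state machine, added here as an illustration that is not part of the original notes. The flag values are the real TCP header bits; the endpoint names, sequence numbers and segments are constructed for the example.

```python
# Added illustration, not part of the original notes: the three-way handshake
# walked as a server-side state machine. Flag values are the real TCP header
# bits; the segments below are constructed samples, not captured traffic.
SYN, ACK, RST = 0x02, 0x10, 0x04   # PSH=0x08, URG=0x20, FIN=0x01 are not needed here


def seg(src, dst, flags, seq, ack=0):
    """A minimal TCP segment: endpoints, flag bits, sequence and ack numbers."""
    return {"src": src, "dst": dst, "flags": flags, "seq": seq, "ack": ack}


def handshake(client, server, client_isn, server_isn):
    """The three segments of a correct handshake (each side picks its own ISN)."""
    return [
        seg(client, server, SYN, client_isn),                        # 1. SYN
        seg(server, client, SYN | ACK, server_isn, client_isn + 1),  # 2. SYN-ACK
        seg(client, server, ACK, client_isn + 1, server_isn + 1),    # 3. ACK
    ]


def server_state(segments, server):
    """Track the server side: LISTEN -> SYN_RECEIVED -> ESTABLISHED.

    A handshake whose final ACK never arrives (or carries the wrong ack number)
    stays in SYN_RECEIVED, a half-open connection; RST drops it back to LISTEN.
    """
    state, own_isn = "LISTEN", None
    for s in segments:
        if s["flags"] & RST:
            state, own_isn = "LISTEN", None
        elif state == "LISTEN" and s["dst"] == server and s["flags"] == SYN:
            state = "SYN_RECEIVED"                        # step 1 received
        elif state == "SYN_RECEIVED" and s["src"] == server and s["flags"] == SYN | ACK:
            own_isn = s["seq"]                            # step 2 sent; remember our ISN
        elif state == "SYN_RECEIVED" and s["dst"] == server and s["flags"] == ACK:
            # step 3: the client must acknowledge exactly our ISN + 1
            if own_isn is not None and s["ack"] == own_isn + 1:
                state = "ESTABLISHED"
    return state


if __name__ == "__main__":
    trace = handshake("client", "server", client_isn=1000, server_isn=5000)
    for s in trace:
        print(s)
    print(server_state(trace, "server"))              # ESTABLISHED
```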

Important Port numbers:

Port       Service name                                      Transport protocol
20         File Transfer Protocol (FTP) - Data               TCP
21         File Transfer Protocol (FTP) - Control            TCP
22         Secure Shell (SSH)                                TCP and UDP
23         Telnet                                            TCP
25         Simple Mail Transfer Protocol (SMTP)              TCP
50, 51     IPSec
53         Domain Name System (DNS)                          TCP and UDP
67, 68     Dynamic Host Configuration Protocol (DHCP)        UDP
69         Trivial File Transfer Protocol (TFTP)             UDP
80         HyperText Transfer Protocol (HTTP)                TCP
110        Post Office Protocol (POP3)                       TCP
119        Network News Transport Protocol (NNTP)            TCP
123        Network Time Protocol (NTP)                       UDP
135-139    NetBIOS                                           TCP and UDP
143        Internet Message Access Protocol (IMAP)           TCP and UDP
161, 162   Simple Network Management Protocol (SNMP)         TCP and UDP
389        Lightweight Directory Access Protocol (LDAP)      TCP and UDP
443        HTTP with Secure Sockets Layer (SSL)              TCP and UDP
3389       Remote Desktop Protocol (RDP)                     TCP and UDP

OSI Model
OSI (Open Systems Interconnection) is a reference model for how devices communicate over a
network.
There are 7 layers in OSI, which are:
- Application layer -> Data -> network processes and apps -> SMTP, telnet, HTTP, FTP, etc.
- Presentation layer -> Data -> data formatting and encryption -> JPG, HTTPS, SSL
- Session layer -> Data -> establishes/ends connections between two hosts -> NetBIOS, PPTP
- Transport layer -> Segments -> end-to-end connections and reliability -> TCP, UDP
- Network layer -> Packets -> path determination and IP (logical addressing) -> routers and layer 3
switches
- Data link layer -> Frames -> physical addressing -> switches
- Physical layer -> Bits -> sends data onto the physical wire -> hubs, NICs, cables
Malware:

- Malware is nothing but "malicious software" or "malicious code".
- It is software that damages the user's computer without user interaction.
Mal = Malicious, Ware = Software

Malware Types:

1) Virus
2) Worm
3) Trojan Horse
4) Adware
5) Spyware
6) Ransomware

1) Virus:

- A virus is malicious software.
- The virus code is injected into executable files; whenever we run the program it
spreads itself.
- It captures photos, data, screenshots etc. and resends that data to the hacker.
- This type of malicious software can spread from one computer to another,
leaving infections as it travels.
- But it cannot infect our computer unless we run the malicious program.
- It can damage our hardware and software.

2) Worms:
- Worms are another category of malicious software.
- They are self-replicating and self-propagating.
- Worms create duplicate files, which affects memory usage and degrades system or
network performance.
- Both viruses and worms execute without the knowledge of the end user.

3) Trojan horse:
- A Trojan horse is a program.
- It appears to be legitimate software, but once installed it damages the software behind
the system.
- Once a Trojan is installed, the hacker gains total control of the system.
- Unlike viruses and worms, a Trojan cannot self-replicate and cannot reproduce.

4) Adware:
- Adware is a software application that displays or downloads advertisements to a
computer.
- If you don't carefully read the terms and conditions of original programs, you can
easily end up with adware on your computer.
- When typing into the search engine, your web results may be redirected to other
advertisement websites.
- It affects the performance of the computer.

5) Spyware:
- Spyware is software
- that aims to gather information about a user's activity without their
knowledge,
- transmitting or routing that information in the background to someone else.
- Spyware can also gather information about emails, addresses and even passwords
and credit card numbers.

6) Ransomware:

It is malware that installs secretly on a victim's computer, encrypts the data and
demands payment for the decryption key.

Encryption:

It is the process of converting data from plain text to cipher text.

Decryption:

It is the process of converting data from cipher text to plain text.


Cyber kill chain process:

1. Reconnaissance: Intruder selects target, researches it, and attempts to identify
vulnerabilities in the target network.
2. Weaponization: Intruder creates remote access malware weapon, such as a virus or
worm, tailored to one or more vulnerabilities.
3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites
or USB drives).
4. Exploitation: Malware weapon's program code triggers, which takes action on target
network to exploit vulnerability.
5. Installation: Malware weapon installs access point (e.g., "backdoor") usable by
intruder.
6. Command and Control: Malware enables intruder to have "hands on the keyboard"
persistent access to target network.
7. Actions on Objective: Intruder takes action to achieve their goals, such as data
exfiltration, data destruction, or encryption for ransom.

Attacks:
An attack is nothing but trying to gain unauthorized access.
(or)
In a computer network, an attack is any attempt to destroy, expose, steal, disable or
gain unauthorized access.

Asset:

An asset is what we are trying to protect (example: systems, servers and devices etc.).

Hacker/Cracker/Attacker:

A person who is trying to gain unauthorized access.

Backdoors:

- It is also called a "trapdoor".
- It is a method of gaining access to a program, online service or entire computer
system.

Victims:

The target machine in an exploit.

Zombie:

A machine used for an attack (or) a compromised system.

Attacks Types:
Zero day attack:

- A zero day attack occurs on the same day a weakness is discovered in a piece of software.
- At that point it is exploited by hackers before the vendor becomes aware of it and hurries to
fix it.

Bot net Attack:

Bot = compromised system, Net = network

- It is a collection of compromised computers.
- Usually installed via viruses, worms, Trojans or backdoors.
- It is a collection of interconnected devices such as PCs, servers and mobile devices
that are controlled remotely by common malware.

Brute force attack:

- It is one of the most common methods used to crack passwords.
- This attack is basically a trial & error method, usually used to find legitimate
authentication credentials.
- This attack sometimes takes longer, but its success rate is very high.
- In order to get past password authentication, attackers can use password
guessing tools and scripts.

Phishing or Spoofing attack:

- Phishing attacks are used to steal consumers' personal identity data and financial
account credentials.
- Hackers use spoofed emails to gain financial data such as account numbers,
usernames, passwords and credit card numbers.
- Spoofing is the creation of TCP/IP packets using somebody else's IP address, sending
packets to a victim computer with an IP address indicating that the message is
coming from a trusted host.

Phishing types:

Smishing: Through text messages.

Vishing: Through phone calls.

Spear phishing: Targeting an individual person.

DOS (Denial of Service):

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network,
making it inaccessible to its intended users. DoS attacks accomplish this by flooding the
target with traffic, or sending it information that triggers a crash.

DDOS (Distributed Denial of Service):

- DDoS stands for distributed denial of service. When a network/server/application is
flooded with a large number of requests which it is not designed to handle, making the
server unavailable to legitimate requests. The requests can come from different,
unrelated sources, hence it is a distributed denial of service attack. It can be
mitigated by analysing and filtering the traffic in scrubbing centres. The
scrubbing centres are centralized data cleansing stations wherein the traffic to a
website is analysed and the malicious traffic is removed.

SQL Injection:

- SQL injection is an attack.
- Databases respond to SQL queries.
- SQL injection is one of the most commonly exploited web application vulnerabilities, at
the database layer.
- Using SQL injection, attackers can create, read, modify or delete sensitive data.
- The vulnerability is one of the oldest, most prevalent and most dangerous web
application vulnerabilities.
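As an added illustration (not code from the original notes), the same login lookup written the vulnerable way and the parameterised way, run against a constructed in-memory SQLite table; the table contents and credentials are made up for the example.

```python
# Added illustration, not part of the original notes: a login lookup with the
# input pasted into the SQL text (vulnerable) beside the parameterised version
# (safe). The users table is a constructed sample.
import sqlite3


def make_db():
    """Constructed sample table; names and passwords are made up for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "S3cret!"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, pw):
    """Input is pasted into the SQL text, so the input can rewrite the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, name, pw):
    """Placeholders: the driver sends values separately, never as SQL text,
    so a quote in the input is just a character in the compared value."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(sql, (name, pw))]


def demo():
    """Return (vulnerable_result, safe_result) for the classic tautology input.

    The vulnerable query becomes ... AND pw = '' OR '1'='1', which is true for
    every row; the parameterised query compares the literal string and finds none.
    """
    db = make_db()
    crafted = "' OR '1'='1"
    return login_vulnerable(db, "alice", crafted), login_safe(db, "alice", crafted)
```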

Man in the middle:

A MITM attack happens when a communication between two parties is intruded on or intercepted by an
outside entity.
- Use encryption (public key encryption) between both parties.
- Avoid using open wi-fi networks.
- Use HTTPS, forced TLS or a VPN.

CIA triangle:

- Confidentiality: Keeping the information secret.
- Integrity: Keeping the information unaltered.
- Availability: Information is available to the authorized parties at all times.

SIEM (Security Information and Event Management):

- It is a security information and event management system.
- SIEM technology is used in many enterprises or organizations to provide real-time
reporting and long-term analysis of security events.
- SIEM collects logs from network devices, security devices and routers.
- It is a centralized log format.
- We collect the logs at one access point (the SIEM).

SIEM Uses:

- Centralized log format
- Log collection
- Rules
- Alerting
- Real-time logs and historical logs

Arcsight Architecture:

Arcsight Architecture is of two types:

1. Linear Architecture
2. Dual Destination (Bi-directional destination)

Arcsight Components:

Arcsight is built on a multi-tier architecture. It consists of:

1. Arcsight Smart connector
2. Arcsight ESM
3. Arcsight Logger
4. Arcsight CORR-Engine or Database
5. Arcsight ESM Web/Console
Arcsight Connector:

- It acts as an interface between the Arcsight ESM and the data sources that generate
ESM-relevant data on your network.
- The Smart connector performs data collection, normalization, aggregation etc.
- The Smart connector collects raw event data from data sources such as network
devices, security devices and servers.
- It normalizes the data into CEF form (Common Event Format).
- The Smart connector can also perform a first level of filtering and aggregate the events,
to reduce the volume of events sent to the ESM Manager, which increases ESM
efficiency and reduces event processing time.

Arcsight Smart connector:

The Smart connector is an agent that pulls and receives logs from the end devices.

Arcsight Flex Connector:

The Flex connector is a custom agent with which you can integrate devices that are not supported by
Arcsight.

In this case you have to collect the logs and create a custom connector using its types, so that
you can integrate the required devices.

Arcsight ESM (Enterprise Security Manager):

- It is the heart of the ESM solution.
- It is a Java-based server that drives the ESM analysis workflow and services.
- It functions as a server.
- It receives the events from connectors, correlates the events and stores them in
the database (CORR-Engine).
- It also provides advanced correlation and reporting capabilities.

Arcsight Logger:

- Arcsight Logger is an event data storage appliance.
- Logger is a quick searcher and fast report generator.
- Logger receives events in CEF format from connectors.
- Logger can forward selected events to ESM.

Arcsight CORR Engine (Correlation Optimization Retention and Retrieval):

- The ESM database works based on the Oracle DBMS.
- Arcsight ESM uses storage based on the CORR engine, which receives events from the
Manager.

User Interface:

ESM provides two interfaces, Arcsight Web and the ESM Console, to navigate the features and
functions of ESM.

Arcsight Web Console:

- The Arcsight Web interface has very limited resources, like active channels and reports.
- Basically this interface is for clients and the business team to check and download
data.
- It provides a secure web-based interface to the Manager.

Arcsight Console:

- It provides the user interface to perform administrative tasks on Arcsight.
- It is the tool for building filters, rules, reports, dashboards and data monitors.
- It is also the interface for administering users and workflow.
It consists of 3 panels:
1) Navigator panel
2) Viewer panel
3) Edit/Inspect panel

Navigator Panel:

In the navigator panel we can access all ESM resources:

- Active Channels
- Assets
- Cases
- Customers
- Connectors
- Dashboards
- Field Sets
- Files
- Filters
- Integration commands
- Knowledge base
- Lists
- Notifications
- Query viewers
- Reports
- Rules
- Saved searches
- Search filters
- Stages
- Users

Viewer Panel:

The viewer panel is the middle section of the console window, and it displays the
results of the ESM monitoring and investigation tools.

Inspect/Edit panel:

The Inspect/Edit panel enables you to view the details of an individual event or edit the values of
new or existing ESM resources.

Data Sources:

Arcsight ESM collects output from data sources such as IDS, IPS, switches,
routers, servers, vulnerability assessment, penetration testing and antivirus tools etc.

Normalization:

- It is the process of converting raw events into the Common Event Format (CEF).
- The Smart connector collects the raw data generated by different types of devices such
as network devices, security devices and servers.
- All the formats are different and difficult to understand, because networks are
heterogeneous environments.
- Each device has a different logging format and reporting mechanism.
- Because this is difficult to understand, the Smart connector converts the raw events into CEF
format.

Aggregation:

- Aggregation consolidates events with matching values into a single aggregate event.
- This reduces the number of events the Manager must evaluate,
- which increases ESM efficiency and reduces event processing time.
- Connector aggregation merges events with matching values into a single aggregate
event.

Correlation:

- It is a process that discovers the relationships between events and the significance of
those relationships, prioritizes them and then provides a framework for taking action.
- It is a data storage and retrieval framework that receives and processes
events at high rates and performs high-speed searches.
- A correlation engine is a software application that programmatically understands
relationships.

Example: The ESM correlation engine uses the rules you construct to correlate the base events
and aggregated events fed in from the Smart connector to determine that something of interest
has occurred.
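The three steps described above (normalization into CEF, connector aggregation, and a correlation rule that flags the brute-force pattern from the Attacks section) as one added example; this is illustration code, not ArcSight's own, and the log lines, vendor name, signature IDs and thresholds are constructed for it.

```python
# Added example, not ArcSight's own code: a tiny CEF normaliser, connector-style
# aggregation and a manager-style correlation rule. Log lines are constructed;
# 'rt' is written as plain seconds here for readability.
import re
from collections import defaultdict

RAW_LOGS = [  # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    "CEF:0|Acme|FW|1.0|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=alice rt=1000",
    "CEF:0|Acme|FW|1.0|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=alice rt=1010",
    "CEF:0|Acme|FW|1.0|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=alice rt=1020",
    "CEF:0|Acme|FW|1.0|200|Login ok|2|src=10.1.1.9 dst=10.0.0.2 suser=bob rt=1030",
    "CEF:0|Acme|FW|1.0|100|Login failed|5|src=10.1.1.5 dst=10.0.0.2 suser=alice rt=1040",
]
HEADER = ["version", "vendor", "product", "device_version", "sig_id", "name", "severity"]


def parse_cef(line):
    """Normalization: one CEF line -> flat dict of named fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # seven header fields separated by '|'; a literal pipe inside one is '\|'
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    event = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    # extension: key=value pairs; a value runs until the next ' key=' token
    for key, val in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        event[key] = val.replace("\\=", "=").replace("\\\\", "\\")
    event["severity"] = int(event["severity"])
    return event


def aggregate(events, keys=("sig_id", "src", "dst", "suser")):
    """Connector aggregation: events with matching key values become one
    aggregate event carrying a count (cnt) and the first/last time seen."""
    buckets = {}
    for e in events:
        k = tuple(e.get(f) for f in keys)
        if k in buckets:
            buckets[k]["cnt"] += 1
            buckets[k]["end"] = e["rt"]
        else:
            buckets[k] = dict(e, cnt=1, start=e["rt"], end=e["rt"])
    return list(buckets.values())


def correlate(events, threshold=3, window=60):
    """Correlation rule: >= threshold failed logins (sig_id 100) from one src
    within `window` seconds -> one alert; this is the brute-force pattern."""
    alerts, seen = [], defaultdict(list)
    for e in sorted(events, key=lambda e: int(e["rt"])):
        if e["sig_id"] != "100":
            continue
        times = seen[e["src"]]
        times.append(int(e["rt"]))
        while times[-1] - times[0] > window:      # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"rule": "brute_force", "src": e["src"], "count": len(times)})
            times.clear()                          # fire once per window
    return alerts


if __name__ == "__main__":
    base = [parse_cef(line) for line in RAW_LOGS]
    print(len(base), "base events ->", len(aggregate(base)), "aggregated")
    print(correlate(base))   # one brute_force alert for 10.1.1.5
```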
