Phases in Cybersecurity | Cybersecurity Training | Edureka | Cybersecurity Rewind - 2

edureka! · Intermediate · 🔐 Cybersecurity · 2y ago

Key Takeaways

Describes phases in cybersecurity using Cybersecurity and CEH v13 AI

Full Transcript

Hi. So in today's session we'll be covering the phases of a cyber attack. What are the phases of a cyber attack, and why do I say "phases"? The attack does not happen immediately; it does not happen in a fraction of a second, for any type of attack or any planned attack. It is similar to real-life attacks on any person, any organization, any company or even any country: the attack will happen in multiple phases. The initial phase would be reconnaissance: understanding and gathering information about the target, studying more about it, understanding more about the target before we attack. So we'll talk about these things in detail, and with this we basically try to manipulate things, and we try to download some other tools, some freely available tools, which can help us to understand more about cyber attacks.

Okay, the objective for today: what are we going to take away from this session? We'll be understanding the basic concepts of cyber crime and the types of cyber crime, the techniques and phases of a cyber attack, why we need to have an enterprise-wide security framework to ensure that everything is secure, and the frameworks and any guidelines and policies which are available for us. They only help us in defending the environment; there is no other guide, no prescription which is freely available or which is prescribed by any other body, which is completely offensive in nature. So for us in cyber security, 90 percent of the goal, 95 percent of the contribution from every community and every general body who takes care of cyber security restrictions or cyber security enhancements, they provide defensive security guidelines alone, and only the remaining five percent of people work on offensive security, who try to go offensive on their own organization. We'll talk about the hackers and the different types of hackers, and I'll take you to the NIST cyber security framework. As we see, NIST is available on almost all of the domains: they provide guidelines on cloud computing, they were providing guidelines on cryptography as well, so NIST is almost an integral part of any domain of cyber security. And we'll be talking about the cyber security framework which is specifically available for the dependency framework one, and understanding the basic concepts around incident response: what is an incident response, what are the steps we need to take, what are the ways we can get ourselves prepared for any type of incident, and how to respond to it.

Cyber crime is any criminal activity which involves computing devices or anything which is happening digitally. There is even any kind of crime: if you try to start bullying someone, if you try to attack someone in the physical world, obviously the person will get hurt physically; they might be bleeding or they might be injured. The same thing can also be done in the cyber world: we can bully the person, we can attack the person, we can injure the person mentally. What happens when we threaten him over emails, chat messages, or manipulated voice calls? We keep hearing that there are multiple leaks on various celebrities; what happens when we defame them? Obviously it's like injuring or attacking, not in the physical sense but in a cyber way; mentally we are targeting some person, organization or even countries. So, as the meaning described on this slide: criminal activity that involves computing devices such as computers, tablets, phones, IoT devices, network devices or networks. To put it simply, anything and everything, any crime which is happening over a digital network. What are the examples of cyber crimes? Cyber bullying, threatening someone, hacking someone's account, defaming someone. Consistently you can also see multiple games; we heard about the Blue Whale game or the Momo game. These are the games which are making people addicted, and they threaten people to do some activities on behalf of the attacker. In most of the scenarios, I mean most of the kids and teenagers, we see that they even go to an end where they sacrifice their life.

What other things can happen? Identity theft: losing identity, or someone stealing our identity. As I already gave you an example, someone applied for a bank loan on behalf of myself, wherein I received an SMS stating that your application has been successfully processed. So anyway, even as a security professional we need to make sure that every piece of data which is available on the internet is protected, and that has to be taken care of. There are multiple guidelines, but instead of following the multiple guidelines we just need to follow the basic instinct: what the mind says, what the heart actually feels about sharing something on social media or sharing something on the internet. For checking a person, I mean, it is obviously very easy for anyone to steal an identity, like your residence, your other cards, whatever it may be; anything can be taken off. There are various tools, multiple tools we can get from the internet which are freely available: open source intelligence, a lot of tools for gathering information. I believe the site is okay. Maltego is one of the tools which is available; actually for training purposes it is easy for us to go with the Maltego Community Edition. That's free and it is limited in features; we cannot expect 100 percent of the features available on the paid version, but anyway we go for it. Before downloading it we need to register, as usual.

So recently, why do we have these kinds of captchas nowadays? A lot of people see that the captchas are available whenever we fill in a form, before we submit it. This is just to ensure that things are not being done by a robot or a bot. I have not filled in the name and email address, I just entered the password, because the form was pre-filled; when I get in, everything was predefined. It is easy for us to set up the values of any target: if it asks for a name it should give something, if it asks for a last name it should give a value, it would ask for your email address, telephone number, date of birth; everything can be pre-configured in a list and that can be passed on to any number of forms within a minute. I mean, manually, for an individual form it would take at least 30 seconds or a minute to complete this form, log into the page and complete this activity. But what makes it easy is when I automate it: when I use a script or when I use an application I can create hundreds of accounts within a minute, because every time I can provide a random value. So just to stop it, to ensure that it is not bot activity, it gives these kinds of captchas or other mechanisms. So I'm registering... okay, the email address already exists, so then I need to log in.

Okay, let's go for Maltego Community Edition; we need to find a download link. Okay, we have flavors supporting multiple operating systems: Windows, Linux, Mac. So I'm choosing Windows. Actually I don't have Java to run it, because most of these open source softwares which are freely available are written for Linux, because we don't find many of the testing tools or offensive security tools for the Windows platform. But even when we want to run it, most of the applications need Java support. So just to make sure: if some of the tools which you downloaded from the internet are not working on your platform, please make sure that you have the latest version of Java installed. And here we click on the download; I'm downloading the exe file along with the Java executable, so it's around 160 MB in size.

Okay, this is identity theft, where we left off. And cyber terrorism: like the real world, everything is happening over the internet; people spreading some activity which is related to their community, or people convincing them to join a digital army, or any kind of crime or any kind of terrorism activity. Terrorism is not only if you are attacking,
like convincing people to do something, creating and publishing games like the Momo game or Blue Whale; those are categorized under terrorism. The computer viruses, that's more frequently available, just to make sure they damage our system personally or anything; it may be a smartphone or a computer or a desktop, whatever it may be.

What are the categories of cyber crime? The computer systems, where the target is the technology, and the other thing, where the technology is the weapon. The tools which are available for us and the tools which we are demonstrating are not software simply; we call them weapons. A weapon can be used for protection as well as for destruction, so we are using these weapons for, I mean, the purpose is how we use it. The computer systems, networks and any kind of personal or business enablers: there are a lot of things. There could even be an attack on pacemakers. It is obviously possible for a person to pass electromagnetic signals or electromagnetic waves just to diffuse, or just to confuse, the function of a pacemaker. What a pacemaker typically does is ensure that the heartbeat rhythm is normal, and it is artificially managed; so when manipulating things, what could it cause? It can definitely hack a person's life. So each and every technology can be remotely handled or tackled or taken down or manipulated in some way, so that the purpose of the application, which was actually designed to be good or to cause something good for the maker or for the general public, is changed. If you produce a software which does good, delivers a better performance or enhances some features, or in some way or other your application helps others, it means a good software. If the software is destructive in general and gives benefit only to the developers, that means the software is malicious and it's not intended for reusing.

So what is hacking? Hacking is not only just defacing or getting unauthorized access to a system, taking down a system, breaking a system. Hacking is a general term which is taking advantage of something. If you're a better craftsman you can hack into some existing design and you can manipulate it; you can enhance the performance, you can enhance the features of it. If you are able to modify the existence of something, it is called hacking. When you add something: your TV speakers are not working fine, and if you are good in electronics, or good in acoustics or sound systems, when you make something, when you attach some advanced audio system to your existing television, we simply call it "I hacked the television system". Now it's my entertainment system; it is no more a regular TV and audio system, it's an edited one. So similarly, when you enhance or update or modify the existing performance of a particular thing it's called hacking. But in the real world we use the term hacking in a wrong sense, meaning obviously the people hacked me, the people will damage us, the people will destroy something; it's nowhere like that. Depending on the purpose of hacking it differs.

Usually people speak about two different hackers: one with the white hat and the other with the black hat. White hat people do the same hacking; hacking in the sense they try to manipulate, they try to modify, they try to take advantage of something, whether an application or hardware or infrastructure, anything it may be. It is just to check how the environment, or the application, or the hardware is, and whether there is a possibility of making it advanced, a possibility of making it work better, or if there is any patch to make it go well. These are the ways the white hat attackers would think, and also they would be helping the organization to identify organizational weaknesses. They are the specialists; they use the same kind of cyber weapons just to test the environment, whether any vulnerability is available on the network side or hardware side or even on the configuration part. People can identify it and they can create a report. The testing phase will be so interesting, that is wonderful; we can spend time even for a couple of days, a couple of weeks or a month, we can test it. I mean the part which I feel bad about is the reporting part: we need to rewrite everything in theory, including the screenshots, and why was the attack so critical, and how to make it repeat, I mean what are the procedures, the step-by-step procedure to reproduce it. That's the hefty task of a white hat hacker.

Typically, the black hat hacker, what do they do? They do the same thing, they use the same type of weapons: they try to manipulate the network, they try to penetrate the network, exfiltrate; they do everything for their personal cause. The person who has a bad intention with good professional or technical skills. And also one more person who sits in between, who can be called a grey hat hacker. He would be neither a good person nor a bad person; maybe for some time he works as a good one, but obviously there would be a change in his behaviour, and we cannot trust whether he would be a black hat or a white hat. He would always be like a neutral cat standing on a wall, which can jump to either side. As per the description on this slide, white hat hacking is carried out for planned, approved and ethical reasons. The one more thing is: planned, approved and ethical reasons, because when you do a pen test, obviously you need to get a written approval from the concerned team or concerned organization. Without consent, a written agreement or email agreement, whatever it may be, a signed agreement, you should not carry out any testing over a network or anything, because obviously it will lead you to legal action or anything that can be caused, because cyber laws are not so strict in our country. But even though, if it's a company which is not an Indian company, and he is from a different region, and who follows strict cyber security guidelines and cyber security law, obviously there is a possibility of getting it demanded through the government, and anyway one day or another, because every company will not obviously sue you, but there is obviously a chance of getting penalized and facing legal consequences, even when we do the same testing for a good purpose but without approval. The other people, they don't mind, they don't need authorization, they will not be ethical, and their intention is personal gain, or typically just for happiness, just for fun, or just to destroy a competitor company, etc. So we call the black hat hackers the people who are not ethical enough, who live in a darker place, who could not come out and work on dark secrets.

So what are the incentives of crime? What is the purpose of crime and what is the motivation for it? With this picture we can see that there is one percent of people who look for a reward. Reward in the sense that, as I already said to you, there are a lot of communities available, that is called bug bounty targets; there are plenty available there. People will openly host their software or openly host their hardware and they want you to test the software and hardware to find bugs, and when you find a bug, obviously they will pay you in huge cash. So vulnerability disclosure, the next generation of pen testing, the bug bounties, are where we can demonstrate ethical hacking skills and make cash, because usually these kinds of hackers will be paid well by the organization, but even as a part-time job you can do it. The other fraction of people, 51 percent of the people doing these activities, the intention is fun and thrill. People don't even bother about the money or fame or something; they carry this on only for thrill and fun, typically. But even some people do that if any site is challenging, or any site is complicated, or some people even say that my site is 100 percent protected or my company is
100 percent secured. It is easy for someone to try his skills on the web application, or the real enterprise network, or the cloud network, just to make sure that he is able to breach it. If he's able to break it, what happens? There are a lot of web pages where we can find, like Pastebin; these are freely available paste sites, some kind of online notepads, where people steal the credentials and post them on the internet. Look, when we search for it: "1.4 billion clear text credentials discovered in a single database", Facebook for example. We can try opening any of it; we are not sure how authentic it is. Okay, these seem to look like a script which automates some kind of attack, an exit process, for example. If the email addresses and passwords are freely posted somewhere, how does the raw data look? It is easy for anyone to compromise a network and you can simply publish it on the internet; when the credentials are out, it is easy for any person to get into it, get access to it. So nowhere are the digital network or digital devices 100 percent secure. And as we see, 51 percent of people are working for fun and thrill alone, only 19 percent work on the money and the gains, and 29 percent for moral issues. This is a simple chart which explains why the attacks are happening and what the intention is.

And cyber attacks are making news every day, not just a single day. The news contents which we are seeing here would be maybe from 2017, or maybe this was designed six months or one year ago; even new people might have heard that Pakistani banks got hacked. When you simply click on "cyber attack" in the news: "banks in cyber attack", "number nine cyber security tax is needed for better practices", "UK will be hit by a category 1 cyber attack, says the government". These attacks are publicly disclosed, I mean they inform that they are getting attacked, I mean they will be informing that you'll be getting attacked. So every day the vectors and weapons people use are more complex and more sophisticated, and that can do huge damage.

I can tell you an example: a bank from America got hacked because it partnered with the Bank of Bangladesh. That comes under operational risk, I mean business logic risk, because without due diligence the bank from America got a contract with a bank in Bangladesh for financial transactions and everything. So what was happening between the Bank of America, or the bank from America, and the bank from Bangladesh was trust. The network between the Bangladesh bank and the American bank could be secure; they might be having an IPsec tunnel or a VPN tunnel, or they might be having an MPLS secure connection. Any type of network connectivity between these two banks could be secure, but when a person is able to infiltrate or intrude into the Bank of Bangladesh, it is easy for him to go to the bank which is located in America and make the transaction, and within minutes, within hours, there were millions of transactions happening around the Asian countries, and that was a huge breach. So it's not only about protecting your network; you need to make sure who you are contracting with and who you are giving authorization to. Any misused credential, because we see that the credentials were publicly available: what could one of the credentials be? Maybe your cloud account, the admin account. When you give away a cloud admin account of your enterprise, what happens? Obviously there is a possibility of making changes or taking the total enterprise down. So it is always advisable to have multi-factor authentication for any sensitive account; even for a standard account it is necessary to implement multi-factor authentication, like username and password along with a token number, OTP number, iris or fingerprint scanner, whatever is feasible for you.

Cyber attack: what are the categories of cyber attack, what are the types of cyber attack? Compromising a computer or a network device, that is more common and more frequent, and the beauty of it is, 99 percent of breaches or compromises are not even getting detected. That's how the security of any environment works. I was supporting enterprise customers once, wherein I handled threats and risk; I mean I specially work on threats, not on configurations and the installation part. I work on the threat and I love to play with it. Whenever I see a compromise in the network or anything, when I talk to the people or when I talk to the senior team, they are not even sure that there was a breach, that there was an existing misconfiguration, or that existing tampering of the network protection has already been done. It is obviously human tendency to forget things, or laziness, or irresponsibility, or not following the proper procedures or the proper checklist step by step. When you do something you need to have a particular list of what the things are, the planning. I have even seen that on large enterprises, not only a company scaled at 100 to 200 million. In my experience as a support for customers I handled at least a thousand, two thousand five hundred incidents minimum in a three-year span. Most of the targets, most of the infections, most of the damage was not caused by advanced threats; these were regular infections, regular malware which spread across, which was not controlled, which was not proactively defended, which was not configured.

Even how can we detect malware in advance, I mean proactively? Proactively, there are multiple ways. Why are the antivirus softwares not detecting your malware? You are excluding some particular folders. There is always a rule of thumb: the AV software will always exclude the applications, the folders or devices, whatever you exclude. It means that you are letting the antivirus software know that it is a trusted application, so it should not do anything to it. It may be good for some locations. What if you are a developer, you are a software firm, you are developing some software which uses network tracking or network tracing, or if it needs some other advanced features which look similar to malware? The antivirus could easily block it, delete it or quarantine it, whatever; it can damage your project. So on those occasions you can exclude a particular folder, but not the complete subfolders or subtrees, or giving an exclusion to your root folder; that would be a huge mistake, and these are the ways people are getting there. When we found out why these malwares were not being caught, I mean why the antivirus was not catching them: typically, when you give an exclusion to the user folders, when you give an exclusion to the C drive, anything and everything that runs from it or anything downloaded to that folder will be trusted, and the antivirus will not take any action on the exclusions.

Ransomware can come through anyway; there is one method of distributing which is phishing, monetizing, or sometimes even defacing, or making a honeypot. Watering hole is a concept wherein, for example, a LinkedIn page. Phishing may not only be happening over an email; it may be through an SMS, it may be through misdirected URLs, you might be wrongly routed to something, DNS poisoning. There are many ways just to distribute the package to your computer; it's easy. We don't trust... as a hacker or an attacker I will not rely on a single method of distribution, I'll use multiple sources and multiple vectors to get into you. So the exclusions should be properly taken care of, and even on the network: when you exclude a particular subnet, or a particular type of devices, or the complete entire intranet, obviously any traffic between your computers inside the network will not be monitored and will not be tracked. Even if it has a good exception, what would the IDS or what would the IPS do? Usually the intrusion detection system and intrusion prevention system, those devices are not cheap devices; those are more costly and high-budget devices, and misconfiguring them or not
configuring them, badly, it's just like there is no device in between, no protection in between, to be simpler. So again, disruption of service, deception of service: we can take down one of your DNS servers or deface your general login page. When you take down your login page, people will obviously not be able to log in; they will not be able to work from home or connect to your corporate network and work remotely, so that could be some of the disruption in the service.

Data theft: we've seen it multiple times, any data whatever it may be, personal data, your customer data, your company data. Even a company can decide the data is not worth anything and it is useless, but that could give so much information to a hacker or so much information to the competitor. So the classification of data is so important, so that we can categorize it; that's how we can protect it. Even if the data is not required, it's not valid and it is no longer important to you, proper disposal of data is important. If it's printed material you always use a shredder and just chunk the papers out, wherein no one can arrange it back and read it. And even if you want to erase it, there are multiple ways to securely erase the data from your computer. Simply deleting it so it goes to the recycle bin, and getting it back from the recycle bin, even a kid from first standard could do it. But even for deleting some file from a computer and recovering it using data recovery software, it is easy; everything is available online and most of the tools are freely available. So when you search for data recovery you get multiple softwares which you can run on a particular sector of your hard drive and recover the data which was accidentally deleted or intentionally deleted. It is nowhere safe.

So injection: injections are more common, more frequent. When you take a web application, obviously they are injecting SQL query strings, or injecting additional script code into the regular program: cross-site scripting or cross-site request forgery, both are similar to the injection type; they are just injecting unwanted or malicious code into your existing working regular program. But in a regular Windows-based application which is already installed, there are people who have technologies or techniques to inject rogue DLLs, rogue EXEs or rogue OCX files, any supporting file that can be injected, or a non-normal exe file which can perform malicious tasks.

It is not recommended to have more than one or two softwares, because we don't want to reduce the performance. A combination of two antiviruses is not good, but if you have an antivirus installed and you have an anti-malware component, I mean if you have an intrusion prevention system or any other protection technology installed that needs to be installed, that can be done. But having two different antiviruses, what will happen is, for any type of file accessed, or anything which is in memory, two applications will be scanning the same thing; there is a possibility of conflict between these two applications, and that might reduce the performance. My suggestion would be not having softwares for the same purpose. If your antivirus A1 takes care only of the antivirus part, you can take care of it or you can install it; if antivirus two is specifically designed and it works only with the S5 as an antivirus and will not interfere with any of antivirus one's activity, you can obviously have it.

And advanced persistent threats are not so common for civilians or small to medium scale enterprises. These APTs are so advanced, and they are developed by highly trained professionals, and it will mostly be state sponsored, or a country-to-country attack, or a country to large organization attack. So on those occasions the APTs come into place, but you will not find it on your computer, and even if it's on a computer we will not know whether it resides as malware or not; it will not work until it gets... I mean, most people might have seen a movie like Holiday, or Tamil movies, etc., wherein people talk about a sleeper cell, right? These APTs will be exactly the same as the sleeper cell person. It will be in your computer, it will be on a network device, it will be in multiple parts, fragmented across multiple devices, and until you receive a command it will not function; even for years or months it will stay inactive.

Compromise of a device: what are we going to get from compromising a device? We'll be getting full control over it and we can do anything. If I have full control over a computer device I can restrict access for other users, or I can do additional tasks which are not intended for me, I mean which I am not designated for. For example, when you have root access, admin access, power user credentials, anything, you can do that. Elevation, appropriate elevation of privilege, is nothing but from a standard user or normal user you are getting yourself to a super user or a power user; I mean the privilege of the user account is getting increased. So what happens, the outcome: once control is achieved it gives huge power to the hacker to carry on a multitude of attacks. So when you gain an administrator account you can use the account to take over other systems on the network as well. So compromising a single device will lead you to the total network going down. As a security saying, people always say that you are as strong as your weakest link. Every link has to be strong enough just to hold, so if any one of the links is weak, obviously the chain will get broken. It is always mandatory to treat each and every device, every node or every host connected, as the weakest link in the chain; we need to treat them as the weaker link and protect them as far as we can.

So the disruption in the service: what we can have is the disruption in the service; normally the service will not function properly or there is poor performance in the service. So what are the outcomes? System failure, system downtime, revenue loss, reputation loss. Reputation loss, yeah, for example when a third party tries to log in to access; I'm using Office 365 as an email, for example. If I'm not able to log into the email online and I'm not able to send or receive emails, or even if I log into Gmail or not, that could be a reputation loss. The fitness tracking app, that was also known: a GPS-enabled tracking device which gave the exact map of what the infrastructure is. Mostly Google Maps or any other mapping network will be highly censored, and you can only see the civilian information on Google Maps or any map which is freely available; even NASA has published this map, but the maps are censored; any military or any confidential information will not be available. But these kinds of fitness apps which are connected to a GPS-enabled fitness device, obviously a person can track how long, or what is the specific physical activity, and what are the areas he moves in, just to make sure of calculating the right amount of information. But that was stolen and it helped the bad guys to track exactly where he goes and what his office locations are. If a person typically from nine to five, Monday to Friday, is in this particular location, it is easy for us to guess: nine to five at a particular location from Monday to Friday, every day, every week he goes; obviously that might be his work location. So tracking his GPS location and tracing out where exactly he goes, where the various rounds are, we can give a visual map of it.

Okay, this is one of the tools which I was informing you about, Maltego, which has multiple editions; we are using the Maltego Community Edition which is free, but just to run it we need to have an account registered, and it will not have the complete features. I should be receiving the password in my email. So I can check what was the offer at the time: if I want to pursue a course on blockchain in December
Jan 2017 it was around 399 okay I can compare it what is the exact growth it is if it's uh costing 300 why it was cost 99 extra at that time or if it costing 500 why it was costing 100 extra at this time so for a gauging performance uh financial status or what is the market value of a stock at the time we can compare how what is the growth and who was the what are the changes what are the major plans which made the company to grow our company to District so we can use one of this way back tool these are types of reconnaissance so objective of an ATP what it is it's uh long-term reconnaissance it will stay in your computer it will stay stealthy and not in antivirus or high-end Appliance can detect it because it will not function when the ATP is splitted across a component one is residing on computer one component two is receding on computer 2 for example if I scan only the component one I would not find anything from it the component 2 I individually scan the component it would not work on it the ability to act on targets quickly after establishment so once everything is done when the action is triggered it is like a software I mean regular software application which also get the patches or upgrades available have you heard about the malware which are getting upgrades available like Windows update so whenever they find even in the inside the network they'll be testing it how it works when when one of the component is not functioning obviously it will replace it it will get itself downloaded or any of the new modules or improved code or improved functionalities available it will be automatically replaced so when it's in the network it's it can be self-destructive there is no need for anyone to go if I need to delete it I can get it deleted permanently and also securely even people cannot recover there is a news that virus total I mean virus total is a important web page I'm a web application education where it gathers a open source Intelligence on the malware virus 
Total is owned by, owned I cannot say, it is a subsidiary of Google. You can search: if you find any site to be malicious, you can scan the URL; if you get some email from any malware, too. With an AI function, artificial intelligence, what will it do on a residual file? It will not go and scan each and every file; when the components are inactive it will not go to the level where it reads the code in it. Advanced machine learning, deep intelligence, these are all marketing terms which do not actually work in the real-life environment. Any antivirus company will say that they are sophisticated, that they work on it, but typically in the real world it has to work, and for the AV to work properly we need to configure it, and for configuration we need to understand the environment.

What are the attack types? I mean, actively we can attack or passively we can attack. So what do we do actively? Actively we do the intrusion; intrusion is just penetrating or getting into your network or into your computer, making disruption to the service or your computer environment, or making it crash. Thus actively you can do it. Some examples for it: draining the server, high utilization of system resources to make it perform badly. Spoofing: spoofing is something like, if I got hacked into your computer, I can send emails from your email address. Most people have the tendency of remembering the password in the browser; if I get into your computer I can access multiple accounts, when I open a browser it will always show the pre-filled autofill usernames and passwords, so I'll get into many of your accounts. Or even if I don't, I can create some account like yourself and pretend that I'm messaging someone on your behalf. The passive attacks can be like sniffing a password, sniffing network traffic; with sniffing there will not be active participation, but we will be capturing, I mean capturing the packets or monitoring the traffic or monitoring what activity is happening in the network. It is simply like information gathering, reconnaissance, etc.

Spoofing: the attacker hides his identity or pretends to be someone else to the victim, to gain trust on someone's behalf. If I talk to your friend as yourself, obviously he will trust me. And what if I have a similar email address, or create a similar Facebook ID or similar Instagram ID, knowing some things about you? Knowing a person is so easy, because when you work at a company, gathering information step by step, say simple phone calls will do: call the reception and check whether you're working there or not, and if you're working, which team you are in; just multiple calls, or Google searches, or LinkedIn, the open source intelligence like Maltego. There are tools like Scrapy which will gather information about a particular person or a particular entity. This spoofing may be IP spoofing, email spoofing, web spoofing; spoofing is manipulating or just making a false identity. Fortunately we have a picture which explains what this spoofing is. Spoofing is also a kind of man-in-the-middle attack. The person on the left: the spoofed IP is 10.20.25.30; actually what the attacker's real IP is, is 10.20.25.50.
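The spoofed-source scenario on the slide, with replies landing on whichever address the attacker wrote into the packet, is exactly what BCP 38 ingress/egress filtering exists to stop. The following is an added example, not code from the lecture or from any vendor: a small anti-spoofing audit in Python over constructed flow records. Only the 10.20.25.30 and 10.20.25.50 addresses come from the slide; the interface names, the 10.20.25.0/24 prefix and the other addresses are assumptions made for the example.

```python
# Added example (not from the original lecture or any vendor's code):
# a BCP 38-style anti-spoofing audit over constructed flow records.
# The interface names, the 10.20.25.0/24 prefix and the records are assumptions
# for the example; only 10.20.25.30 / 10.20.25.50 are taken from the slide.
import ipaddress
from typing import List, Optional, Tuple

# Source prefixes that legitimately sit behind the "inside" interface.
INSIDE_PREFIXES = [ipaddress.ip_network("10.20.25.0/24")]
# Ranges that must never appear as a source on the Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def is_spoofed(iface: str, src: str, dst: str) -> Optional[str]:
    """Return why a packet's addressing is implausible for the interface it
    arrived on, or None if it looks legitimate."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "inside":
        # Egress rule: a LAN host may only send from our own prefix, so a
        # compromised inside host cannot impersonate an outside address.
        if not _in_any(s, INSIDE_PREFIXES):
            return "egress spoof: internal host using a foreign source address"
    else:
        # Ingress rule: packets from the Internet can never carry one of our
        # internal addresses as source, which is the slide's trick.
        if _in_any(s, INSIDE_PREFIXES):
            return "ingress spoof: external packet claims an internal source"
        if _in_any(s, BOGONS):
            return "bogon: external packet from a private/reserved source range"
    # Smurf-style amplification: a request aimed at a directed broadcast makes
    # every host on the segment answer the (spoofed) source.
    if any(d == n.broadcast_address for n in INSIDE_PREFIXES):
        return "amplification: destination is a directed broadcast address"
    return None


# Constructed flow records: (arriving interface, source, destination).
FLOWS: List[Tuple[str, str, str]] = [
    ("inside",  "10.20.25.30", "93.184.216.34"),  # normal outbound traffic
    ("outside", "10.20.25.50", "10.20.25.30"),    # Internet host forging the
                                                  # internal 10.20.25.50
    ("inside",  "10.20.25.50", "10.20.25.255"),   # ping at the broadcast addr
    ("outside", "192.168.1.7", "10.20.25.30"),    # private source from outside
    ("inside",  "203.0.113.9", "8.8.8.8"),        # LAN host forging an
                                                  # external source
]


def audit(flows) -> List[Tuple[int, str]]:
    """Return (index, reason) for every flow the filter would drop."""
    return [(i, r) for i, (iface, src, dst) in enumerate(flows)
            if (r := is_spoofed(iface, src, dst))]


if __name__ == "__main__":
    for i, reason in audit(FLOWS):
        print(f"flow {i}: DROP {FLOWS[i]} -> {reason}")
```

The router-side equivalent of these three rules is a pair of ACLs (or unicast RPF) on the edge: drop inbound packets whose source is one of your own prefixes or a bogon, drop outbound packets whose source is not one of your prefixes, and disable directed broadcasts. The filter does not tell you who the attacker really is; it only guarantees that the replies in the slide's picture cannot be steered at a victim through your network.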
This is the IP address of the attacker, and he impersonates: he makes a spoofed IP of the same person and he sends a wrong message or forwards a wrong packet. He targets something in the network, even a simple ARP request or ping request, which can be created on behalf of this spoofed IP. When I broadcast some unique packet, obviously a TCP packet will have a three-way handshake, and when I initiate the transaction, obviously a return will be sent to the target. So if I manipulate this IP with 10.20.25.30 and send it across, not only to a single victim but to multiple IPs, what happens? The reply will come back to the spoofed IP, making it a DoS attack. I mean, for a single request broadcast by a different person, the reply will be sent to the spoofed person, so thousands or hundreds of replies come to that person at a single point of time, and there will be a disruption in the network. That can also be done with the IP spoofing method, or you can impersonate that you are using this message. Sometimes the Internet relay chats will use the IP address to reply back, similar to the Smurf attack of the DDoS.

Okay, similarly the destination: after the hacker sends his real IP, what he sends, he sends from IP 10.20.25.50 to the IP address. Similarly, just by manipulating his IP address or email address, he clones or modifies his existing identification. The hacker impersonates or alters his own IP address to the spoofed IP address; the spoofed IP address is 10.20.25.50, the original IP address is 10.20.25.30. The hacker sends a message to a receiving machine masquerading as the spoofed machine; the receiver interprets the message as if it has been sent by the spoofed machine, so the real identity will not be visible, but the recipient will think that the person who sits in the middle sent the attack, I mean sent the message. Actually the receiver replies back to the spoofed message, so the hacker does not actually receive the message from that machine, because in turn every computer will reply to the sender alone, not to the spoofed one. The computers or the network devices are not intelligent enough to identify the spoofs.

So email spoofing is simply creating an email account or email impersonation. There are multiple webmail security appliances which can identify email impersonation. For example, what is it: ceo.rkm.organization@yahoo.com. The actual email address is ceo.rkm@organization.com, but instead of it what he does is ceo.rkm.organization@yahoo.com; the hacker creates a wrong ID. But typically when a person receives an email from it, most of the time the email address will be hidden and the first name and last name of the sender will be visible to the recipient. What happens when he gets a ceo.rkm.organization email created and he sets the first name as CEO and the last name as RKM? Obviously the email will be displayed as sent by "CEO RKM", and if the hacker is good enough, he can try creating a signature resembling the original one, and the email body in the same font style, exactly how the original person typically sends it. If we can replicate the same in this scenario, obviously it is easy for someone to trick other people with this kind of email spoofing.

With that, web spoofing: when a person buys google.com, instead of google he buys googly or a similar name. In this example funfair.com is the original one, and these are the probabilities: firmware, firmware; these are the probabilities that people will obviously type it wrong. I mean, making a spelling mistake is a repeated human error, no one is perfect in typing, so obviously there's a possibility of it redirecting to a different web page, and this web page can look similar to funfair. What will happen when a person types in a URL? When he visits a web page he will be curious about watching the content, what is visible. Whenever I go to VirusTotal, I'll be curious only about the content; I will not be noticing what exactly is in the URL or what I typed. When I type something, instead of funfair I typed firmware, and I came to a page resembling the original one; I will not think badly of it, I will keep on browsing in it. If it gives some download, I'll start downloading it; if I want to make some transaction, a financial transaction, now this is done. So URL or web spoofing is more common. These are also some of the methods by which malware can be delivered into your computer.

Watering hole is also a method wherein we track a particular set of employees, multiple employees of an organization: what is their regular pattern, are they using Facebook frequently, are they using a particular Facebook page frequently, or are they using a web page or web blog, what are their regular web habits. Not only web oriented, any particular traffic; in real-world scenarios also we can manipulate it, that is, actively we can social engineer, we can try to talk to him, we work with him, we sit with him, work with them, just to gather the information, whatever we can do. There is no limitation for any kind of attack; every day the attacks are expanding, the magnitude of attack is expanding. The techniques or tactics, the tools and weapons, are not what we used 10 years back when hacking was introduced, I mean when people started using additional tips and tricks to manipulate things just for fun and practice.

Yes, VirusTotal will help you in determining false positives. You can get the hash, or the location from where you downloaded the file, the hash value or URL, and you can search with it; that will give you the complete picture. So we try with the hash. When you search on a hash it not only searches with a single antivirus appliance, it scans with multiple AVs online. You have the major security vendors; when you search it shows the hash file: Avast, Malwarebytes, McAfee, ZoneAlarm, these are the AVs which detected the actual malware, but others still say it's a trusted one.
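Both tricks described above, the "CEO RKM" display name on a foreign mailbox and the googly/funfair-style lookalike domain, are cheap to catch at the mail gateway before a user ever sees the message. The following is an added example, not code from the lecture or from any mail-security product: two checks in Python, a display-name impersonation check and a typosquat check based on edit distance. The executive names, the protected domains and the sample From headers are constructed for the example; the ceo.rkm.organization@yahoo.com address and the googly/funfair names are the ones the lecture mentions.

```python
# Added example (not from the original lecture or any product): gateway-side
# checks for display-name impersonation and lookalike (typosquat) domains.
# EXECUTIVES, PROTECTED_DOMAINS and the sample headers are constructed.
from email.utils import parseaddr
from typing import List, Optional

# Domains we own or protect (hypothetical set for the example).
PROTECTED_DOMAINS = {"organization.com", "funfair.com", "google.com"}
# Display names that should only ever arrive from our own domain.
EXECUTIVES = {"ceo rkm", "rkm"}
# Domains within this many single-character edits of ours are suspicious.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_our_domain(domain: str) -> bool:
    domain = domain.lower()
    return any(domain == p or domain.endswith("." + p) for p in PROTECTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one mimics, or None."""
    domain = domain.lower()
    if is_our_domain(domain):
        return None
    for p in PROTECTED_DOMAINS:
        if levenshtein(domain, p) <= MAX_EDITS:
            return p
    return None


def check_from(from_header: str) -> List[str]:
    """Findings for a raw From: header value; empty list means nothing odd."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable From address"]
    local, domain = addr.rsplit("@", 1)
    local, domain, name = local.lower(), domain.lower(), name.strip().lower()
    if is_our_domain(domain):
        return []   # our own mail; whether it is forged is SPF/DKIM/DMARC's job
    findings = []
    if name in EXECUTIVES:
        findings.append(f"display-name impersonation of '{name}' "
                        f"from foreign domain {domain}")
    # The lecture's trick: our brand stuffed into the local part of a
    # webmail address so it still reads as organization mail at a glance.
    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[0]
        if brand in local:
            findings.append(f"protected brand '{brand}' in local part of "
                            f"foreign address {addr}")
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} is a lookalike of {target}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    for hdr in ('"CEO RKM" <ceo.rkm.organization@yahoo.com>',
                '"CEO RKM" <ceo.rkm@organization.com>',
                'Support <help@googly.com>',
                'Tickets <sales@funfiar.com>',
                'Vendor <news@firmware.com>'):
        print(hdr, "->", check_from(hdr) or "ok")
```

Note that "firmware.com" is not flagged: it is five or more edits away from "funfair.com", so an edit-distance rule catches transpositions and single typos (funfiar, googly) but not the phonetic or visual confusion the lecturer describes; for that you would add a separately maintained list of known confusables. Also note that a matching domain is deliberately passed through here, because whether mail claiming to be from organization.com is genuine is a question for SPF, DKIM and DMARC, not for display-name heuristics.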
We can go inside and dig deep enough: what is the actual PE information, in which language it was written, what components are associated with it, what DLLs are associated with it. We can also check the relation between other similar malware in it. So this is the registry key which was used in this. When you look at this, every antivirus solution will have a particular naming convention: PUP, PUA, potentially unwanted application, potentially unwanted program, or the abbreviation of it; adware, some call it adware with the iteration, just Win32, a version, Win, the data error. These are the bundles, these are the families of the malware which can be identified. If you want to know more about SentinelOne, how this was classified: SentinelOne was the random type; NANO and others do not give me anything about it. So the popular malware blogs should have a blog on it; Malwarebytes has it, so it tells you the basics about what type of infection it is. Symantec has a huge virus database, so each and every type of malware will have a detailed description of how it functions, when the last detection was, when the antivirus release date was, and a manual removal method will also be provided.

Analyzing the logs will not give you the hash values; sometimes hashes may be obtained, it depends on what kind of log you analyze. Most of the time we'll know what kind of file it is, actually, and we'll start searching with the file name. For example, I got v4nx.ini; this is the file I was able to identify. We need to search where exactly this is located and what it was related to. For example, if I usually go to ten places, if I'm in the temp folder and I see something strange with the names or strange folders, I usually get into it just to see what's inside. It is always a best practice to go with the tree view kind of navigation, not directly by double-clicking the folders; sometimes it's even a better idea to have the file extension shown along with it, because sometimes the exe files will clone the icon and it will look like a folder; when you double-click it, it automatically starts. So always have file extensions enabled, so that you ensure what kind of extension you are working on: is it exactly a folder or is it a file type? Some files even don't have a file extension, so this will be modified all the time. When you find something suspicious, when there is no file size or file type assigned, it is hard for you to determine which application it relates to, but these files are common when malware gets downloaded. This will be encoded characters which cannot be read by humans, so when you open some file it will be assembled gibberish; we cannot read it, but the actual malware can translate it back and it can modify the file to a different executable or a different readable form, whatever the machine can read. But we are not smart enough to read all the things the machine reads. It is like tracing one thing: tracing a name, with the name we get some location of it, with the location we go to identify why this is actually there. We can always try opening these kinds of INF files, DMP files, in a notepad or a word processor; my preferred editor would be Notepad++, or some of my colleagues use Sublime Text. So Malwarebytes gives information on it, some other vendors give information on it, you can even browse through it; there are plenty of sites we can leverage, there are community-wise web pages and applications which can be used by us.

DoS attack: we frequently see that just stopping the service or reducing the performance of something is called DoS, denial of service. Session hijacking: session hijacking can be done by manipulating the cookies or the session. What is the session? For every transaction, TCP or HTTP, or even a single application installed on the computer, will maintain a session which is associated with your user. So what happens: this is some cookie editor, for example I'm running it on edureka.com; these are the values of the cookies available here. So this cookie related to this web page will have multiple pieces of information about me, and when I get this, for example if this is my value for joining, by manipulating the values I can definitely modify things. The value of a login session is _ga1. This is the one; when I manipulate it with something else, 5047 instead of 4750, I'll manipulate, I'll update and reload. VirusTotal is not working for the cookie edit, because every time I refresh, the real value of the cookie is getting changed; but some sites would not. For example, this is how the session ID would look: alphanumeric, sometimes it's a JSESSIONID token or some token. When I get this I can definitely modify it and open it in a different browser. This is the cookie editor, I got it; I'll copy the home page here; it asks me to sign in with username and password; let me add a cookie here, copy the information, the UI session and the session. So we made a session; a simultaneous session is not valid usually. We can capture the session cookie from any of the cookies available and we can clone it in whatever browser we have live. This is how the session will be hijacked.

Usually the session ID will be transmitted when you enter a password in your network. In your corporate environment, when you type in your username and your password, it will not be sent over the network as plain text or cipher text; only the hash value of the password will be sent across. When the hash value of the password is sent across, we can have multiple decrypters or deciphering tools; when we enter the hash value we can get the similar original text, and with it we can directly bypass the authentication mechanism of any Windows environment.

Buffer overflow is one of the techniques which we can frequently see on Windows executables, and not only Windows executables, Mac or Linux too. What is a buffer? A buffer is a stack, or a piece, a chunk of memory, which is allotted for a particular program. If you have one gigabyte
of RAM or two gigabytes of RAM and you run multiple applications, for example I'm using the web browser Firefox here, Firefox uses a particular memory location on the physical RAM, or even if it's page file storage, any storage where the system uses it. And what happens if some application tricks the memory, if it rewrites or changes the memory location or alters it when a fixed location is given? So this is the room for your complete memory; the red portion here is used, the green, and this is the actual location which Mozilla Firefox is utilizing, and the remaining portion is empty, so you cannot access more when particular memory is processed. This is the allotted memory space; whenever data is processed it will be recycling the data. This is not residual data, it is live data which will be periodically changed and actively monitored. So every chunk will have a separate memory address. This is for a process to be functioning; for every single function we have a separate one; these are called buffers in memory, in the complete memory stack. You'll have buffer one, buffer two; we'll be flooding the memory with additional unwanted information. So the green area is reserved for other applications and cannot be used, only the blue is available for Mozilla Firefox, and the black is unusable memory, and this is the available stack. But what I do is start populating it with the other, the red, memory objects. So when I replace it, when I overwrite it, when I flood it, I'll make confusion in the memory system just by using the regular memory addressing; I'll be manipulating it, I'll be flooding additional information into the existing buffer location, and that makes the application malfunction or crash. So a similar scenario can be used for crashing the application: if you are able to read the memory live and identify the memory location where the application resides, you can replace the particular function of Mozilla Firefox with your custom code and you can make it execute via that particular application. Not only Firefox; as I said before, there are network services which could be running on Windows or network devices. When we have access to them, those applications will already be running with higher privileges. When we have direct access to them in memory, direct memory access will be restricted in most of the scenarios, but even with minimum knowledge or minimum leverageable tools we can inject code into memory or overflow a buffer; we can fill the memory stack with unwanted information just to make it crash or to manipulate the actual functionality.

Cyber attack lifecycle, or we can also call it the cyber kill chain; this is called the cyber kill chain: what are the phases of attack and how do we do the attack. This is also described and prescribed by NIST, and the code for it is SP 800-150. These are the levels; there are seven stages of the attack lifecycle, and every phase is very much important. The first phase would be reconnaissance. Reconnaissance is understanding, gathering information, collecting information and analyzing it, identifying who you are and what the target is all about, what the weakness is or what the infrastructure is, researching on it. The research and development and everything happening in the reconnaissance phase is to identify each and every single pinpoint of information to make use of it. The second thing is weaponizing. Weaponizing is the phase in which we'll be particularly crafting a payload. So every targeted attack will have a specific environment in mind: the attacker will not deploy Mac-based malware to your Windows infrastructure, or Windows-based malware to your Mac-based infrastructure; that will obviously be useless. If I want to target your mainframe computer my payload will be different; if I want to target your Linux computers that payload will be different. After understanding, after detailed gathering of information about your
network, if the malware comes in, it would be easy for me to show you a tree-like view. For example, if this is the computer organization, the malware can give you information about each and every folder. This is the category; for example, PerfLogs would be a finance department and Program Files might be your IT department, with its subdivisions under it. You can correlate it with the regular file structure in Windows Explorer, or to a CPU or domain structure, how it is configured and what operating systems are in it. So when I fingerprint the network I come to know what operating system and what IP address, what subnets are involved, what ports are open, everything. After gathering, I create this customized payload just for your environment, and after crafting it I'll get it ready.

The third phase is the delivery phase. The delivery phase could be phishing emails, drive-by downloads, or malvertising, internal redirects; the attacker may be able to poison your DNS so it will be routed to the wrong website to download the payload; or, as we've seen, web session spoofing; multiple vectors can be used. Or, as we've seen in the Stuxnet scenario, I'll copy the malware onto a pen drive and throw it outside your company premises; any of your employees could pick up the pen drive and get it connected to a computer which is inside your network. So anyway the malware is delivered.

After delivery the exploitation phase starts. In the exploitation phase, after what the payload is designed for is delivered, it starts executing. Phase 5 is collecting or gathering additional information from the C2 servers, installing it or making it remotely accessible. What exactly does it install? It may be installing a backdoor, it may be a remote access Trojan, or it may be setting up just to give elevated privileges; it might be residing in a computer without any action, it might be at rest. So the sixth phase, command and control: the command and control center will give the instruction on what to do, what things are to be performed, because any and every malware is designed that way; the most advanced malware will obviously need a command and control center, they will not act on their own. When they have no connectivity with the C2 center the purpose would be simply idle, or if they did not work for a particular month or particular time frame, just like an expiry date: if there is an expiry date, if they are not able to reach the command center after installation for more than 30 days or 40 days, they will self-destruct and delete themselves from there. And phase seven: once the things are done, when the C2 receives the command and it gets additional packages and installs itself on the network, it is ready; now the attacker is good to go and he can do anything he wishes to on the network, on the compromised environment.

These are the seven steps, a layer-by-layer approach: initially gathering information, identifying or understanding the target; second, we customize, especially craft malware which is specific for the environment; third, we deliver it, and after delivering it the exploit starts; then he installs the remotely accessible pieces of software that ensure stubborn persistence on the target environment; and command and control in phase six: the hacker uses the installed bug to launch a remote C2 channel with the compromised device, so the communication securely happens; seven, act on the objectives, so this is the place where the actual hacker's interference or the hacker's motive will be achieved. This is the cyber kill chain matrix, what we saw in the previous slide, which was almost the same with explanation, but it shows how it goes. So what are the things we can do? Proactive controls, protection and detection, have to be in place within the reconnaissance, weaponization and delivery phases; the protection and detection mechanism has to be in place. But when it passes to stage 5,
installation, command and control, and objectives, what we do will be reactive. The two types of response we provide are proactive response and reactive response, and the reactive controls are incident response and recovery, when it crosses the exploitation phase and after it gets installed on the local device. Reconnaissance, weaponize, deliver, exploit, install, communicate with the C2, act on the objective.

Phase one, what is the reconnaissance phase? The effort of an attacker towards gathering maximum information on the target: network information, architecture information, operating system and other specific information on it. The data can be gathered from public sources or dumpster diving or Google search, social engineering, any means; whatever the means may be, the attacker will gather information about your organization. So this is the phase where he'll be identifying who the active users are, who the directors are, who the IT administrators are, what kind of credentials are used, what things can be used, whose account can be compromised easily the first time; so it might be helpful to breach other accounts as well to reach the objective. What are the types? Active intervention: they perform penetration testing and they use the cyber weapons to test in the attack. Passive is already getting, gathering, or paying some amount and getting information about your company; if I am not actively participating in the collection of your data, that is passive, I can use some other source to gather information about you. So what are the tools available apart from physical human intelligence? A variety of freely available resources are used for gathering and correlating information on it: Google tricks, Shodan, ZoomEye, Censys, dark web marketplaces for gathering leaked details of servers and users' information. So there are marketplaces available where you can purchase the leaked information of user credentials; sometimes even hackers can post it on a Pastebin, where you can use the credentials to try to access it. It is most common when a hacker steals Netflix or Amazon Prime accounts; these accounts are easily hacked and these credentials are easily available around, and a single account gets shared between multiple users. That's happening; we cannot control them, but still it happens.

So what are the ways we can mitigate in the reconnaissance phase? There should be proper detection and prevention controls in each and every layer. System hardening, vulnerability management, patching and configuration management are the key objectives, I mean the key controls available: when you harden the image, harden the operating system, when all the vulnerabilities are patched, there is no vulnerable one, no existing one, and the software, the network devices, the applications and everything are configured properly. Configured properly means the right configuration that suits your enterprise or environment, and also policy streamlining. In the first phase we can use deception technology. Deceptions are nothing but something like a regular computer or regular device which will be imitating or mimicking the actions, wherein bots or users who try to penetrate inside the network will think this is also one kind of real system; it's like a toy or robot, or someone in disguise, to compare to a real-life scenario: someone disguising as a clown or someone disguising as the house owner; you might have come across multiple examples. It is something like this: the same attacks will also be happening on the honeypots. The honeypot will not get damaged, because its main purpose is to get attacked and get compromised and get breached, and these attacks and compromises will be blocked. These are a primary source, these are the initial vectors; the honeypots will be kept on the initial layers where the detection will happen, where the intrusion will happen. So when there is any alert or any tampering in the settings or configuration, with the notification we can also go
for the next level of protection; once the alert is taken, it's obviously up to us to jump into action.

Phase two, what we discussed, is the weaponization phase. A hacker's goal is to create a bot or a Trojan or malware, whichever suits your infrastructure, especially crafted. If you don't have an email server hosted on your premises, I will not load a component which attacks the Exchange server or Domino server, or I won't have an additional module which needs to be included in the existing payload; I'll just target the Windows-based operating system and the Windows-based services, that's enough. If I see your endpoint computers are worthless, I just need to target your server: a web server would obviously be publicly hosted or internally hosted, on the intranet; I need to take it down, I need to specifically write and include in the package whatever web server service may be running. Typically they use IIS or Apache servers most commonly; if you use a different kind of web server I use a specific payload which can take down your web server. The only thing I need in this phase: I'll be understanding, I mean I'll be making a package custom, I'll wrap it up as a gift package and get it ready. So what tools can I use for it? I can use Metasploit, the Veil framework, Lucky Strike; these are the frameworks which are available for us to customize, to custom-create a package in a matter of just a few clicks or one or two lines of commands. These are already done. In India and globally we find more script kiddies. Script kiddies are the people who really want to become a hacker and do not possess programming knowledge, or are unable to write code, but they are somehow smart: they get the tools downloaded from the internet, they go through blogs or go through the dark net to read some articles and how-tos; they use the predefined, pre-customized scripts which are available. Even in this session, when we searched on Pastebin we found multiple exploits written in multiple languages, so those can be used on the existing framework, and we can customize them and deploy them as per the need.

So the delivery phase, what is it? The delivery phase, after making the package for you, is gift-wrapping it and sending it, a name, whatever it may be; the objective is to deliver the actual weapon inside your environment. We can use any type of tool, like social engineering; you can distribute malware-containing USB drives, malware of any type, anything. So what can we do for mitigation? For mitigation you can use IDS, IPS, firewall, and if I'm targeting a web application server I can install a web application firewall, and also there is security training to be given to the employees. Employees are the very first source, the very first misconfiguration, we can call it error, because we humans always tend to make mistakes. How many times do we accidentally, or repeatedly, wantedly, unknowingly, do something which is not meant to be done, which is not to be done in the enterprise, which can take down the server for some time? Even a single reboot: everyone knows that we should not reboot a computer during production use, but accidentally, if someone instead of log off clicked on shutdown, or instead of log off clicked restart, a server will take at least 5-10 minutes to get a proper boot up, so during that time it will also be like a denial of service attack, but due to human error. So proper training about security and how we should respond to every cyber incident: when we receive an email from a strange person, what are the things we need to look into, what are the best practices; if every computer is provided with antivirus or some solution, and they keep popping up with notifications stating there is a virus or malware or the antivirus is out of date, we need to educate the user to reach out to the help desk or the service desk so that the right people will be notified and we can get into the work and get to fix it. So the training and awareness program is important for any employee at any level, as it is the tendency of any human to make mistakes.

Exploitation phase, phase four: this is the phase after delivering the package. The package gets into the environment, the exploitation payload actually gets into it, and already known vulnerabilities are getting exploited during this phase. So what types of attack can I do? I can do a malware dropper. A malware dropper is nothing but a small component which does not have any malicious functionality other than downloading something from the internet. I write a single line of code; once it's executed, or once a similar action or similar event happens, I mean logic bombs, multiple things, we can create a single line of code to download a particular file and run it. This can be written in a single batch file; I don't need to be a good programmer to write a bat script or a PowerShell script to download a file and execute it, that can be done. It is a human tendency to download any file that can be run. So the malware dropper will just download it and install the other software. Remote code execution: that's also remote, from your computer you can explore, you can take control, you can run, you can execute commands on a remote machine. Buffer overflow we have already seen; integer overflow, buffer overflow, system crash, memory leak, these are more common. Mitigation controls, what can we do? We can implement process monitoring, host intrusion detection systems, anti-malware, system hardening, and again we come back to security awareness.

Installation: after the successful installation, if it's already customized malware which is ready for the environment, it's done; or in case it's a malware downloader, it downloads and gets itself installed on the computer. It makes sure that whenever a user deletes it or the antivirus deletes the malware, it tries to recover, or if some portion of the malware is deleted it again downloads it; if some portion of the malware is missing, it somehow
wants to retain its persistence in the network host introduction detection system are typically software based when it placed on a network interest detection system is just like a device which is on a pass-through device not like a firewall what firewall does it monitors every traffic it based on the rules every traffic it lets in or blocks in intuition deduction system it lets every traffic inside and it makes a track software so when something is malicious and when something is similar to a malware Behavior or suspicious Behavior it creates an alert that is the only difference if it's an intrusion prevention system instead of alert it will block so that is the difference between IPS and IDs so when the same kind of detection system is installed in a host that is a application that comes along with the antivirus for example so this is one of the antivirus which is Enterprise Edition which available you can see that Network and host exploits mitigation is one of the components what action it does is it monitors the incoming and outgoing traffic and it also has a intuition prevention system built in so this component is called hips host based iteration prevention so when it's on a network level it is network based interaction prevention so there are multiple companies antiviruses proactive threat partition will have additional components like sonar and application device control Etc so when it's software it's a software post-based iteration prevention so what are the mitigation the network is security control endpoint security control server hardening the server monitoring user Behavior Analysis the user behavior analysis is important task in getting stuff I mean we cannot always expect the attack happening from the outside if it's a bad employee acting inside the company or what if a hacker want to hack into your company but if it is unsuccessful outside it is so easy for anyone to get a low cost job when you have a potential to earn lacks in money when you clear 
up an interview and if you are a fresher obviously if a company wants to just pay you 10 15 000 obviously the company would be happy identifying a best person it says even will be happy I got the best resource for the low cost so what happens when he comes in real intention is not to earn the ten thousand or fifteen thousand what the company gives in just to get into the infrastructure and physically that is a intruder I mean uh Insider when a person acts inside and he acts against your company not only a hacker needs to be run when unsatisfied employee I mean with the poor appraisals or poor High poor growth anything it may be whatever the human tendency whatever things makes a human behave abnormal or go beyond the ideal way user behavioral Swift incident response is very important in any such attempt Swift is nothing but how fast we can react how efficient we can react when a incident is notified when the incident in alert related to incident was triggered what are the measures we have in hand what are the plan we already have in hand what is the initial step we need to do and what are the precautionary measures we'll be taking in to slow down the attack because it is impossible to immediately stop the attack it is obviously possible to slow down the attack when a malware breaches the computer in a minute it reaches 100 computers we can reduce it to reach 50 computers a minute but it cannot be stopped on a single time so slowing down the computer and particular Network segment is getting infected we can take the network down I mean particularly segment down and specifically we can control them what happens our investigation team instant Response Team what they do there are multiple Specialists available the antivirus specialist the SM specialist the alert management Specialist or data recovery specialist even the forensic Specialists are available on site how organized they are and how they react and how fast they react and respond to the particular incident 
that's called Swift incident response the comfort and control center after the installation of back doors or the malware is previously staged this is the place where it communicates to the CNC Center we go through the objective it establishes a connection between the internal host and the external command and control center many times the CNC communication takes place in a small unnoticeable Sun hence the communication is not made often the frequency of the communication between the existing malware and the CNC Center will not be much frequent will be like a smaller package because for a human we need a message to be said mitigate the risk the actual location is there but for a mission it is easy we can program a code if we receive a number one start the attack if you receive the number two wait for the response if you receive the command number three self destruct so the size of the message received by the N malware or send that will be a small Trend that will go unnoticed for complex ATP the CNC servers are moved frequently from one IP or another IP this not only happening for complex ATP so even the ransomware's are having multiple server was every day the servers are getting routed or keeps on moving but these apts will be able to identify the next IP address I mean next URL because these IP addresses are web URLs are generated using a hashing algorithm so obviously the malware will know what would be their next IP address so everything is pre-programmed or logically it will make the decision on it the mitigation Advanced network security control the correlation between endpoint security controls user Behavior again again goes to the same script response in such a term the plan of action is everything is after getting into it the finally the attacker will take carries out his work and the mitigation on this stage is often too late because everything is set and everything is ready for the attacker to proceed the thing the Swift response and Recovery is the key 
and also it is essential to detect the bug or malware which is communicating to the CNC Center thing which we need to find it in the phase five phase six we left phase seven it's too late so obviously we need to plan for some other Disaster Recovery or backup that is a plan of action on the seven the phase seven it's obviously we say that it's too late it's almost over the same thing in a different diagram reconnaissance weaponization delivery exploitation installation CNC and Direction so what is a layered approach how depth we can get in so the difference is not a single tier architecture it's a multi-tier architecture every layer we Implement security so the core is the data so for protecting the data what are we doing is data backup local or off-site and also the plans for a disaster recovery business continuity is the next layer the first layer of approach which Target attacker needs to pass through is the security policy security policy is the first layer which is protecting everything when the policy is properly placed and appropriately the controls are set I would not say that it will stop the attack it will slow down the attack when the user education and application updates are done again it will slow down the attack or sometimes the possibility of blocking the attack is there web security filtering wireless security so layer by layer will be defending every segment so every layer an attacker passes through the speed of this bridge or the intensity of his attack is slowing down so what are the security controls we have female security that will keep on monitoring your incoming and outgoing emails your data loss prevention or information rights management software to ensure that the data are confidentially safe or it resides inside your network your network firewall to secure your network traffic cyber threat intelligence or platform feed cyber threat intelligence are commonly available with vendors like Verizon Simon Tech Fire eye these are openly 
available we can subscribe to it and sometimes most of intelligence are free for most of the customers detection response Advanced threat protection user Behavior analytics tuition prevention detection web application firewall each and every log from every application or everyday security device are fed into the security events and monitoring application which correlates each and every accident and every log why was the particular incident is related it just analyzes how could this log be compiled or correlated or what is the dependency of the log with this we can identify what are the relations between the logs from various sources on a particular instant or even sensual practices cyber difference in depth what are the things we need to do the discoverness culture building up I mean educating the user building up the awareness the proper Access Control Management and also securing your Cloud creating maintaining your up-to-date inventory asset inventory is a main key you need to know your assets and also the configuration so be vigilant to the threat intelligence and external both internal and focus on security by Design even from the any design any network or any new infrastructure design start including a security test based practices and all the things not only the cost Factor the performance Factor the implementation Factor how relabel or how usable it is is security has to be a contributing a major factor in it think about the security and add other attributes to your infrastructure and also your business process as well second framework there are a lot of security Frameworks available and as we already know that the we will be discussing on Nast nist cyber security framework which is uh guidelines provided by the security leader so once it's fit we have the option of making it the same to live monitor it can traffic our live monitoring a particular folder or gather information periodically we can configure as ever we can characteristic it's measurable cost 
balance technology agnostic flexible and repeatable and common linguistic so it should be common to understood by every business and adaptable every missedness and it can be measured how much we can Implement how much we can make let it can also help us to balance the cost involved in the implementing Security in the infrastructure and also technology wise we can Implement in which technology which concept or which control we can use it's flexible for any type of environment and it's repeatable so this is the objective of cyber security framework which is prescribed by nist so what happens initially describe the current security posture where the security of your Enterprise or environment currently is in and you need to identify what is the target security procedure so if you understand where you stand you need to decide where you move so the Improvement has to be identified the difference between the current state and the next state should be identified and the Improvement has to be continuous once we move repeat the process of Target and this is the target posture if there is any risk communicate again it's a cyclable process it is repeating whenever we complete a single phase it goes to the next phase in the clock it's a repeating Circle some of the other Frameworks height rest which takes care of health insurance and information related to the health sector keeper is also one of the thing pcdss which specifically talks about the digital transaction and digital cash cards or debit card credit card Etc ISO has multiple standards 27 000 which is on the generic requirements on security requirements what is needed for the organization and ISO 27002 is on implementing the required controls on the environment security system controls in this Frameworks on the other hand so these are the Frameworks which will provide you the guidelines on how to secure your data and your infrastructure so these are the key elements of cyber security program considering business 
priorities assets and processes document formal cyber security strategy and create a goal and objective on it different formal framework or risk management controls if you are not formally able to follow it there are risk management controls already available freely you can Implement readily available security Frameworks format evaluate what is your current strategy and where you are up to building a plan and to understand actually you need to Monitor and repeat the process again and again to make the improvements the improvement from zero hundred will not be achieved down a single cycle it might take a hundred Cycles or 200 cycles and the fraction of improvement should be always constant so nist cyber security framework has components identify product detect respond and recover these are the five steps which are prescribed it in the identification phase you need to identify the Assets in your management your business environment what is your current risk assessment happen and what is your current risk management strategy so these are the thing identification phase you need to identify your existing state the protection so only after identification you can protect your computers or provide Access Control provide training data security technology anything the production phase comes again comes next and third thing will be detection if there is any abnormality anomalies there is any threat the detection phase so once it detects the phase four we'll talk about how you respond what is the response plan how to communicate how soon the communication has to be sent to the right team or if it's a major risk whether it has to be communicate or cascaded to the stakeholders or it can be handled internally or externally so every plans and everythings will be handled on the recovery phase we'll talk on the BCP or Disaster Recovery or how do we improvise the existing plan thank you
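The session describes two things a defender can act on in the command-and-control phase: the malware's domains are generated by a hashing algorithm, so whoever holds the generator inputs can compute the same list, and the beacons themselves are small and infrequent, so they hide in proxy logs unless someone correlates them. The script below is an added example and is not code from the Edureka session. It uses a hypothetical DGA (SHA-256 over a seed, the date and an index; real families differ) and constructed proxy log lines, and shows both checks a SIEM correlation rule would run: matching destinations against the pre-computed DGA list for the day, and flagging a (source, destination) pair whose small requests arrive at near-constant intervals. The seed, hostnames and log format are all assumptions made for the example.

```python
# Added example, not code from the Edureka session. Two detections for the
# C&C phase described above, run over CONSTRUCTED proxy log lines:
#  1. a hypothetical DGA (SHA-256 over seed|date|index) that both the malware
#     and a defender holding the recovered seed can compute, so the defender
#     can pre-compute and sinkhole the next day's domains;
#  2. beacon detection: small requests at near-constant intervals to one host.
import hashlib
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

SEED = "hypothetical-campaign-seed"   # assumption: recovered from a sample
DAY = date(2023, 5, 1)               # constructed date for the sample log


def dga_domains(seed: str, day: date, count: int = 3) -> list:
    """Hypothetical DGA: first 12 hex chars of SHA-256(seed|date|index) + '.com'.
    Deterministic, so anyone holding the seed gets the same list for that day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        domains.append(digest[:12] + ".com")
    return domains


C2_DOMAIN = dga_domains(SEED, DAY)[0]

# Constructed proxy log: one infected host beaconing every ~5 min with ~210
# bytes, one normal host browsing with irregular gaps and larger requests.
SAMPLE_LOG = [
    f"2023-05-01 09:00:00 src=10.0.0.23 dst={C2_DOMAIN} bytes_out=210",
    "2023-05-01 09:00:10 src=10.0.0.45 dst=example.com bytes_out=4820",
    "2023-05-01 09:00:41 src=10.0.0.45 dst=example.com bytes_out=15200",
    "2023-05-01 09:01:00 src=10.0.0.45 dst=cdn.example.net bytes_out=120",
    "2023-05-01 09:01:05 src=10.0.0.45 dst=cdn.example.net bytes_out=118",
    f"2023-05-01 09:05:02 src=10.0.0.23 dst={C2_DOMAIN} bytes_out=214",
    "2023-05-01 09:07:03 src=10.0.0.45 dst=example.com bytes_out=900",
    f"2023-05-01 09:09:58 src=10.0.0.23 dst={C2_DOMAIN} bytes_out=208",
    "2023-05-01 09:12:00 src=10.0.0.45 dst=cdn.example.net bytes_out=121",
    f"2023-05-01 09:15:01 src=10.0.0.23 dst={C2_DOMAIN} bytes_out=211",
    f"2023-05-01 09:20:00 src=10.0.0.23 dst={C2_DOMAIN} bytes_out=209",
    "2023-05-01 09:30:00 src=10.0.0.45 dst=example.com bytes_out=3300",
    "2023-05-01 09:40:00 src=10.0.0.45 dst=cdn.example.net bytes_out=119",
]

LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def parse_proxy_log(lines):
    """Return (timestamp, src, dst, bytes_out) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, max_bytes=600, min_hits=4, max_jitter_s=5.0):
    """Flag (src, dst) pairs with at least min_hits small requests whose
    inter-arrival times have a standard deviation of at most max_jitter_s."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits or max(b for _, b in hits) > max_bytes:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            flagged[pair] = {"hits": len(hits), "period_s": statistics.mean(gaps)}
    return flagged


def match_dga(events, seed, day):
    """(src, dst) pairs whose destination is one of the DGA domains for that day."""
    expected = set(dga_domains(seed, day))
    return sorted({(src, dst) for _, src, dst, _ in events if dst in expected})


def run_demo():
    """Run both checks over the constructed log and return their findings."""
    events = parse_proxy_log(SAMPLE_LOG)
    return {"beacons": find_beacons(events), "dga_hits": match_dga(events, SEED, DAY)}


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(name, finding)
```

Only the infected host is flagged: its five requests are all under the byte threshold and arrive every 300 seconds with under three seconds of jitter, while the browsing host fails either the size check or the regularity check. The DGA match works because the generator is deterministic; the same property lets a defender who has recovered the seed from a sample block the coming days' domains before the malware rotates to them, which is the counter to the server hopping described in the session. Real implants add randomised sleep, so the jitter threshold is a tuning knob, not a constant.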

Original Description

🔥Certified Ethical Hacking Certification (CEH v13 AI): https://www.edureka.co/ceh-ethical-hacking-certification-course 🔥Cybersecurity Certification Course: https://www.edureka.co/cybersecurity-certification-training This Edureka "Phases in Cyber Security" video will give you an understanding of the basic concepts of Cybercrime & Types of Cybercrime.