Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Similar documents
Forensic Network Analysis in the Time of APTs

Command Line Review of Wireshark CLI Tools, tshark & more

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7

Automated Threat Management - in Real Time. Vectra Networks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

CSE 565 Computer Security Fall 2018

Activating Intrusion Prevention Service

Symantec Ransomware Protection

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Dynamic Datacenter Security Solidex, November 2009

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

intelop Stealth IPS false Positive

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Legal Informatics, Privacy and Cyber Crime

Gladiator Incident Alert

Imperva Incapsula Website Security

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

RSA Security Analytics

Comprehensive datacenter protection

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Compare Security Analytics Solutions

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Developing the Sensor Capability in Cyber Security

Computer Network Vulnerabilities

Visibility: The Foundation of your Cybersecurity Infrastructure. Marlin McFate Federal CTO, Riverbed

Incident Response Agility: Leverage the Past and Present into the Future

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

SIEM (Security Information Event Management)

Stopping Advanced Persistent Threats In Cloud and DataCenters

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Corrigendum 3. Tender Number: 10/ dated

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Seceon s Open Threat Management software

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Agenda. Review: DNS Security Intrusion Detection and Prevention Systems 1/21

Check Point DDoS Protector Introduction

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

ProCurve Network Immunity

INCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1

2. INTRUDER DETECTION SYSTEMS

Technical Brochure F-SECURE THREAT SHIELD

Hands-On Ethical Hacking and Network Defense 3 rd Edition

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Network Intrusion Analysis (Hands on)

CISNTWK-440. Chapter 5 Network Defenses

COMPUTER NETWORK SECURITY

Network Security: Firewall, VPN, IDS/IPS, SIEM

Basic Concepts in Intrusion Detection

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

PRACTICAL NETWORK DEFENSE VERSION 1

Enhancing Threat Intelligence Data. 05/24/2017 DC416

OODA Security. Taking back the advantage!

Detect & Respond to IoT Botnets AS AN ISP. Christoph Giese Telekom Security; Cyber DefenSe Center

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Chapter 9. Firewalls

Intrusion Detection and Malware Analysis

The Eight Components of a Strong Cyber Security Defense System

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Internet had lots of examples and tutorials for specific or advanced dashboards

Advanced Endpoint Protection

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Security+ SY0-501 Study Guide Table of Contents

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

DO NOT OPEN UNTIL INSTRUCTED

SIEM FOR BEGINNERS Everything You Wanted to Know About

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

Threat Intel for All: There s More to Your Data than Meets the Eye

CSC - DRAFT - VER6c FOR PUBLIC COMMENT ONLY

Cisco s Appliance-based Content Security: IronPort and Web Security

Lastline Breach Detection Platform

CNIT 121: Computer Forensics. 9 Network Evidence

Transforming Security from Defense in Depth to Comprehensive Security Assurance

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

CloudSOC and Security.cloud for Microsoft Office 365

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

Intrusion Detection Systems and Network Security

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

An Aflac Case Study: Moving a Security Program from Defense to Offense

Industry 4.0 = Security 4.0?

ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

CHECK POINT SANDBLAST MOBILE BEHAVIORAL RISK ANALYSIS

Locking down a Hitachi ID Suite server

Transcription:

Analyzing Huge Data for Suspicious Traffic Christian Landström, Airbus DS

Topics - Overview on security infrastructure - Strategies for network defense - A look at malicious traffic incl. Demos - How Wireshark can help

House rules 3

Tool-Box Defaults: Proxy servers with authentication Logging, Monitoring, (SIEM) Layers of Defense: Firewalls / WAFs Intrusion Detection / Intrusion Prevention NIDS/NIPS/HIDS/HIPS Malware Sensors / Sandboxing / APT-devices

Overview on sec. infrastructure - Depending on area of protection type of attack - External: Internet facing - Internal: non-inet facing External $malware Network External $APT Internal $malware Internal $APT

External I External $malware Internal $malware Network Typical protection for DMZ systems: Packet filter IPS / APT device local (host-)firewall External $APT Internal $APT

Demo #1: DMZ Service - Monitoring the request size in this example reveals some huge request resulting in a new connection initiated by the FTP Server

Demo #1: DMZ Service Knowing your applications behavior may lead to valid thresholds to reveal anomalies e.g. based on packet length, payload entropy or other factors

External II External $malware Internal $malware Perimeter defense: Monitoring all protocols - Know your systems configuration - In-depth understanding of App behavior - Monitor the events from sec. devices - Correlate events after sec. alert WebServer accessing other servers after unsuccessful exploit? Network External $APT Internal $APT

Demo #2: Encrypted sessions Watch for protocol anomalies e.g. missing HTTP dissector information on HTTP ports containing no valid requests or malformed data

Demo #2: Encrypted sessions Another example for pretended encrypted traffic not containing a valid SSL handshake Sample: Using relative Sequence numbers try: tshark r <tracefile> -Y "tcp.dstport==443 and tcp.len > 0 and tcp.seq == 1 and!ssl.record"

Internal I Incoming traffic critical and monitored But: Sessions going out are trusted Mail / Web / FTP etc. How to spot outgoing malicious stuff External $malware Internal $malware Network External $APT Internal $APT

Demo #3: Surfing the web Also valid protocol requests may hint for an anomaly based on irregular behavior or other indicators

Internal II External $malware Internal $malware Network Big issue: Lateral movement and other postinfection activities - Internal scanning / enumeration - Access to internal applications - bruteforce attempts - legitimate access with stolen credentials Mostly depending on log files from internal sources External $APT Internal $APT

Baselining / Anomaly detection Knowing your application behavior / network flows is critical to spotting malicious events - Might be easy for default applications Statistics: Conversation e.g. - How about special applications?

Demo #4: Baselining sample Especially difficult if application payload types unknown or difficult to baseline # tshark -r Trace1.pcap -Y udp -Tfields -e data more 4b417947534b6753414142746157357062474674596d3841524739 e1650518e41793d5abb03d 755d021f5cf975c6342cc14f84caf5e0b863 e1680231b0aee0ecbb648c0a4b14167412cbfb16356e8b6b76db 755f02cf93f622f368d2fef70bf71c5e5f85a8e297eb79795ac04f Legitimate example Skype Malicious example Peacomm.C malware # tshark -r Trace2.pcap -Y udp -Tfields -e data more 10a6b286d9736aae21afc2ddf005f6125f66633de613a63e46 10a6b286d9736aae21afc2ddf005f6125f66633de613a63e46 10a7 10a0b286d9736aae21afc2ddf005f6125f66633de613a63e46 10b15a78 10bf281d1581812c38ee0e0d90c18f2e5458bbc25bc030b0 10a1530e1598ba7ad499afea4ca126827f07de483537d0ad14c0be

Baselining approaches e.g. Web Many approaches for finding unknown sources of malicious activity Sample: domain lists -> diff approach - Cat I : Clean or already infected - Cat II : newly infected Timely Diff s -> approach new infections / applications

How Wireshark can help - Better understanding of your application behavior - Scripted generation of baselining data - Long-term comparison of network traces for detecting abnormal changes - Incident Analysis Results can lead to good rules for IDS/IPS and other appliances

Demo #5-7: How Wireshark can help - Better understanding of your application behavior - Scripted generation of baselining data - Long-term comparison of network traces for detecting abnormal changes - Incident Analysis Results can lead to good rules for IDS/IPS and other appliances

Demo #5: How Wireshark can help DNS answers for localhost IP can lead to inactive c2c system Beware: Also used for lots of valid reasons e.g. SPAM checking tshark -r 127.0.0.x.pcap -Tfields -e dns.qry.name grep -v -E "(<valid1> <valid2>)" sort uniq -c more [ ] 1 c-0.19-xxxxxxx.avqs.mcafee.com 1 c-0.19-yyyyyyy.avqs.mcafee.com 147 <malicious1>.is-certified.com 148 <malicious2>.dnsalias.com 146 <malicious3>.dyndns-ip.com 148 <malicious4>.dyndns-office.com 148 <malicious5>.doomdns.com

Demo #6-7 How Wireshark can help <presentation only sorry>

Monitoring Networks - Proactive - Use NetFlow/OpenFlow to monitor meta data Set up alerts for unusual patterns - Use IDS/IPS with optimized signatures Reduce false positives as much as possible - Set up Passive DNS / Passive SSL recording servers Helps in tracking down name resolution and certificate history

Monitoring Networks - Reactive - Forensic analysis on full packet captures Has to be recorded before something happened, of course Carefully selected locations, e.g. Internet outbreaks - Use NetFlow/OpenFlow for meta data Long term storage for forensic searches, e.g. where did the attacker connect to from the infected system? - Use IDS/IPS as custom IoC alarm system Write custom IDS rules for known Indicators of Compromise from Wireshark Analysis results

Detecting malicious traffic - Forget silver bullets there is no showmethebadstuff Wireshark filter - Attackers hide in plain sight DNS, HTTP(S), FTP,... - Filter out positives E.g. Alexa 1 Million Known update sites: OS, AV, Vendors

Final Words - Network defense is a 24/7 challenge - Attackers only need to succeed once, defenders would need 100% success Read as: it s not if but when an attack will succeed. Expect successful attacks on your network. - Keep searching It s a continuous task Don t just wait for some alarm to go off

!! Thank you for attending!! Questions? --------------------------- email: Web: Twitter: landi@packet-foo.com www.packet-foo.com @0x6C616E6469

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback