AMP-Based Flow Collection. Greg Virgin - RedJack

Similar documents
The Future of Threat Prevention

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Data Sources for Cyber Security Research

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

ClientVantage Agentless What s New in Release 11.1

Basic Concepts in Intrusion Detection

Implementing Coarse, Long- Term Traffic Capture

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Ken Hines, Ph.D GraniteEdge Networks

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Application Firewalls

Enhancing Threat Intelligence Data. 05/24/2017 DC416

ARAKIS An Early Warning and Attack Identification System

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Monitor your containers with the Elastic Stack. Monica Sarbu

Automated Threat Management - in Real Time. Vectra Networks

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Monitoring and Threat Detection

Novetta Cyber Analytics

Virtual Dispersive Networking Spread Spectrum IP

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

CIS Controls Measures and Metrics for Version 7

Configuring Dashboards

Monitor your infrastructure with the Elastic Beats. Monica Sarbu

Incident Response Agility: Leverage the Past and Present into the Future

CIS Controls Measures and Metrics for Version 7

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

BIG-IP System: Implementing a Passive Monitoring Configuration. Version 13.0

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

Validating the Security of the Borderless Infrastructure

How can we gain the insights and control we need to optimize the performance of applications running on our network?

Introduction to Security. Computer Networks Term A15

WHITE PAPER. Best Practices for Web Application Firewall Management

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Developing the Sensor Capability in Cyber Security

Visibility: The Foundation of your Cybersecurity Infrastructure. Marlin McFate Federal CTO, Riverbed

RSA NetWitness Suite Respond in Minutes, Not Months

Scrutinizer Flow Analytics

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Transforming Security from Defense in Depth to Comprehensive Security Assurance

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Network Security Monitoring: An Open Community Approach

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Computer and Network Security

IBM Next Generation Intrusion Prevention System

Monitoring the Device

Understanding the Internet

ch02 True/False Indicate whether the statement is true or false.

Configuring attack detection and prevention 1

Migrating massive monitoring to Bigtable without downtime. Martin Parm, Infrastructure Engineer for Monitoring

Activating Intrusion Prevention Service

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models

RSA IT Security Risk Management

Botnets Behavioral Patterns in the Network

SIEM: Five Requirements that Solve the Bigger Business Issues

Fighting Phishing I: Get phish or die tryin.

The Evolving Threat of Internet Worms

Fun with Flow. Richard Friedberg rf [at] cert.org Carnegie Mellon University

Internet Continuous Situation Awareness

With turing you can: Identify, locate and mitigate the effects of botnets or other malware abusing your infrastructure

IBM Proventia Network Anomaly Detection System

HOW TO ANALYZE AND UNDERSTAND YOUR NETWORK

Threat Intel for All: There s More to Your Data than Meets the Eye

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

Check Point DDoS Protector Simple and Easy Mitigation

Announcements. Designing IP. Our Story So Far (Context) Goals of Today s Lecture. Our Story So Far (Context), Con t. The Internet Hourglass

Forensic Network Analysis in the Time of APTs

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

CS519: Computer Networks. Lecture 2: Feb 2, 2004 IP (Internet Protocol)

A BETTER PATH: Security Enlightened. Security s Shift to the Cloud

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Cognitive Threat Analytics Tech update

EXECUTIVE BRIEF: WHY NETWORK SANDBOXING IS REQUIRED TO STOP RANSOMWARE

Network Security: Firewall, VPN, IDS/IPS, SIEM

Cisco Tetration Analytics

Lecture 8: Internet and Online Services. CS 598: Advanced Internetworking Matthew Caesar March 3, 2011

Enterprise IPv6 Deployment Security and other topics

Network Intrusion Detection Systems. Beyond packet filtering

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Welcome to this session on Network Flow Analysis.

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Beyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada

Integrating Human and Synthetic Reasoning Via Model-Based Analysis

Network Analysis of Point of Sale System Compromises

Lecture 12. Application Layer. Application Layer 1

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Configuring attack detection and prevention 1

Transcription:

AMP-Based Flow Collection Greg Virgin - RedJack

AMP- Based Flow Collection AMP - Analytic Metadata Producer : Patented US Government flow / metadata producer AMP generates data including Flows Host metadata (TCP stack information, software banners) Metrics Purpose of this talk: To discuss the flow data collection implications of these additional data types for forensic analysis (not just correlation and alerting) Additional data sources Analysis scenarios Collection schemes

Additional Data Sources Core data source: flow data Netflow-like data with additional TCP flag information Flow-derived data sources: port details Ports accepting connections Bandwidth statistics Additional data sources (Not appropriate for flow records- aggregated data sources by IP, not communication) TCP Stack information reflecting running O/S Server Banners (as seen by the Internet) Client Banners (as sent to the Internet) DNS Names collected from both the DNS protocol and other protocols (NEVER trust DNS!) Search strings from search engines (HTTP referer tags)

Scenario 1: Server Importance Server Profile Why? Configuration ( Windows 2000 ) List of listening ports (80, 443) List of available services ( IIS/6 ) Domain name(s) ( www.golfcarts.com ) Traffic Volume (X connections today, per week, per month) Associated search strings ( golf carts, high performance golf carts ) Provides metrics to automatically partition servers by volume, type, vulnerability Provides forensic value through server details often unavailable at time of analysis Flow analysis scenarios: Which active servers were impacted by flow traffic / scans / attacks Scrutinize payload-bearing traffic going to these servers Make sure you re not picking up potentially normal activity in other anomaly detection approaches (your concept of normal doesn t necessarily have to be perfect) Assign real world concepts to traffic activity and perform sanity checks through search strings

Scenario 2: DNS / Name Analysis Naming Information: Why? DNS Response packets HTTP Get requests, mail protocol name announcements The current DNS implementation presents major risks because threats can masquerade as well known sites The web protocol is dominated by virtual servers We have found interesting discrepancies between DNS and naming in other protocols Dealing with hosts as domain names is more natural (the purpose of the protocol) Flow analysis scenarios: Name-based queries (possible with SiLK) Names or name checksums incorporated into flow records for web traffic, followed by correlation with a name for the IP once the data is collected (helps with virtual servers) Forensic analysis of traffic to or from bogus domain names to determine potential damage (but you have to do the above correlation first)

Scenario 3: Making IP Space Heterogeneous Required data: Why? Host Configuration listening ports running services Too often IP space is considered one big homogeneous blob - analysis is done on traffic between nodes without considering types of nodes The diagnosis of activities such as worms can be made from hosts in a set running the same piece of software rather than signature Flow analysis scenarios: What has been called a similarity analysis: take an IP set and run it against host profiles to provide statistics on what the hosts in the set have in common Flow analysis broken down by host attributes isn t very common, so there are a number of possibilities

Scenario 4: The Alternate Use Flag Marking flows for statistically significant attributes is marking flows based on signatures, not necessarily new data Alternate Use refers to the proper use of an Internet protocol without being used for the purpose of the protocol (this is not protocol analysis) Why? This type of traffic can be a huge portion of the traffic Of unique DNS names seen by your network, more than half of them may come from just a handful of sources Flow analysis scenarios: Often port and protocol numbers are considered synonymous with legitimate use of protocols; this can be used to filter out alternate uses Most of the alternate uses for DNS appear to be spam reporting, that information could be harvested

Scenario 5: IDS Verification Use host information or flow data to validate IDS records If hosts aren t running the software that IDS signatures think they are Not a new concept and done in practice

Summary of Scenarios New data sources can be used with flow data to: Add contextual information and increase situational awareness Create filters that could be useful for both queries and data collection Partition data into bins or streams with more (or less) analytic meaning The best result is for these techniques to impact the data or be recorded as additional data This has an obvious impact on collection infrastructure Data production software should be able to mark, reformat, or drop flow data based on this information Data collection and storage software should be able to process or partition this information Since most of these techniques don t amount to much more than a filter definition, a registry for these filters that different parts of the flow collection infrastructure can use is appropriate

New Sensor Attributes (This is in addition to flows with TCP options, host information, and DNS) Filters based on additional information Domain name value for the web protocol Alternate Use flag Not yet discussed: Change ICMP to include third IP address in some instances

New Data Collection Attributes Marking or partitioning flows with domain names Metrics, filtering, and additional aggregation (flows for large servers can be compacted)

New Data Store Attributes Flow data closely tied to new data sources Registry for filtering techniques that can be leveraged by the sensor and collection Questions? Greg Virgin, greg.virgin@redjack.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback