ADVANCED THREAT DETECTION AND FORENSICS
VIA NETFLOW/IPFIX
Charles Herring (@charlesherring)
http://f15h.co
FLOW CONCEPTS
Network Logging Basics
• A record; not a sample
• Can only log available data
• Unidirectional in nature (each direction of a conversation is a separate record)
• Interface specific (a record describes traffic as seen on one exporter interface)
• “Phone record” not “Phone tap”
• Category called “NetFlow” or “Flow”
• Devices with one or more Flow-producing interfaces are “Exporters”
• Exporters cache and forward records to “Collectors”
• Bandwidth of “basic” Flow export is ~0.1% of monitored traffic
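To make the basics above concrete, here is an added example (not from the presentation) of the exporter side: a toy flow cache that turns packets into unidirectional, interface-specific records and exports them when a flow goes idle (inactive timeout) or has run too long (active timeout). The packets, interface indexes and timeout values are constructed; real exporters key their cache the same way but encode the records as NetFlow v9 or IPFIX.

```python
"""Toy NetFlow exporter: packets in, unidirectional flow records out.

Added example, not from the presentation. Packets, interface indexes and
timeouts are constructed; a real exporter keys its cache the same way
(ingress interface plus 5-tuple) but encodes records as NetFlow v9/IPFIX.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (time_s, ingress_ifindex, src_ip, dst_ip, proto, src_port, dst_port, bytes, tcp_flags)
Packet = Tuple[float, int, str, str, int, int, int, int, int]
FlowKey = Tuple[int, str, str, int, int, int]      # ifindex + 5-tuple: one direction only
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


@dataclass
class FlowRecord:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    flags: int = 0           # OR of every TCP flag seen, as NetFlow reports it


class FlowCache:
    """Exporter-side cache: one entry per (interface, 5-tuple), like a phone record."""

    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout      # long flows are cut into several records
        self.inactive_timeout = inactive_timeout  # idle flows are exported and forgotten
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []      # what the collector receives, in order

    def _expire(self, now: float) -> None:
        for key, rec in list(self.cache.items()):
            if (now - rec.last >= self.inactive_timeout
                    or now - rec.first >= self.active_timeout):
                self.exported.append(self.cache.pop(key))

    def observe(self, pkt: Packet) -> None:
        """Account one packet: header fields only, never payload (a record, not a sample)."""
        ts, ifindex, sip, dip, proto, sport, dport, size, flags = pkt
        self._expire(ts)
        key: FlowKey = (ifindex, sip, dip, proto, sport, dport)
        rec = self.cache.get(key)
        if rec is None:
            rec = self.cache[key] = FlowRecord(key, first=ts, last=ts)
        rec.last = ts
        rec.packets += 1
        rec.bytes += size
        rec.flags |= flags

    def flush(self) -> List[FlowRecord]:
        """Export whatever is still cached (shutdown) and return everything exported."""
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


# Constructed traffic: one HTTP session seen by a router whose client-facing
# interface is 1 and WAN interface is 2, then a DNS lookup 30 s later.
SAMPLE_PACKETS: List[Packet] = [
    (0.00, 1, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 60, SYN),
    (0.02, 2, "203.0.113.10", "10.1.1.5", 6, 80, 51000, 60, SYN | ACK),
    (0.03, 1, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 520, PSH | ACK),
    (0.05, 2, "203.0.113.10", "10.1.1.5", 6, 80, 51000, 1400, PSH | ACK),
    (0.05, 2, "203.0.113.10", "10.1.1.5", 6, 80, 51000, 1400, ACK),
    (0.06, 1, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 52, FIN | ACK),
    (30.0, 1, "10.1.1.5", "10.1.1.1", 17, 40000, 53, 75, 0),
    (30.0, 3, "10.1.1.1", "10.1.1.5", 17, 53, 40000, 150, 0),   # reply enters on interface 3
]


def export_sample() -> List[FlowRecord]:
    """Run the constructed packets through the cache. The HTTP records expire
    (idle longer than 15 s) when the DNS packets arrive; the DNS records on flush."""
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.observe(pkt)
    return cache.flush()
```

Two conversations come out as four records, one per direction and interface, which is exactly why a collector has to stitch and de-duplicate before it can reason about conversations (next section). Note also that the record carries byte and packet counts and ORed TCP flags, but nothing from the payload.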
Logging Standards
• NetFlow v9 (RFC 3954)
• IPFIX (RFC 5101, since obsoleted by RFC 7011)
• Rebranded NetFlow
  – Jflow – Juniper
  – Cflowd – Juniper/Alcatel-Lucent
  – NetStream – 3Com/Huawei
  – Rflow – Ericsson
  – AppFlow – Citrix
Basic/Common Fields
Extensible Data Fields
Data sources can provide additional log information
• Network Based Application Recognition
• Performance Metrics (SRT/RTT, Collisions)
• HTTP Headers
• NAT Data
• Security Action (Permit/Deny)
• TTL
• DSCP
• Payload
Examples of Extensible Fields
Packet Capture of IPFIX
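The slide showed a packet capture; the added example below (not from the presentation) decodes the same wire format a collector sees: a 16-byte IPFIX message header, then sets, where a template set (set ID 2) teaches the collector the record layout and a data set (set ID 256 or higher) carries records in that layout. The message bytes are constructed by build_sample_message(); only fixed-length standard Information Elements are used.

```python
"""Decoder for IPFIX (RFC 7011) messages as a collector receives them.

Added example, not from the presentation. The message bytes are constructed in
build_sample_message(); an exporter would send the same layout over UDP/4739.
Templates are scoped to the exporter's Observation Domain ID and must arrive
before the data sets that use them, so the collector caches them.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2      # 3 = options template set, >= 256 = data set using that template ID

# Information Element IDs from the IANA IPFIX registry (RFC 5102).
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            6: "tcpControlBits", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            10: "ingressInterface", 11: "destinationTransportPort",
            12: "destinationIPv4Address", 14: "egressInterface",
            152: "flowStartMilliseconds", 153: "flowEndMilliseconds"}
IPV4_IES = {8, 12}
Field = Tuple[int, int, int]                        # (IE id, length, enterprise number or 0)
TemplateCache = Dict[Tuple[int, int], List[Field]]  # (odid, template id) -> fields


def parse_message(data: bytes, templates: TemplateCache) -> List[dict]:
    """Decode one message: learn templates, return the data records it carries."""
    if len(data) < 16:
        raise ValueError("short IPFIX header")
    version, length, _export_time, _seq, odid = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version {version})")
    if not 16 <= length <= len(data):
        raise ValueError("message length field disagrees with datagram")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:   # never trust exporter-supplied lengths
            raise ValueError("bad set length")
        body = data[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_templates(body, odid, templates)
        elif set_id >= 256 and (odid, set_id) in templates:
            records.extend(_parse_data(body, templates[(odid, set_id)]))
        offset += set_len            # options templates and data for unknown templates: skipped
    return records


def _parse_templates(body: bytes, odid: int, templates: TemplateCache) -> None:
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if tid == 0:                 # zero padding at the end of the set
            break
        fields: List[Field] = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[pos:pos + 4])
            pos, pen = pos + 4, 0
            if ie & 0x8000:          # enterprise bit: a 4-byte Private Enterprise Number follows
                (pen,) = struct.unpack("!I", body[pos:pos + 4])
                pos, ie = pos + 4, ie & 0x7FFF
            fields.append((ie, flen, pen))
        templates[(odid, tid)] = fields


def _parse_data(body: bytes, fields: List[Field]) -> List[dict]:
    rec_len = sum(flen for _, flen, _ in fields)   # fixed-length fields only in this example
    out, pos = [], 0
    while pos + rec_len <= len(body):               # a tail shorter than one record is padding
        rec = {}
        for ie, flen, pen in fields:
            raw, pos = body[pos:pos + flen], pos + flen
            if pen:
                continue                            # enterprise-specific: not decoded here
            if ie in IPV4_IES and flen == 4:
                rec[IE_NAMES[ie]] = str(ipaddress.IPv4Address(raw))
            else:
                rec[IE_NAMES.get(ie, f"ie{ie}")] = int.from_bytes(raw, "big")
        out.append(rec)
    return out


def build_sample_message() -> bytes:
    """Constructed exporter output: template 256, then two 30-byte data records."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 8), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl

    def rec(sip, dip, sport, dport, proto, flags, pkts, octets):
        return (ipaddress.IPv4Address(sip).packed + ipaddress.IPv4Address(dip).packed
                + struct.pack("!HHBBQQ", sport, dport, proto, flags, pkts, octets))

    data = (rec("10.1.1.5", "203.0.113.10", 51000, 80, 6, 0x1B, 3, 632)
            + rec("203.0.113.10", "10.1.1.5", 80, 51000, 6, 0x1A, 3, 2860))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = tmpl_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1362700800, 1, 42) + body
```

Two practical points follow from the format. Data sets that arrive before their template cannot be decoded, which is why exporters resend templates periodically and why a collector restart loses records until the next refresh. And because UDP export is unauthenticated, a collector should accept messages only from configured exporter addresses and bound every length it reads, as above, since a forged or corrupt length field is the easiest way to crash a naive decoder; RFC 7011 specifies SCTP and TLS/DTLS for deployments that need integrity and confidentiality.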
Stitching & De-duplication
Stitching pairs the two unidirectional records of a conversation into one bidirectional record; de-duplication collapses the copies of the same flow reported by several exporters along its path, so traffic is not counted twice.
©2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)
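The collector side, as an added example (not from the presentation): the records below are constructed, one HTTP session reported by two exporters on its path (a core router and a firewall whose clock runs 0.3 s ahead), each as two unidirectional records, plus a single scan probe that never got an answer. De-duplication runs first, then the two directions are stitched into one conversation.

```python
"""Collector-side stitching and de-duplication of unidirectional flow records.

Added example, not from the presentation. The records below are constructed:
one HTTP session reported by two exporters on its path (a core router and a
firewall with a clock 0.3 s ahead), each as two unidirectional records, plus a
lone scan probe that never got an answer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class UniFlow:
    exporter: str
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int
    start: float
    end: float
    packets: int
    bytes: int
    flags: int


@dataclass
class BiFlow:
    client: str
    server: str
    proto: int
    client_port: int
    server_port: int
    start: float
    end: float
    client_bytes: int
    server_bytes: int
    exporters: Set[str] = field(default_factory=set)


def _tuple(r: UniFlow) -> tuple:
    return (r.sip, r.dip, r.proto, r.sport, r.dport)


def dedupe(records: List[UniFlow], slack: float = 1.0) -> List[Tuple[UniFlow, Set[str]]]:
    """Collapse copies of one unidirectional flow seen by several exporters.

    Copies share the 5-tuple and start within `slack` seconds of each other
    (exporter clocks drift). Counters come from the copy that saw the most
    bytes and are never summed: summing would double-count the traffic.
    """
    groups: List[Tuple[UniFlow, Set[str]]] = []
    for r in sorted(records, key=lambda r: _tuple(r) + (r.start,)):
        if groups:
            best, seen = groups[-1]
            if _tuple(best) == _tuple(r) and abs(best.start - r.start) <= slack:
                seen.add(r.exporter)
                if r.bytes > best.bytes:
                    groups[-1] = (r, seen)
                continue
        groups.append((r, {r.exporter}))
    return groups


def stitch(records: List[UniFlow], slack: float = 1.0) -> Tuple[List[BiFlow], List[UniFlow]]:
    """Pair each A->B record with its B->A mate into one conversation.

    Flags are ORed over a flow, so SYN/ACK cannot tell the initiator apart;
    the heuristic here is the earlier start, then the lower destination port.
    Returns (conversations, records that stayed one-way).
    """
    waiting: Dict[tuple, Tuple[UniFlow, Set[str]]] = {}
    conversations: List[BiFlow] = []
    for rec, exporters in dedupe(records, slack):
        reverse = (rec.dip, rec.sip, rec.proto, rec.dport, rec.sport)
        mate = waiting.pop(reverse, None)
        if mate is None:
            waiting[_tuple(rec)] = (rec, exporters)
            continue
        other, other_exp = mate
        a, b = ((rec, other) if (rec.start, rec.dport) <= (other.start, other.dport)
                else (other, rec))
        conversations.append(BiFlow(
            client=a.sip, server=a.dip, proto=a.proto,
            client_port=a.sport, server_port=a.dport,
            start=min(a.start, b.start), end=max(a.end, b.end),
            client_bytes=a.bytes, server_bytes=b.bytes,
            exporters=exporters | other_exp))
    # One-way leftovers are real signal: probes, blocked traffic or asymmetric routing.
    return conversations, [r for r, _ in waiting.values()]


SAMPLE: List[UniFlow] = [
    UniFlow("core-rtr", "10.1.1.5", "203.0.113.10", 6, 51000, 80, 100.00, 100.06, 3, 632, 0x1B),
    UniFlow("core-rtr", "203.0.113.10", "10.1.1.5", 6, 80, 51000, 100.02, 100.05, 3, 2860, 0x1A),
    UniFlow("fw-edge", "10.1.1.5", "203.0.113.10", 6, 51000, 80, 100.30, 100.36, 3, 632, 0x1B),
    UniFlow("fw-edge", "203.0.113.10", "10.1.1.5", 6, 80, 51000, 100.32, 100.35, 3, 2860, 0x1A),
    UniFlow("fw-edge", "198.51.100.7", "10.1.1.5", 6, 44001, 3389, 101.00, 101.00, 1, 60, 0x02),
]


def stitch_sample() -> Tuple[List[BiFlow], List[UniFlow]]:
    return stitch(SAMPLE)
```

Five input records become one conversation of 3,492 bytes (not 6,984: the firewall's copies were recognised as duplicates and only contributed to the exporter list, which doubles as a path record) and one unanswered probe. Keeping the one-way leftovers rather than discarding them matters for the recon detection later in the deck.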
TOOLS: SILK
SiLK
• Download at http://tools.netsa.cert.org
• Stores and processes flow records (command-line tools such as rwfilter, rwcut, rwstats and rwcount)
• Project managed by Carnegie Mellon CERT
iSiLK (graphical front end to the SiLK tools)
PySiLK (Python bindings for SiLK)
Commercial Solutions
• Arbor PeakFlow
• IBM QRadar
• Invea-Tech FlowMon
• Lancope StealthWatch
• ManageEngine
• McAfee NTBA
• Plixer Scrutinizer
• ProQSys FlowTraq
• Riverbed Cascade (formerly Mazu)
* For comparison see Gartner, Network Behavior Analysis Market, December 2012 (G00245584)
WHAT CAN LOGGING REVEAL
Signature Matching
• Look for “known bad” conversations
• Match against data collected in NetFlow
• Per Flow Analysis
What Can Intelligent NetFlow Analysis Do?
• Reveal BotNet Hosts (Layer 3, Layer 4 and URL)
• Report on Compliance
• Unsanctioned Device and Application Detection
  – Identify the use of unsanctioned applications
  – Detect rogue servers and other rogue devices
• Audit Firewall Rules
  – Immediately detect misconfigurations
  – Ensure regulatory compliance
• Behavior-based Analysis of Network Flows
• Reveal Recon
• Investigate Infections
• Loss of Protected Data
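The two detection styles the deck contrasts, signature matching of "known bad" conversations per flow and behavior-based analysis that reveals recon, side by side on the same records. This is an added example, not from the presentation: the flow records and the indicator list are constructed, and in production both would come from the collector and a threat feed.

```python
"""Signature matching versus behaviour-based analysis over the same flow records.

Added example, not from the presentation. The flows and the indicator list are
constructed; in production they come from the collector and a threat feed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Flow:
    start: float
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: int


# Constructed indicators: (network, protocol or None for any, port or None for any).
INDICATORS = [
    (ipaddress.ip_network("198.51.100.0/24"), 6, 443),
    (ipaddress.ip_network("203.0.113.66/32"), None, None),
]


def signature_matches(flow: Flow) -> Optional[str]:
    """Per-flow check: is either endpoint a listed 'known bad' peer?"""
    for net, proto, port in INDICATORS:
        for ip, p in ((flow.dip, flow.dport), (flow.sip, flow.sport)):
            if (ipaddress.ip_address(ip) in net
                    and (proto is None or proto == flow.proto)
                    and (port is None or port == p)):
                return f"{flow.sip} -> {flow.dip}:{flow.dport} matches {net}"
    return None


def detect_recon(flows: List[Flow], window: float = 60.0,
                 port_threshold: int = 15, host_threshold: int = 15) -> List[str]:
    """Behavioural check: many probes from one source inside a time window.

    A probe is a one-packet TCP flow with SYN but no ACK (the peer never
    completed the handshake). Many ports on one host = vertical scan; one
    port on many hosts = horizontal sweep. No single record looks bad.
    """
    probes = sorted((f for f in flows if f.proto == 6 and f.packets == 1
                     and f.flags & SYN and not f.flags & ACK), key=lambda f: f.start)
    vertical: Dict[Tuple[str, str], int] = {}    # (src, dst host) -> distinct ports
    horizontal: Dict[Tuple[str, int], int] = {}  # (src, dst port) -> distinct hosts
    for i, probe in enumerate(probes):
        ports: Dict[str, Set[int]] = defaultdict(set)
        hosts: Dict[int, Set[str]] = defaultdict(set)
        for later in probes[i:]:
            if later.start - probe.start > window:
                break
            if later.sip == probe.sip:
                ports[later.dip].add(later.dport)
                hosts[later.dport].add(later.dip)
        for dip, ps in ports.items():
            vertical[(probe.sip, dip)] = max(vertical.get((probe.sip, dip), 0), len(ps))
        for dport, hs in hosts.items():
            horizontal[(probe.sip, dport)] = max(horizontal.get((probe.sip, dport), 0), len(hs))
    alerts = [f"{sip} vertical scan of {dip}: {n} ports"
              for (sip, dip), n in vertical.items() if n >= port_threshold]
    alerts += [f"{sip} horizontal sweep on port {dport}: {n} hosts"
               for (sip, dport), n in horizontal.items() if n >= host_threshold]
    return sorted(alerts)


def sample_flows() -> List[Flow]:
    """Constructed: a 20-port scan, a normal web session and a beacon to a listed range."""
    flows = [Flow(1000.0 + i * 0.5, "10.1.1.5", "10.1.2.9", 6, 40000 + i, port, 1, 60, SYN)
             for i, port in enumerate(range(1, 21))]
    flows.append(Flow(1005.0, "10.1.1.22", "203.0.113.10", 6, 51000, 80, 7, 4200, SYN | ACK | PSH))
    flows.append(Flow(1010.0, "10.1.1.22", "198.51.100.7", 6, 51234, 443, 12, 3100, SYN | ACK | PSH))
    return flows


def run_detections() -> Tuple[List[str], List[str]]:
    flows = sample_flows()
    hits = [m for m in map(signature_matches, flows) if m]
    return hits, detect_recon(flows)
```

The signature pass finds the beacon to the listed range and nothing else: the scanner's 20 probes match no indicator and each one is unremarkable on its own. The behavioural pass finds the scan precisely because it aggregates per source over time. The usual caveat applies to the latter: authorised vulnerability scanners and monitoring systems trip the same logic and need an allowlist, while the signature pass can only ever find what is already on the list.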
FORENSIC INVESTIGATIONS
Forensic Q&A
• How long has behavior been active? → Historical Traffic Report
• Which hosts has a compromised host “touched?” → Top Peers (filtered to Internal or Critical)
• Has this attack happened in the past? → Flow Table on available data points
• How long has this attacker been lurking around the network? → Historical Traffic on Host
SQL Injection
Data Theft
Beron’s abnormal disclosure
What did Beron send? Who received it?
Where could Beron have gotten the data?
Why did Beron do it?
• Web: www.lancope.com (Company), f15h.co (Personal)
• Twitter: @Lancope (Company), @netflowninjas (Company Blog), @charlesherring (Personal)
• Charles Herring, Sr. Systems Engineer, [email protected]