Network Security FOR FREE - Data Connectors · •Gather the Log files from Firewalls, Servers,...
Slide - 1
Network Security – FOR FREE
Slide - 2
• A10 Networks, Akamai, AlienVault, Appriver, At-Bay, Avecto, Axiomatics
• BeyondTrust, BluVector
• Carbon Black, Centrify, CGS, Check Point, CheckMarx, CloudBees, Comodo, Corero Network Security,
Cyxtera
• Darktrace, DeepInstinct, DomainTools, Dyadic
• eSentire, Experian
• F-Secure, FireEye, Forcepoint, ForeScout, Forrester, Fortinet, Fujitsu
• Gigamon, GigaTrust, GlobalSign
• Herjavec Group
• IBM Resilient, iboss, Illumio, Imperva, Informatica
• Kaspersky Lab, KnowBe4, KPMG
• Lawfare, LogRhythm
• Malwarebytes, McAfee, MediaMath, Mimecast, MobileIron
• NordVPN, Nozomi Networks, NSS Labs, NTT Security, Nuvias Group
• ObserveIT
• Palo Alto Networks, Panda, Portnox, Proofpoint
• Qubic
• Radial, Radware, Rapid7, RiskIQ
• SAP, Secureworks, Semafone, SentinelOne, Sonatype, Sophos, Splunk, Symantec
• Thales, Trend Micro, Tripwire
• Varonis, Veridium, Voxpro
• WatchGuard, Webroot
• ZeroFOX, ZScaler
Security Companies A – Z, etc.
Slide - 3
Assessment and Fundamentals
• All types of bad actors are trying to break into your network today
• Start monitoring your network TODAY
• Understand how to track them using an Analyzer looking for Indicators of Compromise
• 24 hour period:
  Country          Attempts
  United States    241
  Canada           115
  Taiwan           87
  China            70
Slide - 4
The Importance of Packets
• The Boy Scout Motto - BE PREPARED
• Gain total network visibility by capturing all of the packets 24 x 7 and using NetFlow data
• Know the “normal” path of your packets
• Gather the Log files from Firewalls, Servers, IDS, DLP, Antivirus, etc.
Slide - 5
Why are Attacks a Concern?
• Cost of Attacks
• Resource time (Investigations, Monitoring, Mitigate)
• Security Controls
• HIPAA / SCADA / Other Regulatory Fines
• Data Breach
  • $100 to $500 per record
  • 1000 records = $1M to $5M
• Business, Health, Finance, Government, Education
Slide - 6
Prevent
• Endpoint protection is not adequate any longer
  • WannaCry / Petya
• Windows desktops represent the weakest link in the chain
• Software as a Service means no endpoint visibility
• Most defense enhancements come first on the NETWORK – speed and scalability
Slide - 7
The Path of the Packet is Important
• Monitor both inside and outside of the Internet Firewall
• Monitor any other inbound link, VPN, Branch office, dedicated link other than Internet
• Key locations need to be monitored for attacks
• Monitor for both outside and inside threats
Slide - 8
Identify the Indicators
Ways to Identify these Attacks on my network
1) Observing the initial download at the perimeter
2) Observing the use of the Exploit on my internal network
3) Observing the movement of the malware on my local network
Slide - 9
Security Onion
Slide - 10
What are your Indicators?
• All indicators have value, some greater than others
• You see a mail server has initiated an outbound FTP session to a
host in Russia - an indicator.
• You see a spike in the amount of Internet Control Message Protocol
(ICMP) traffic at 2 A.M. - an indicator.
• You see a Host sending RAR files to a host in San Diego – an
indicator.
• You see SMBv1 traffic on your network – an indicator.
• Which are your biggest concerns?
• Prioritize the indicator value
Slide - 11
Trojan / Worm Indicators
• Number of SYNs Sent / Number of SYN+ACKs
• Generally should be 1:1
• Trojans and worms always send large amounts of TCP SYN packets to
establish connections with other hosts on the LOCAL subnet.
• Look at Top Talkers by Packets
• Trojans and worms usually send out a large number of SMALL packets.
• Filter for DNS – Export to CSV – Comma delimited with packet summary
• Analyze using keywords
• Compare to Top 1 million (Alexa or Cisco Umbrella)
• Use a specific filter – POP3, Readme.exe and PSEXEC.EXE
Slide - 12
Filter for SYN + ACK
• Filter for SYN + ACK – See what Servers and
Applications are accepting connections
• Should they? / Any surprises? / Workstations?
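The checks on the two slides above (SYN to SYN+ACK balance, top talkers by packet count and size, the SYN+ACK view of what is accepting connections, and DNS names compared against a top-1M style allowlist) can be scripted over an analyzer's packet-summary export. The following is an added example and not code from the talk or from any analyzer product; the rows are constructed to resemble a CSV export, and the addresses, ports and the workstation subnet 10.1.20.0/24 are hypothetical.

```python
"""Worm/trojan indicator checks over an exported packet summary.

Added example, not code from the original slides. The rows below are
constructed to look like a CSV packet-summary export from an analyzer;
the addresses, ports and the workstation subnet 10.1.20.0/24 are hypothetical.
"""
from collections import Counter, namedtuple
import ipaddress

Pkt = namedtuple("Pkt", "src sport dst dport proto length flags qname")

SAMPLE = [Pkt(*r) for r in [
    # 10.1.20.15 sprays SYNs at TCP/445 across its own subnet; only one host answers
    ("10.1.20.15", 50001, "10.1.20.40", 445, "TCP", 66, "S", None),
    ("10.1.20.15", 50002, "10.1.20.41", 445, "TCP", 66, "S", None),
    ("10.1.20.15", 50003, "10.1.20.42", 445, "TCP", 66, "S", None),
    ("10.1.20.15", 50004, "10.1.20.43", 445, "TCP", 66, "S", None),
    ("10.1.20.15", 50005, "10.1.20.44", 445, "TCP", 66, "S", None),
    ("10.1.20.15", 50006, "10.1.20.45", 445, "TCP", 66, "S", None),
    ("10.1.20.40", 445, "10.1.20.15", 50001, "TCP", 66, "SA", None),
    # 10.1.20.22 opens one HTTPS session to an internal server and moves full-size packets
    ("10.1.20.22", 50100, "10.1.10.5", 443, "TCP", 66, "S", None),
    ("10.1.10.5", 443, "10.1.20.22", 50100, "TCP", 66, "SA", None),
    ("10.1.20.22", 50100, "10.1.10.5", 443, "TCP", 1514, "A", None),
    ("10.1.10.5", 443, "10.1.20.22", 50100, "TCP", 1514, "A", None),
    # DNS queries from both hosts; qname is the "packet summary" column for DNS rows
    ("10.1.20.22", 53011, "10.1.10.53", 53, "UDP", 78, "", "mail.example.com"),
    ("10.1.20.15", 53012, "10.1.10.53", 53, "UDP", 95, "", "x7q2lz.cdn-update.example.net"),
]]


def syn_balance(pkts):
    """Per host: (SYNs sent, SYN+ACKs received). A healthy host is close to 1:1."""
    sent, answered = Counter(), Counter()
    for p in pkts:
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            sent[p.src] += 1
        elif p.flags == "SA":
            answered[p.dst] += 1
    return {host: (sent[host], answered[host]) for host in sent}


def scanners(pkts, min_syn=5, max_answered_ratio=0.5):
    """Hosts sending many SYNs that mostly go unanswered: worm-style probing of the local subnet."""
    return sorted(host for host, (s, a) in syn_balance(pkts).items()
                  if s >= min_syn and a / s <= max_answered_ratio)


def top_talkers(pkts, n=3):
    """(host, packets sent, mean packet size): many small packets is a worm tell."""
    count, total = Counter(), Counter()
    for p in pkts:
        count[p.src] += 1
        total[p.src] += p.length
    return [(host, c, total[host] / c) for host, c in count.most_common(n)]


def accepting_connections(pkts):
    """(host, port) pairs that sent SYN+ACK, i.e. services that accepted a connection."""
    return sorted({(p.src, p.sport) for p in pkts if p.proto == "TCP" and p.flags == "SA"})


def workstations_accepting(pkts, workstation_nets):
    """Subset of accepting_connections() inside the workstation subnets: should be empty."""
    nets = [ipaddress.ip_network(n) for n in workstation_nets]
    return [(host, port) for host, port in accepting_connections(pkts)
            if any(ipaddress.ip_address(host) in net for net in nets)]


def dns_outliers(pkts, top_domains):
    """Queried names whose registered domain is missing from a top-1M style allowlist.
    The registered domain is approximated as the last two labels (fine for a first pass;
    a public-suffix list would be needed for names like example.co.uk)."""
    unknown = set()
    for p in pkts:
        if p.qname:
            registered = ".".join(p.qname.lower().rstrip(".").split(".")[-2:])
            if registered not in top_domains:
                unknown.add(p.qname)
    return sorted(unknown)


if __name__ == "__main__":
    print("SYN balance:", syn_balance(SAMPLE))
    print("probable scanners:", scanners(SAMPLE))
    print("top talkers:", top_talkers(SAMPLE))
    print("accepting connections:", accepting_connections(SAMPLE))
    print("workstations accepting:", workstations_accepting(SAMPLE, ["10.1.20.0/24"]))
    print("DNS outliers:", dns_outliers(SAMPLE, {"example.com"}))
```

On the constructed rows, 10.1.20.15 shows as the host with six SYNs and one SYN+ACK back, the most packets sent at a mean size well under 100 bytes, and the only DNS name outside the allowlist, while 10.1.20.40 appears in the workstation subnet accepting a connection on 445. The thresholds in scanners() are starting points to tune against your own baseline, not fixed values.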
Slide - 13
Filter for SMBv1, SMBv2 and SMBv3
• Filter for SMBv1 – See what devices are vulnerable
• WannaCry / Petya
SMBv2 hex Pattern is 0x424d53fe
SMBv3 hex Pattern is 0x424d53fd
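The hex patterns on the slide are the first four bytes of each SMB message read as a little-endian 32-bit integer: 0x424d53fe is the wire sequence fe 53 4d 42, i.e. the bytes 0xFE "SMB" that begin every SMB2 header, and 0x424d53fd is 0xFD "SMB", the SMB2 transform header that carries encrypted SMB 3.x messages. SMBv1 messages begin with 0xFF "SMB". The following is an added example, not code from the talk or from any analyzer product, that classifies TCP/445 payloads by that marker and lists which hosts are still sending SMBv1; the payloads and addresses are constructed.

```python
"""Classify SMB traffic by the 4-byte protocol identifier at the start of each message.

Added example; sample payloads and addresses below are constructed, not captured.
"""
from collections import defaultdict

# Wire-order markers. An analyzer that displays the first 32 bits as a little-endian
# integer shows b"\xfeSMB" as 0x424d53fe, which is how the slide quotes them.
SMB_MARKERS = {
    b"\xffSMB": "SMBv1",
    b"\xfeSMB": "SMBv2/3",          # SMB2 header; the 2.x / 3.x dialect is negotiated, not in the marker
    b"\xfdSMB": "SMBv3 encrypted",  # SMB2 transform header wrapping an encrypted SMB 3.x message
}
NETBIOS_SESSION_HDR = 4  # SMB over TCP/445 or TCP/139 sits behind a 4-byte session header


def classify_payload(payload: bytes):
    """Return the SMB family of a TCP payload, or None if it does not start with an SMB marker.
    Accepts payloads with or without the 4-byte session header in front of the SMB message."""
    for offset in (0, NETBIOS_SESSION_HDR):
        family = SMB_MARKERS.get(payload[offset:offset + 4])
        if family:
            return family
    return None


def analyzer_pattern(marker: bytes) -> str:
    """Render a 4-byte wire marker as the little-endian integer an analyzer filter would use."""
    return "0x" + marker[::-1].hex()


def smb_inventory(packets):
    """Map each SMB family to the sorted hosts that sent it; hosts under 'SMBv1' need remediation."""
    seen = defaultdict(set)
    for src, _dst, payload in packets:
        family = classify_payload(payload)
        if family:
            seen[family].add(src)
    return {family: sorted(hosts) for family, hosts in seen.items()}


# Constructed sample packets: (src, dst, TCP payload). Only the leading bytes matter here.
SAMPLE = [
    ("10.1.20.15", "10.1.20.40", b"\x00\x00\x00\x2c" + b"\xffSMB" + b"\x72" + b"\x00" * 8),  # SMB1 (0x72 = negotiate)
    ("10.1.20.22", "10.1.10.9", b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x40\x00" + b"\x00" * 8),
    ("10.1.20.22", "10.1.10.9", b"\x00\x00\x00\x80" + b"\xfdSMB" + b"\x00" * 16),
    ("10.1.20.31", "10.1.10.9", b"\xfeSMB" + b"\x40\x00"),  # marker with no session header in front
    ("10.1.20.22", "10.1.10.80", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # not SMB at all
]

if __name__ == "__main__":
    for marker in SMB_MARKERS:
        print(SMB_MARKERS[marker], "filter pattern:", analyzer_pattern(marker))
    print(smb_inventory(SAMPLE))
```

Because 0xFE "SMB" is shared by every SMB 2.x and 3.x dialect, a hit on 0x424d53fe alone says "not SMBv1" rather than "SMBv2"; the dialect itself is in the negotiate exchange, and 0xFD "SMB" appears only once an SMB 3.x session has turned on encryption.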
Slide - 14
Filter for HTTP Credentials
• Filter for HTTP Authorization Type Basic:
• Yields Credentials
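Filtering for HTTP Basic authorization finds applications that still send credentials in the clear, which is the point of the slide: the header carries "user:password" merely base64-encoded, so anyone on the path of the packet can read it, and those applications belong behind TLS or a different authentication scheme. The following is an added example, not code from the talk, that reports which hosts and applications are exposing credentials this way without storing the password itself; the request bytes, addresses and hostnames are constructed.

```python
"""Report HTTP requests that carry credentials in an Authorization: Basic header.

Added example; the sample flows are constructed, not captured.
"""
import base64
import binascii
import re

# One header line, case-insensitive, tolerant of CRLF line endings in the capture.
BASIC_RE = re.compile(rb"^(?:Proxy-)?Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                      re.I | re.M)
HOST_RE = re.compile(rb"^Host:[ \t]*(\S+)", re.I | re.M)


def basic_credentials(request: bytes):
    """Return (user, password) from a Basic header, or None if there is none or it does not decode."""
    m = BASIC_RE.search(request)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def cleartext_credential_report(flows):
    """One finding per request with Basic credentials. The password is reduced to its length
    so the report itself does not become a second copy of the secret."""
    findings = []
    for src, dst, request in flows:
        cred = basic_credentials(request)
        if cred is None:
            continue
        host = HOST_RE.search(request)
        findings.append({
            "src": src,
            "dst": dst,
            "host": host.group(1).decode("ascii", "replace") if host else None,
            "user": cred[0],
            "password_len": len(cred[1]),
        })
    return findings


# Constructed sample flows: (src, dst, request bytes). Credentials here are made up.
SAMPLE_FLOWS = [
    ("10.1.20.22", "10.1.10.80",
     b"GET /status HTTP/1.1\r\nHost: monitor.intranet.example\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:Winter2017!") + b"\r\nUser-Agent: curl/7.55\r\n\r\n"),
    ("10.1.20.31", "10.1.10.80",
     b"GET /public HTTP/1.1\r\nHost: monitor.intranet.example\r\n\r\n"),
    ("10.1.20.15", "10.1.10.80",  # malformed: 7 base64 characters cannot be a valid encoding
     b"GET /x HTTP/1.1\r\nHost: monitor.intranet.example\r\nAuthorization: Basic YWxpY2U\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in cleartext_credential_report(SAMPLE_FLOWS):
        print(finding)
```

The report is what goes to the application owners: which client, which service, which account. Proxy-Authorization is included because a proxy in the path is just as exposed, and the decode is strict so that a header that merely looks like Basic is skipped rather than reported with garbage.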
Slide - 15
The Path of the Packet is Important
• Explore and understand both Ingress and Egress traffic flows and patterns
• Don’t assume
• Validate
• TAP / Packet Broker
• There could be several paths into the Data Center depending on Trusted User, Untrusted User or Customer
Slide - 16
Limit the outbound Path of the Packet
Set the IP TTL to 1 or 2 on internal DB servers and App servers that don’t need to communicate outside of your Datacenter, so their packets expire at the first or second router hop and cannot be routed out (IP TTL = 1/2)
Slide - 17
Investigation using NetFlow and Packets
• Some of the most commonly used data elements generated by NetFlow or Network Trending data include:
• Source IP Address
• Destination IP Address
• Source Port
• Destination Port
• Protocol
• Timestamps for the flow start and conclusion
• Amount of data transferred
Slide - 18
Log Files
  Country          Attempts
  United States    151 + 90 = 241
  Canada           115
  Taiwan           87
  China            70
Slide - 19
Capturing all of the Packets
• Analysis equipment must be able to keep up:
  • 1 Gbps @ 25% utilization is 1.875 GBytes / Min ➢ 112 GBytes / HR
  • 10 Gbps @ 25% utilization is 10.875 GBytes / Min ➢ 1.12 TBytes / HR
  • 40 Gbps @ 25% utilization is 43.5 GBytes / Min ➢ 4.5 TBytes / HR
  • 100 Gbps @ 25% utilization is 108.75 GBytes / Min ➢ 11.2 TBytes / HR
• Data Center will require stream to disk hardware capable of 10G to 40G link speeds and higher
• Potential to use Packet Broker to gain total network visibility
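The hourly figures on the slide follow from link rate × utilization ÷ 8 bits per byte × 3600 seconds, in decimal units (1 GB = 10^9 bytes): 1 Gbps at 25% is 31.25 MB/s, 1.875 GB/min and 112.5 GB/hr. The function below is an added example, not from the talk, that does that arithmetic for any link rate and also turns a storage budget into hours of retention, which is the number a capture appliance is actually sized on. Running it shows that the per-minute values consistent with the hourly figures for 10, 40 and 100 Gbps are 18.75, 75 and 187.5 GB/min.

```python
"""Capture-volume arithmetic for sizing stream-to-disk storage (added example)."""


def capture_volume(link_gbps, utilization=0.25):
    """Bytes written per minute and per hour for a link at a given average utilization.
    Decimal units throughout (1 GB = 1e9 bytes, 1 TB = 1000 GB)."""
    bytes_per_sec = link_gbps * 1e9 * utilization / 8
    gb_per_min = bytes_per_sec * 60 / 1e9
    return {"gbytes_per_min": gb_per_min, "tbytes_per_hour": gb_per_min * 60 / 1000}


def retention_hours(link_gbps, storage_tb, utilization=0.25):
    """How many hours of full packet capture a storage budget holds at this rate."""
    return storage_tb / capture_volume(link_gbps, utilization)["tbytes_per_hour"]


def link_rate_for_retention(storage_tb, hours, utilization=0.25):
    """Inverse question: the largest link (Gbps) a storage budget can cover for `hours`."""
    tb_per_hour = storage_tb / hours
    return tb_per_hour * 1000 * 1e9 / 60 / 60 * 8 / utilization / 1e9


if __name__ == "__main__":
    for gbps in (1, 10, 40, 100):
        v = capture_volume(gbps)
        print(f"{gbps:>3} Gbps @ 25%: {v['gbytes_per_min']:8.3f} GB/min"
              f"  {v['tbytes_per_hour']:6.3f} TB/hr"
              f"  (100 TB of disk holds {retention_hours(gbps, 100):6.1f} h)")
    print(f"100 TB for 7 days covers a link of {link_rate_for_retention(100, 7 * 24):.2f} Gbps @ 25%")
```

Utilization is the real lever: the same 10G link at 60% average load writes 2.7 TB/hr, so size from measured NetFlow volumes rather than from the nominal link speed.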
Slide - 20
Ability to go “Back in Time”
• Assemble the complete picture of the attack / compromise
• Ability to see the evolution of the compromise
• Facility to pinpoint the time of the attack / compromise
• Determine what other systems were affected
Slide - 21
The Unfamiliar
• We can be sure an attack is imminent – our firewall logs tell us they are probing, waiting to find the chink in our armor
• We must be familiar with flows and patterns
• Determine what is different or unknown
• Different Pattern? File transfers outbound?
• RAR files transferred outbound?
Slide - 22
Attack Recognition
• Have we Baselined the network?
• What is normal?
• Protocols:
  • Connection Oriented
  • Connectionless
• Applications
• Remote Locations
• After the compromise
• What was the scope?
Slide - 23
Baseline
• Need to know what is normal
• Deviations could indicate a compromise
• Needs to be updated as traffic and applications change
Slide - 24
Normal or Abnormal?
• FTP is allowed through Firewall – Did they get in?
• What do the packets show – FTP service is down
Slide - 25
Filter out Normal
• Once you have defined and validated “Normal” – start filtering out the normal protocols / applications / subnets / domains
• Easier to filter out the haystack and find a needle among the needles
• Easily identify your normal established connections
• Filter for SYN + ACK – See what Servers and Applications are accepting connections
• VALIDATE no WORKSTATIONS
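Slides 17 and 21 through 25 describe one procedure: record the NetFlow elements (addresses, ports, protocol, timestamps, bytes), build a baseline of who normally talks to whom during a known-clean window, then filter that normal traffic away and look at what is left, including outbound file transfers. The following is an added example, not code from the talk, of that baseline-and-deviation step on flow records; the address plan (workstations 10.1.20.0/24, servers 10.1.10.0/24, database 10.1.30.0/24) and every flow are constructed.

```python
"""Baseline-and-deviation check on NetFlow-style records (added example).

The zones and all flow records below are constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for the Internet.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """The data elements a NetFlow record supplies, as listed on slide 17."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    start: int   # flow start, epoch seconds
    end: int     # flow end, epoch seconds
    nbytes: int  # amount of data transferred


ZONES = {  # hypothetical address plan
    "workstations": ipaddress.ip_network("10.1.20.0/24"),
    "servers": ipaddress.ip_network("10.1.10.0/24"),
    "database": ipaddress.ip_network("10.1.30.0/24"),
}


def zone(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def flow_key(f):
    """What 'normal' is keyed on: which zone talks to which, over what protocol, to which service port.
    Source ports and exact addresses churn constantly, so they are deliberately left out."""
    return (zone(f.src), zone(f.dst), f.proto, f.dport)


def build_baseline(flows):
    """The set of patterns observed during a validated clean window."""
    return {flow_key(f) for f in flows}


def deviations(flows, baseline):
    """Flows whose pattern never appeared in the baseline: the 'unfamiliar' to investigate."""
    return [f for f in flows if flow_key(f) not in baseline]


def large_outbound(flows, threshold_bytes):
    """Internal-to-external flows moving more than threshold_bytes (outbound file transfers)."""
    return [f for f in flows
            if zone(f.src) != "external" and zone(f.dst) == "external" and f.nbytes > threshold_bytes]


BASELINE_WINDOW = [
    Flow("10.1.20.15", "10.1.10.53", 53211, 53, "UDP", 100, 101, 180),
    Flow("10.1.20.22", "10.1.10.5", 50010, 443, "TCP", 110, 140, 52_000),
    Flow("10.1.20.22", "203.0.113.80", 50020, 443, "TCP", 200, 230, 310_000),
    Flow("10.1.10.5", "10.1.30.7", 40001, 1433, "TCP", 300, 305, 9_000),
]
TODAY = [
    Flow("10.1.20.15", "10.1.10.53", 53300, 53, "UDP", 1000, 1001, 170),               # normal
    Flow("10.1.20.22", "203.0.113.80", 50300, 443, "TCP", 1100, 1190, 400_000),       # normal
    Flow("10.1.20.31", "198.51.100.9", 50400, 21, "TCP", 1200, 1900, 2_400_000_000),  # new: 2.4 GB out over FTP
    Flow("10.1.30.7", "203.0.113.55", 40500, 443, "TCP", 1300, 1310, 12_000),         # new: DB host talking outbound
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for f in deviations(TODAY, base):
        print("unfamiliar:", flow_key(f), f.src, "->", f.dst, f.nbytes, "bytes", f.end - f.start, "s")
    for f in large_outbound(TODAY, 100_000_000):
        print("large outbound transfer:", f.src, "->", f.dst, f.nbytes, "bytes")
```

Two of the four new flows survive the filter: a workstation pushing 2.4 GB out over FTP, and a database server that has never had an external pattern opening an outbound HTTPS session. Keying on zones rather than hosts is what keeps the baseline small enough to maintain as traffic and applications change; a new workstation doing the same things as its neighbours produces no deviation.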
Slide - 26
Forensic Analysis
Observe the use of the Exploit on your internal network
• Both WannaCry and Petya used the recently released EternalBlue exploit to propagate
• Snort rules to detect EternalBlue were available as of May 3, 2017 (a week before the initial WannaCry attack and a month before Petya)
• Once a new zero-day exploit is unveiled, it is faster to write a Snort rule to detect it on the network than to add the variant to endpoint malware detection software
Slide - 27
GigaStor / Uila and SNORT
• Create different profiles for different SNORT rules
Slide - 28
Perimeter Defenses
• Port Scan your perimeter – know what ports are open
• Perform a penetration test / vulnerability scan
• Find your weaknesses / vulnerabilities before they do
• Look for abnormal outbound data transfers
• Develop your plan – refine, refine, refine
Slide - 29
Validate your Firewall rules
• Don’t presume that your Firewall(s) are doing their job(s)
• Review your firewall rules
• Make sure a business case exists for each rule
• Capture both sides of Firewall to validate your UDP rules
Slide - 30
Scope of Attack / Penetration
• Range of the Attack / Penetration vectors
• Internal or External?
• Foreign entity or Competing Company?
• Recall Major League Baseball?
• 1/30/2017 - Cardinals hacked the Astros
• Email and Scouting Database
• Inside their system from 2012 - 2014
• Fined $2M plus other penalties
Slide - 31
Reporting / Validating
Clearly document the attack / compromise
• What was compromised
• Servers
• Hosts
• Network Hardware
• Credentials (UID / Password)
• What methods were used to exfiltrate the data?
• Save all logs and capture files
• Can we put countermeasures in place to keep this type of compromise from happening again?
• Notify management
Slide - 32
What can you do?
Configuration Management (CSC-9)
Patch as soon as practical
Follow-up on vulnerability scanning
Documenting all exceptions
Communicate
No tolerance for allowing unauthorized computers
on the network
Application review and Peer reviews
Slide - 33
Conclusion
Identify security threats through packet analysis
Ensure you have all of the packets (GigaStor)
If you can’t see all of the paths, how do you know you have all of the information?
Use of a packet broker and TAPs can help with 24x7 total network visibility