The Needle in the Haystack

Slides:



Advertisements
Similar presentations
Case study : The curious mr. x
Advertisements

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
The Most Analytical and Comprehensive Defense Network in a Box.
Firewalls and Intrusion Detection Systems
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
COEN 252: Computer Forensics Router Investigation.
© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written.
1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.
Intrusion Detection System Marmagna Desai [ 520 Presentation]
SANS Technology Institute - Candidate for Master of Science Degree Implementing and Automating Critical Control 19: Secure Network Engineering for Next.
FIREWALL Mạng máy tính nâng cao-V1.
Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.
Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008.
COEN 252 Computer Forensics Collecting Network-based Evidence.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
1 9/14/2010 Cloud Network Defense Tom Byrnes Founder & CEO x4242 Cloud Network Defense.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.
Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics.
© ETH Zürich | ID-KOM/NSG Simple Anomaly Detection via Netflows.
Real-time Ingestion of telemetry into Hadoop to respond to Zero-Day Attacks Vipul Sawant, Pallav Jakhotiya.
Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2.
Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation.
Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –
NPM and Security Forensics Mark Cromley Solutions Engineer Viavi Solutions, Inc.
Security fundamentals
DISA Cyclops Program.
SIEM Rotem Mesika System security engineering
Market Engagement – security update
IoT Security Part 2, The Malware
Latency and Communication Challenges in Automated Manufacturing
Determining Topology from a Capture File
DNS Security Advanced Network Security Peter Reiher August, 2014
47th IETF - Adelaide Chris Lonvick
Intercept X Early Access Program Root Cause Analysis
The Game has Changed… Ready or Not! Andrew Willetts Technologies, Inc.
Lesson Objectives Aims You should be able to:
Outline Introduction Characteristics of intrusion detection systems
Unit 5: Providing Network Services
System Management MAS.
Troubleshooting IP Communications
ADVANCED PERSISTENT THREATS (APTs) - Simulation
StealthWatch: Network Visibility & Security Intelligence BATTLE CARD
XML and Databases.
Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek
COTS testing Tor Stålhane.
2018 Real Cisco Dumps IT-Dumps
Tips to pass your Check Point CCSA exam Pass your exam successfully html.
Securing your Company’s Assets with Packets
DATA COLLECTION, MANAGEMENT AND ANALYSIS
Challenges in Network Troubleshooting In big scale networks, when an issue like latency or packet drops occur its very hard sometimes to pinpoint.
Information Security Session October 24, 2005
AKAMAI INTELLIGENT PLATFORM™
Intercept X Early Access Program Root Cause Analysis
Shifting from “Incident” to “Continuous” Response
– Chapter 3 – Device Security (B)
Firewalls Types of Firewalls Inspection Methods Firewall Architecture
Firewalls Jiang Long Spring 2002.
Networking Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources Usually,
Motivation and Problem Statement
COMPUTER NETWORKS PRESENTATION
Justin Brady Malware Forensics.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
4.01 How Web Pages Work.
Session 20 INST 346 Technologies, Infrastructure and Architecture
Tonight – Finishing off workshop
Presentation transcript:

The Needle in the Haystack Jasper Bongertz 17 June 2015

The Needle in the Haystack In an incident response situation at least one Indicator of Compromise has been found already The haystack is all of the IT infrastructure that needs to be checked: Clients Servers Network ISP uplinks 20 November 2018

Looking for the Needle The challenge: The Needle in the Haystack Looking for the Needle The challenge: Telling what systems have really been compromised So how do we usually do that? Looking at: file systems log files firewall rule tables sensor hits (IDS/IPS/NSM/AV/Sandboxes) documentation 20 November 2018

The Needle in the Haystack Looking at the network Network forensics can be an effective way to spot potential „Needles“ No matter how good malware hides, it‘ll use the network sooner or later „No place to hide“ if sniffing packets at the right spot Challenges: Sniffing packets at the „right spot“ Scanning through gazillions of packets, looking for IoCs Bild: CDS 20 November 2018

Best practices Looking at Internet uplinks The Needle in the Haystack Best practices Looking at Internet uplinks Usually there are only a couple of them Problem: undocumented/“rogue“ uplinks Inspecting DNS Can be stored a long time, e.g. using PassiveDNS Finding CnC patterns: Answers containing Loopback addresses High amount of errors like „no such name“ Domain Generation Algorithms Still need to sort out false positives Bild: Generic Brochure 20 November 2018

Best practices Leveraging NetFlow The Needle in the Haystack Best practices Leveraging NetFlow Long term storage of metadata of communication flows Helps tracking lateral movement of attackers and building timelines Can also be used for event correlation Baselining suspicious systems Record everything it does Using SPAN ports/TAPs Pinpoint assets that require file system forensics Bild: Advanced Forensics 20 November 2018

The Needle in the Haystack Demo 20 November 2018

Thank you! Questions? 20 November 2018