HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS
Tom Cross, tcross@lancope.com
Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time.

Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary.

Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic.

Lancope will demonstrate how these records can be used to:

• Discover active attacks in each phase of the attacker’s “kill chain.”
• Determine the scope of successful breaches and document the timeline of the attacks.

Published in: Technology
1. HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS
   Tom Cross, tcross@lancope.com
2. WHAT IS DIGITAL FORENSICS? WHAT IS INCIDENT RESPONSE?
3. WHAT IS FORENSICS?
4. Visibility throughout the Kill Chain
   Recon → Exploitation (Social Engineering?) → Initial Infection → Internal Pivot → Data Preparation & Exfiltration, with Command and Control throughout
   © 2013 Lancope, Inc. All rights reserved.
5. Intrusion Audit Trails
   1:06:15 PM: Internal host visits malicious web site
   1:06:30 PM: Malware infection complete, accesses Internet command and control
   1:06:35 PM: Malware begins scanning internal network
   1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
   1:13:59 PM: Multiple internal infected hosts
   1:14:00 PM: Administrators manually disconnect the initial infected host
   Do you know what went on while you were mitigating?
6. Audit Trail Sources
   • Firewall logs
     – Are you logging everything or just denies?
   • Internal & Host IPS systems
     – HIPS potentially has a lot of breadth
     – Can be expensive to deploy
     – Signature based
   • Log Management Solutions/SIEM
     – Are you collecting everything?
     – You can only see what gets logged
   • NetFlow
     – Lots of breadth, less depth
     – Lower disk space requirements
   • Full Packet Capture
     – Deep but not broad
     – Expensive
     – High disk space requirements
   Tradeoffs:
   • Record everything vs only bad things
   • Breadth vs Depth
   • Time vs Depth
   • Privacy
7. Tradeoffs (network diagram showing where flow can be collected: DMZ, VPN, Internal Network, Internet and 3G links)
8. Tradeoffs (chart plotting Richness against Disk Space Required, with NetFlow and Full Packet Capture as the two points)
9. NETWORK AUDIT LOG DETECTION
10. Realtime NetFlow Monitoring
    ©2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)
11. What Can Behavioral NetFlow Analysis Do? Loss of Protected Data
12. What Can Behavioral NetFlow Analysis Do? Reveal Recon
13. What can you detect with the audit log? Reveal BotNet Hosts (Layer 3, Layer 4 and URL)
14. FORENSIC INVESTIGATIONS USING THE NETWORK AUDIT TRAIL
15. APT1
16. Best Practice – Running Reports in StealthWatch
    • Always run Flow Traffic or Top reports before the Flow Table for flow queries beyond 1 day, to summarize the results and get the most efficient processing.
    • The Flow Traffic and Top reports are a summary of the flow data and much quicker to process.
    • It’s like going fishing in the ocean: you know there are fish in there, but if you use a fishing radar you know where to drop your line and pull the fish (data) back from.
17. Following IOC
    A waterhole campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the disclosed site.
18. Following IOC
    Check host details around that time.
    Suspicious HTTP connections right after contact: a good candidate for a drive-by download.
    Suspicious download followed by a reverse SSH shell. Most SSH bytes sent by the “client”.
19. Following IOC
    The attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.
20. Following IOC
    Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else. Another host shows a reverse shell.
21. SQL Injection
    A large data transfer from your web server to an outside host was detected.
22. SQL Injection
    Where did the data go?
23. SQL Injection
    Look for suspicious activity targeting the web server and your DMZ.
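The IOC-following procedure of slides 17 through 20 and the large-transfer check of slides 21 and 22, as an added example that is not from the original deck or from Lancope's StealthWatch: Python over a constructed set of summarised flow records. The Flow layout, the 10.0.0.0/8 internal range, the addresses, byte counts and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network
# One summarised flow record (constructed layout, not a real NetFlow/IPFIX template):
# time, source, destination, destination port, bytes src->dst, bytes dst->src.
Flow = namedtuple("Flow", "time src dst dport bytes_out bytes_in")
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
WATERHOLE = "203.0.113.10"           # constructed stand-in for the disclosed waterhole site
# Constructed sample audit trail that follows the storyline of slides 17-22.
FLOWS = [
    Flow("13:06:15", "10.1.1.5", WATERHOLE, 80, 900, 45_000),             # visit to the disclosed site
    Flow("13:06:30", "10.1.1.5", "198.51.100.7", 22, 2_500_000, 40_000),  # SSH where the "client" sends most bytes
    Flow("13:06:35", "10.1.1.5", "10.1.1.20", 445, 300, 0),               # internal recon on 445/135
    Flow("13:06:36", "10.1.1.5", "10.1.1.21", 445, 300, 0),
    Flow("13:06:37", "10.1.1.5", "10.1.1.22", 135, 300, 0),
    Flow("13:09:00", "10.1.1.22", "198.51.100.7", 22, 1_800_000, 30_000), # second reverse shell
    Flow("13:10:00", "10.1.1.9", "198.51.100.7", 22, 3_000, 200_000),     # ordinary outbound SSH session
    Flow("13:20:00", "10.2.0.4", "192.0.2.77", 443, 700_000_000, 50_000), # web server bulk transfer out
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def hosts_that_contacted(flows, ioc):
    """Slide 17: internal hosts with any flow to the IOC address."""
    return sorted({f.src for f in flows if f.dst == ioc and is_internal(f.src)})

def reverse_shell_candidates(flows, min_ratio=0.9):
    """Slide 18: SSH flows to the outside in which the internal 'client' sent most of the bytes."""
    hits = set()
    for f in flows:
        if f.dport == 22 and is_internal(f.src) and not is_internal(f.dst):
            total = f.bytes_out + f.bytes_in
            if total and f.bytes_out / total >= min_ratio:
                hits.add((f.src, f.dst))
    return sorted(hits)

def scanners(flows, ports=(445, 135), min_targets=3):
    """Slide 19: internal hosts that touched at least min_targets distinct internal hosts on 445/135."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ports and is_internal(f.src) and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)

def pivot_on_controllers(flows):
    """Slide 20: treat each reverse-shell controller as a new IOC and list every host that touched it."""
    return {c2: hosts_that_contacted(flows, c2) for _, c2 in reverse_shell_candidates(flows)}

def large_outbound_transfers(flows, servers, min_bytes):
    """Slides 21-22: servers that sent an unusually large volume to an outside host."""
    return sorted((f.src, f.dst, f.bytes_out) for f in flows
                  if f.src in servers and not is_internal(f.dst) and f.bytes_out >= min_bytes)
```

Each function answers one step of the investigation; the pivot step feeds the controller address back into the same lookup that found the first compromised host, which is the point of keeping a complete audit trail rather than only alerts.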
24. Combating Insider Threat is a multidisciplinary challenge (IT, HR, Legal)
    • IT cannot address insider threat by itself
      – People have a tendency to think that IT is solely responsible for all computer security issues.
    • Legal: Are policies in place? Are they realistic? Does legal support IT practices?
    • HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
    • IT: Is the privacy of end users adequately protected?
    • What impact on workplace harmony are policies, monitoring, and enforcement having?
    • Are you applying policies consistently?
25. Following the User
    Sometimes investigations start with user intelligence.
26. Following the User
27. Data Theft: Beron’s abnormal disclosure
    One of your users has uploaded a large amount of data to the internet.
28. Data Theft: What did Beron send? Who received it?
29. Data Theft: Where could Beron have gotten the data?
30. Data Theft
31. Data Theft: Why did Beron do it?
32. The Five W’s
    • Who did this?
      – Usernames, IP addresses
    • What did they do?
      – What behavior did they engage in?
    • Where did they go?
      – What hosts on my network were accessed?
    • When?
      – Have we investigated the full intrusion timeline?
    • Why? What is their objective?
33. Tom Cross, Director of Research, Lancope
    tcross@lancope.com
    www.lancope.com
    @Lancope (company)
    @netflowninjas (company blog)
    https://www.facebook.com/Lancope
    http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
    https://plus.google.com/u/0/103996520487697388791/posts
    http://feeds.feedburner.com/NetflowNinjas