Advanced Attack Detection
The Open Source Way :-)
Dominique Karg, AlienVault / OSSIM
BSidesSF 2010

What this talk is not about

The Play
(AAA)
Self reminder: don't forget to tell what this is all going to be about.

Actors
(Presenting the players)

ZEUS
Ask your local malware provider.

Trojan Emulation/Analysis
AlienVRT, jaime.blasco@alienvault.com

NIDS
http://www.snort.org

Host behavior/Anomalies
Spade/Spada
AlienVRT, jaime.blasco@alienvault.com

HIDS
Trend... http://www.ossec.net

Windows Policies
Snare
http://www.intersectalliance.org

Flows
...
NFDump/NFSen
Heavily modified for OSSIM

Traffic Behavior
NTop
http://www.ntop.org

Correlation
OSSIM
http://www.alienvault.com

Attack
(What the user does *not* see)

Installation
Description details based on:
http://www.noryak.net/papers/zeus.pdf

System information gathering
Description details based on:
http://www.noryak.net/papers/zeus.pdf

Credential Stealing
Description details based on:
http://www.noryak.net/papers/zeus.pdf

Environment discovery
Description details based on:
http://www.noryak.net/papers/zeus.pdf

Calling home
Description details based on:
http://www.noryak.net/papers/zeus.pdf

Web page injection
Description details based on:
http://www.noryak.net/papers/zeus.pdf

Analysis
(What happens behind the scenes)

NIDS Events
(Unreliable, signature based, false positives)

Host Behavior/Anomalies
(Misconfigured services cause those)

HIDS Events
(False positives, less dangerous stuff, signature based)

Windows Policies
592 – Process creation
593 – Process destruction
577 – Priv system calls
(Noisy to filter out)

Flows
(Malware might contact non-RBN hosts)

Traffic behavior
(Hard to tune, tons of false positives)

Correlation
(The Key to success)
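The analysis slides make one point per sensor: NIDS signatures, HIDS alerts, the Windows 592/593/577 process and privilege events, flows and traffic behaviour are each noisy or unreliable on their own, and the Correlation slide names combining them as the key. The Python below is an added example written for this page, not code from the slides or from OSSIM's correlation engine; the sample events, the per-source reliability weights, the 60-second window and the alert thresholds are all assumptions chosen for the illustration. It raises an alert only when several independent sensors report the same host inside the window, so a burst of 592/593 process events by itself never alerts.

```python
"""Toy multi-sensor correlator (added example, not OSSIM's engine).

Each event is (timestamp, source, host, event_id, detail). Sources are the
sensors named on the slides: Snare (Windows security log), OSSEC (HIDS),
Snort (NIDS) and NFDump (flows). All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed reliability per sensor: how much a single event from it is worth.
SOURCE_RELIABILITY = {"snare": 1, "ossec": 3, "snort": 3, "nfdump": 2}
# Assumed weights for the Windows event IDs named on the slides:
# 592 process creation, 593 process exit, 577 privileged service call.
WINDOWS_EVENT_WEIGHT = {"592": 1, "593": 1, "577": 2}

WINDOW = timedelta(seconds=60)  # assumed correlation window
MIN_SOURCES = 3                 # assumed: at least three distinct sensors must agree
MIN_SCORE = 8                   # assumed: summed reliability must reach this

# Constructed sample events (ISO timestamp, source, host, event id, detail).
SAMPLE_EVENTS = [
    ("2010-03-01T10:00:01", "snare",  "10.0.0.5", "592", "new process: svchost.exe"),
    ("2010-03-01T10:00:02", "snare",  "10.0.0.5", "593", "process exit: svchost.exe"),
    ("2010-03-01T10:00:05", "snare",  "10.0.0.5", "577", "privileged service called"),
    ("2010-03-01T10:00:07", "ossec",  "10.0.0.5", "syscheck", "registry run key changed"),
    ("2010-03-01T10:00:20", "snort",  "10.0.0.5", "sid:1000001", "suspicious HTTP POST"),
    ("2010-03-01T10:00:21", "nfdump", "10.0.0.5", "flow", "outbound to 203.0.113.9:80"),
    # Normal process churn on another host: Snare only, should stay silent.
    ("2010-03-01T10:05:00", "snare",  "10.0.0.8", "592", "new process: notepad.exe"),
    ("2010-03-01T10:05:01", "snare",  "10.0.0.8", "593", "process exit: notepad.exe"),
    ("2010-03-01T10:05:02", "snare",  "10.0.0.8", "592", "new process: calc.exe"),
]


def event_score(source, event_id):
    """Reliability contributed by one event (assumed weights)."""
    if source == "snare":
        return WINDOWS_EVENT_WEIGHT.get(event_id, 1)
    return SOURCE_RELIABILITY.get(source, 1)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES, min_score=MIN_SCORE):
    """Return alerts for hosts where enough independent sensors agree in time.

    For each host, events are scanned in time order; a window starting at each
    event is checked for the number of distinct sources and the summed score.
    Once a window alerts, scanning resumes after it so the same events are
    not reported twice.
    """
    by_host = defaultdict(list)
    for ts, source, host, event_id, detail in events:
        by_host[host].append((parse_ts(ts), source, event_id, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            j = i
            while j < len(evs) and evs[j][0] - start <= window:
                j += 1
            window_evs = evs[i:j]
            sources = {src for _, src, _, _ in window_evs}
            total = sum(event_score(src, eid) for _, src, eid, _ in window_evs)
            if len(sources) >= min_sources and total >= min_score:
                alerts.append({
                    "host": host,
                    "start": start.isoformat(),
                    "end": window_evs[-1][0].isoformat(),
                    "sources": sorted(sources),
                    "score": total,
                })
                i = j  # skip past the events already covered by this alert
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only 10.0.0.5 alerts: four sensors agree within twenty seconds for a score of 12, while 10.0.0.8 produces only Snare process events and is filtered out as the noise the slide describes. Tuning the weights and thresholds per environment is exactly the work the "hard to tune" and "noisy to filter out" remarks refer to.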
Conclusion
(Obtaining reliable security through brute force)

No single Point of Failure

Easily add new components

Free!
Cheap!

What to do next
- Download OSSIM
- Try this out
- Improve it
- Share it
- Have fun

Thanks a lot!
Dominique Karg
dk@alienvault.com
dkarg @ twitter
Cheers to my lovely fiancé who makes me a better person every day :*