
Hunting Attackers with Network Audit Trails


Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time.

Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary.

Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks, and how they can be used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic.

Lancope will demonstrate how these records can be used to:

Discover active attacks in each phase of the attacker’s “kill chain.”
Determine the scope of successful breaches and document the timeline of the attacks


Hunting Attackers with Network Audit Trails

Slide 4: Visibility throughout the Kill Chain
  • Recon
  • Exploitation (Social Engineering?)
  • Initial Infection
  • Internal Pivot
  • Data Preparation & Exfiltration
  • Command and Control
  © 2013 Lancope, Inc. All rights reserved.

Slide 5: Intrusion Audit Trails
  • 1:06:15 PM: Internal host visits malicious web site
  • 1:06:30 PM: Malware infection complete, accesses Internet command and control
  • 1:06:35 PM: Malware begins scanning internal network
  • 1:13:59 PM: Multiple internal infected hosts
  • 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
  • 1:14:00 PM: Administrators manually disconnect the initial infected host
  Do you know what went on while you were mitigating?

Slide 6: Audit Trail Sources
  • Firewall logs
    – Are you logging everything or just denies?
  • Internal & host IPS systems
    – HIPS potentially has a lot of breadth
    – Can be expensive to deploy
    – Signature based
  • Log management solutions / SIEM
    – Are you collecting everything?
    – You can only see what gets logged
  • NetFlow
    – Lots of breadth, less depth
    – Lower disk space requirements
  • Full packet capture
    – Deep but not broad
    – Expensive
    – High disk space requirements
  Tradeoffs:
  • Record everything vs. only bad things
  • Breadth vs. depth
  • Time vs. depth
  • Privacy

Slide 7: Tradeoffs (network diagram: Internet, DMZ, VPN, internal network, 3G Internet)

Slide 8: Tradeoffs (chart of richness against disk space required, with NetFlow at the low end of both axes and full packet capture at the high end)
Slide 10: Realtime NetFlow Monitoring
  © 2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)

Slide 11: What Can Behavioral NetFlow Analysis Do? – Loss of Protected Data

Slide 12: What Can Behavioral NetFlow Analysis Do? – Reveal Recon

Slide 13: What can you detect with the audit log? – Reveal BotNet Hosts (Layer 3, Layer 4 and URL)

Slide 15: APT1

Slide 16: Best Practice – Running Reports in StealthWatch
  • Always run Flow Traffic or Top reports before the Flow Table for flow queries beyond 1 day, to summarize the results and get the most efficient processing. The Flow Traffic and Top reports are a summary of the flow data and much quicker to process.
  • It’s like going fishing in the ocean: you know there are fish in there, but if you use a fishing radar you know where to drop your line and pull the fish (data) back from.
Slide 17: Following IOC
  A waterhole campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the disclosed site.

Slide 18: Following IOC
  Check host details around that time. Suspicious HTTP connections right after contact are a good candidate for a drive-by download. A suspicious download is followed by a reverse SSH shell: most SSH bytes are sent by the “client”.

Slide 19: Following IOC
  The attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.

Slide 20: Following IOC
  Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check whether that host has touched the network anywhere else. Another host is showing a reverse shell.
Slide 21: SQL Injection
  A large data transfer from your web server to an outside host was detected.

Slide 22: SQL Injection
  Where did the data go?

Slide 23: SQL Injection
  Look for suspicious activity targeting the web server and your DMZ.
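The investigations in slides 17–20 (following an IOC) and slides 21–23 (bulk transfer from a web server), and the Beron upload in slides 27–28, are all questions asked of the same kind of record: who initiated a session, to whom, on which port, and how many bytes went each way. As an added example that is not part of the deck and is not StealthWatch or any Lancope code, the following Python models such flow records over a constructed audit trail and implements each check: the internal host that touched a disclosed site, SSH sessions where the “client” sent most of the bytes, hosts scanning 445/135, the pivot to the newly found C2 address, and inside-to-outside transfers above a threshold regardless of which side opened the connection. The `Flow` layout, the 10.0.0.0/8 internal range, the thresholds and every address and timestamp are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumption: the internal address space of this constructed network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


class Flow(NamedTuple):
    """One bidirectional flow record with the fields the slides reason about.
    src/sport is the initiator (client); dst/dport is the responder (server)."""
    ts: str            # HH:MM:SS, constructed timestamps
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    client_bytes: int  # bytes sent by the initiator
    server_bytes: int  # bytes sent by the responder


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def hosts_that_contacted(flows, ioc_ip):
    """Slides 17 and 20: internal hosts with a session to a disclosed address, and when.
    Run first for the watering-hole site, then again for the C2 address found later."""
    return sorted({(f.src, f.ts) for f in flows if f.dst == ioc_ip and is_internal(f.src)})


def reverse_shell_candidates(flows, ratio=10.0, min_client_bytes=100_000):
    """Slide 18: SSH sessions where the nominal client sent most of the bytes.
    A victim-initiated reverse shell pushes command output out and receives only
    keystrokes, the inverse of an interactive admin login's byte asymmetry."""
    return [(f.ts, f.src, f.dst) for f in flows
            if f.proto == "tcp" and f.dport == 22
            and f.client_bytes >= min_client_bytes
            and f.client_bytes >= ratio * max(f.server_bytes, 1)]


def hosts_contacted_by(flows, host):
    """Slide 19: everything the compromised host reached out to, for follow-up."""
    return sorted({f.dst for f in flows if f.src == host})


def scanning_hosts(flows, ports=(445, 135), min_targets=5):
    """Slide 19: sources that touched many distinct internal hosts on SMB/RPC ports."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ports and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def large_outbound_transfers(flows, min_bytes=100_000_000):
    """Slides 21-22 and 27-28: inside-to-outside volume above a threshold, whoever initiated.
    A web server answering an outside client (server_bytes) and a user uploading to a
    site (client_bytes) both count; only the bytes leaving the network are compared."""
    found = []
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            inside, outside, sent = f.src, f.dst, f.client_bytes
        elif is_internal(f.dst) and not is_internal(f.src):
            inside, outside, sent = f.dst, f.src, f.server_bytes
        else:
            continue  # purely internal or purely external: not an egress question
        if sent >= min_bytes:
            found.append((f.ts, inside, outside, sent))
    return found


# Constructed sample audit trail; all addresses are documentation/test ranges.
FLOWS = [
    Flow("13:06:15", "10.1.1.50", 51000, "203.0.113.10", 80, "tcp", 900, 48_000),           # visit to disclosed site
    Flow("13:06:20", "10.1.1.50", 51001, "198.51.100.7", 80, "tcp", 600, 250_000),           # suspicious download
    Flow("13:06:30", "10.1.1.50", 51002, "198.51.100.7", 22, "tcp", 2_400_000, 12_000),      # reverse SSH shell
]
FLOWS += [Flow("13:06:35", "10.1.1.50", 51010 + i, f"10.1.1.{51 + i}", port, "tcp", 120, 0)
          for i in range(10) for port in (445, 135)]                                          # internal scan
FLOWS += [
    Flow("13:13:59", "10.1.1.57", 40000, "198.51.100.7", 22, "tcp", 800_000, 9_000),         # second reverse shell
    Flow("13:20:00", "10.1.1.50", 51100, "10.1.1.80", 22, "tcp", 3_000, 20_000),             # ordinary admin SSH
    Flow("13:30:00", "203.0.113.55", 44000, "10.2.0.10", 443, "tcp", 5_000, 900_000_000),    # web server bulk egress
    Flow("13:45:00", "10.1.1.77", 52000, "198.51.100.200", 443, "tcp", 350_000_000, 4_000),  # user upload
]

if __name__ == "__main__":
    print("touched disclosed site:", hosts_that_contacted(FLOWS, "203.0.113.10"))
    print("reverse shell candidates:", reverse_shell_candidates(FLOWS))
    print("contacted by 10.1.1.50:", hosts_contacted_by(FLOWS, "10.1.1.50"))
    print("scanning hosts:", scanning_hosts(FLOWS))
    print("touched C2 address:", hosts_that_contacted(FLOWS, "198.51.100.7"))
    print("large outbound transfers:", large_outbound_transfers(FLOWS))
```

The byte-direction test is the one that separates the reverse shell from the ordinary admin session on the same port: both are SSH, but only one has the “client” doing almost all the talking. The egress check deliberately ignores who opened the connection, because the web server case (outside client, inside server) and the user-upload case (inside client, outside server) are the same question asked of opposite flow directions.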
Slide 24: Combating Insider Threat is a multidisciplinary challenge (IT, HR, Legal)
  • IT cannot address insider threat by itself
    – People have a tendency to think that IT is solely responsible for all computer security issues.
  • Legal: Are policies in place? Are they realistic? Does legal support IT practices?
  • HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
  • IT: Is the privacy of end users adequately protected?
  • What impact on workplace harmony are policies, monitoring, and enforcement having?
  • Are you applying policies consistently?
Slide 25: Following the User
  Sometimes investigations start with user intelligence.

Slide 26: Following the User

Slide 27: Data Theft – Beron’s abnormal disclosure
  One of your users has uploaded a large amount of data to the Internet.

Slide 28: Data Theft – What did Beron send? Who received it?

Slide 29: Data Theft – Where could Beron have gotten the data?

Slide 30: Data Theft

Slide 31: Data Theft – Why did Beron do it?
Slide 32: The Five W’s
  • Who did this?
    – Usernames, IP addresses
  • What did they do?
    – What behavior did they engage in?
  • Where did they go?
    – What hosts on my network were accessed?
  • When?
    – Have we investigated the full intrusion timeline?
  • Why? What is their objective?

Slide 33: Tom Cross, Director of Research, Lancope
  @Lancope (company)
  @netflowninjas (company blog)