SlideShare a Scribd company logo

Detecting Abnormal Network Behavior and Traffic Anomalies Using NBAD

Download as PPTX, PDF
Lancope, Inc.
Lancope, Inc.

Signature detection of attacks requires an understanding of what is “bad” traffic. Unfortunately, advanced attackers are crafting innovative and persistent attacks that create a new brand of “bad” that has no signature. Today’s organizations must instead embrace more forward-thinking security measures such as behavioral analysis in order to identify threats that bypass conventional defenses. Join this complimentary webinar to learn how real-world breaches over the last couple of years were detected by looking at traffic deviating from normal patterns via metadata/NetFlow analysis. Discover how: - Sophisticated attackers are bypassing conventional, signature-based security solutions - NetFlow analysis can detect both known and unknown threats by identifying anomalous behaviors that could signify an attack - Leveraging flow data can significantly improve threat detection, incident response and network forensics

Technology
1 of 37
Looking for the Weird: Detecting "Bad" Traffic and Abnormal Network Behavior C H A R L E S H E R R I N G @C H A R L E S H E R R I N G H T T P : / / F 1 5 H B 0WN . C OM C H E R R I N G@L A N C O P E . C OM
Agenda Definitions NBAD Specific Detection Approaches Example Breaches
Overview - Definitions What is NBAD? What is NetFlow? Detection Schools
What is NBAD? Network Behavioral Anomaly Detection Data source = Network MetaData (NetFlow) Probe locations = Core or deeper Quantity/Metric Centric (not Pattern/Signature Centric) Sometimes used to refer to NetFlow Security Tools
OSS NBAD - SilK/PySiLK 5
Commercial Solutions Arbor PeakFlow IBM Qradar Invea-Tech FlowMon Lancope StealthWatch ManageEngine McAfee NTBA Plixer Scrutinizer ProQSys FlowTraq Riverbed Cascade (formerly Mazu) * For comparison see Gartner Network Behavior Analysis Market December 2012 (G00245584) 6
Network Logging Standards NetFlow v9 (RFC-3950) IPFIX (RFC-5101) Rebranded NetFlow ◦ Jflow – Juniper ◦ Cflowd – Juniper/Alcatel-Lucent ◦ NetStream – 3Com/Huawei ◦ Rflow – Ericsson ◦ AppFlow - Citrix 8 Basic/Common Fields
Detection Methods Signature = Inspect Object against blacklist ◦ IPS ◦ Antivirus ◦ Content Filter Behavioral = Inspect Victim behavior against blacklist ◦ Malware Sandbox ◦ NBAD/UBAD ◦ HIPS ◦ SEIM Anomaly = Inspect Victim behavior against whitelist ◦ NBAD/UBAD
Comparison of Detection Methods Signature Behavior Anomaly Known Exploits Best Good Limited 0-Day Exploits Limited Best Good Credential Abuse Limited Limited Best
Overview – NBAD Detection Approaches Signature Behavioral Anomaly
NBAD Detection - Signature Segmentation Enforcement Policy Violations C&C Connections Pro’s: Certainty can be established; Easy to set up; Deep visibility (without probes) Con’s: Only detects “Known Threats”
Boolean Detection IDS Signature? VA marked vulnerable? NetFlow shows returned data? Trigger Breach Alarm 13 • Requires understanding of “bad” scenario • Dependent on reliable (non-compromised) data sources • Data sources rely on signature (known bad) detection • NetFlow usage limited to communication tracking
NBAD Detection - Behavioral Scanning SYN Flood Flag Sequences Pro’s: Doesn’t need to know exploit Con’s: Must establish host counters
NBAD Detection – Anomaly Pro’s: Can Catch Sophisticated/Targeted/Unknown Threats Con’s: ◦ Requires Host and User Profiles ◦ Requires Specific Baselines/Policies ◦ Output requires interpretation ◦ Requires massive data collection/processing ◦ Requires Algorithmic Calculation
Algorithmic Detection 16 Abnormal connections: Add 425,000 Host Concern Index = 1,150,000 Slow Scanning Activity : Add 325,000 Internal pivot activity: Add 400,000 • Based on knowing normal • Dependent on raw NetFlow MetaData (multiple sources) • Does not require understanding of attack • Output is security indices focused on host activity
NBAD Detection – Anomaly Types Service Traffic Threshold Anomaly Service Type Anomaly Geographic Traffic Anomaly Time of Day Anomaly Geographic User Anomaly Data Hoarding Data Disclosure
NBAD Detection - Anomaly Service Traffic Threshold Anomaly
NBAD Detection - Anomaly Service Type Anomaly
NBAD Detection - Anomaly Geographic Traffic Anomaly
NBAD Detection - Anomaly Time of Day Anomaly
NBAD Detection - Anomaly Geographic User Anomaly
NBAD Detection - Anomaly Data Hoarding
NBAD Detection - Anomaly Data Disclosure
Overview – Specific NBAD Breaches Health Care vs. State Sponsored State/Local Government vs. Organized Crime Agriculture vs. State Sponsored Higher Education vs. State Sponsored Manufacture vs. Activists
Patient Data to East Asia Victim Vertical: Healthcare Probable Assailant: State Sponsored Objective: Theft of patient healthcare records Motivation: Geopolitical/Martial Methodology: ◦ Keylogging Malware ◦ Configuration change of infrastructure NBAD Type: Enforcement Monitoring
Geographical Anomaly
Cardholder Data to East Europe Victim Vertical: State/Local Government Probable Assailant: Organized Crime Objective: Theft of cardholder data Motivation: Profit Methodology: ◦ Coldfusion exploit of payment webserver ◦ Recoded Application ◦ Staged data on server; uploaded to East Europe FTP server NBAD Type: ◦ Geographic Anomaly ◦ Traffic Anomaly
Geographical Traffic Anomaly
Intellectual Property to East Asia Victim Vertical: Agriculture Probable Assailant: State Sponsored Objective: Theft of food production IP Motivation: Profit/National Competition Methodology: ◦ Spearphish of administrator ◦ Pivot via VPN ◦ Pivot via monitoring servers ◦ Direct exfiltration NBAD Type: ◦ Geographic Traffic Anomaly ◦ Geographic User Anomaly ◦ Traffic Anomaly
Recon from Monitoring Servers
Geographical Anomaly
Theft of Research Data Victim Vertical: Higher Education Probable Assailant: State Sponsored Objective: Theft sensitive research data Motivation: Geopolitical/Martial Methodology: ◦ Direct access to exposed RDP Servers ◦ Bruteforce of credentials NBAD Type: ◦ Service Traffic Anomaly ◦ Geographic Traffic Anomaly
Traffic Anomaly
Theft of Customer Data Victim Vertical: Manufacturing Probable Assailant: Activist Objective: Publish stolen customer data Motivation: Embarrassing Victim Methodology: ◦ SQL Injection to Customer Portal NBAD Type: ◦ Recon detection ◦ Traffic Anomaly to Internet ◦ Traffic Anomaly to Webserver from DB
Recon before SQLi
Anomalous Data Exfiltration
Catching Breaches with NBAD C H A R L E S H E R R I N G @C H A R L E S H E R R I N G H T T P : / / F 1 5 H B 0WN . C OM C H E R R I N G@L A N C O P E . C OM Questions?

Recommended

Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEC-Council
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesLancope, Inc.
 
GraphTalks Copenhagen - Analyzing Fraud with Graph Databases
GraphTalks Copenhagen - Analyzing Fraud with Graph DatabasesGraphTalks Copenhagen - Analyzing Fraud with Graph Databases
GraphTalks Copenhagen - Analyzing Fraud with Graph DatabasesNeo4j
 
BSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfBSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfStevenJoeBiago
 
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankRisk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankPriyanka Aash
 
Vasiliy Sabirov, Lead Analyst, Devtodev
Vasiliy Sabirov, Lead Analyst, DevtodevVasiliy Sabirov, Lead Analyst, Devtodev
Vasiliy Sabirov, Lead Analyst, DevtodevWhite Nights Conference
 
Vasiliy sabirov presentation 2
Vasiliy sabirov presentation 2Vasiliy sabirov presentation 2
Vasiliy sabirov presentation 2Vasiliy Sabirov
 

Recommended

Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEC-Council
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesLancope, Inc.
 
GraphTalks Copenhagen - Analyzing Fraud with Graph Databases
GraphTalks Copenhagen - Analyzing Fraud with Graph DatabasesGraphTalks Copenhagen - Analyzing Fraud with Graph Databases
GraphTalks Copenhagen - Analyzing Fraud with Graph DatabasesNeo4j
 
BSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfBSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfStevenJoeBiago
 
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankRisk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
Risk-Based Approach to Deployment of Omnichannel Biometrics in SberbankPriyanka Aash
 
Vasiliy Sabirov, Lead Analyst, Devtodev
Vasiliy Sabirov, Lead Analyst, DevtodevVasiliy Sabirov, Lead Analyst, Devtodev
Vasiliy Sabirov, Lead Analyst, DevtodevWhite Nights Conference
 
Vasiliy sabirov presentation 2
Vasiliy sabirov presentation 2Vasiliy sabirov presentation 2
Vasiliy sabirov presentation 2Vasiliy Sabirov
 
Separate the wheat from the chaff
Separate the wheat from the chaff�Separate the wheat from the chaff�
Separate the wheat from the chaffdevtodev
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertISSA LA
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
Data driven approach to KYC
Data driven approach to KYCData driven approach to KYC
Data driven approach to KYCPankaj Baid
 
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comUnderstanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comRishabh Dangwal
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j
 
OFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANKOFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANKibankuk
 
OFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANKOFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANKibankuk
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - MagnifierJisc
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataJames Sirota
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDataWorks Summit
 
How to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security ManagementHow to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security ManagementAlienVault
 
Next Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4jNext Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4jNeo4j
 
Proposal for System Analysis and Desing
Proposal for System Analysis and DesingProposal for System Analysis and Desing
Proposal for System Analysis and DesingMd Khaza Main Uddin
 
Mobile Security Risks & Mitigations
Mobile Security Risks & MitigationsMobile Security Risks & Mitigations
Mobile Security Risks & MitigationsNeelu Tripathy
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 

More Related Content

Similar to Detecting Abnormal Network Behavior and Traffic Anomalies Using NBAD

Separate the wheat from the chaff
Separate the wheat from the chaff�Separate the wheat from the chaff�
Separate the wheat from the chaffdevtodev
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertISSA LA
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
Data driven approach to KYC
Data driven approach to KYCData driven approach to KYC
Data driven approach to KYCPankaj Baid
 
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comUnderstanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comRishabh Dangwal
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j
 
OFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANKOFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANKibankuk
 
OFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANKOFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANKibankuk
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - MagnifierJisc
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataJames Sirota
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDataWorks Summit
 
How to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security ManagementHow to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security ManagementAlienVault
 
Next Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4jNext Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4jNeo4j
 
Proposal for System Analysis and Desing
Proposal for System Analysis and DesingProposal for System Analysis and Desing
Proposal for System Analysis and DesingMd Khaza Main Uddin
 
Mobile Security Risks & Mitigations
Mobile Security Risks & MitigationsMobile Security Risks & Mitigations
Mobile Security Risks & MitigationsNeelu Tripathy
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 

Similar to Detecting Abnormal Network Behavior and Traffic Anomalies Using NBAD (20)

Separate the wheat from the chaff
Separate the wheat from the chaff�Separate the wheat from the chaff�
Separate the wheat from the chaff
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Data driven approach to KYC
Data driven approach to KYCData driven approach to KYC
Data driven approach to KYC
 
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.comUnderstanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
Understanding DDOS Mitigation by Rishabh Dangwal - www.theprohack.com
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
Neo4j GraphTalk Copenhagen - Next Generation Solutions using Neo4j
 
OFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANKOFSAA - BIGDATA - IBANK
OFSAA - BIGDATA - IBANK
 
OFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANKOFSAA - BIG DATA - IBANK
OFSAA - BIG DATA - IBANK
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - Magnifier
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
How to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security ManagementHow to Simplify Audit Compliance with Unified Security Management
How to Simplify Audit Compliance with Unified Security Management
 
Next Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4jNext Generation Fraud Solutions using Neo4j
Next Generation Fraud Solutions using Neo4j
 
Proposal for System Analysis and Desing
Proposal for System Analysis and DesingProposal for System Analysis and Desing
Proposal for System Analysis and Desing
 
Mobile Security Risks & Mitigations
Mobile Security Risks & MitigationsMobile Security Risks & Mitigations
Mobile Security Risks & Mitigations
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
 

More from Lancope, Inc.

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is HereLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Lancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointLancope, Inc.
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Lancope, Inc.
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramLancope, Inc.
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1Lancope, Inc.
 

More from Lancope, Inc. (20)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation Tovar
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Detecting Abnormal Network Behavior and Traffic Anomalies Using NBAD

  • 1. Looking for the Weird: Detecting "Bad" Traffic and Abnormal Network Behavior C H A R L E S H E R R I N G @C H A R L E S H E R R I N G H T T P : / / F 1 5 H B 0WN . C OM C H E R R I N G@L A N C O P E . C OM
  • 2. Agenda Definitions NBAD Specific Detection Approaches Example Breaches
  • 3. Overview - Definitions What is NBAD? What is NetFlow? Detection Schools
  • 4. What is NBAD? Network Behavioral Anomaly Detection Data source = Network MetaData (NetFlow) Probe locations = Core or deeper Quantity/Metric Centric (not Pattern/Signature Centric) Sometimes used to refer to NetFlow Security Tools
  • 5. OSS NBAD - SilK/PySiLK 5
  • 6. Commercial Solutions Arbor PeakFlow IBM Qradar Invea-Tech FlowMon Lancope StealthWatch ManageEngine McAfee NTBA Plixer Scrutinizer ProQSys FlowTraq Riverbed Cascade (formerly Mazu) * For comparison see Gartner Network Behavior Analysis Market December 2012 (G00245584) 6
  • 7. Network Logging Standards NetFlow v9 (RFC-3950) IPFIX (RFC-5101) Rebranded NetFlow ◦ Jflow – Juniper ◦ Cflowd – Juniper/Alcatel-Lucent ◦ NetStream – 3Com/Huawei ◦ Rflow – Ericsson ◦ AppFlow - Citrix 8 Basic/Common Fields
  • 8. Detection Methods Signature = Inspect Object against blacklist ◦ IPS ◦ Antivirus ◦ Content Filter Behavioral = Inspect Victim behavior against blacklist ◦ Malware Sandbox ◦ NBAD/UBAD ◦ HIPS ◦ SEIM Anomaly = Inspect Victim behavior against whitelist ◦ NBAD/UBAD
  • 9. Comparison of Detection Methods Signature Behavior Anomaly Known Exploits Best Good Limited 0-Day Exploits Limited Best Good Credential Abuse Limited Limited Best
  • 10. Overview – NBAD Detection Approaches Signature Behavioral Anomaly
  • 11. NBAD Detection - Signature Segmentation Enforcement Policy Violations C&C Connections Pro’s: Certainty can be established; Easy to set up; Deep visibility (without probes) Con’s: Only detects “Known Threats”
  • 12. Boolean Detection IDS Signature? VA marked vulnerable? NetFlow shows returned data? Trigger Breach Alarm 13 • Requires understanding of “bad” scenario • Dependent on reliable (non-compromised) data sources • Data sources rely on signature (known bad) detection • NetFlow usage limited to communication tracking
  • 13. NBAD Detection - Behavioral Scanning SYN Flood Flag Sequences Pro’s: Doesn’t need to know exploit Con’s: Must establish host counters
  • 14. NBAD Detection – Anomaly Pro’s: Can Catch Sophisticated/Targeted/Unknown Threats Con’s: ◦ Requires Host and User Profiles ◦ Requires Specific Baselines/Policies ◦ Output requires interpretation ◦ Requires massive data collection/processing ◦ Requires Algorithmic Calculation
  • 15. Algorithmic Detection 16 Abnormal connections: Add 425,000 Host Concern Index = 1,150,000 Slow Scanning Activity : Add 325,000 Internal pivot activity: Add 400,000 • Based on knowing normal • Dependent on raw NetFlow MetaData (multiple sources) • Does not require understanding of attack • Output is security indices focused on host activity
  • 16. NBAD Detection – Anomaly Types Service Traffic Threshold Anomaly Service Type Anomaly Geographic Traffic Anomaly Time of Day Anomaly Geographic User Anomaly Data Hoarding Data Disclosure
  • 17. NBAD Detection - Anomaly Service Traffic Threshold Anomaly
  • 18. NBAD Detection - Anomaly Service Type Anomaly
  • 19. NBAD Detection - Anomaly Geographic Traffic Anomaly
  • 20. NBAD Detection - Anomaly Time of Day Anomaly
  • 21. NBAD Detection - Anomaly Geographic User Anomaly
  • 22. NBAD Detection - Anomaly Data Hoarding
  • 23. NBAD Detection - Anomaly Data Disclosure
  • 24. Overview – Specific NBAD Breaches Health Care vs. State Sponsored State/Local Government vs. Organized Crime Agriculture vs. State Sponsored Higher Education vs. State Sponsored Manufacture vs. Activists
  • 25. Patient Data to East Asia Victim Vertical: Healthcare Probable Assailant: State Sponsored Objective: Theft of patient healthcare records Motivation: Geopolitical/Martial Methodology: ◦ Keylogging Malware ◦ Configuration change of infrastructure NBAD Type: Enforcement Monitoring
  • 27. Cardholder Data to East Europe Victim Vertical: State/Local Government Probable Assailant: Organized Crime Objective: Theft of cardholder data Motivation: Profit Methodology: ◦ Coldfusion exploit of payment webserver ◦ Recoded Application ◦ Staged data on server; uploaded to East Europe FTP server NBAD Type: ◦ Geographic Anomaly ◦ Traffic Anomaly
  • 29. Intellectual Property to East Asia Victim Vertical: Agriculture Probable Assailant: State Sponsored Objective: Theft of food production IP Motivation: Profit/National Competition Methodology: ◦ Spearphish of administrator ◦ Pivot via VPN ◦ Pivot via monitoring servers ◦ Direct exfiltration NBAD Type: ◦ Geographic Traffic Anomaly ◦ Geographic User Anomaly ◦ Traffic Anomaly
  • 32. Theft of Research Data Victim Vertical: Higher Education Probable Assailant: State Sponsored Objective: Theft sensitive research data Motivation: Geopolitical/Martial Methodology: ◦ Direct access to exposed RDP Servers ◦ Bruteforce of credentials NBAD Type: ◦ Service Traffic Anomaly ◦ Geographic Traffic Anomaly
  • 34. Theft of Customer Data Victim Vertical: Manufacturing Probable Assailant: Activist Objective: Publish stolen customer data Motivation: Embarrassing Victim Methodology: ◦ SQL Injection to Customer Portal NBAD Type: ◦ Recon detection ◦ Traffic Anomaly to Internet ◦ Traffic Anomaly to Webserver from DB
  • 37. Catching Breaches with NBAD C H A R L E S H E R R I N G @C H A R L E S H E R R I N G H T T P : / / F 1 5 H B 0WN . C OM C H E R R I N G@L A N C O P E . C OM Questions?