OFFENSIVE IDS
OVERVIEW
VERSION: 1.4a
DATE: 27/02/2019
AUTHOR: SYLVAIN MARTINEZ
REFERENCE: ESC14-MUSCL
CLASSIFICATION: PUBLIC
{elysiumsecurity}
cyber protection & response
CONTENTS
• IDS Introduction;
• Topology Example;
• IDS Benefits;
• Offensive IDS Overview;
• Topology Revisited;
• Benefits Revisited;
• Capturing traffic;
• Core Components;
• Tweaking;
• Finding the needle;
• Free credentials;
• IDS Dashboard example;
• Not just defence;
• Resources.
IDS INTRODUCTION

[Slide diagram; recovered text only]
IDS HIGH LEVEL CONCEPT: TRAFFIC & EVENTS -> ANALYSIS -> ALERTS & ACTIONS
ANALYSIS OPTIONS: SIGNATURES; PATTERNS & BEHAVIOURS
CONFIGURATION OPTIONS: ACTIVE / PASSIVE; NIDS / HIDS; IDS / IPS
Icons from the Noun Project unless specified otherwise
TOPOLOGY EXAMPLE

[Slide diagram; recovered text only]
NETWORK ZONES: GUEST WIFI; USERS; SERVERS; DMZ; INTERNET
DUPLICATED TRAFFIC (EXTERNAL) AND DUPLICATED TRAFFIC (INTERNAL) -> IDS
IDS: TRAFFIC ANALYSIS (SIGNATURES; PATTERNS / BEHAVIOURS) -> SECURITY ALERTS
Icons from VMWARE
IDS MAIN BENEFITS

ALERTS
• CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC.)
• CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC.)
• VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.)
• VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.)

INVESTIGATION
• NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS)
• NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS)
• NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME)
• NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.)
OFFENSIVE IDS OVERVIEW

GOAL: TO USE THE POWER OF AN IDS TO HELP FIND INTERESTING TIMELINES, VULNERABILITIES AND SENSITIVE DATA
WHY: TO HELP GO THROUGH A LARGE VOLUME OF CAPTURED DATA AND RE-PURPOSE THE BENEFITS OF AN IDS
HOW: CAPTURE TRAFFIC AND EVENTS IN A PCAP FILE AND REPLAY IT INTO A STANDALONE IDS IN A VM
NETWORK TOPOLOGY - REVISITED

[Slide diagram; recovered text only]
NETWORK ZONES: GUEST WIFI; USERS; SERVERS; DMZ; INTERNET
DUPLICATED TRAFFIC (EXTERNAL AND INTERNAL) -> PCAP FILES
PCAP FILES -> IDS: TRAFFIC ANALYSIS (SIGNATURES; PATTERNS / BEHAVIOURS); FILES EXTRACTION
OUTPUT: SECURITY ALERTS, FILES, PASSWORDS, ETC.
IDS MAIN BENEFITS - REVISITED

ALERTS
• CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC.)
• CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC.)
• VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.)
• VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.)

INVESTIGATION
• NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS)
• NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS)
• NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME)
• NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.)

• SPEED UP NETWORK TRAFFIC ANALYSIS
• IDENTIFY INTERESTING TIMELINES
• IDENTIFY VULNERABILITIES TO EXPLOIT
• IDENTIFY TARGETS OF INTEREST
• EXTRACT SENSITIVE INFORMATION
• PROFILE USERS AND APPLICATIONS
CAPTURING TRAFFIC

• NO OPERATIONAL IMPACT
• PHYSICAL ACCESS REQUIRED IN MOST CASES
• TAP TRAFFIC AGAINST KEY TARGETS
• POWERED/UNPOWERED SOLUTIONS
DUMMY CAPTURE DEVICES:
- SMALL ROUTER;
- THROWING STAR LAN;
INTELLIGENT CAPTURE DEVICES:
- RASPBERRY PI;
- HAK5 PACKET SQUIRREL.
CORE COMPONENTS

VIRTUAL MACHINE: USE A FREE IDS DISTRIBUTION SUCH AS SECURITY ONION OR SELKS; SET IT UP AS A STANDALONE VM
IDS ENGINE: DECIDE WHICH ENGINE TO USE: SURICATA OR SNORT
REPLAY TRAFFIC: USE TCPREPLAY; YOU CAN ACCELERATE IF YOU DON’T MIND ABOUT THE TIMELINE.
TWEAKING

LOOPBACK NIC DOES NOT WORK WITH TCPREPLAY ON A VM
USE A DUMMY NIC INSTEAD
CONFIGURE YOUR IDS TO MONITOR THAT NIC
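The setup described on the Core Components and Tweaking slides (standalone IDS VM, dummy NIC instead of loopback, tcpreplay with optional acceleration) as one script. This is an added example, not code from the deck nor from Security Onion, SELKS or tcpreplay; it assumes tcpreplay and iproute2 are installed on the IDS VM, that it runs as root, and that the IDS engine has already been pointed at the interface named in DUMMY_NIC (a hypothetical name). The `--intf1`, `--topspeed` and `--mbps` options are real tcpreplay flags; the rest is the script's own logic.

```python
"""Replay a PCAP into a standalone IDS VM (added example, not the deck's code)."""
import shutil
import subprocess
import sys
from typing import List, Optional

DUMMY_NIC = "dummy0"  # hypothetical interface name; any non-loopback NIC works


def check_replay_nic(nic: str) -> str:
    # The deck's caveat: tcpreplay onto the loopback NIC does not work on a VM,
    # so refuse it up front rather than replaying into a black hole.
    if nic == "lo":
        raise ValueError("loopback is not a usable tcpreplay target on a VM; use a dummy NIC")
    return nic


def nic_setup_commands(nic: str = DUMMY_NIC) -> List[List[str]]:
    """iproute2 commands that create the dummy NIC and bring it up."""
    check_replay_nic(nic)
    return [
        ["ip", "link", "add", nic, "type", "dummy"],
        ["ip", "link", "set", nic, "up"],
    ]


def replay_command(pcap: str, nic: str = DUMMY_NIC, keep_timeline: bool = True,
                   mbps: Optional[float] = None) -> List[str]:
    """Build the tcpreplay invocation.

    keep_timeline=True replays at the capture's original timing, which keeps the
    day/hour pattern that the IDS dashboard is later used to spot.
    keep_timeline=False adds --topspeed: the replay finishes much sooner, but the
    IDS stamps every event within the replay window and the original timeline
    is lost. An explicit --mbps rate is a middle ground (faster, timeline
    compressed rather than erased).
    """
    check_replay_nic(nic)
    cmd = ["tcpreplay", f"--intf1={nic}"]
    if not keep_timeline:
        cmd.append("--topspeed")
    elif mbps is not None:
        cmd.append(f"--mbps={mbps}")
    cmd.append(pcap)
    return cmd


def replay(pcap: str, nic: str = DUMMY_NIC, keep_timeline: bool = True) -> int:
    """Create the NIC if missing, then replay; returns tcpreplay's exit status."""
    if shutil.which("tcpreplay") is None or shutil.which("ip") is None:
        raise RuntimeError("tcpreplay and iproute2 must be installed on the IDS VM")
    for cmd in nic_setup_commands(nic):
        # 'ip link add' fails when the NIC already exists; harmless on re-runs.
        subprocess.run(cmd, check=False, capture_output=True)
    return subprocess.run(replay_command(pcap, nic, keep_timeline)).returncode


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} capture.pcap [--fast]")
    sys.exit(replay(sys.argv[1], keep_timeline="--fast" not in sys.argv[2:]))
```

Run it with the capture path, adding `--fast` only when the timeline does not matter; for the "peak day and hour" use case on the later slides, keep the original timing so the dashboard's time axis stays meaningful.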
FINDING THE NEEDLE

SCENARIO
• FIND THE SECRET CONTRACT XYZ
• YOU ARE ONLY GIVEN 3 EMPLOYEES’ NAMES
CHALLENGES
• 50GB OF INTERCEPTED TRAFFIC OVER A WEEK PERIOD
• YOU DON’T KNOW WHERE TO LOOK
• WIRESHARK DOESN’T LIKE THAT FILE SIZE SO MUCH…
IDS TO THE RESCUE
• REPLAYED THE 50GB OF DATA TO A STANDALONE IDS
• ABLE TO PINPOINT DAYS AND TIME OF PEAK ACTIVITY AND TYPE OF ACTIVITY (FILE TRANSFER)
• GO BACK TO WIRESHARK WITHIN A MUCH SMALLER TIMEFRAME AND FIND THE DOCUMENT!
FREE CREDENTIALS

SCENARIO
• ACCESS THE ACCOUNT OF A TOP EXECUTIVE
CHALLENGES
• THE EXECUTIVE IS PARANOID AND DID NOT FALL FOR PHISHING
• THE EXECUTIVE IS VERY CAREFUL WITH HER SOCIAL MEDIA PRESENCE
• HER LAPTOP IS FULLY PATCHED
• NETWORK TRAFFIC INTERCEPTED IS TOO BIG TO BE USEFUL
IDS TO THE RESCUE
• REPLAYED NETWORK TRAFFIC TO A STANDALONE IDS
• ALERT FOR A PASSWORD SENT IN CLEAR TEXT
• THE EXECUTIVE IS UPDATING A CHARITY BLOG USING AN ALIAS
• SHE USES THE SAME PASSWORD ON HER CORPORATE ACCOUNT
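The two use cases above both come down to triaging the IDS output of a replayed capture: the "Finding the needle" slide needs the day and hour of peak activity and its dominant type (file transfer), and the "Free credentials" slide needs the clear-text password alerts surfaced. The script below is an added example, not the deck's or Suricata's own code. It assumes the engine is Suricata writing EVE JSON (the `timestamp`, `event_type`, `src_ip`, `fileinfo.size` and `alert.signature` fields are Suricata's real field names); the sample lines, hosts, filenames and signatures are constructed, with the signature IDs taken from the local-rule range. From the defender's side the credential check deliberately reports only which host triggered which signature, which is what is needed to get the account owner to rotate the password and stop reusing it; it never carries the password itself.

```python
"""Triage Suricata EVE JSON from a replayed capture (added example, not the deck's code)."""
import json
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of eve.json lines (not real capture data). The last line is
# deliberately truncated, as eve.json often is when a long replay is cut short.
SAMPLE_EVE = """\
{"timestamp":"2019-02-20T09:05:11.000000+0000","event_type":"flow","src_ip":"10.0.1.20","dest_ip":"10.0.2.5","proto":"TCP","app_proto":"http"}
{"timestamp":"2019-02-20T09:12:40.000000+0000","event_type":"http","src_ip":"10.0.1.20","dest_ip":"10.0.2.5"}
{"timestamp":"2019-02-22T14:03:02.000000+0000","event_type":"fileinfo","src_ip":"10.0.1.31","dest_ip":"10.0.2.9","fileinfo":{"filename":"/share/q1.docx","size":2048000}}
{"timestamp":"2019-02-22T14:07:55.000000+0000","event_type":"fileinfo","src_ip":"10.0.1.31","dest_ip":"10.0.2.9","fileinfo":{"filename":"/share/q2.docx","size":1024000}}
{"timestamp":"2019-02-22T14:09:13.000000+0000","event_type":"fileinfo","src_ip":"10.0.1.31","dest_ip":"10.0.2.9","fileinfo":{"filename":"/share/q3.docx","size":512000}}
{"timestamp":"2019-02-22T14:10:00.000000+0000","event_type":"flow","src_ip":"10.0.1.31","dest_ip":"10.0.2.9","proto":"TCP","app_proto":"smb"}
{"timestamp":"2019-02-23T08:30:27.000000+0000","event_type":"alert","src_ip":"10.0.1.44","dest_ip":"203.0.113.10","alert":{"signature_id":1000001,"signature":"CONSTRUCTED cleartext password in HTTP POST","severity":2}}
{"timestamp":"2019-02-23T08:31:02.000000+0000","event_type":"alert","src_ip":"10.0.1.44","dest_ip":"203.0.113.10","alert":{"signature_id":1000002,"signature":"CONSTRUCTED HTTP Basic auth over cleartext","severity":2}}
{"timestamp":"2019-02-23T08:31:30.000000+0000","event_type":"fl
"""


def parse_eve(text: str) -> List[dict]:
    """Parse EVE lines, skipping blank or truncated ones instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hour_key(ts: str) -> str:
    """Bucket an EVE timestamp (e.g. 2019-02-22T14:03:02.000000+0000) to the hour."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").strftime("%Y-%m-%d %H:00")


def hourly_activity(events: List[dict]) -> Dict[str, Counter]:
    """Per-hour count of events broken down by event_type."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        buckets[hour_key(ev["timestamp"])][ev.get("event_type", "unknown")] += 1
    return buckets


def peak_window(events: List[dict]) -> Tuple[str, str, int]:
    """The busiest hour, its dominant event type and its event count: the
    much smaller timeframe to go back to Wireshark with."""
    buckets = hourly_activity(events)
    hour, kinds = max(buckets.items(), key=lambda kv: sum(kv[1].values()))
    kind, _ = kinds.most_common(1)[0]
    return hour, kind, sum(kinds.values())


def hourly_file_bytes(events: List[dict]) -> Dict[str, int]:
    """Bytes seen in fileinfo events per hour, to confirm a file-transfer peak."""
    totals: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.get("event_type") == "fileinfo":
            totals[hour_key(ev["timestamp"])] += int(ev.get("fileinfo", {}).get("size", 0))
    return dict(totals)


CLEARTEXT_MARKERS = ("cleartext", "clear text", "plaintext")


def cleartext_credential_sources(events: List[dict]) -> Dict[str, List[str]]:
    """Hosts whose traffic triggered a clear-text credential alert, with the
    distinct signatures seen. Only the signature name is kept, never payload."""
    hits: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        sig = ev.get("alert", {}).get("signature", "")
        if any(marker in sig.lower() for marker in CLEARTEXT_MARKERS):
            hits[ev["src_ip"]].add(sig)
    return {ip: sorted(sigs) for ip, sigs in hits.items()}


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("peak window:", peak_window(evs))
    print("file bytes per hour:", hourly_file_bytes(evs))
    print("hosts to notify about clear-text credentials:", cleartext_credential_sources(evs))
```

On a real replay, read eve.json line by line instead of holding it in memory, and bucket by hour first; once the peak hour is known, a Wireshark capture filter on that window and the flow's hosts is small enough to open.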
IDS DASHBOARD EXAMPLE

[Dashboard screenshot; no text recovered]
NOT JUST DEFENSE

[Slide diagram; recovered text only] CYCLE: DETECT / ALERT / INVESTIGATE / ATTACK
AN IDS ENVIRONMENT, LIKE MOST SECURITY DEFENSE TOOL ENVIRONMENTS, CONTAINS SENSITIVE DATA AND MUST BE PROTECTED SO THAT ITS INFORMATION IS NOT USED AGAINST YOU!
RESOURCES

SNORT BASED ENGINE: HTTPS://WWW.SNORT.ORG/
SURICATA BASED ENGINE: HTTPS://SURICATA-IDS.ORG/
IDS VIRTUAL MACHINE DISTRIBUTIONS:
- SECURITY ONION (SO): HTTPS://SECURITYONION.NET/
- SELKS: HTTPS://WWW.STAMUS-NETWORKS.COM/OPEN-SOURCE/
A GREAT COMMUNITY IS HERE TO HELP;
SO AND SELKS AUTHORS ARE VERY ACTIVE;
PROFESSIONAL SUPPORT IS AVAILABLE FROM THEM TOO;
VARIOUS INSTALL GUIDES ARE AVAILABLE:
HTTPS://WWW.ELYSIUMSECURITY.COM/BLOG/GUIDES/POST7.HTML
© 2015-2019 ELYSIUMSECURITY LTD
ALL RIGHTS RESERVED
HTTPS://WWW.ELYSIUMSECURITY.COM
ABOUT ELYSIUMSECURITY LTD.
ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY
VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE
RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE
SECURITY AWARENESS THROUGH AN ORGANIZATION.
ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED
THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE
INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST
SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL
SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER
SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING
DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE. A BOUTIQUE STYLE
APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL
AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR
WORKING ENVIRONMENT.

Generative Artificial Intelligence: How generative AI works.pdf
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactive
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 

OFFENSIVE IDS

  • 6. OFFENSIVE IDS OVERVIEW
    Goal: use the power of an IDS to help find interesting timelines, vulnerabilities and sensitive data.
    Why: to help go through a large volume of captured data by re-purposing the benefits of an IDS.
    How: capture traffic and events into a PCAP file and replay it into a standalone IDS running in a VM.
  • 7. NETWORK TOPOLOGY - REVISITED
    Same zones as before (guest WiFi, users, servers, DMZ, Internet), but the duplicated external and internal traffic now lands in PCAP files instead of a live IDS. The PCAP files are replayed into the IDS for traffic analysis (signatures, patterns / behaviours), which produces security alerts, extracted files, passwords, etc.
  • 8. IDS MAIN BENEFITS - REVISITED
    The same alerts and investigation views as slide 5 (attack alerts for port scans, C2, brute force; issue alerts for clear text passwords and outdated applications; vulnerable host and application alerts; network activity, data flow, anomaly and content views) now serve an offensive purpose:
    • Speed up network traffic analysis;
    • Identify interesting timelines;
    • Identify vulnerabilities to exploit;
    • Identify targets of interest;
    • Extract sensitive information;
    • Profile users and applications.
  • 9. CAPTURING TRAFFIC
    • No operational impact when tapping passively; an inline (powered) device sits in the path, so check how the link behaves if it loses power;
    • Physical access required in most cases;
    • Tap traffic against key targets;
    • Powered and unpowered solutions.
    Dummy capture devices: a small router; a Throwing Star LAN Tap.
    Intelligent capture devices: a Raspberry Pi; a Hak5 Packet Squirrel.
  • 10. CORE COMPONENTS
    Virtual machine: use a free IDS distribution such as Security Onion or SELKS and set it up as a standalone VM.
    IDS engine: decide which engine to use, Suricata or Snort.
    Replay traffic: use tcpreplay. By default it reproduces the capture's original inter-packet timing; you can accelerate the replay (for example with --multiplier or --topspeed) if you do not mind that the IDS, which stamps events at replay time, will then record a compressed timeline.
  • 11. TWEAKING
    The loopback NIC does not work with tcpreplay on a VM. Use a dummy NIC instead (the Linux dummy module) and configure your IDS to monitor that NIC.
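The setup from slides 10 and 11 as one script, added here as an example rather than taken from the deck or from the Security Onion / SELKS projects. It assumes a Linux IDS VM with iproute2, tcpreplay and Suricata installed and root privileges; the NIC name dummy0, the log directory and the capture file names are assumptions for illustration. It also shows the alternative a practitioner should know about: Suricata (and Snort) can read a PCAP directly with -r, which needs no NIC trick and keeps the packets' original capture time in the logs.

```shell
#!/bin/sh
# Added example (not part of the original deck): bring up a dummy NIC in the
# IDS VM, point Suricata at it and replay a PCAP into it with tcpreplay.
# Assumes Linux with iproute2, tcpreplay and Suricata installed, run as root.
# NIC name, log directory and file names are assumptions for illustration.
set -eu

NIC=dummy0                 # the dummy interface the IDS will monitor
LOGDIR=/var/log/suricata   # where eve.json and fast.log will be written

# tcpreplay multiplier (integer, at least 1) that fits a capture spanning
# $1 seconds into a replay budget of $2 seconds.
replay_multiplier() {
    capture_secs=$1; budget_secs=$2
    m=$(( (capture_secs + budget_secs - 1) / budget_secs ))
    if [ "$m" -lt 1 ]; then m=1; fi
    echo "$m"
}

# Command line for the replay. With keep=1 the capture's inter-packet timing
# is preserved so the IDS timeline matches the real one; otherwise the replay
# is accelerated by the computed multiplier and the IDS sees a compressed week.
build_replay_cmd() {
    pcap=$1; capture_secs=$2; budget_secs=$3; keep=${4:-0}
    if [ "$keep" = "1" ]; then
        echo "tcpreplay --intf1=$NIC $pcap"
    else
        echo "tcpreplay --intf1=$NIC --multiplier=$(replay_multiplier "$capture_secs" "$budget_secs") $pcap"
    fi
}

# Alternative that needs no NIC at all: let Suricata read the file itself.
# EVE timestamps then carry the packets' original capture time.
build_offline_cmd() {
    echo "suricata -r $1 -l $LOGDIR"
}

setup_dummy_nic() {
    modprobe dummy
    ip link show "$NIC" >/dev/null 2>&1 || ip link add "$NIC" type dummy
    ip link set "$NIC" mtu 9000     # do not drop jumbo frames on injection
    ip link set "$NIC" up
}

main() {
    pcap=$1
    setup_dummy_nic
    suricata -i "$NIC" -l "$LOGDIR" -D   # daemonised sensor on the dummy NIC
    sleep 5                              # let rules load before traffic arrives
    # one week of traffic (604800 s) replayed within an hour (3600 s)
    sh -c "$(build_replay_cmd "$pcap" 604800 3600)"
}

# Run only when invoked as:  sh replay.sh run capture.pcap
if [ "${1:-}" = "run" ]; then
    main "$2"
fi
```

Start the sensor before the replay: packets injected while Suricata is still loading its ruleset are simply lost, and there is no second chance with tcpreplay unless you run it again.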
  • 12. FINDING THE NEEDLE
    Scenario: find the secret contract XYZ; you are only given the names of 3 employees.
    Challenges: 50GB of intercepted traffic over a week; you don't know where to look; Wireshark doesn't like that file size so much...
    IDS to the rescue: replay the 50GB of data to a standalone IDS; pinpoint the days and times of peak activity and the type of activity (file transfer); go back to Wireshark within a much smaller timeframe and find the document!
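The "pinpoint the peak, then go back to Wireshark" step of slide 12 in code. This is an added example, not the deck's own tooling: it bins Suricata EVE JSON events into time buckets, picks the busiest one by bytes moved, and builds the editcap command that carves just that window out of the big capture so Wireshark only has to open a slice. The EVE events are constructed inline (a quiet week with an SMB file-transfer burst on the Wednesday afternoon); the file names and IP addresses are made up.

```python
"""Added example, not from the deck: pinpoint the busiest time window in a
Suricata EVE JSON log, then build the editcap command that carves that window
out of the big capture for Wireshark. The EVE events are constructed here."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata EVE timestamp layout


def _event(ts, event_type, **fields):
    rec = {"timestamp": ts.strftime(TS_FMT), "event_type": event_type,
           "src_ip": "10.0.1.25", "dest_ip": "10.0.2.10"}
    rec.update(fields)
    return json.dumps(rec)


def build_sample_log():
    """Constructed week of EVE output: one small flow every hour, plus a burst
    of SMB file transfers on Wednesday 2019-02-27 between 14:05 and 14:25 UTC."""
    monday = datetime(2019, 2, 25, tzinfo=timezone.utc)
    lines = [_event(monday + timedelta(hours=h, minutes=7), "flow",
                    flow={"bytes_toserver": 1200, "bytes_toclient": 5400})
             for h in range(7 * 24)]
    burst = datetime(2019, 2, 27, 14, 5, tzinfo=timezone.utc)
    lines += [_event(burst + timedelta(seconds=30 * i), "fileinfo", app_proto="smb",
                     fileinfo={"filename": f"/share/export_{i}.docx",
                               "size": 4_000_000, "state": "CLOSED"})
              for i in range(40)]
    return "\n".join(lines)


def parse_eve(text):
    """Yield EVE records with a parsed '_ts' datetime added."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = datetime.strptime(rec["timestamp"], TS_FMT)
            yield rec


def bin_events(text, bucket_minutes=60):
    """Count events, fileinfo events and bytes per fixed-width time bucket."""
    width = bucket_minutes * 60
    bins = defaultdict(lambda: {"events": 0, "fileinfo": 0, "bytes": 0})
    for rec in parse_eve(text):
        epoch = int(rec["_ts"].timestamp())
        start = datetime.fromtimestamp(epoch - epoch % width, timezone.utc)
        b = bins[start]
        b["events"] += 1
        if rec["event_type"] == "fileinfo":
            b["fileinfo"] += 1
            b["bytes"] += rec.get("fileinfo", {}).get("size", 0)
        elif rec["event_type"] == "flow":
            flow = rec.get("flow", {})
            b["bytes"] += flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
    return dict(bins)


def peak_windows(bins, top=3, key="bytes"):
    """Busiest buckets first, as (bucket_start, stats) pairs."""
    return sorted(bins.items(), key=lambda kv: kv[1][key], reverse=True)[:top]


def editcap_command(pcap, start, bucket_minutes=60, out="slice.pcap"):
    """editcap -A/-B take 'YYYY-MM-DD HH:MM:SS' in the host's local time, so
    run it on a box set to UTC (as EVE timestamps here are) or convert first."""
    end = start + timedelta(minutes=bucket_minutes)
    fmt = "%Y-%m-%d %H:%M:%S"
    return f'editcap -A "{start.strftime(fmt)}" -B "{end.strftime(fmt)}" {pcap} {out}'


def find_needle(text, pcap="week.pcap", bucket_minutes=60):
    """Top bucket plus the command that shrinks the capture to just that window."""
    bins = bin_events(text, bucket_minutes)
    start, stats = peak_windows(bins, top=1)[0]
    return {"window_start": start, "events": stats["events"], "fileinfo": stats["fileinfo"],
            "bytes": stats["bytes"], "editcap": editcap_command(pcap, start, bucket_minutes)}


if __name__ == "__main__":
    for k, v in find_needle(build_sample_log()).items():
        print(f"{k}: {v}")
```

On a real eve.json, replace build_sample_log() with the file contents and lower bucket_minutes once the hour is known; the editcap slice is what you then open in Wireshark. Note this only works on the real timeline if the PCAP was read with -r or replayed at original speed; an accelerated tcpreplay run compresses the event timestamps.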
  • 13. FREE CREDENTIALS
    Scenario: access the account of a top executive.
    Challenges: the executive is paranoid and did not fall for phishing; she is very careful with her social media presence; her laptop is fully patched; the intercepted network traffic is too big to be useful.
    IDS to the rescue: replay the network traffic to a standalone IDS; an alert fires for a password sent in clear text; the executive is updating a charity blog using an alias; she uses the same password on her corporate account.
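What the "password sent in clear text" alert of slide 13 is reacting to, shown as an added example that is not the deck's code nor a Suricata or Snort rule: a minimal pcap walker that flags HTTP Basic auth headers and password fields in POST bodies, then checks whether one password turns up against more than one account or host (the reuse that gave away the corporate account). The capture is built in memory; the blog host, the intranet host, the alias, the real account name and the password are all made up. It inspects one packet at a time, so a POST split over several TCP segments would be missed; stream reassembly is exactly what the real IDS does for you here.

```python
"""Added example, not from the deck: a minimal pcap walker that flags cleartext
HTTP credentials (Basic auth headers and password fields in POST bodies), the
condition behind an IDS 'password sent in clear text' alert, then checks
whether one password is seen against more than one account or host. The
capture is constructed in memory; hosts, names and the password are made up."""
import base64
import struct
from urllib.parse import parse_qs

PASSWORD_FIELDS = ("pass", "pwd", "passwd", "password")
USER_FIELDS = ("log", "user", "username", "login", "email")


def _frame(payload, dst, dport=80):
    """Ethernet/IPv4/TCP frame around an HTTP payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 1, 25]), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    """Little-endian pcap file (link type 1, Ethernet) holding the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 1551276000, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: a blog login over plain HTTP, an intranet request with
# HTTP Basic auth, and an innocent request.
SAMPLE_PCAP = _pcap([
    _frame(b"POST /wp-login.php HTTP/1.1\r\nHost: charity-blog.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"log=jane_alias&pwd=Winter2019%21&rm=1", "203.0.113.10"),
    _frame(b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
           + base64.b64encode(b"jane.doe:Winter2019!") + b"\r\n\r\n", "10.0.2.10"),
    _frame(b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n", "10.0.2.10"),
])


def tcp_packets(pcap):
    """Yield (src_ip, dst_ip, dst_port, tcp_payload) for every IPv4/TCP frame."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        dport = struct.unpack("!H", tcp[2:4])[0]
        yield src, dst, dport, tcp[(tcp[12] >> 4) * 4:]


def find_cleartext_credentials(pcap):
    """One finding per credential observed in an HTTP request, in capture order."""
    findings = []
    for src, dst, dport, payload in tcp_packets(pcap):
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue                       # no complete HTTP header block
        request, *headers = head.decode("latin-1").split("\r\n")
        where = {"src": src, "dst": dst, "port": dport, "request": request}
        for header in headers:
            name, _, value = header.partition(":")
            value = value.strip()
            if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
                try:
                    user, _, pwd = base64.b64decode(value[6:]).decode("latin-1").partition(":")
                except ValueError:         # binascii.Error is a ValueError
                    continue
                findings.append({**where, "kind": "http-basic", "user": user, "password": pwd})
        if request.startswith("POST "):
            form = parse_qs(body.decode("latin-1"))
            user = next((v[0] for f, v in form.items() if f.lower() in USER_FIELDS), None)
            for field, values in form.items():
                if any(p in field.lower() for p in PASSWORD_FIELDS):
                    findings.append({**where, "kind": "http-post-form",
                                     "user": user, "password": values[0]})
    return findings


def reused_passwords(findings):
    """Passwords seen with more than one (user, host) pair: the reuse check."""
    seen = {}
    for f in findings:
        seen.setdefault(f["password"], set()).add((f["user"], f["dst"]))
    return {p: sorted(pairs) for p, pairs in seen.items() if len(pairs) > 1}


if __name__ == "__main__":
    found = find_cleartext_credentials(SAMPLE_PCAP)
    for f in found:
        print(f"{f['kind']}: {f['user']}:{f['password']} -> {f['dst']}:{f['port']} ({f['request']})")
    print("reused:", reused_passwords(found))
```

The same logic is what makes the defensive point of slide 15 concrete: the IDS that raised this alert now holds the password in its logs, so its log store deserves the same protection as the account it exposes.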
  • 14. IDS DASHBOARD EXAMPLE
    [dashboard screenshot; the slide carries no further text]
  • 15. NOT JUST DEFENSE
    Detect, alert, investigate, attack. An IDS environment, like most security defence tool environments, contains sensitive data and must be protected so that its information is not used against you!
  • 16. RESOURCES
    Snort based engine: https://www.snort.org/
    Suricata based engine: https://suricata-ids.org/
    IDS virtual machine distributions:
    - Security Onion (SO): https://securityonion.net/
    - SELKS: https://www.stamus-networks.com/open-source/
    A great community is here to help; the SO and SELKS authors are very active; professional support is available from them too. Various install guides are available: https://www.elysiumsecurity.com/blog/guides/post7.html
  • 17. © 2015-2019 ElysiumSecurity Ltd, all rights reserved. https://www.elysiumsecurity.com
    About ElysiumSecurity Ltd. ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare for and respond to incidents, as well as raise security awareness throughout an organization. ElysiumSecurity provides high level expertise gathered through years of best-practice experience in large international companies, allowing us to provide advice best suited to your business operational model and priorities. ElysiumSecurity provides a portfolio of strategic and tactical services to help companies protect against and respond to cyber security threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. ElysiumSecurity operates in Mauritius and in Europe; a boutique style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.