Scaling Network Incident Response

  1. Scaling Network Incident Response
     Md Nahidul kibria, Co-Founder, Beetles
  2. The cyber threats are evolving
  3. Mirai: An IoT DDoS Botnet
     Researcher analysis indicated as few as 100,000 Mirai IoT botnet nodes were enlisted in the incident and reported attack rates up to 1.2 Tbps.
  4. Ransomware and spears
  5. Incident Response
  6. Incident Response
  7. Proactive security
  8. Host-based and network-based detection complement each other
  9. Artifacts
     PCAPs: traffic capture, packet capture
     NetFlow: information (metadata) about packets
     Logs: events about a host or network
  10. Typical packet capture and analysis
     tshark -r nssal-capture-1.pcap -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0 and dns.qry.name contains google.com"
     137.30.123.78 google.com
     137.30.123.78 www.google.com
  11. More challenges
     ● Rules: assets or liability
     ● Need to process data with threat intelligence
     ● Real-time alerting, machine learning
  12. Tons of data from different sources
  13. Distributed file system
  14. Service bus / distributed streaming platform
  15. Stream processing
  16. Managing dataflow
  17. Reliable distributed coordination
  18. Modern security operation center
  19. Happy Hunting! @nahidupa

Editor's Notes

  • The threat changes over time: cybercriminals, hacktivists, nation states, insiders.
  • Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident.
    The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
  • If a kernel-level rootkit is installed, host-based detection may not work.
    Not every detail can be derived from network-based detection.
  • nfdump -R /var/log/netflow -q -O tstart -b -c 10 -o 'fmt:%ts %sap %dap %byt %flg' 'ip 192.168.11.104 and ip 192.168.11.101 and flags SA' | cut -c 12- | awk 'BEGIN{ printf "%12s %22s %18s %11s %5s\n", "Start time", "Source", "Dest", "Bytes", "flags"};{print};'
    Start time Source Dest Bytes flags
    16:03:41.759 192.168.11.101:135 192.168.11.104:49297 72 .A..SF
    16:03:41.813 192.168.11.101:139 192.168.11.104:49301 52 .A..SF
  • http://www.metistream.com/comparing-hadoop-mapreduce-spark-flink-storm/
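An added example, not from the deck, of the "process data with threat intelligence" and stream-processing steps the slides list: a small Python rule that reads NetFlow lines in the nfdump `fmt:%ts %sap %dap %byt %flg` layout shown in the notes above, matches destinations against an indicator set, and alerts when a host reaches an indicator repeatedly inside a sliding window. The indicator set, the sample flows, and the window and threshold values are all constructed assumptions.

```python
"""Sliding-window threat-intel rule over NetFlow records (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed indicator set (assumption, not real IoCs): "ip:port" of suspected C2.
THREAT_INTEL = {"203.0.113.10:6667", "198.51.100.7:443"}

# Constructed flows in the nfdump 'fmt:%ts %sap %dap %byt %flg' layout.
SAMPLE_FLOWS = """\
16:03:41.759 192.168.11.101:51001 203.0.113.10:6667 72 .A..SF
16:03:41.813 192.168.11.101:51002 203.0.113.10:6667 52 .A..SF
16:03:42.100 192.168.11.104:49297 192.168.11.101:135 72 .A..SF
16:04:05.300 192.168.11.101:51003 203.0.113.10:6667 60 ....S.
16:09:50.000 192.168.11.101:51004 203.0.113.10:6667 60 ....S.
"""


def parse_flow(line):
    """Split one 'ts sap dap bytes flags' line into a dict with a parsed timestamp."""
    ts, sap, dap, byt, flg = line.split()
    return {"ts": datetime.strptime(ts, "%H:%M:%S.%f"), "src": sap,
            "dst": dap, "bytes": int(byt), "flags": flg}


def detect_c2_beacons(lines, window=timedelta(minutes=5), threshold=3):
    """Return (host, indicator, hits, time) whenever a source host has reached a
    threat-intel destination at least `threshold` times within `window`.

    Each flow is processed once, in arrival order, as a stream processor would;
    per-host state is only the timestamps of recent indicator hits."""
    recent = defaultdict(deque)  # source host -> timestamps of indicator hits
    alerts = []
    for line in lines.splitlines():
        flow = parse_flow(line)
        if flow["dst"] not in THREAT_INTEL:
            continue  # rule only cares about flows toward known indicators
        host = flow["src"].rsplit(":", 1)[0]
        hits = recent[host]
        hits.append(flow["ts"])
        while hits and flow["ts"] - hits[0] > window:
            hits.popleft()  # expire hits that fell out of the window
        if len(hits) >= threshold:
            alerts.append((host, flow["dst"], len(hits),
                           flow["ts"].strftime("%H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for alert in detect_c2_beacons(SAMPLE_FLOWS):
        print("ALERT host=%s indicator=%s hits=%d at %s" % alert)
```

In the sample data the third indicator hit at 16:04:05 fires the alert; the hit at 16:09:50 does not, because the earlier three have aged out of the five-minute window.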
