
SecureSet WarGames - Logging and Packet Capture Training

Slides from a course on Packet Capture and Log Management for the SecureSet WarGames curriculum.

Published in: Technology

  1. ©2015 SecureSet, LLC. Active Defense: PCAP and Log Detection Techniques. Instructor: Greg Foss. December 08, 2015
  2. # whoami
     - Greg.Foss@LogRhythm.com
     - @heinzarelli
     - Security Operations Team Lead
     - Sr. Security Research Engineer
     - OSCP, GAWN, GPEN, GCIH, CEH, Cyber APT
  3. (image-only slide)
  4. Logging and Packet Capture…
  5. Why this content matters
     - You already have everything you need for security monitoring within your corporate infrastructure.
     - Logging and packet capture are the cornerstones of incident response and cyber investigations.
     - Detailed evidence that can help to show exactly what happened within an environment.
     - Valuable to Operations and Security alike.
  6. How it fits into cybersecurity
     - Every single computer investigation can be aided by supporting log and packet capture data.
     - If you ever want to work on an incident response team or help monitor the security of an organization, you must understand logging, packet capture analysis and event correlation.
  7. What you should learn tonight
     - Introduction to Logging and Log Management
     - Actively Detecting Attacks Using Log Data
     - Introduction to Packet Capture and NetFlow
     - Packet Dissection and Data Exfiltration Detection
     - Packet Capture Challenge! http://omg.endoftheinternet.org/
  8. Why I love this industry
  9. Breaking into computers for a living!
  10. It’s also fun to go hunting…
  11. TITLE
  12. Logging
  13. What are ‘Logs’…
     - “A record of performance, events, or day-to-day activities” (Merriam-Webster, 2015)
  14. Log Data = Log Message Meaning
     - Informational – Generally benign events
     - Debug – Software development
     - Warning – Dependencies may be absent
     - Error – Indication that something is not right
     - Alert – Often security related. Highlights interesting info
     - Source: Logging and Log Management, 2012
  15. Log Formats
     - Flat File
     - Database
     - CSV
     - Linux Syslog
     - Generic Syslog
     - Windows System, Event, Security, etc…
  16. Standard Logging Locations
     - Linux: /var/log/
     - Windows: Event Viewer
  17. Log Management
     - Store the logs in a centralized location
     - Replicate logs across to a log management system
     - Back up the logs to ensure integrity of the data and maintain compliance standards
  18. Log Parsing (Normalization)
     - To gain value from your SIEM, data must be normalized
     - Varies depending on the log management solution
     - Regular Expressions
     - Data Categorization
     - Common Event Generation
     - General Classification
  19. Endpoint Monitoring
     - User Activity
     - File Integrity and Hashing
     - Process Details
     - Network Connections
     - Registry Modification
     - Document and/or Web Bug Tracking
  20. Event Correlation
     - Leveraging actionable metadata allows you to understand the full picture.
     - Key when attempting to reconstruct a scenario
  21. Security Information and Event Management
     - Bringing it all together
     - Dashboards
     - Automated Alerting
     - Automated Response
     - Central Log Storage
     - Enterprise Correlation
  22. SIEM Tools
     - Commercial: LogRhythm, Splunk
     - Open Source: Logstash and Kibana, Graylog
  23. Advanced Logging
     - PowerShell
     - Command Line Logging
     - Extracting Logs using PowerShell: PS C:\> Get-EventLog Security
     - Honeypot Event Correlation
     - TTY Log Replay
     - Web Bugs
     - Open Source Document Tracking and Event Correlation
  24. DEMO
  25. (image-only slide)
  26. TITLE
  27. Packet Capture (PCAP)
  28. (image-only slide)
  29. (image-only slide)
  30. OSI Model
     - Complete record of network activity: Layers 2-7
  31. Transport Layer Protocols
     - Transmission Control Protocol (TCP)
       - Stateful – HTTP, SSH, SMTP, etc.
       - Used to establish interactive sessions
     - User Datagram Protocol (UDP)
       - Stateless / connectionless transmission model
       - Easy to spoof origin
       - No delivery guarantee
       - Can be used to exfiltrate data via DNS
  32. How To Capture Network Traffic
     - Local: using tcpdump, Wireshark, NetworkMiner, Ettercap, etc.
     - In-Line Device: often commercial, but there are free tools as well.
     - Mirror off Firewalls: split data passed through firewalls and push it to an appliance.
     - Offensive – MiTM, ARP Poisoning, Evil Twin, etc.
  33. Packet Capture Appliances
     - LogRhythm Network Monitor (Freemium Version – https://support.logrhythm.com)
     - FireEye PX Series
     - NetScout
     - NetWitness
     - Riverbed
     - Etc.
  34. Network Tap
     - A network tap can be as simple as a hub. Hubs allow you to see all data transmitted, as opposed to switches.
     - Raspberry Pi
     - Beaglebone Black
     - LAN Turtle
     - Wi-Fi Pineapple
  35. Capturing Network Traffic
     - Simple Network
     - Many Options
  36. Capturing Network Traffic
     - Basic Network, Multiple VLANs
  37. Offensive Network Capture
     - ARP Poisoning: convince the host that our MAC is the router; traffic begins to pass through our system.
     - Evil Twin Wi-Fi Attacks: https://www.youtube.com/watch?v=86bvUV92Ek8 (We’ll talk about this more soon…)
     - Attack Switches, Routers, Gateways, etc.
  38. Sniffing Packets
     - Many protocols are in plain text
       - Easy to understand and dissect
       - HTTP, DNS, FTP, Telnet, SMTP, etc.
     - TLS is becoming more prevalent
       - Making traffic inspection more difficult
       - HTTPS, SSH, SFTP, FTPS, etc.
     - Malware often uses encrypted tunnels
  39. Viewing Encrypted Packets
     - SSL Interception Proxies. Source: https://logrhythm.com/blog/network-monitor-and-ssl-proxy-integration/
  40. Offensive MiTM Against TLS / SSL
     - SSLStrip – Older but still works: https://github.com/moxie0/sslstrip
     - SSLSplit – Transparent TLS/SSL Interception Proxy. Terminates one session, then creates its own: https://github.com/droe/sslsplit
     - NetRipper – Windows API Hooking: https://github.com/NytroRST/NetRipper
  41. Attacking Users – A Case Study
  42. Evil Twin
  43. Evil Twin source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
  44. (image-only slide)
  45. (image-only slide)
  46. (image-only slide)
  47. (image-only slide)
  48. DEMO
  49. We’ve only just scratched the surface…
  50. Want To Learn More and Practice?
     - http://www.netresec.com/?page=PcapFiles – Publicly Available PCAP Files
     - http://malware-traffic-analysis.net/ – PCAP Files and Malware Samples
     - https://www.vthreat.com/ – Simulate threats, data exfiltration, etc.
     - VirusTotal Professional
  51. PCAP Challenge
  52. (image-only slide)
  53. Using Log Data to Track Winners
  54. References
     - Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012. Print.
     - Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley, 2005. Print.
  55. CLOSING
     - Careers in this area of security
     - The work – LogRhythm is hiring!
     - The rewards – Great benefits!
     - How to pursue: https://logrhythm.com/about/careers/ or greg.foss@logrhythm.com
  56. (untitled)
     - Provides aspiring security talent with a powerful & direct path into cybersecurity
     - “Career Promise”
     - www.secureset.com/academy
     - Next Denver session: January 2016
  57. Did you know? More than 209,000 cybersecurity jobs in the US are unfilled. (Source: www.peninsulapress.com/2015)
  58. wargames.secureset.com | wargames@secureset.com | Secure your future in Cyber! SecureSet Academy starts January 2016
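Slides 14, 18 and 20 (message levels, normalization with regular expressions and common event generation, and event correlation) fit together as one small pipeline. The Python below is an added example, not code from the deck or from any SIEM product: it parses constructed sshd syslog lines into common events, labels them with the level names from slide 14, and correlates repeated failures followed by a success into an Alert. The sample lines, field names and threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Linux syslog (auth.log) format; not taken from the slides.
SAMPLE_LOGS = """\
Dec  8 19:02:11 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  8 19:02:15 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec  8 19:02:18 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec  8 19:02:20 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Dec  8 19:05:40 web01 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2
Dec  8 19:06:01 web01 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""
# Regular expressions: one for the syslog header, one for the sshd message body.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")

def normalize(line):
    """Parse one raw line into a common event dict; returns None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event"], ev["level"] = "generic", "Informational"   # default classification
    s = SSH_RE.match(ev["msg"]) if ev["prog"] == "sshd" else None
    if s:
        ev.update(s.groupdict())
        if ev["result"] == "Failed":
            ev["event"], ev["level"] = "auth_failure", "Warning"
        else:
            ev["event"], ev["level"] = "auth_success", "Informational"
    return ev

def correlate(events, threshold=3):
    """Raise an Alert when a source logs in after at least `threshold` failures."""
    failures, alerts = Counter(), []
    for ev in events:
        if ev["event"] == "auth_failure":
            failures[ev["src"]] += 1
        elif ev["event"] == "auth_success" and failures[ev["src"]] >= threshold:
            alerts.append({"level": "Alert", "src": ev["src"], "user": ev["user"],
                           "failures": failures[ev["src"]]})
    return alerts

def analyze(text):
    """Normalize every line, then run the correlation rule over the result."""
    events = [e for e in (normalize(line) for line in text.splitlines()) if e]
    return events, correlate(events)
```

Running analyze(SAMPLE_LOGS) yields six normalized events and a single Alert for 203.0.113.7, which logged in as root after three failures.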
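Slide 31 notes that UDP/DNS can be used to exfiltrate data, and slide 7 lists packet dissection and data exfiltration detection as a topic. The Python below is an added example (not code from the deck): it dissects the question name from raw DNS query bytes and then scores each base domain by longest label, Shannon entropy and number of distinct subdomains, the usual signs of data being chunked into queries. The sample queries are constructed with the build_query helper, and the thresholds are assumed starting points rather than values from the slides.

```python
import math
from collections import defaultdict

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query for `name` (used only to construct sample traffic)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"   # QTYPE=A, QCLASS=IN

def parse_qname(payload):
    """Dissect the question name from a raw DNS message (12-byte header, then labels)."""
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:   # compression pointers never appear in a question name
            raise ValueError("unexpected label pointer at offset %d" % pos)
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def entropy(s):
    """Shannon entropy in bits per character; encoded data scores higher than words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def score_queries(payloads, max_label=40, min_entropy=3.5, max_unique=25):
    """Group queries by base domain and flag ones whose subdomains look like data chunks."""
    per_base = defaultdict(set)
    for p in payloads:
        parts = parse_qname(p).split(".")
        per_base[".".join(parts[-2:])].add(".".join(parts[:-2]))
    findings = []
    for base, subs in per_base.items():
        longest = max((len(l) for s in subs for l in s.split(".")), default=0)
        ent = max((entropy(s) for s in subs if s), default=0.0)
        if longest > max_label or ent > min_entropy or len(subs) > max_unique:
            findings.append({"base": base, "unique_subdomains": len(subs),
                             "longest_label": longest, "max_entropy": round(ent, 2)})
    return findings

# Constructed sample: two ordinary lookups and three queries carrying 56-character hex chunks.
SAMPLE_NAMES = ["www.example.com", "mail.example.com"] + [
    "%s.%d.exfil.example" % ("4a6f686e446f65" * 4, i) for i in range(3)]
SAMPLE_QUERIES = [build_query(n) for n in SAMPLE_NAMES]
```

On the sample, score_queries(SAMPLE_QUERIES) flags only exfil.example; on real captures the thresholds should be tuned against a baseline of the environment's normal DNS traffic.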
