stackArmor Security MicroSummit
Deep Packet Inspection on AWS by Niksun:
Shivank Dua will talk about how Deep Packet Inspection on AWS provides the critical capabilities required to detect data breaches, malware and other threat scenarios. The ability to reconstruct the packet stream and perform forensics on it is critical to speedy incident response and to protection against emerging and dynamic threat patterns. Topics will include:
Threat scenarios and the need for Deep Packet Inspection / Deep Content Inspection
Limitations of flow and log-based analysis techniques
Use cases for ‘knowing the unknown’ via deep packet and content inspection
7. What is needed?
• Video camera (surveillance)
• Sensor detection (laser beams)
• Image recognition (easy search for forensics, incident response)
Why are flows limited?
• Generally only provide information at layer 3
• Lack good support for correlated flows (FTP, Mobility, even web pages, etc.)
• Lack of broader Threat Intelligence support (files, domains, certificates, etc.)
Why are logs limited?
• Developers choose what logs to record. Can’t know about attacks that have not even occurred yet
What is Network Monitoring?
NIKSUN, Inc. CONFIDENTIAL. -- See confidentiality restrictions on title page. Slide 7
11. Fast Macro-to-Micro Analysis
Drill-down funnel: Global Visibility → Regional View → Specific Session → Single Packet
16. Trending information to tune Firewalls
TCP-SYN rate (common firewall metric)
Fragmented packet rate (IPv4, IPv6)
UDP, ICMP, DNS, NTP, etc. packet rates
Bandwidth
In-depth analysis of attack attempts
Resolve issues with firewalls
FW vendors/users often need packets to tune against an attack
Comprehensive Intelligence on DDoS attacks
Isolate bad traffic from good
Threat Intelligence (did any bad URLs make it past the FW?)
Analyze Firewall effectiveness (Retrospective IDS)
Replay traffic to test new FW rules
Use Case - Firewall Monitoring
Inline systems may face latency and complexity constraints, requiring a reduction in the deployed ruleset
• Monitoring becomes invaluable for a constant pulse on critical infrastructure
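The firewall-tuning metrics listed on this slide (TCP-SYN rate, fragment rate, UDP/ICMP/DNS/NTP rates, bandwidth) and the "isolate bad traffic from good" step can be worked out from a stored packet stream. The following is an added example, not code from the slides or from NIKSUN; the packet records are constructed in-line, the metric definitions and the mean-plus-three-sigma baseline are assumptions of the example.

```python
"""Trend the per-second packet-rate metrics a firewall is tuned against
(TCP SYN, fragments, UDP/ICMP/DNS/NTP, bandwidth) over a stored packet
stream, flag the windows that break from baseline, and isolate the sources
behind them.  Packets below are constructed, not captured."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float            # capture timestamp, seconds
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    length: int          # bytes on the wire
    dport: int = 0
    flags: str = ""      # TCP flags as a string, e.g. "S", "SA", "A"
    fragmented: bool = False


# Metric name -> predicate deciding whether a packet counts toward it (assumed set)
METRICS = {
    "tcp_syn":    lambda p: p.proto == "tcp" and p.flags == "S",
    "fragmented": lambda p: p.fragmented,
    "udp":        lambda p: p.proto == "udp",
    "icmp":       lambda p: p.proto == "icmp",
    "dns":        lambda p: p.proto == "udp" and p.dport == 53,
    "ntp":        lambda p: p.proto == "udp" and p.dport == 123,
}


def rate_series(packets, window=1.0):
    """Bucket packets into fixed windows; return {window_index: Counter}
    holding one count per metric plus 'bytes' (bandwidth)."""
    series = defaultdict(Counter)
    for p in packets:
        c = series[int(p.ts // window)]
        c["bytes"] += p.length
        for name, pred in METRICS.items():
            if pred(p):
                c[name] += 1
    return dict(series)


def anomalous_windows(series, metric, sigmas=3.0, min_baseline=3):
    """Windows whose `metric` exceeds mean + sigmas*stdev of all the other
    windows (the other windows are the baseline, so a burst cannot hide itself)."""
    values = {w: c.get(metric, 0) for w, c in series.items()}
    flagged = []
    for w, v in values.items():
        baseline = [x for ow, x in values.items() if ow != w]
        if len(baseline) < min_baseline:
            continue
        if v > mean(baseline) + sigmas * pstdev(baseline):
            flagged.append(w)
    return sorted(flagged)


def top_sources(packets, metric, window_index, window=1.0, n=5):
    """Sources contributing most to `metric` inside one flagged window:
    the list used to separate bad traffic from good."""
    pred = METRICS[metric]
    hits = Counter(p.src for p in packets
                   if int(p.ts // window) == window_index and pred(p))
    return hits.most_common(n)


def half_open_ratio(packets, window_index, window=1.0):
    """Fraction of (src, dst) SYN pairs in a window that never saw a SYN/ACK
    back: close to 1.0 means the SYNs are not genuine connection attempts."""
    in_win = [p for p in packets
              if p.proto == "tcp" and int(p.ts // window) == window_index]
    syns = {(p.src, p.dst) for p in in_win if p.flags == "S"}
    answered = {(p.dst, p.src) for p in in_win if p.flags == "SA"}
    return 1 - len(syns & answered) / len(syns) if syns else 0.0


def sample_capture():
    """Constructed traffic: five seconds of ordinary handshakes plus one DNS
    query per second, then a one-second SYN burst from three sources."""
    pkts = []
    for sec in range(5):
        for i in range(20):
            ts, client = sec + i / 20, f"10.0.0.{i + 1}"
            pkts.append(Packet(ts, "tcp", client, "203.0.113.10", 60, 443, "S"))
            pkts.append(Packet(ts + 0.01, "tcp", "203.0.113.10", client, 60, 0, "SA"))
        pkts.append(Packet(sec + 0.5, "udp", "10.0.0.5", "203.0.113.53", 80, 53))
    for i in range(300):
        pkts.append(Packet(5 + i / 300, "tcp", f"198.51.100.{i % 3 + 1}",
                           "203.0.113.10", 60, 443, "S"))
    return pkts


if __name__ == "__main__":
    pkts = sample_capture()
    series = rate_series(pkts)
    for w in anomalous_windows(series, "tcp_syn"):
        print(f"window {w}: {series[w]['tcp_syn']} SYN/s, "
              f"half-open ratio {half_open_ratio(pkts, w):.2f}, "
              f"top sources {top_sources(pkts, 'tcp_syn', w)}")
```

Because the rates are computed from retained packets rather than from a counter the firewall happens to export, the same pass can be re-run with a different window size or threshold after the fact, and the `top_sources` list for a flagged window is exactly the input a firewall rule change needs.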
26. Discover compliance level with traffic monitoring
Faster than Pen Testing
Validate security pre and post changes
Firewalls, networks, servers
Evidence
Raw data captures
Instantly identify insecure communications
Who is using non compliant: SSL 2.0, SSL 3.0, TLS 1.0
Who is using which ciphers – strong or weak?
What Certificates are in use? Cert Organizations?
Clear text protocols, SSN
Use Case: Compliance - PCI/Fed/Gov
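The compliance questions on this slide (who is still offering SSL 3.0 or TLS 1.0, who is offering weak ciphers) can be answered passively from the TLS ClientHello in each captured session. The following is an added example, not code from the slides or from NIKSUN: it parses a ClientHello, reads the offered versions and cipher suites, and reports the hosts that fall below an assumed policy of TLS 1.2 or newer with no NULL/EXPORT/RC4/DES/MD5 suites. The handshakes it inspects are constructed by `build_client_hello`, an assumed helper standing in for captured records, and the cipher-suite table is a small subset of the IANA registry.

```python
"""Passive TLS ClientHello inspection for compliance sweeps.  Everything the
check needs (offered versions, cipher suites, SNI) is visible in clear text
in the first handshake message, so stored packets answer 'who is using
SSL 3.0 / TLS 1.0 / weak ciphers' without touching the endpoints."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_COMPLIANT = 0x0303          # assumed policy: TLS 1.2 or newer

# Subset of IANA cipher-suite ids -> names
CIPHER_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")   # assumed policy


def parse_client_hello(raw):
    """Parse a TLS record holding a ClientHello; return versions, ciphers, SNI."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", raw[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = raw[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    versions, sni = [client_version], None
    if pos + 2 <= len(body):                    # extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0x0000:                 # server_name: list len(2), type(1), len(2), name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
            elif etype == 0x002B:               # supported_versions: len(1), versions
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
    return {"sni": sni, "versions": versions, "ciphers": ciphers}


def assess(raw):
    """Apply the policy to one ClientHello: best offered version and weak suites."""
    h = parse_client_hello(raw)
    best = max(h["versions"])
    findings = []
    if best < MIN_COMPLIANT:
        findings.append(f"max offered version {VERSION_NAMES.get(best, hex(best))} below TLS 1.2")
    for cs in h["ciphers"]:
        name = CIPHER_NAMES.get(cs, f"unknown_{cs:04x}")
        if any(m in name for m in WEAK_MARKERS):
            findings.append(f"weak cipher suite {name}")
    return {"sni": h["sni"], "max_version": VERSION_NAMES.get(best, hex(best)),
            "findings": findings}


def audit(records):
    """Who is non-compliant: {sni: findings} for every ClientHello with findings."""
    out = {}
    for raw in records:
        r = assess(raw)
        if r["findings"]:
            out[r["sni"]] = r["findings"]
    return out


def build_client_hello(client_version, ciphers, sni, supported_versions=None):
    """Construct a minimal ClientHello record (test data standing in for a capture)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    if supported_versions:
        sv = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002B, len(sv)) + sv
    body = (struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    legacy = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F], "legacy.example.com")
    modern = build_client_hello(0x0303, [0x1301, 0xC02F], "app.example.com", [0x0304, 0x0303])
    print(audit([legacy, modern]))
```

Two details matter when running this over real captures: a TLS 1.3 client keeps `client_version` at 0x0303 and advertises 1.3 only in the `supported_versions` extension, which is why the parser prefers that extension; and a ClientHello only shows what the client offers, so the ServerHello of the same session is what confirms which version and suite were actually negotiated.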
32. Spear-phishing attack lured employees to go to their bank to update their info
They were redirected to a BAD site
Difficult to trace as the DNS server fixed itself after some amount of time so the problem could not be identified by traditional methods
Forensic analysis
Discovered that the “window of opportunity” was transient
Gave IP address of all those that were lured to the wrong site
Reconstructed the attack and traced the attacker’s moves step-by-step
Damage was minimized due to rapid identification and immediate remediation
Use Case: DNS Server Hacked
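The forensic steps on this slide (find the transient "window of opportunity", list the IP addresses that were lured, follow the attacker's moves) only work if the DNS answers that were handed out are still available after the server has healed itself. The following is an added example, not code from the slides or from NIKSUN, that carries those steps out over stored DNS answers and connection records; all records are constructed in-line, the domain and addresses are placeholders, and the majority-answer baseline and 300-second merge gap are assumptions of the example.

```python
"""Forensics over stored DNS answers: find the transient window in which a
name resolved to a rogue address, list the clients that received it, and
pull the follow-on connections those clients made.  All records below are
constructed, not captured."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float       # capture time, seconds
    client: str     # host that received the answer
    qname: str
    rdata: str      # A record handed back


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


def expected_answers(answers, qname):
    """Majority answer for qname over the whole capture.  A known-good value
    from the zone owner is preferable when one is available."""
    counts = Counter(a.rdata for a in answers if a.qname == qname)
    return {counts.most_common(1)[0][0]} if counts else set()


def rogue_windows(answers, qname, good, max_gap=300.0):
    """Group answers for qname that point outside `good` into windows,
    merging answers that are at most max_gap seconds apart.  Each window
    records the rogue addresses seen and the clients that received them."""
    bad = sorted((a for a in answers if a.qname == qname and a.rdata not in good),
                 key=lambda a: a.ts)
    windows = []
    for a in bad:
        if windows and a.ts - windows[-1]["end"] <= max_gap:
            w = windows[-1]
            w["end"] = a.ts
        else:
            w = {"start": a.ts, "end": a.ts, "rogue_ips": set(), "clients": set()}
            windows.append(w)
        w["rogue_ips"].add(a.rdata)
        w["clients"].add(a.client)
    return windows


def follow_on_flows(flows, window, grace=3600.0):
    """Connections from lured clients to the rogue address(es) from the start
    of the window until `grace` seconds after it: the trail to reconstruct."""
    return sorted((f for f in flows
                   if f.src in window["clients"] and f.dst in window["rogue_ips"]
                   and window["start"] <= f.ts <= window["end"] + grace),
                  key=lambda f: f.ts)


def sample_capture():
    """Constructed: bank.example.com normally resolves to 203.0.113.20; for
    two minutes the resolver hands out 198.51.100.77, then heals itself, so
    a lookup at investigation time (t=5000) looks clean."""
    answers = []
    for t in range(0, 900, 30):
        answers.append(DnsAnswer(t, f"10.0.0.{t % 7 + 1}", "bank.example.com", "203.0.113.20"))
    for t, client in ((1000, "10.0.0.11"), (1045, "10.0.0.12"), (1120, "10.0.0.13")):
        answers.append(DnsAnswer(t, client, "bank.example.com", "198.51.100.77"))
    for t in range(1200, 5000, 30):
        answers.append(DnsAnswer(t, f"10.0.0.{t % 7 + 1}", "bank.example.com", "203.0.113.20"))
    flows = [
        Flow(1001, "10.0.0.11", "198.51.100.77", 443),
        Flow(1046, "10.0.0.12", "198.51.100.77", 443),
        Flow(1050, "10.0.0.5", "203.0.113.20", 443),    # unaffected client, legitimate site
        Flow(1121, "10.0.0.13", "198.51.100.77", 443),
    ]
    return answers, flows


if __name__ == "__main__":
    answers, flows = sample_capture()
    good = expected_answers(answers, "bank.example.com")
    for w in rogue_windows(answers, "bank.example.com", good):
        print(f"rogue window {w['start']}..{w['end']} -> {sorted(w['rogue_ips'])}")
        print("lured clients:", sorted(w["clients"]))
        for f in follow_on_flows(flows, w):
            print(f"  {f.ts}: {f.src} -> {f.dst}:{f.dport}")
```

The point the slide makes is visible in the data: querying the resolver at t=5000 returns the correct address, and no log on the DNS server records what it answered at t=1000, so the window, the lured clients and their subsequent connections can be reconstructed only from the retained traffic.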