SlideShare a Scribd company logo

Cisco CSIRT Case Study: Forensic Investigations with NetFlow

Lancope, Inc.
Lancope, Inc.

Cisco CSIRT uses NetFlow to collect 16 billion flows from Cisco’s 175TB of traffic observed daily. The data is used to monitor, investigate, and contain incidents using 3 key playbook “plays” each day. Two leaders from Cisco's Computer Security Incident Response Team (CSIRT) will review a real cyber incident and the resulting investigation leveraging NetFlow collected via the StealthWatch System. Participants will learn how to use NetFlow and the StealthWatch System to: Investigate top use cases: C&C discovery, data loss and DOS attacks Gain contextual awareness of network activity Accelerate incident response Minimize costly outages and downtime from threats Protect the evolving network infrastructure Provide forensic evidence to prosecute adversaries

Technology
1 of 47
Download to read offline
© 2014 Lancope, Inc. All rights reserved. Cisco CSIRT: Security Analytics and Forensics with NetFlow Presented by: Michael Scheck, Information Security Manager, Cisco Paul Eckstein, CSIRT Engineering Manager, Cisco
© 2014 Lancope, Inc. All rights reserved. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by SSL April 8, 2014: Heartbleed Vulnerability
© 2014 Lancope, Inc. All rights reserved. Cisco CSIRT Response to Heartbleed • Preparation • Scanned 1.2M vulnerable servers - 300 needed repair • Helped develop signatures for Sourcefire and Cisco IDS • Deployed signatures to IDS • Monitoring and response • Discovered 25 attacks: 21 benign, 4 malicious • Researched attack via NetFlow analysis to discern normal connections from those that were anomalous and malicious 3
© 2014 Lancope, Inc. All rights reserved. Heartbleed Benign Host 4
© 2014 Lancope, Inc. All rights reserved. Heartbleed Malicious Host 5
© 2014 Lancope, Inc. All rights reserved. NetFlow@Cisco History
© 2014 Lancope, Inc. All rights reserved. A B C C B A C A B NetFlow Basics 7
© 2014 Lancope, Inc. All rights reserved. NetFlow Collection and Analysis Solutions 8 OSU FlowTools nfdump Lancope StealthWatch License Open source from Ohio State Open source from SourceForge Commercial NetFlow versions V5 v5 and up v5 and up IPv6 ready? Yes Yes Yes Syntax Command-line, like ACLs Command-line, like tcpdump GUI Support Ad-hoc via Google Code Up-to-date Up-to-date
© 2014 Lancope, Inc. All rights reserved. NetFlow at Cisco Before StealthWatch • OSU FlowTools • 25+ systems running in parallel - Speeds up query time, but routers have to point at each collector •20+ Tb of physical storage -Files were stored in native nfdump/flowtools compressed format •No flow aggregation •Some connections passed through multiple devices, causing duplicate flows •Routers splitting up long running flows 9
© 2014 Lancope, Inc. All rights reserved. NetFlow Challenge:Support • Support of open source tools • OS support • Training staff • Feature requests • Protocol changes (NetFlow and IP) • Difficult to monitor for flow loss 10
© 2014 Lancope, Inc. All rights reserved. NetFlow Investigation with OSU FlowTools Query bot.acl file uses familiar ACL syntax. create a list named ‘bot’ [mynfchost]$ head bot.acl ip access-list standard bot permit host 69.50.180.3 ip access-list standard bot permit host 66.182.153.176 [mynfchost]$ flow-cat /var/local/flows/data/2007-02-12/ft* | flow-filter -Sbot -o -... Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP 0213.08:39:49.911 0213.08:40:34.519 58 10.10.71.100 8343 98 69.50.180.3 31337 0213.08:40:33.590 0213.08:40:42.294 98 69.50.180.3 31337 58 10.10.71.100 83 11
© 2014 Lancope, Inc. All rights reserved. NetFlow Investigation with OSU FlowTools Custom NetFlow Report Generator
© 2014 Lancope, Inc. All rights reserved. Our Installation
© 2014 Lancope, Inc. All rights reserved. Internet Data Center ISP Gateways NetFlow Collector DC Gateways Corporate Backbone NetFlow exported at network choke points NetFlow Export at Cisco Collect at chokepoints for egress detection 14
© 2014 Lancope, Inc. All rights reserved. NetFlow Collection at Cisco with StealthWatch 15
© 2014 Lancope, Inc. All rights reserved. Common collection infrastructure • Redundant forwarding • Regional storage • Global search • Applies to netflow, log collection 16
© 2014 Lancope, Inc. All rights reserved. Lancope Devices and Count StealthWatch Management Console FlowReplicator FlowSensor FlowCollector 2 2 10 13 17
© 2014 Lancope, Inc. All rights reserved. NetFlow Retention 18 SJC 4-18 months RCDN 10 months RTP 4 months LON 26 months BGL 5-9 months
© 2014 Lancope, Inc. All rights reserved. Problems Solved
© 2014 Lancope, Inc. All rights reserved. 30s 30s 30s NetFlow Challenge: Flow Timeouts One 90s flow creates 6 flows 30s timeout 90/30 = 3 x 2 collectors 30s 30s 30s NetFlow creates 3 flows NetFlow creates 3 flows Lab gateway ISP gateway 20
© 2014 Lancope, Inc. All rights reserved. Business Benefit #1 Storage Capacity 30s 30s 30s 30s 30s 30s NetFlow creates 3 flows NetFlow creates 3 flows Lab gateway ISP gateway 21
© 2014 Lancope, Inc. All rights reserved. Business Benefit #2 Ease of support • IPv4/IPv6 both supported • NetFlow v5/v9 both supported • All supported on the same system, on the same port! • No system administration required • Alarms built in for monitoring of lost flows 22
© 2014 Lancope, Inc. All rights reserved. Business Benefit #3 Ease of use 24
© 2014 Lancope, Inc. All rights reserved. • Other variables: host groups, time range, interfaces, ports • Defaults to 2000 flow records returned • Much simpler than syntax for CLI (example below) Flow Table Query 1. Create a file called‘flow.acl’with a named access list: linux-machine# cat ip access-list standard botnet permit ip 10.31.33.7 >flow.acl 2. Run a query for the time period you are interested in using the ACL linux-machine# flow-cat /var/local/flows/data/2006-12-01/ft* | flow-filter -f ~/flow.acl -Sbotnet -o -Dbotnet | flow- print -f5 25
© 2014 Lancope, Inc. All rights reserved. Flow Table Output 26
© 2014 Lancope, Inc. All rights reserved. FlowTable Results Server, DNS, and Country Traffic Type & Volume 27
© 2014 Lancope, Inc. All rights reserved. NetFlow Challenge: Limited Detection Capability • No concept of host groups for query • Effective for forensics • Can do basic DOS detection • Any other queries required writing algorithms 29
© 2014 Lancope, Inc. All rights reserved. Suspected Data Loss High File Sharing Index Max Flows Served Business Benefit #4: Analytics 30
© 2014 Lancope, Inc. All rights reserved. Use Cases
© 2014 Lancope, Inc. All rights reserved. NetFlow CNC discovery 32 2. Investigate other internal hosts communicating with the same CnC 1. Detect host communicating with external Command-and-Control 3. Uncover other malicious, external entities from the compromised hosts
Targeted Monitoring: DoS Detection 33
34 Targeted Monitoring – Data Loss
35 Targeted Monitoring: Data Loss
© 2014 Lancope, Inc. All rights reserved. StealthWatch Host Locking 36 Send syslog for any traffic seen between insides hosts and known C&C servers
© 2014 Lancope, Inc. All rights reserved. StealthWatch Host Locking 37 Modify known C&C server list via API
© 2014 Lancope, Inc. All rights reserved. CRiTs crits@mitre.org 38
© 2014 Lancope, Inc. All rights reserved. CRiTS Indicator Actions 39 Prevent DNS RPZ host IDS BGP Detect Syslog In Progress passive DNS Share Govt Current Future CSIRT Mandiant ESA HIPS LUPA/ PCAP WSA Partner CRITS MD5 IPV4 Regkey AV SBG CDSA Lancope
CRiTS NetFlow Alarms 40
© 2014 Lancope, Inc. All rights reserved. Splunk Integration – SMC Alarms Requirement: integrate flow events with other logs for a single investigation interface Solution: send relevant alarms as syslog messages to in-house Splunk™ architecture
© 2014 Lancope, Inc. All rights reserved. StealthWatch Splunk Alerts Link to StealthWatch host snapshot
© 2014 Lancope, Inc. All rights reserved. API Use Cases Requirement Problem API Script Solution Pull all flows for given time period SMC Flow Collector query limit Run consecutive, small queries then concatenate Keep SMC host groups up to date Manual configuration, old data Query internal source of truth, push subnet lists to host groups automatically Look up events for a particular IP for a specific timeframe No user attribution (yet) Find IP and lease time from internal source of truth, query StealthWatch for related events 43
© 2014 Lancope, Inc. All rights reserved. Network Subnets Mapped from IPAM
© 2014 Lancope, Inc. All rights reserved. Network Subnets Map to Lancope Zones 45
© 2014 Lancope, Inc. All rights reserved. Splunk integration: getFlows Find NetFlow events via Lancope API with the respective src/dst
© 2014 Lancope, Inc. All rights reserved. Splunk Integration - getFlows 47
© 2014 Lancope, Inc. All rights reserved. Next Steps How to get started: 1. Find a collection/query system for NetFlow 2. Export NetFlow from chokepoints 3. Map your network context from IPAM into zones for query 4. Configure alarms for specific zones 5. Setup performance monitoring to mitigate flow loss from exporters 6. Integrate with your portfolio via API 7. Train your users and administrators – attend Lancope webinars and training 48
© 2014 Lancope, Inc. All rights reserved. Contact information: Mike: mscheck@cisco.com Paul: peckstei@cisco.com

Recommended

Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope, Inc.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDSMichael Boman
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 

Recommended

Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope, Inc.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDSMichael Boman
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Bangladesh Network Operators Group
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
VPN
VPNVPN
VPNSwarup Kumar Mall
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Splunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto NetworksSplunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto NetworksGeorg Knon
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallCisco Canada
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programAPNIC
 
Presentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesPresentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesOscar Romano
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
Meraki powered services bell
Meraki powered services bellMeraki powered services bell
Meraki powered services bellCisco Canada
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Saksham Agrawal
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideAlberto Rivai
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Canada
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Netflow slides
Netflow slidesNetflow slides
Netflow slidesJose Manuel Vega Monroy
 

More Related Content

What's hot

Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
Splunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto NetworksSplunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto NetworksGeorg Knon
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallCisco Canada
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programAPNIC
 
Presentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesPresentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesOscar Romano
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
Meraki powered services bell
Meraki powered services bellMeraki powered services bell
Meraki powered services bellCisco Canada
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Saksham Agrawal
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideAlberto Rivai
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Canada
 

What's hot (20)

Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
VPN
VPNVPN
VPN
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
Splunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto NetworksSplunk Webinar: Splunk App for Palo Alto Networks
Splunk Webinar: Splunk App for Palo Alto Networks
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
 
Presentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesPresentación - Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
 
Meraki powered services bell
Meraki powered services bellMeraki powered services bell
Meraki powered services bell
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issues
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
 

Viewers also liked

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk Splunk
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
Manageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightManageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightSai Sundhar Padmanabhan
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointLancope, Inc.
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
Cisco Threat Defense (Cisco Stealthwatch)
Cisco Threat Defense (Cisco Stealthwatch)Cisco Threat Defense (Cisco Stealthwatch)
Cisco Threat Defense (Cisco Stealthwatch)Cisco Russia
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is HereLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Lancope, Inc.
 
DDos Attacks and Web Threats: How to Protect Your Site & Information
DDos Attacks and Web Threats: How to Protect Your Site & InformationDDos Attacks and Web Threats: How to Protect Your Site & Information
DDos Attacks and Web Threats: How to Protect Your Site & Informationjenkoon
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 

Viewers also liked (20)

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
Netflow slides
Netflow slidesNetflow slides
Netflow slides
 
How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
 
Estrategia de acompañamiento 2015
Estrategia de acompañamiento 2015Estrategia de acompañamiento 2015
Estrategia de acompañamiento 2015
 
Manageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An InsightManageengine Netflow analyzer - An Insight
Manageengine Netflow analyzer - An Insight
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
StackOverflow
StackOverflowStackOverflow
StackOverflow
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)
 
Cisco Threat Defense (Cisco Stealthwatch)
Cisco Threat Defense (Cisco Stealthwatch)Cisco Threat Defense (Cisco Stealthwatch)
Cisco Threat Defense (Cisco Stealthwatch)
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
 
DDos Attacks and Web Threats: How to Protect Your Site & Information
DDos Attacks and Web Threats: How to Protect Your Site & InformationDDos Attacks and Web Threats: How to Protect Your Site & Information
DDos Attacks and Web Threats: How to Protect Your Site & Information
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 

Similar to Cisco CSIRT Case Study: Forensic Investigations with NetFlow

AIDevWorldApacheNiFi101
AIDevWorldApacheNiFi101AIDevWorldApacheNiFi101
AIDevWorldApacheNiFi101Timothy Spann
 
HP Protects Massive, Global Network with StealthWatch
HP Protects Massive, Global Network with StealthWatchHP Protects Massive, Global Network with StealthWatch
HP Protects Massive, Global Network with StealthWatchLancope, Inc.
 
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...Ian Choi
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Cisco Canada
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)Kirill Tsym
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingKernel TLV
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
Orion NTA Customer Training
Orion NTA Customer TrainingOrion NTA Customer Training
Orion NTA Customer TrainingSolarWinds
 
Composing services with Kubernetes
Composing services with KubernetesComposing services with Kubernetes
Composing services with KubernetesBart Spaans
 
Janet-hosted test tools
Janet-hosted test toolsJanet-hosted test tools
Janet-hosted test toolsJisc
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructureFernando Lopez Aguilar
 
Mission to NARs with Apache NiFi
Mission to NARs with Apache NiFiMission to NARs with Apache NiFi
Mission to NARs with Apache NiFiHortonworks
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Canada
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...Indonesia Network Operators Group
 

Similar to Cisco CSIRT Case Study: Forensic Investigations with NetFlow (20)

AIDevWorldApacheNiFi101
AIDevWorldApacheNiFi101AIDevWorldApacheNiFi101
AIDevWorldApacheNiFi101
 
HP Protects Massive, Global Network with StealthWatch
HP Protects Massive, Global Network with StealthWatchHP Protects Massive, Global Network with StealthWatch
HP Protects Massive, Global Network with StealthWatch
 
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...
한국통신학회 워크샵: SDN/NFV for Secure Services - Understanding Open Source SDN Contr...
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
Orion NTA Customer Training
Orion NTA Customer TrainingOrion NTA Customer Training
Orion NTA Customer Training
 
Composing services with Kubernetes
Composing services with KubernetesComposing services with Kubernetes
Composing services with Kubernetes
 
ACI Hands-on Lab
ACI Hands-on LabACI Hands-on Lab
ACI Hands-on Lab
 
Janet-hosted test tools
Janet-hosted test toolsJanet-hosted test tools
Janet-hosted test tools
 
OpenStack with OpenDaylight
OpenStack with OpenDaylightOpenStack with OpenDaylight
OpenStack with OpenDaylight
 
L2 and L3 agent restructure
L2 and L3 agent restructureL2 and L3 agent restructure
L2 and L3 agent restructure
 
Spark+flume seattle
Spark+flume seattleSpark+flume seattle
Spark+flume seattle
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructure
 
Mission to NARs with Apache NiFi
Mission to NARs with Apache NiFiMission to NARs with Apache NiFi
Mission to NARs with Apache NiFi
 
SRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdfSRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdf
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
 
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
07 (IDNOG02) SDN Research activity in Institut Teknologi Bandung by Affan Bas...
 

More from Lancope, Inc.

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesLancope, Inc.
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Lancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesLancope, Inc.
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Lancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramLancope, Inc.
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1Lancope, Inc.
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Lancope, Inc.
 

More from Lancope, Inc. (16)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation Tovar
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Cisco CSIRT Case Study: Forensic Investigations with NetFlow

  • 1. © 2014 Lancope, Inc. All rights reserved. Cisco CSIRT: Security Analytics and Forensics with NetFlow Presented by: Michael Scheck, Information Security Manager, Cisco Paul Eckstein, CSIRT Engineering Manager, Cisco
  • 2. © 2014 Lancope, Inc. All rights reserved. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by SSL April 8, 2014: Heartbleed Vulnerability
  • 3. © 2014 Lancope, Inc. All rights reserved. Cisco CSIRT Response to Heartbleed • Preparation • Scanned 1.2M vulnerable servers - 300 needed repair • Helped develop signatures for Sourcefire and Cisco IDS • Deployed signatures to IDS • Monitoring and response • Discovered 25 attacks: 21 benign, 4 malicious • Researched attack via NetFlow analysis to discern normal connections from those that were anomalous and malicious 3
  • 4. © 2014 Lancope, Inc. All rights reserved. Heartbleed Benign Host 4
  • 5. © 2014 Lancope, Inc. All rights reserved. Heartbleed Malicious Host 5
  • 6. © 2014 Lancope, Inc. All rights reserved. NetFlow@Cisco History
  • 7. © 2014 Lancope, Inc. All rights reserved. A B C C B A C A B NetFlow Basics 7
  • 8. © 2014 Lancope, Inc. All rights reserved. NetFlow Collection and Analysis Solutions 8 OSU FlowTools nfdump Lancope StealthWatch License Open source from Ohio State Open source from SourceForge Commercial NetFlow versions V5 v5 and up v5 and up IPv6 ready? Yes Yes Yes Syntax Command-line, like ACLs Command-line, like tcpdump GUI Support Ad-hoc via Google Code Up-to-date Up-to-date
  • 9. © 2014 Lancope, Inc. All rights reserved. NetFlow at Cisco Before StealthWatch • OSU FlowTools • 25+ systems running in parallel - Speeds up query time, but routers have to point at each collector •20+ Tb of physical storage -Files were stored in native nfdump/flowtools compressed format •No flow aggregation •Some connections passed through multiple devices, causing duplicate flows •Routers splitting up long running flows 9
  • 10. © 2014 Lancope, Inc. All rights reserved. NetFlow Challenge:Support • Support of open source tools • OS support • Training staff • Feature requests • Protocol changes (NetFlow and IP) • Difficult to monitor for flow loss 10
  • 11. © 2014 Lancope, Inc. All rights reserved. NetFlow Investigation with OSU FlowTools Query bot.acl file uses familiar ACL syntax. create a list named ‘bot’ [mynfchost]$ head bot.acl ip access-list standard bot permit host 69.50.180.3 ip access-list standard bot permit host 66.182.153.176 [mynfchost]$ flow-cat /var/local/flows/data/2007-02-12/ft* | flow-filter -Sbot -o -... Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP 0213.08:39:49.911 0213.08:40:34.519 58 10.10.71.100 8343 98 69.50.180.3 31337 0213.08:40:33.590 0213.08:40:42.294 98 69.50.180.3 31337 58 10.10.71.100 83 11
  • 12. © 2014 Lancope, Inc. All rights reserved. NetFlow Investigation with OSU FlowTools Custom NetFlow Report Generator
  • 13. © 2014 Lancope, Inc. All rights reserved. Our Installation
  • 14. © 2014 Lancope, Inc. All rights reserved. Internet Data Center ISP Gateways NetFlow Collector DC Gateways Corporate Backbone NetFlow exported at network choke points NetFlow Export at Cisco Collect at chokepoints for egress detection 14
  • 15. © 2014 Lancope, Inc. All rights reserved. NetFlow Collection at Cisco with StealthWatch 15
  • 16. © 2014 Lancope, Inc. All rights reserved. Common collection infrastructure • Redundant forwarding • Regional storage • Global search • Applies to netflow, log collection 16
  • 17. © 2014 Lancope, Inc. All rights reserved. Lancope Devices and Count StealthWatch Management Console FlowReplicator FlowSensor FlowCollector 2 2 10 13 17
  • 18. © 2014 Lancope, Inc. All rights reserved. NetFlow Retention 18 SJC 4-18 months RCDN 10 months RTP 4 months LON 26 months BGL 5-9 months
  • 19. © 2014 Lancope, Inc. All rights reserved. Problems Solved
  • 20. © 2014 Lancope, Inc. All rights reserved. 30s 30s 30s NetFlow Challenge: Flow Timeouts One 90s flow creates 6 flows 30s timeout 90/30 = 3 x 2 collectors 30s 30s 30s NetFlow creates 3 flows NetFlow creates 3 flows Lab gateway ISP gateway 20
  • 21. © 2014 Lancope, Inc. All rights reserved. Business Benefit #1 Storage Capacity 30s 30s 30s 30s 30s 30s NetFlow creates 3 flows NetFlow creates 3 flows Lab gateway ISP gateway 21
  • 22. © 2014 Lancope, Inc. All rights reserved. Business Benefit #2 Ease of support • IPv4/IPv6 both supported • NetFlow v5/v9 both supported • All supported on the same system, on the same port! • No system administration required • Alarms built in for monitoring of lost flows 22
  • 23. © 2014 Lancope, Inc. All rights reserved. Business Benefit #3 Ease of use 24
  • 24. © 2014 Lancope, Inc. All rights reserved. • Other variables: host groups, time range, interfaces, ports • Defaults to 2000 flow records returned • Much simpler than syntax for CLI (example below) Flow Table Query 1. Create a file called‘flow.acl’with a named access list: linux-machine# cat ip access-list standard botnet permit ip 10.31.33.7 >flow.acl 2. Run a query for the time period you are interested in using the ACL linux-machine# flow-cat /var/local/flows/data/2006-12-01/ft* | flow-filter -f ~/flow.acl -Sbotnet -o -Dbotnet | flow- print -f5 25
  • 25. © 2014 Lancope, Inc. All rights reserved. Flow Table Output 26
  • 26. © 2014 Lancope, Inc. All rights reserved. FlowTable Results Server, DNS, and Country Traffic Type & Volume 27
  • 27. © 2014 Lancope, Inc. All rights reserved. NetFlow Challenge: Limited Detection Capability • No concept of host groups for query • Effective for forensics • Can do basic DOS detection • Any other queries required writing algorithms 29
  • 28. © 2014 Lancope, Inc. All rights reserved. Suspected Data Loss High File Sharing Index Max Flows Served Business Benefit #4: Analytics 30
  • 29. © 2014 Lancope, Inc. All rights reserved. Use Cases
  • 30. © 2014 Lancope, Inc. All rights reserved. NetFlow CNC discovery 32 2. Investigate other internal hosts communicating with the same CnC 1. Detect host communicating with external Command-and-Control 3. Uncover other malicious, external entities from the compromised hosts
  • 31. Targeted Monitoring: DoS Detection 33
  • 32. 34 Targeted Monitoring – Data Loss
  • 34. © 2014 Lancope, Inc. All rights reserved. StealthWatch Host Locking 36 Send syslog for any traffic seen between insides hosts and known C&C servers
  • 35. © 2014 Lancope, Inc. All rights reserved. StealthWatch Host Locking 37 Modify known C&C server list via API
  • 36. © 2014 Lancope, Inc. All rights reserved. CRiTs crits@mitre.org 38
  • 37. © 2014 Lancope, Inc. All rights reserved. CRiTS Indicator Actions 39 Prevent DNS RPZ host IDS BGP Detect Syslog In Progress passive DNS Share Govt Current Future CSIRT Mandiant ESA HIPS LUPA/ PCAP WSA Partner CRITS MD5 IPV4 Regkey AV SBG CDSA Lancope
  • 39. © 2014 Lancope, Inc. All rights reserved. Splunk Integration – SMC Alarms Requirement: integrate flow events with other logs for a single investigation interface Solution: send relevant alarms as syslog messages to in-house Splunk™ architecture
  • 40. © 2014 Lancope, Inc. All rights reserved. StealthWatch Splunk Alerts Link to StealthWatch host snapshot
  • 41. © 2014 Lancope, Inc. All rights reserved. API Use Cases Requirement Problem API Script Solution Pull all flows for given time period SMC Flow Collector query limit Run consecutive, small queries then concatenate Keep SMC host groups up to date Manual configuration, old data Query internal source of truth, push subnet lists to host groups automatically Look up events for a particular IP for a specific timeframe No user attribution (yet) Find IP and lease time from internal source of truth, query StealthWatch for related events 43
  • 42. © 2014 Lancope, Inc. All rights reserved. Network Subnets Mapped from IPAM
  • 43. © 2014 Lancope, Inc. All rights reserved. Network Subnets Map to Lancope Zones 45
  • 44. © 2014 Lancope, Inc. All rights reserved. Splunk integration: getFlows Find NetFlow events via Lancope API with the respective src/dst
  • 45. © 2014 Lancope, Inc. All rights reserved. Splunk Integration - getFlows 47
  • 46. © 2014 Lancope, Inc. All rights reserved. Next Steps How to get started: 1. Find a collection/query system for NetFlow 2. Export NetFlow from chokepoints 3. Map your network context from IPAM into zones for query 4. Configure alarms for specific zones 5. Setup performance monitoring to mitigate flow loss from exporters 6. Integrate with your portfolio via API 7. Train your users and administrators – attend Lancope webinars and training 48
  • 47. © 2014 Lancope, Inc. All rights reserved. Contact information: Mike: mscheck@cisco.com Paul: peckstei@cisco.com