APNIC Senior Network Analyst/Technical Trainer Warren Finch presents on packet analysis for network security at the MMIX Peering Forum and MMNOG 2020 in Yangon, Myanmar, from 13 to 17 January 2020.
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes
nothing more than IoCs or blacklists. In this talk, Endgame’s threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of
data and open-source tools to “hunt on the cheap.” They’ll explain how to: retrieve attackers’ tools from globally distributed honeynets that look like your organization or a juicy launching
point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own
networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes
nothing more than IoCs or blacklists. In this talk, Endgame’s threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of
data and open-source tools to “hunt on the cheap.” They’ll explain how to: retrieve attackers’ tools from globally distributed honeynets that look like your organization or a juicy launching
point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own
networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
File carving is the name of the technique of pulling files out of a stream of bytes without the use of a particular file system; much like finding a word in a word search puzzle. Network based file carving is used to extract files from saved network traffic data that has been collected from tools such as Wireshark or TCPdump. This is useful for extracting viruses to be analyzed, identifying exfiltration, and forensic investigations.
GTKlondike (Twitter: @GTKlondike) GTKlondike is a hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working in the industry as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
Open source network forensics and advanced pcap analysisGTKlondike
Speaker: GTKlondike
There is a lot of information freely available out on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well defined limit on how in depth the topic is covered. This intermediate level talk aims to bridge the gap between a basic understanding of protocol analyzers (I.e. Wireshark and TCPdump), and practical real world usage. Things that will be covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network based attacks. It is assumed the audience has working knowledge of protocol analysis tools (I.e. Wireshark and TCPdump), OSI and TCP/IP model, and major protocols (I.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
There is no doubt that Intrusion Detection Systems should be incorporated into any security infrastructure, however today’s IDS implementations are far from perfect. Security Managers should continue to add layers to their defense strategy and not place too much reliance on this technology, as it’s not easy to create a system that can effectively flag an attack without crashing under the weight of its own logs, operate relatively maintenance free and respond appropriately to benign anomalous events without raising too many false alarms.
This session discusses some of the most common techniques aimed at evading IDS detection order to easily attack the infrastructure sitting behind those systems.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
Creating HAGRAT, A Remote Access Tool (RAT) and the related Command and Control (C2) infrastructure for Penetration Testing exercises that simlate persistent, targeted attacks.
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
File carving is the name of the technique of pulling files out of a stream of bytes without the use of a particular file system; much like finding a word in a word search puzzle. Network based file carving is used to extract files from saved network traffic data that has been collected from tools such as Wireshark or TCPdump. This is useful for extracting viruses to be analyzed, identifying exfiltration, and forensic investigations.
GTKlondike (Twitter: @GTKlondike) GTKlondike is a hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working in the industry as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
Open source network forensics and advanced pcap analysisGTKlondike
Speaker: GTKlondike
There is a lot of information freely available out on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well defined limit on how in depth the topic is covered. This intermediate level talk aims to bridge the gap between a basic understanding of protocol analyzers (I.e. Wireshark and TCPdump), and practical real world usage. Things that will be covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network based attacks. It is assumed the audience has working knowledge of protocol analysis tools (I.e. Wireshark and TCPdump), OSI and TCP/IP model, and major protocols (I.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
There is no doubt that Intrusion Detection Systems should be incorporated into any security infrastructure, however today’s IDS implementations are far from perfect. Security Managers should continue to add layers to their defense strategy and not place too much reliance on this technology, as it’s not easy to create a system that can effectively flag an attack without crashing under the weight of its own logs, operate relatively maintenance free and respond appropriately to benign anomalous events without raising too many false alarms.
This session discusses some of the most common techniques aimed at evading IDS detection order to easily attack the infrastructure sitting behind those systems.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
Creating HAGRAT, A Remote Access Tool (RAT) and the related Command and Control (C2) infrastructure for Penetration Testing exercises that simlate persistent, targeted attacks.
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
For your final step, you will synthesize the previous steps and laShainaBoling829
For your final step, you will synthesize the previous steps and labs to summarize the major findings from this project.
Specifically, you will prepare a technical report that summarizes your findings including:
1. Provide a table of common ports for protocols we studied. Discuss how security devices can be used to within a larger network to control subnets and devices within those subnets.
2. Discuss network diagnostic tools you used in this lab. Summarize their functionality and describe specifically how you used each tool. Discuss the results you used to assist in both the discovery phase and protocol analysis of the sites you analyzed. What tools impressed you the most and would be most useful for an analyst to employ in the daily activities? What other functionality do you think would be useful to cyber operations analysts?
3. Research and discuss the ethical use of these tools. For example, if you discover a serious vulnerability, what you should you do? What communications should you have with site owners prior to conducting vulnerability scans?
The report should include a title page, table of contents, list of tables and figures (as applicable), content organized into sections. Be sure to properly cite your sources throughout, and include a list of references, formatted in accordance with APA style.
Final Technical Report
31 January 2022
Llyjerylmye Amos
COP 620 Project 1 Final Technical Report
Well-known ports range from 0 to 1023, and are assigned by Internet Assigned Numbers Authority
(IANA) base on the default services that are associated with the assigned ports. Administrators may
obfuscate services that are running on well-known ports by configuring services to be utilized on unused
ephemeral ports. However, the default configuration of well-known ports allow tech savvy personnel
and software vendors to speak a common language when configuring networking devices, information
systems (IS)s and or software applications. Within this lesson, 22-SSH, 23- Telnet, 25-SMTP, 53-DNS, 80-
HTTP, 110-POP3 and 443-HTTPS were the common ports and protocols that were reviewed, table 1.
Port Protocol
22 SSH
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
443 HTTPS
Table 1. Common ports studies.
Firewalls are the most common network security devices installed on information systems (IS).
According to Cisco (n.d.), “a firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based on a defined set of security
rules”. Security rules may be applied to specific ISs, host-based firewalls, or to the entire network,
network-based firewalls to scan emails, hard drives for malware or to allow traffic on certain sections of
the subnet. Firewalls are also categorized into specific type such as, proxy firewalls, stateful inspection
firewalls, unified threat management firewalls, next-generation firewalls (NGFW), ...
Automated prevention of ransomware with machine learning and gposPriyanka Aash
This talk will highlight a signature-less method to detect malicious behavior before the delivery of the ransomware payload can infect the machine. The ML-driven detection method is coupled with the automated generation of a Group Policy Object and in this way we demonstrate an automated way to take action and create a policy based on observed IOC’s detected in a zero-day exploit pattern.
( Source : RSA Conference USA 2017)
Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis.
Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur.
The Benefits: Increase events-responded-to an estimated 30X over.
Substantially reduce or eliminate damage from breaches.
Create a dramatically more effective and efficient security team.
Maximize current security infrastructure investment.
Be far more confident that your network is actually secure.
OUR DIFFERENTIATORS:
Understands the truth of what is happening on your network.
Detects advanced attacks that have breached perimeter defenses.
Develops a complete, near real-time understanding of suspicious behaviour.
Develops a battleground understanding of your entire security situation.
Augments current security solutions.
Proven speed, scale and effectiveness on the largest, most attacked networks on earth.
With the focus on security, most organisations test the security defenses via pen-testing. But what about after the network has been compromised. Is there an Advance Persistent Threat (APT) sitting on the network? Will the defenses be able to detect this?
This talk will discuss some of the open source tools that can help simulate this threat. So as to test the security defenses if an APT makes it onto the network.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
2. Agenda
• Why Network Security?
• Attack Frameworks
• Detection analysis techniques
• List of Free Open Source Software (F.O.S.S)
• Overview of Security Onion
• Demo Time
2
3. Amount of attacks – SSH attack
3
• APNIC 46 Network security workshop, deployed 7
honeypots to a cloud service
• 21,077 attacks in 24 hours
• Top 5 sensors
– training06 (8,431 attacks)
– training01 (5,268 attacks)
– training04 (2,208 attacks)
– training07 (2,025 attacks)
– training03 (1,850 attacks)
4. Time of attack – RDP attack
4
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-rdp-exposed-the-threats-thats-already-at-your-door-
wp.pdf last accessed 24/07/2019
The 10 RDP honeypots logged a
combined 4,298,513 failed login attempts
over a 30-day period
5. Legislative requirements
• Government intervention and regulation
– Europe, GDPR (General Data Protection Regulation)
– Australia, Notifiable Data Breaches (NDB) scheme
– United States, various State data breach notification Statutes
– India, Personal Data Protection Bill (Early 2020)
– China, Cybersecurity Law & draft Data Security Administrative
Measures
• Data protection laws of the world
– https://www.dlapiperdataprotection.com
5
7. Mitigate Cyber Security incidents
Relative
security
effectiveness
rating
Mitigation strategy Potential
user
resistance
Upfront cost
(staff,
equipment,
technical
complexity)
Ongoing
maintenance
cost (mainly
staff)
Mitigation strategies to detect cyber security incidents and respond
Excellent Continuous incident detection and response with
automated immediate analysis of centralised time-
synchronised logs of permitted and denied: computer events,
authentication, file access and network activity.
Low Very high Very high
Very good Host-based intrusion detection/prevention system to
identify anomalous behaviour during program execution e.g.
process injection, keystroke logging, driver loading and
persistence.
Low Medium Medium
Very good Endpoint detection and response software on all
computers to centrally log system behaviour and facilitate
incident response. Microsoft’s free SysMon tool is an entry-
level option.
Low Medium Medium
Very good Hunt to discover incidents based on knowledge of
adversary tradecraft. Leverage threat intelligence consisting
of analysed threat data with context enabling mitigating
action, not just indicators of compromise.
Low Very high Very high
Limited Network-based intrusion detection/prevention
system using signatures and heuristics to identify anomalous
traffic both internally and crossing network perimeter
boundaries.
Low High Medium
Limited Capture network traffic to and from corporate computers
storing important data or considered as critical assets, and
network traffic traversing the network perimeter, to perform
incident detection and analysis.
Low High Medium
7
https://www.cyber.gov.au/sites/default/files/2019-03/Mitigation_Strategies_2017.pdf
9. NIST Cybersecurity Framework
• Anomalies and Events (AE) in the Detect (DE) functional
area, there are five subcategories:
– DE.AE-1: A baseline of network operations and expected data flows
for users and systems is established and managed
– DE.AE-2: Detected events are analyzed to understand attack targets
and methods
– DE.AE-3: Event data are aggregated and correlated from multiple
sources and sensors
– DE.AE-4: Impact of events is determined
– DE.AE-5: Incident alert thresholds are established
9
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
10. NIST Cybersecurity Framework
• DE.AE-2: Detected events are analyzed to understand attack
targets and methods
– CIS CSC 3, 6, 13, 15
– COBIT 5 DSS05.07
– ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
– ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9,
SR 6.1, SR 6.2
– ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
– NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
• AU-6 - Audit Review, Analysis, and Reporting;
• CA-7 – Continious Monitoring;
• IR-4 – Incident Hadling;
• SI-4 – Information System monitoring eg IDS, Automated tools, Alerts.
10
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
11. ATT&CK Matrix for Enterprise
https://attack.mitre.org – accessed 12th Nov 2018
12. ATT&CK Matrix for Enterprise
https://attack.mitre.org – accessed 12th Nov 2018
14. Signature analysis
• Distinctive marks of known bad traffic used to generate alerts.
– virus detection,
– malicious website or
– malware files.
• Distinctive marks include:
– IP addresses
– Hostnames
– Offsets – for example, memory related exploit
– Debug information
– “Ego” strings (strings left in the code)
– Header information
15. Signature analysis
• An example could be detecting a nmap scan of a
network by looking at the User-Agent string.
alert tcp $EXTERNAL_NET any -> any any (msg:"Nmap User-Agent
Observed"; flow:to_server,established; content:"User-Agent|3a|";
http_header; content:"|20|Nmap"; sid:1000001; rev:3;)
16. Session analysis
• Utilises the session metadata to determine what is
happening during a session.
– which devices causing the traffic
– the type of traffic or
– what data is being transferred.
• Looks at the behaviour of the sessions and looks for
behaviour that is not normal.
17. Session analysis
• An example is once a network has been
compromised, Domain Name Services (DNS) may
be used to exfiltrate data.
https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Wireshark filter: “dns.qry.name.len > 20”
18. Which technique?
• Signature analysis
– can be used to create the alert; then
• Session analysis
– can help investigate the alert further.
20. Log Management
• Logstash
– used to gather data from multiple sources and transform it
for storage.
• Elasticsearch
– distributed, RESTful search and analytics engine.
• Kibana
– Visualisation tool for Elasticsearch and other data sets
https://www.elastic.co/products/
21. Intrusion Detection tools
• Snort
– Intrusion detection system (IDS).
• Suricata
– Intrusion detection system (IDS).
22. Network Monitoring
• Zeek (formerly Bro)
– Network traffic analysis tool
• Sguil
– collection of free software components for Network Security
Monitoring (NSM) and event driven analysis of IDS alerts
• Squert
– web application that is used to query and view event data
stored in a Sguil database.
23. Packet capture
• TCPdump
– command line utility used to capture and analyse packets on
network interfaces.
• Wireshark
– utility used to capture and analyse packets on network
interfaces.
• Cloudshark
– web-based utility used to analyse packet captures.
28. TCPdump command example
# cd /opt/samples/mta
# for capfile in $(ls *.pcap); do tcpdump -nn -r $capfile 'port 53' | grep -Ev
'(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'; done;
Check for plain text passwords in pcap files
# for capfile in $(ls *.pcap); do tcpdump -nn -r $capfile port http or port
ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5
'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=
|password=|pass:|user:|username:|password:|login:|pass |user '; done;
-l = force line buffered mode
-A = include ascii strings from the capture
29. Security Onion
• Linux-based open source network monitoring and
log management toolkit.
• Can be installed as a Virtual Machine (VM) or on a
physical machine.
• Best practice is to use two network interfaces:
1. Management Network
2. Monitored Network
https://securityonion.net