You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers

When you suspect an attack, you need to answer the questions who, what, when and how, and answer them fast. Network forensics is the answer. In this webinar, you'll learn from our special guest, Keatron Evans, how network forensics (network traffic recording combined with powerful search and analysis tools) can enable your in-house security team to track down, verify, and characterize attacks. Keatron will walk you through a few real-world security breach scenarios and demonstrate live best practices for attack analysis, using network forensics to find the proof you need quickly so you can take action.

Special Guest: Keatron Evans:
Keatron, one of the two lead authors of "Chained Exploits: Advanced Hacking Attacks From Start to Finish", is regularly engaged in training and consulting for members of the United States intelligence community, military, and federal law enforcement agencies. Keatron specializes in penetration testing, network forensics, and malware analysis. He serves as Senior Security Researcher and Principal of Blink Digital Security, which performs penetration tests and forensics for government and corporations.

  1. www.wildpackets.com © WildPackets, Inc.
     You Suspect a Security Breach: Network Forensic Analysis Gives You the Answers
     December 2014
     Keatron Evans, Senior Security Researcher, Principal of Blink Digital Security
  2. Administration
     • All callers are on mute
       ‒ If you have problems, please let us know via the Chat window
     • There will be Q&A
       ‒ Feel free to type a question at any time
     • Slides and recording will be available
       ‒ Notification within 48 hours via a follow-up email
  3. Agenda
     • The Bad Guys Are Winning
     • Security Attack Analysis with Network Forensics
  4. The Bad Guys Are Winning
  5. “The Bad Guys Are Winning”*
     • Cyber espionage up 3X
     • Insiders stealing intellectual property
     • Average time in 2012 to discover and resolve a data breach: 123 days
     • 86% of security professionals consider incident detection time too slow
     * Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report
  6. Challenges
     • IDS/IPS and other tools raise alerts
     • But security teams need details
       ‒ Who, what, where, when
       ‒ Answers require network visibility
     • Network visibility declining overall
       ‒ Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
       ‒ The market trend toward high-level statistics such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics
  7. WildPackets Attack Analysis
     • Benefits
       ‒ Give security teams evidence and insight
         • A comprehensive record of network activity
         • Powerful search and filtering tools for zeroing in on anomalies and attack details
       ‒ Enable security teams to act quickly
         • Find proof of attacks
         • Characterize attacks and stop them
       ‒ Who, what, where, when
     • Solution: Packet Capture + Network Forensics
       ‒ Record, store, and analyze traffic
       ‒ Uncover and understand attacks so they can be stopped
       ‒ Tools include deep packet inspection, searches, filters, graphs, etc.
     Full visibility into everything going in and out of your network
  8. Network Forensics in Action
  9. Most Common Breaches
     • User action, e.g. visiting a malicious website
     • Downloading malicious files
     • Web application attacks (SQL injection, CSRF, etc.)
  10. Network Forensics
     • Find needles in haystacks by removing all the hay.
     • Once the needles are found, put “some” hay back to gain context (what, when, where, how).
     • Put together the pieces.
     • Operating systems and host-based forensics tools can be made to lie (anti-forensics techniques, rootkits).
     • Packets always tell the truth.
  11. Timeline of Events
     • Something has happened!
       ‒ FireEye
       ‒ BlueCoat
       ‒ Cisco IDS/IPS
     • What has happened and where’s the evidence?
       ‒ Omnipeek and OmniPliances
       ‒ Custom scripts
     • Let’s examine the evidence in detail and keep this from happening again.
       ‒ IDA Pro
       ‒ Malware reverse engineering
       ‒ File and data analysis
  12. What I’ll demonstrate
     • Rootkit being used for covert exfiltration
     • Web server being taken over by SQL injection
     • Then forensics on both using just packet data (pcaps) and Omnipeek
  13. Summary
     • We need to stop the “Bad Guys” from winning.
       ‒ Improve capability to investigate attacks.
     • Attack Analysis = Packet Capture + Network Forensics
       ‒ Provides comprehensive evidence of all attack activity within a set period.
       ‒ Provides an irrefutable record of user, network, and application activity, including transactions.
       ‒ Enables security teams to characterize and trace attacks.
     • WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
       ‒ Complements the existing security toolset with high-performance network recording, storage, and analysis.
  14. Q&A. Thank You!
     WildPackets, Inc., 1340 Treat Boulevard, Suite 500, Walnut Creek, CA 94597, (925) 937-3200
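The "remove the hay, find the needles, put some hay back" workflow from slide 10, applied to the covert-exfiltration scenario of slide 12, as an added example that is not WildPackets' or Keatron Evans' code. It runs over a constructed flow table of the kind a forensics tool exports from a pcap; the 10.0.0.0/8 LAN range, the flow tuple layout and every address and timestamp are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed address space of the monitored LAN

# Constructed flow summaries (epoch seconds, src, dst, dst_port, bytes_out), the kind
# of table a forensics tool exports from a pcap. Not the webinar's own captures.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 443, 1400),
    (1005, "10.0.0.7", "10.0.0.2", 53, 80),
    (1012, "10.0.0.7", "198.51.100.20", 80, 900),
    (1055, "10.0.0.5", "10.0.0.3", 445, 250000),  # big SMB pull right before a beacon
    (1061, "10.0.0.5", "10.0.0.2", 53, 75),
    (1062, "10.0.0.5", "203.0.113.9", 443, 1400),
    (1119, "10.0.0.5", "203.0.113.9", 443, 1400),
    (1130, "10.0.0.9", "198.51.100.20", 80, 3100),
    (1131, "10.0.0.9", "198.51.100.20", 80, 3100),  # quick burst, not a beacon
    (1135, "10.0.0.9", "198.51.100.20", 80, 3100),
    (1181, "10.0.0.5", "203.0.113.9", 443, 1400),
    (1300, "10.0.0.5", "10.0.0.2", 53, 75),
]

def remove_hay(flows):
    """Step 1: keep only traffic leaving the LAN; intra-LAN chatter is hay."""
    return [f for f in flows if ip_address(f[1]) in INTERNAL_NET and ip_address(f[2]) not in INTERNAL_NET]

def find_needles(flows, min_hits=3, jitter=5, min_period=30):
    """Step 2: flag (src, dst, port) tuples that recur at a near-constant interval."""
    by_conv = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_conv[(src, dst, port)].append(ts)
    needles = []
    for conv, times in by_conv.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps)
        # even gaps alone also match a quick page-load burst; min_period rules those out
        if max(gaps) - min(gaps) <= jitter and period >= min_period:
            needles.append((conv, len(times), round(period)))
    return needles

def add_context(flows, needle, window=30):
    """Step 3: put some hay back: everything the source host did around each beacon."""
    (src, dst, port), _, _ = needle
    beacons = [f[0] for f in flows if f[1:4] == (src, dst, port)]
    return [f for f in flows if f[1] == src and any(abs(f[0] - b) <= window for b in beacons)]
```

With the sample data, the only needle is 10.0.0.5 beaconing to 203.0.113.9:443 roughly every 60 seconds, and the context step surfaces the 250 KB SMB transfer from the file server seconds before one of the beacons.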
