SlideShare a Scribd company logo

Hunting Attackers with Network Audit Trails

Lancope, Inc.
Lancope, Inc.

Sophisticated, targeted attacks have become increasing difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time. Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary. Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic. Lancope will demonstrate how to these records can be used to: Discover active attacks in each phase of the attacker’s “kill chain.” Determine the scope of successful breaches and document the timeline of the attacks

Technology
1 of 33
Download to read offline
HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS Tom Cross tcross@lancope.com 1
WHAT IS DIGITAL FORENSICS? WHAT IS INCIDENT RESPONSE? 2
WHAT IS FORENSICS? 3
Visibility through out the Kill Chain 4 Recon Exploitation (Social Engineering?) Initial Infection Internal Pivot Data Preparation & Exfiltration Command and Control 4© 2013 Lancope, Inc. All rights reserved.
Intrusion Audit Trails 1:06:15 PM: Internal Host Visits Malicious Web Site 1:06:30 PM: Malware Infection Complete, Accesses Internet Command and Control 1:06:35 PM: Malware begins scanning internal network 1:13:59 PM: Multiple internal infected hosts 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious 1:14:00 PM: Administrators manually disconnect the initial infected host Do you know what went on while you were mitigating? 5© 2013 Lancope, Inc. All rights reserved.
Audit Trail Sources • Firewall logs – Are you logging everything or just denies? • Internal & Host IPS systems – HIPS potentially has a lot of breadth – Can be expensive to deploy – Signature based • Log Management Solutions/SIEM – Are you collecting everything? – You can only see what gets logged • Netflow – Lots of breadth, less depth – Lower disk space requirements • Full Packet Capture – Deep but not broad – Expensive – High disk space requirements 6 Tradeoffs: • Record everything vs only bad things • Breadth vs Depth • Time vs Depth • Privacy 6© 2013 Lancope, Inc. All rights reserved.
DMZ VPN Internal Network Internet 3G Internet 3G Internet Tradeoffs
Tradeoffs 8 NetFlow R I C H N E S S Disk Space Required Full Packet Capture 8© 2013 Lancope, Inc. All rights reserved.
NETWORK AUDIT LOG DETECTION 9
10 ©2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution) Realtime Netflow Monitoring
Loss of Protected Data What Can Behavioral NetFlow Analysis Do?
Reveal Recon What Can Behavioral NetFlow Analysis Do?
What can you detect with the audit log? Reveal BotNet Hosts Layer 3 Layer 4 and URL
FORENSIC INVESTIGATIONS USING THE NETWORK AUDIT TRAIL 14
APT1 15
Best Practice – Running Reports in StealthWatch • Always run Flow Traffic or Top reports before the Flow Table for flow queries beyond 1 day to summarize the results and the most efficient processing The Flow Traffic and Top reports are a summary of the flow data and much quicker to process It’s like going fishing in the ocean, you know there are fish in there but if you use a fishing radar you know where to drop your line and pull the fish (data) back from. 16
17 Following IOC Waterhole campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the disclosed site.
18 Following IOC Check host details around that time Suspicious HTTP connections right after contact- good candidate for a drive-by download Suspicious download followed by a reverse SSH shell. Most SSH bytes sent by “client”
19 Following IOC Attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally- look for any other hosts scanning for 445 and 135.
20 Following IOC Since we have uncovered a new IOC (IP address controlling the reverse SSH shell), we Should check to see if that host has touched the network anywhere else. Another host showing a reverse shell
21 SQL Injection Large data transfer from your web server to an outside host was detected
22 SQL Injection Where did the data go?
23 SQL Injection Look for suspicious activity targeting the web server and your DMZ
• IT cannot address insider threat by itself – People have a tendency to think that IT is solely responsible for all computer security issues. • Legal: Are policies in place? Are they realistic? Does legal support IT practices? • HR: Who is coming and going? Who has workplace issues? Are there soft solutions? • IT: Is the privacy of end users adequately protected? • What impact on workplace harmony are policies, monitoring, and enforcement having? • Are you applying policies consistently? Combating Insider Threat is a multidisciplinary challenge 2424© 2013 Lancope, Inc. All rights reserved. IT HR Legal
25 Following the User Sometimes investigations start with user intelligence
26 Following the User
27 Beron’s abnormal disclosure One of your users has uploaded a large amount of data to the internet. Data Theft
28 What did Beron send? Who received it? Data Theft
29 Where could have Beron gotten the data? Data Theft
30 Data Theft
31 Why did Beron do it? Data Theft
The Five W’s • Who did this? – Usernames, IP Addresses • What did they do? – What behavior did they engage in? • Where did they go? – What hosts on my network were accessed? • When? – Have we investigated the full intrusion timeline? • Why? What is their objective? 32
Tom Cross Director of Research, Lancope tcross@lancope.com www.lancope.com @Lancope (company) @netflowninjas (company blog) https://www.facebook.com/Lancope http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about https://plus.google.com/u/0/103996520487697388791/posts http://feeds.feedburner.com/NetflowNinjas

Recommended

Presentation1
Presentation1Presentation1
Presentation1Abhishek Malhotra
 
Bh europe 2013_wilhoit
Bh europe 2013_wilhoitBh europe 2013_wilhoit
Bh europe 2013_wilhoitKyle Wilhoit
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...PROIDEA
 
Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopPriyanka Aash
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Digital Bond
 

Recommended

Presentation1
Presentation1Presentation1
Presentation1Abhishek Malhotra
 
Bh europe 2013_wilhoit
Bh europe 2013_wilhoitBh europe 2013_wilhoit
Bh europe 2013_wilhoitKyle Wilhoit
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...PROIDEA
 
Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopPriyanka Aash
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Digital Bond
 
CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewSam Bowne
 
Snooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSSnooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSPriyanka Aash
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSMarco Gioanola
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...APNIC
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101Mona Arkhipova
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceBrian Pichman
 
Diginotar Hack - Black-tulip
Diginotar Hack - Black-tulipDiginotar Hack - Black-tulip
Diginotar Hack - Black-tulipTheMindSmith
 
DDOS ATTACK - MIRAI BOTNET
DDOS ATTACK - MIRAI BOTNET DDOS ATTACK - MIRAI BOTNET
DDOS ATTACK - MIRAI BOTNET Sukhdeep Singh Sandhu
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of ThingsLohith Haravu Chandrashekar
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Positive Hack Days
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Positive Hack Days
 
Current Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in TaiwanCurrent Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in TaiwanAPNIC
 
Security tools
Security toolsSecurity tools
Security toolsGreater Noida Institute Of Technology
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
 

More Related Content

What's hot

CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewSam Bowne
 
Snooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSSnooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSPriyanka Aash
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksSam Bowne
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSMarco Gioanola
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...APNIC
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101Mona Arkhipova
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceBrian Pichman
 
Diginotar Hack - Black-tulip
Diginotar Hack - Black-tulipDiginotar Hack - Black-tulip
Diginotar Hack - Black-tulipTheMindSmith
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Positive Hack Days
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Positive Hack Days
 
Current Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in TaiwanCurrent Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in TaiwanAPNIC
 

What's hot (20)

CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking Overview
 
Snooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICSSnooping on Cellular Gateways and Their Critical Role in ICS
Snooping on Cellular Gateways and Their Critical Role in ICS
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer Attacks
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoS
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day Conference
 
Diginotar Hack - Black-tulip
Diginotar Hack - Black-tulipDiginotar Hack - Black-tulip
Diginotar Hack - Black-tulip
 
DDOS ATTACK - MIRAI BOTNET
DDOS ATTACK - MIRAI BOTNET DDOS ATTACK - MIRAI BOTNET
DDOS ATTACK - MIRAI BOTNET
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
 
Current Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in TaiwanCurrent Conditions and Challenges of Cybersecurity in Taiwan
Current Conditions and Challenges of Cybersecurity in Taiwan
 
Security tools
Security toolsSecurity tools
Security tools
 

Viewers also liked

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
 
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per SecondAmazon Web Services
 
Definite and Indefinite and Zero Articles
Definite and Indefinite and Zero ArticlesDefinite and Indefinite and Zero Articles
Definite and Indefinite and Zero ArticlesAsmae Azzamouri
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesLancope, Inc.
 
Forbes Middle East - February 2017 - Anghami Coverage
Forbes Middle East - February 2017 - Anghami CoverageForbes Middle East - February 2017 - Anghami Coverage
Forbes Middle East - February 2017 - Anghami CoverageAnghami
 
Deviant behavior
Deviant behaviorDeviant behavior
Deviant behaviorjuvy_pascua
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Lancope, Inc.
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
Creative Out of Home Media
Creative Out of Home MediaCreative Out of Home Media
Creative Out of Home MediaKenton Larsen
 
Deviant behavior
Deviant behaviorDeviant behavior
Deviant behaviorjuvy_pascua
 
Types of Deviance
Types of DevianceTypes of Deviance
Types of DevianceGulzadaaa
 
ゆるく学ぼう!現在のフロントエンドまとめ
ゆるく学ぼう!現在のフロントエンドまとめゆるく学ぼう!現在のフロントエンドまとめ
ゆるく学ぼう!現在のフロントエンドまとめ将一 深見
 
Natural vegetation and wildlife
Natural vegetation and wildlifeNatural vegetation and wildlife
Natural vegetation and wildlifeSaket Jain
 

Viewers also liked (19)

Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
 
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second
(BDT323) Amazon EBS & Cassandra: 1 Million Writes Per Second
 
Budget scenario
Budget scenarioBudget scenario
Budget scenario
 
Definite and Indefinite and Zero Articles
Definite and Indefinite and Zero ArticlesDefinite and Indefinite and Zero Articles
Definite and Indefinite and Zero Articles
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
 
自作GPUへの道
自作GPUへの道自作GPUへの道
自作GPUへの道
 
Forbes Middle East - February 2017 - Anghami Coverage
Forbes Middle East - February 2017 - Anghami CoverageForbes Middle East - February 2017 - Anghami Coverage
Forbes Middle East - February 2017 - Anghami Coverage
 
Deviant behavior
Deviant behaviorDeviant behavior
Deviant behavior
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
TLC de Honduras vigentes y no vigentes
TLC de Honduras vigentes y no vigentesTLC de Honduras vigentes y no vigentes
TLC de Honduras vigentes y no vigentes
 
Creative Out of Home Media
Creative Out of Home MediaCreative Out of Home Media
Creative Out of Home Media
 
Phổ uv vis
Phổ uv visPhổ uv vis
Phổ uv vis
 
Deviant behavior
Deviant behaviorDeviant behavior
Deviant behavior
 
Types of Deviance
Types of DevianceTypes of Deviance
Types of Deviance
 
Deviance
DevianceDeviance
Deviance
 
ゆるく学ぼう!現在のフロントエンドまとめ
ゆるく学ぼう!現在のフロントエンドまとめゆるく学ぼう!現在のフロントエンドまとめ
ゆるく学ぼう!現在のフロントエンドまとめ
 
Natural vegetation and wildlife
Natural vegetation and wildlifeNatural vegetation and wildlife
Natural vegetation and wildlife
 

Similar to Hunting Attackers with Network Audit Trails

Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider ThreatsLancope, Inc.
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.pptKaukau9
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed Great Bay Software
 
Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Threats to network
Threats to networkThreats to network
Threats to networkQ4Points.com
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 

Similar to Hunting Attackers with Network Audit Trails (20)

Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider Threats
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
hacking
hackinghacking
hacking
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
AtlSecCon 2016
AtlSecCon 2016AtlSecCon 2016
AtlSecCon 2016
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Network security basics
Network security basicsNetwork security basics
Network security basics
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
Threats to network
Threats to networkThreats to network
Threats to network
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes
 

More from Lancope, Inc.

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is HereLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointLancope, Inc.
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesLancope, Inc.
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Lancope, Inc.
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Lancope, Inc.
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramLancope, Inc.
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1Lancope, Inc.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 

More from Lancope, Inc. (20)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14Looking for the weird webinar 09.24.14
Looking for the weird webinar 09.24.14
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Hunting Attackers with Network Audit Trails

  • 1. HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS Tom Cross tcross@lancope.com 1
  • 2. WHAT IS DIGITAL FORENSICS? WHAT IS INCIDENT RESPONSE? 2
  • 4. Visibility through out the Kill Chain 4 Recon Exploitation (Social Engineering?) Initial Infection Internal Pivot Data Preparation & Exfiltration Command and Control 4© 2013 Lancope, Inc. All rights reserved.
  • 5. Intrusion Audit Trails 1:06:15 PM: Internal Host Visits Malicious Web Site 1:06:30 PM: Malware Infection Complete, Accesses Internet Command and Control 1:06:35 PM: Malware begins scanning internal network 1:13:59 PM: Multiple internal infected hosts 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious 1:14:00 PM: Administrators manually disconnect the initial infected host Do you know what went on while you were mitigating? 5© 2013 Lancope, Inc. All rights reserved.
  • 6. Audit Trail Sources • Firewall logs – Are you logging everything or just denies? • Internal & Host IPS systems – HIPS potentially has a lot of breadth – Can be expensive to deploy – Signature based • Log Management Solutions/SIEM – Are you collecting everything? – You can only see what gets logged • Netflow – Lots of breadth, less depth – Lower disk space requirements • Full Packet Capture – Deep but not broad – Expensive – High disk space requirements 6 Tradeoffs: • Record everything vs only bad things • Breadth vs Depth • Time vs Depth • Privacy 6© 2013 Lancope, Inc. All rights reserved.
  • 8. Tradeoffs 8 NetFlow R I C H N E S S Disk Space Required Full Packet Capture 8© 2013 Lancope, Inc. All rights reserved.
  • 9. NETWORK AUDIT LOG DETECTION 9
  • 10. 10 ©2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution) Realtime Netflow Monitoring
  • 11. Loss of Protected Data What Can Behavioral NetFlow Analysis Do?
  • 12. Reveal Recon What Can Behavioral NetFlow Analysis Do?
  • 13. What can you detect with the audit log? Reveal BotNet Hosts Layer 3 Layer 4 and URL
  • 14. FORENSIC INVESTIGATIONS USING THE NETWORK AUDIT TRAIL 14
  • 16. Best Practice – Running Reports in StealthWatch • Always run Flow Traffic or Top reports before the Flow Table for flow queries beyond 1 day to summarize the results and the most efficient processing The Flow Traffic and Top reports are a summary of the flow data and much quicker to process It’s like going fishing in the ocean, you know there are fish in there but if you use a fishing radar you know where to drop your line and pull the fish (data) back from. 16
  • 17. 17 Following IOC Waterhole campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the disclosed site.
  • 18. 18 Following IOC Check host details around that time Suspicious HTTP connections right after contact- good candidate for a drive-by download Suspicious download followed by a reverse SSH shell. Most SSH bytes sent by “client”
  • 19. 19 Following IOC Attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally- look for any other hosts scanning for 445 and 135.
  • 20. 20 Following IOC Since we have uncovered a new IOC (IP address controlling the reverse SSH shell), we Should check to see if that host has touched the network anywhere else. Another host showing a reverse shell
  • 21. 21 SQL Injection Large data transfer from your web server to an outside host was detected
  • 23. 23 SQL Injection Look for suspicious activity targeting the web server and your DMZ
  • 24. • IT cannot address insider threat by itself – People have a tendency to think that IT is solely responsible for all computer security issues. • Legal: Are policies in place? Are they realistic? Does legal support IT practices? • HR: Who is coming and going? Who has workplace issues? Are there soft solutions? • IT: Is the privacy of end users adequately protected? • What impact on workplace harmony are policies, monitoring, and enforcement having? • Are you applying policies consistently? Combating Insider Threat is a multidisciplinary challenge 2424© 2013 Lancope, Inc. All rights reserved. IT HR Legal
  • 25. 25 Following the User Sometimes investigations start with user intelligence
  • 27. 27 Beron’s abnormal disclosure One of your users has uploaded a large amount of data to the internet. Data Theft
  • 28. 28 What did Beron send? Who received it? Data Theft
  • 29. 29 Where could have Beron gotten the data? Data Theft
  • 31. 31 Why did Beron do it? Data Theft
  • 32. The Five W’s • Who did this? – Usernames, IP Addresses • What did they do? – What behavior did they engage in? • Where did they go? – What hosts on my network were accessed? • When? – Have we investigated the full intrusion timeline? • Why? What is their objective? 32
  • 33. Tom Cross Director of Research, Lancope tcross@lancope.com www.lancope.com @Lancope (company) @netflowninjas (company blog) https://www.facebook.com/Lancope http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about https://plus.google.com/u/0/103996520487697388791/posts http://feeds.feedburner.com/NetflowNinjas