Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time.
Gartner estimates that 85% of breaches go completely undetected and that 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary.
Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic.
Lancope will demonstrate how these records can be used to:
Discover active attacks in each phase of the attacker’s “kill chain.”
Determine the scope of successful breaches and document the timeline of the attacks.
16. Best Practice – Running Reports in StealthWatch
• Always run Flow Traffic or Top reports before the Flow Table for flow queries spanning more than 1 day. They summarize the results and give the most efficient processing.
• The Flow Traffic and Top reports are a summary of the flow data and are much quicker to process than a full Flow Table query.
• It’s like going fishing in the ocean: you know there are fish in there, but with a fishing radar you know where to drop your line and pull the fish (data) back from.
17. Following IOC
A waterhole campaign targeting your industry has been publicly disclosed.
A quick search of your network audit trail reveals an internal host that accessed the disclosed site.
18. Following IOC
Check the host’s details around that time.
Suspicious HTTP connections right after the contact: a good candidate for a drive-by download.
Suspicious download followed by a reverse SSH shell. Most SSH bytes were sent by the “client”: in an ordinary interactive SSH login the server sends most of the bytes (screen output) and the client sends keystrokes, so an outbound SSH connection where the internal “client” is the heavy sender points to the internal host serving a shell (or pushing data) to the outside.
19. Following IOC
The attacker recons your network. Investigate any hosts contacted by the compromised host.
Additionally, look for any other hosts scanning for TCP 445 (SMB) and 135 (MS-RPC endpoint mapper): many distinct internal destinations on those ports with very few bytes per flow.
20. Following IOC
Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check whether that host has touched the network anywhere else.
The search turns up another internal host showing a reverse shell to the same controller.
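The four “Following IOC” slides above describe one investigation: find who contacted the disclosed site, look at that host’s flows right after the contact, flag the reverse SSH shell by its byte asymmetry, look for 445/135 scanning, then pivot on the controller IP to find other victims. The script below is an added example, not Lancope or StealthWatch code, that runs that same pivot over constructed NetFlow-style records; every IP address, timestamp, byte count and threshold in it is made up for illustration and should be tuned to your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real data). Fields: start time, client (src),
# server (dst), destination port, bytes client->server, bytes server->client.
FLOWS = [
    ("2014-03-10 09:02:10", "10.1.5.23", "203.0.113.40", 80, 900, 52000),       # contact with the disclosed waterhole site
    ("2014-03-10 09:02:41", "10.1.5.23", "198.51.100.9", 80, 700, 410000),      # large HTTP download right after: drive-by candidate
    ("2014-03-10 09:03:30", "10.1.5.23", "198.51.100.77", 22, 1800000, 90000),  # SSH where the "client" sends most bytes
    ("2014-03-10 09:40:00", "10.1.5.23", "10.1.5.1", 445, 120, 0),              # tiny flows to many internal peers: recon
    ("2014-03-10 09:40:01", "10.1.5.23", "10.1.5.2", 445, 120, 0),
    ("2014-03-10 09:40:02", "10.1.5.23", "10.1.5.3", 135, 120, 0),
    ("2014-03-10 09:40:03", "10.1.5.23", "10.1.5.4", 445, 120, 0),
    ("2014-03-10 09:40:04", "10.1.5.23", "10.1.5.5", 135, 120, 0),
    ("2014-03-10 09:40:05", "10.1.5.23", "10.1.5.6", 445, 120, 0),
    ("2014-03-10 10:10:00", "10.1.8.14", "10.1.8.200", 22, 4000, 260000),       # ordinary admin SSH: server sends most bytes
    ("2014-03-10 11:15:00", "10.1.7.88", "198.51.100.77", 22, 650000, 40000),   # second host talking to the same controller
    ("2014-03-10 11:30:00", "10.1.7.88", "10.1.6.50", 445, 9000, 120000),       # one real file-share session, not a scan
]


def parse_flows(records):
    """Turn the constructed tuples into dicts with a datetime start."""
    return [{"start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), "src": src,
             "dst": dst, "dport": dport, "bytes_out": out_b, "bytes_in": in_b}
            for start, src, dst, dport, out_b, in_b in records]


def hosts_that_contacted(flows, ioc_ip):
    """Slide 17: which internal hosts touched the disclosed site."""
    return sorted({f["src"] for f in flows if f["dst"] == ioc_ip})


def flows_from_host_after(flows, host, since, minutes):
    """Slide 18: the host's activity in a window after the contact."""
    end = since + timedelta(minutes=minutes)
    return [f for f in flows if f["src"] == host and since <= f["start"] <= end]


def download_candidates(flows, min_bytes=100000):
    """Slide 18: HTTP flows that pulled a large body from the server."""
    return sorted({f["dst"] for f in flows if f["dport"] == 80 and f["bytes_in"] >= min_bytes})


def reverse_shell_candidates(flows, ratio=2):
    """Slide 18 heuristic: SSH where the nominal client sends most of the bytes.
    An interactive login mostly receives output, so a client pushing far more
    than it receives suggests the 'server' end is really the operator."""
    return [f for f in flows if f["dport"] == 22 and f["bytes_out"] > ratio * max(f["bytes_in"], 1)]


def scanners(flows, ports=(445, 135), min_targets=5, max_bytes=500):
    """Slide 19: hosts touching many distinct peers on 445/135 with tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in ports and f["bytes_out"] + f["bytes_in"] <= max_bytes:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def pivot_on_controller(flows, controller_ip):
    """Slide 20: any other host with a reverse shell to the same controller."""
    return sorted({f["src"] for f in reverse_shell_candidates(flows) if f["dst"] == controller_ip})


def investigate(records, waterhole_ip, window_minutes=10):
    """Run the whole pivot and return what an analyst would want to write up."""
    flows = parse_flows(records)
    report = {"patient_zero": [], "downloads": [], "controllers": set(),
              "scanners": {}, "also_compromised": []}
    for host in hosts_that_contacted(flows, waterhole_ip):
        first = min(f["start"] for f in flows if f["src"] == host and f["dst"] == waterhole_ip)
        after = flows_from_host_after(flows, host, first, window_minutes)
        report["patient_zero"].append(host)
        report["downloads"].extend(download_candidates(after))
        report["controllers"].update(f["dst"] for f in reverse_shell_candidates(after))
    report["scanners"] = scanners(flows)
    for c2 in sorted(report["controllers"]):
        for h in pivot_on_controller(flows, c2):
            if h not in report["patient_zero"]:
                report["also_compromised"].append(h)
    report["controllers"] = sorted(report["controllers"])
    return report


if __name__ == "__main__":
    for key, value in investigate(FLOWS, "203.0.113.40").items():
        print(f"{key}: {value}")
```

The byte-asymmetry and scan thresholds are the interesting part: a large `scp` upload or a backup job will also trip the SSH ratio, and a vulnerability scanner or SCCM server will trip the 445/135 rule, so in practice you whitelist known heavy senders and known scanners and treat the rest as leads to check against host details, not as verdicts.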
32. The Five W’s
• Who did this?
– Usernames, IP Addresses
• What did they do?
– What behavior did they engage in?
• Where did they go?
– What hosts on my network were accessed?
• When?
– Have we investigated the full intrusion timeline?
• Why? What is their objective?
33. Tom Cross
Director of Research, Lancope
tcross@lancope.com
www.lancope.com
@Lancope (company)
@netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas