Applied Detection and Analysis Using Network Flow Data

Similar documents
Network Profiling Using Flow

Network Analysis with isilk

Flow Based Traffic Analysis

Wireshark Developer and User Conference

Missing the Obvious: Network Security Monitoring for ICS

Scalable Extraction, Aggregation, and Response to Network Intelligence

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

FlowViewer. Maintaining NASA s Earth Science Traffic Situational Awareness

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

NFSEN - Update 13th TF-CSIRT Meeting 23. September 2004 Malta Peter Haag

Connecting North Carolina s Future Today. Application Monitoring: ClassScape Case Study. NCSU Centennial Networking Lab

More Netflow Tools: For Performance and Security

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Network Monitoring and Management NetFlow Overview

Introduction to Netflow

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Netflow Collection with AlienVault Alienvault 2013

NfSen Plugin Supporting The Virtual Network Monitoring

Network Monitoring for Cyber Security

$100 SiLK Network Flow Sensor

Analyzing large flow data sets using. visualization tools. modern open-source data search and. FloCon Max Putas

Overview of Network Traffic Analysis

Fluke Networks NetFlow Tracker

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Network Management & Monitoring

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Ixia xstream TM 10. Aggregation, Filtering, and Load Balancing for qgbe/10gbe Networks. Aggregation and Filtering DATA SHEET

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Network Security Monitoring

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

Overview - Using ADAMS With a Firewall

Flow Visualization Using MS-Excel

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

Protographs: Graph-Based Approach to NetFlow Analysis. Jeff Janies RedJack FloCon 2011

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

NetFlow Auditor Manual Getting Started

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Get Your FIX: Flow Information export Analysis and Visualization

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Indexing Full Packet Capture Data With Flow

NFQL: A Tool for Querying Network Flow Records [6]

Network Monitoring Comparison

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

An overview of traffic analysis using NetFlow

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Data Analysis Load Balancer

INTRODUCTION TO FIREWALL SECURITY

and reporting Slavko Gajin

Structured Threats 21 External Threats 22 Internal Threats 22 Network Attacks 22 Reconnaissance Attacks 22 Access Attacks 23 Data Retrieval 23 System

Analysis of a DDoS Attack

Using Argus to analyse network flows. David Ford OxCERT Oxford University Computer Services

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Network Security Monitoring

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Internet Management and Measurements Measurements

NetFlow FlowAnalyzer Overview

The Value of Flow Data for Peering Decisions

Overview - Using ADAMS With a Firewall

Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

Flow Monitor for WhatsUp Gold v16.2 User Guide

Network Probe. Figure 1.1 Cacti Utilization Graph

UKCMG Industry Forum November 2006

What happens when you use nmap or a fuzzer on an ICS?

Netflow Overview. PacNOG 6 Nadi, Fiji

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Using The Paessler PRTG Traffic Grapher In a Cisco Wide Area Application Services Proof of Concept

Lab Characterizing Network Applications

Network Metrics Content Pack for VMware vrealize Log Insight

Intrusion Detection in AlienVault

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Network security Exercise 10 Network monitoring

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Edge Configuration Series Reporting Overview

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Policy Based Forwarding

Traffic Monitoring : Experience

Flow Monitor for WhatsUp Gold v16.1 User Guide

Network Forensics Network Traffic Analysis

PANDORA FMS NETWORK DEVICES MONITORING

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

TITANXR Multi-Switch Management Software

NetFlow Analytics for Splunk

Intrusion Detection Systems (IDS)

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Flexible Web Visualization for Alert-Based Network Security Analytics

Nfsight: NetFlow-based Network Awareness Tool

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

AppSec DC November 13, The OWASP Foundation Custom Intrusion Detection Techniques for Monitoring Web Applications

Network Traffic Analysis using HADOOP Architecture. Zeng Shan ISGC2013, Taibei

ΕΠΛ 674: Εργαστήριο 5 Firewalls

How To Identify Different Operating Systems From A Set Of Network Flows

Configuring Static and Dynamic NAT Simultaneously

Monitoring Load Balancing in the 10G Arena: Strategies and Requirements for Solving Performance Challenges

Monitoring and analyzing audio, video, and multimedia traffic on the network

Features Overview Guide About new features in WhatsUp Gold v14

Transcription:

Applied Detection and Analysis Using Network Flow Data Chris Sanders and Jason Smith TAP Intel-Based Detection Mandiant, a FireEye Company Chris Sanders Christian & Husband Kentuckian and South Carolinian MS, GSE, et al. Non-Profit Director BBQ Pit Master 2

Jason Smith Kentuckian Car Aficionado Raspberry Pi enthusiast Junkyard Engineer 3 Applied Network Security Monitoring This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program. Written by analysts, for analysts. - Amazon Reviewers 4

Agenda Flow Data! Why it s important How you can collect it What you can do with it Tools that can help Why/How to use Flow Data in NSM/IR 5 Network Security Monitoring The collection, detection, and analysis of network security data. The goal of NSM is escalation, or to declare that an incident has occurred so that incident response can occur. Network Security Monitoring Incident Response 6

The NSM Cycle Collection Analysis Detection 7 Evolution of NSM Emphasis Past Detection Era Present Collection Era Future Analysis Era 8

NSM/IR Challenges of the Present We All Want Full PCAP Collection Easy to Capture / Filter Stream Data Detection Major Detection Tools are PCAP Oriented Analysis Gives us Who, Where, When, and What 9 NSM/IR Challenges of the Present But, It s not Feasible for Every Goal Collection Not Scalable for Extended Retention Detection Not Ideal of Hunting / Rapid Pivoting Analysis Not a Great Starting Point 10

Full PCAP vs. Flow Data PCAP Data Flow Data 11 Flow Data Often Called Flow / Session / NetFlow Summary of Network Communications Aggregated Record of Packets Gives Us Who, Where, When Based on the 5-tuple + Timing/Data Stats Source IP Source Port Dest IP Dest Port Protocol 192.168.5.1 48293 8.8.8.8 53 UDP Start Time End Time Bytes 2014/09/22T00:03:58.756 2014/09/22T00:04:58.756 76 12

Flow Data Example stime sip dport dip dport pro bytes 2014/09/22T00:03:58.756 10.10.120.1 53 10.1.179.5 53 17 72 2014/09/22T00:03:58.999 10.10.120.1 53 10.1.188.5 53 17 89 2014/09/22T00:08:59.012 10.10.120.1 53 10.1.179.5 53 17 72 2014/09/22T00:08:59.466 10.10.120.1 53 10.1.188.5 53 17 89 2014/09/22T00:03:58.756 10.10.120.1 53 10.1.179.5 53 17 72 2014/09/22T00:03:58.999 10.10.120.1 53 10.1.188.5 53 17 89 2014/09/22T00:08:59.012 10.10.120.1 53 10.1.179.5 53 17 72 2014/09/22T00:08:59.466 10.10.120.1 53 10.1.188.5 53 17 89 13 Building Flow Records Records are Defined by Unique 5-tuples Data is added to the 5-tuple Record until a termination condition is met. 14

Flow Record Termination Conditions Natural Timeout End of communication per protocol (ex. TCP RST/FIN) Idle Timeout No data received for 30 seconds Active Timeout Thirty minute max timeout (configurable) 15 Collection with Flow Data

Generating Flow Data Generation Routers Sensors Fprobe YAF Multiple Types: NetFlow (v5,v9) IPFIX jflow More 17 Collecting Flow Data Popular Platforms Argus + Reliable + Fast Collection - Not Well Supported NFDump + Easy to Setup and Use - Not in Wide Use SiLK + Exceptional Analysis Tools - More Involved Setup 18

SiLK The System for Internet-Level Knowledge CERT NetSA Team Two Major Components: Packing Suite Collection and parsing of flow data Analysis Suite Filter, display, sort, count, group, mate, and more Excellent Documentation & Community https://tools.netsa.cert.org/silk/docs.html 19 SiLK Collection Architecture 20

SiLK What You Need Flow Sources Hardware: Routers, Switches Software: YAF, fprobe SiLK Server Rwflowpack Will also have SiLK analysis suite installed Analyst Workstation Access SiLK server directly Locally mirrored database 21 SiLK Analysis Suite rwfilter - Filters through data based on conditions. rwcut - Converts flow binary data to a human readable format. rwstats - Generates statistics from flow data rwcount - Summarizes total network traffic over time 22

SiLK Analysis rwfilter / rwcut (1) Display all records from the beginning the current day until the current time: rwfilter --type=all --proto=0-255 --pass=stdout rwcut 23 SiLK Analysis rwfilter / rwcut (2) Display all records of communication to or from Chinese IP addresses over a specific week to one local CIDR range: rwfilter --type=all --start-date=2014/08/01 --enddate=2014/08/07 --any-address=192.168.1.0/24 --any-cc=cn --pass=stdout rwcut -- fields=stime,sip,dip,sport,dport,type 24

SiLK Analysis rwstats (1) Display statistics for the total amount of bytes transferred by protocol (top 10): rwfilter --type=all --proto=0-255 --pass=stdout rwstats --top --count=10 --fields=proto -- value=bytes 25 SiLK Analysis rwstats (2) Show the top 10 sip,dip pairs for valid conversations (top 10) rwfilter --type=all --proto=0-255 --packets=4, -- pass=stdout rwstats --top --count=10 -- fields=sip,dip --value=bytes 26

SiLK Analysis rwstats (3) Show the top 10 outbound destination country codes by records: rwfilter --type=out,outweb --proto=0-255 -- pass=stdout rwstats --top --count=10 --fields=dcc 27 SiLK Analysis Real World Examples Rwstats to discover potential ZeroAccess victims rwfilter --type=all --dport=16464,16465,16470,16471 -- pass=stdout rwstats --top --fields=sip -- value=distinct:dcc --threshold=3 28

SiLK Analysis Real World Examples Discovering outbound data to applications using nonstandard ports. rwfilter Sampledata/sample.rw \ --plugin=app-mismatch.so \ --type=out,outweb --proto=6 \ --sport=1024- \ --packets=4- \ --flags-initial=s/surfpace \ --pass=stdout \ rwstats --fields=application,dport --count=100 \ --distinct:dport 29 Collecting Intelligence Data Friendly Intelligence Gathering Identify Services on the Network Identify Normal Behaviors of Hosts Identify Friends and Family Friends: Who a host communicates with outside the network Family: Who a host communicates with inside the network 30

Identifying Services Identify SSH Servers rwfilter --type=out --protocol=6 --packets=4- - -ack-flag=1 --sport=22 --pass=stdout rwcut -- fields=sip Identify Web Servers rwfilter --type=outweb --protocol=6 -- packets=4- --ack-flag=1 --sport=80,443,8080 -- pass=stdout rwcut --fields=sip 31 Identifying Friends and Family Identify Friends rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout rwfilter --input-pipe=stdin -- dcidr=192.168.0.0/24 --fail=stdout Identify Family rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout rwfilter --input-pipe=stdin -- dipset=local --fail=stdout 32

Detection with Flow Data Flow for Detection Signature- Based Reputation- Based Behavior- Based Statistics- Based 34

FlowPlotter Generates Visualizations from the Output of Flow Tools Useful for Detection-Oriented Statistics Written in BASH Flexible/Tweakable/Minimal Free/Open Source - Maintained in GitHub Browser Independent 35 FlowPlotter - GeoMap rwfilter../sampledata/sample.rw --dcc=us,cn,-- --fail=stdout./flowplotter.sh geomap dcc bytes > geomap.html 36

FlowPlotter - LineChart rwfilter --type=all --proto=0-255 --pass=stdout./flowplotter.sh linechart 600 bytes > linechart.html 37 FlowPlotter - TreeMap rwfilter../sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=out --pass=stdout./flowplotter.sh treemap dip records > treemap.html 38

FlowPlotter - Pie/Bar/Column Chart rwfilter../sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=all --pass=stdout./flowplotter.sh piechart dip bytes > piechart.html 39 FlowPlotter - BubbleChart rwfilter../sampledata/sample.rw --type=all --proto=0-255 -- pass=stdout./flowplotter.sh bubblechart sip > bubblechart.html 40

FlowPlotter - Timeline rwfilter --proto=0- --type=out --sport=41142 --pass=stdout./flowplotter.sh timeline dip sip > timeline.html 41 FlowPlotter - Force Directed rwfilter../sampledata/sample.rw --scc=kr --proto=0- --type=all -- pass=stdout./flowplotter.sh forceopacity sip dip distinct:dport 100 > forcetest.html 42

FlowPlotter - AssetDiscovery rwfilter../sampledata/sample.rw --proto=0- --type=all --pass=stdout./flowplotter.sh assetdiscovery > assettest.html 43 Analysis with Flow

Flow in Analysis PCAP Only Validate Signature TP < 1% Scoping Relevant Time Range 5% Find Related Events in Time Range 10% Reduce Data Set 35% Analyze / Make Decisions ~ 50% * Based on the First Hour of Analysis 45 Flow in Analysis - Improved Validate Signature TP < 1% Scoping Relevant Time Range 5% Find Related Events in Time Range 10% Expand Data Set as Needed 5% Analyze / Make Decisions ~ 80% * Based on the First Hour of Analysis 46

Flow Barriers to Entry Be Prepared to Look at a LOT of Line-Based Data Very Command Line Oriented Not Welcoming to Junior-Level Analysts Hard to Display/Interpret Data Visually 47 SiLK Data Output 48

49 Flow Basic Analysis Tool Graphical Front-End to SiLK Easy Two-Step Install on SiLK Capable Box Install Locally to SiLK Box Install Remotely and Interact via SSH w/ Keys Rapid Pivoting Between Data Graphing Ability By Analysts, for Analysts 50

Getting Data with FlowBAT (CLI Mode) 51 Getting Data with FlowBAT (Guided Mode) 52

Manipulating FlowBAT Data 53 Pivoting with FlowBAT Data 54

Generating Stats with FlowBAT 55 Generating Stats with FlowBAT 56

Conclusion Flow Data is Underused and Underrated Easy to Collect, Enhances Detection & Analysis Minimal Barriers to Entry SiLK (Easy to Install on SO) Argus (Already Installed on SO) Bro (Already Installed on SO) 57 Thanks Folks! Questions? Chris Sanders chris@chrissanders.org Jason Smith jason.smith.webmail@gmail.com Blog / Book http://www.appliednsm.com FlowPlotter http://www.github.com/automayt/flowplotter/ FlowBAT http://www.flowbat.com 58

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information