Invisible attacks visible in your network. How to see and follow the tracks?


Transcription:

Invisible attacks visible in your network. How to see and follow the tracks?
Jochen Belke, Regional Technical Director at Lancope, CISSP
Mariusz Sawczuk, Manager of Technical Sales Support Team at Sevenet

Agenda
Part 1: Invisible threat
Part 2: Network as a source of information
Part 3: Detection and telemetry
Part 4: Live Demo

Part 1 Invisible threat

Invisible threat: Anatomy of an APT attack (diagram: a compromised web server and a callback server on the Internet, the firewall, IPS, DMZ and data centre servers inside)
0. Reconnaissance: scanning; social engineering via Facebook, LinkedIn, etc.; dummy attacks, DDoS
1. Exploitation: 0-day vulnerability; obfuscated JavaScript code; weaponized PDF file
2. Dropper: xor or packer
3. Command and control: blogs, well-known web pages
4. Data loss: using outbound port 443 (SSL)
5. Malware propagation

Invisible threat: Phase 1 - Exploit. The web browser executes obfuscated JavaScript hidden in the raw HTML. The exploit uses a vulnerability in the web browser.

Invisible threat: Phase 1 - Exploit. The exploit has performed a heap-spray attack and exploits a vulnerability in the web browser. It has manipulated the memory space reserved for the application and the files that it opens. The exploit code now tells the system to download a new file.

Invisible threat: Phase 2 - Dropper. A decoded (xor) binary file; the decode key is contained within the shellcode of the exploit. Legacy security never saw it coming. When the xor decode key is applied, the random-looking binary becomes an executable file, and since the host is compromised, it is easy to get this file to run.

Invisible threat: Invisible techniques
Exploit: obfuscated JavaScript code; heap spray; weaponized PDF file; code injection; process migration
Dropper (binary/executable): xor or packer
Callbacks: blogs, well-known web pages
Data loss: using outbound port 443 (SSL)

How to see invisible threats and follow the tracks?

Part 2 Network as a source of information

Network: The source of information (diagram: NetFlow exported from devices throughout the network - 3560-X and 3850 stacks at the access layer, Cat4k and Cat6k, 3925 ISR and ASR-1000 on the WAN, the ASA at the Internet edge with the DMZ, and UCS with Nexus 1000v in the data centre - across the San Jose, New York and Atlanta sites)

Network: NetFlow
NetFlow v9 offers 160+ fields to choose from, including IPv6 and payload sections.

Network: NetFlow. NetFlow has many versions.
Version: V5
  Major advantage: defines 18 exported fields; simple and compact format; most commonly used format
  Limits/weaknesses: IPv4 only; fixed fields, fixed-length fields only; single flow cache
Version: V9
  Major advantage: template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP next-hop supported; defines 104 fields, including L2 fields; reports flow direction
  Limits/weaknesses: IPv6 flows transported in IPv4 packets; fixed-length fields only; uses more memory; slower performance; single flow cache
Version: Flexible NetFlow (FNF)
  Major advantage: template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
  Limits/weaknesses: less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume
Version: IP Flow Information Export (IPFIX), AKA NetFlow V10
  Major advantage: standardized (RFC 5101, 5102, 6313); supports variable-length fields and NBAR2; can export flows via IPv4 and IPv6 packets
  Limits/weaknesses: even less common; only supported on a few Cisco platforms
Version: NSEL (ASA only)
  Major advantage: built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting
  Limits/weaknesses: missing many standard fields; limited support by collectors

Network: Configuring Flexible NetFlow
1. Configure the exporter
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the flow record
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes
3. Configure the flow monitor
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record
4. Apply to an interface
   Router(config)# interface s3/0
   Router(config-if)# ip flow monitor my-monitor input

Network: Switch flow record configuration
!
flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match datalink mac source-vlan-id
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

Network: Router flow record configuration
!
flow record CYBER_ISR_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!

Network: Firewall (ASA) NSEL configuration
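The exporter, record and monitor configured above produce template-based NetFlow v9 exports (the format the version table describes). As an added example that is not from the slides or from any Cisco or Lancope code, here is a minimal collector-side parser in Python that learns a template flowset and decodes the data flowset that follows it; the field type numbers are from RFC 3954, while template id 256, the addresses and the byte count in the sample packet are constructed values.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954) used by the constructed template below
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def decode_field(ftype, raw):
    """Render IPv4 address fields as dotted quads, everything else as an integer."""
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one NetFlow v9 packet: template flowsets (id 0) are remembered in `templates`
    keyed by (source_id, template_id); data flowsets (id >= 256) need a known template."""
    version, _, _, _, _, source_id = struct.unpack("!HHIIII", packet[:20])
    assert version == 9, "not a NetFlow v9 packet"
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body, off = packet[off + 4:off + fs_len], off + max(fs_len, 4)  # max(): no infinite loop
        if fs_id == 0:                                  # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                    for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256:                              # data flowset
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                continue                                # template not seen yet: drop records
            rec_len = sum(length for _, length in tmpl)
            pos = 0
            while pos + rec_len <= len(body):           # leftover bytes are 4-byte padding
                rec, p = {}, pos
                for ftype, length in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + length])
                    p += length
                records.append(rec)
                pos += rec_len
    return records

def build_sample_packet():
    """Constructed sample export: header, template 256 (5 fields), then one data record."""
    tmpl = struct.pack("!HH", 256, 5) + struct.pack("!10H", 8, 4, 12, 4, 11, 2, 4, 1, 1, 4)
    data = (IPv4Address("10.1.1.5").packed + IPv4Address("203.0.113.9").packed
            + struct.pack("!HBI", 443, 6, 1500000) + b"\x00")  # one byte of padding
    hdr = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
    return hdr + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```

Because templates arrive separately from data, a collector started after the exporter must wait for the next template refresh before it can decode anything; the parser drops data flowsets whose template it has not seen.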

Part 3 Detection and telemetry

Detection: The evolution of cyber threats
Viruses (1990s) - Defence: anti-virus, firewalls
Worms (2000s) - Defence: intrusion detection and prevention
Botnets (late 2000s to current) - Defence: reputation, DLP, application-aware firewalls
Directed attacks (APTs) (today) - Strategy: visibility and context
Timeline examples: ILOVEYOU, Melissa, Anna Kournikova, Nimda, SQL Slammer, Conficker, Tedroo, Rustock, Conficker, Aurora, Shady RAT, Duqu

Detection: Hiding in plain sight (slide image: a polar bear)

Detection: Concept - the OODA loop (Observe, Orient, Decide, Act, with feedback arrows). Inputs shown in the diagram: unfolding circumstances, outside information, unfolding interaction with the environment, implicit guidance; orientation is shaped by cultural traditions, genetic heritage, analysis and synthesis, new information and previous experiences. Source: http://en.wikipedia.org/wiki/ooda_loop

Detection: Know the attacker
Who? Nation-state? Competitor? Individual?
What? What is the target?
When? Is there a time when the attacker is most active?
Where? Where is the attacker? Where are they successful?
Why? Why are they attacking, what is their goal?
How? How are they attacking: zero-day? Known passwords? Insider?

Detection: Flow Based Anomaly using NetFlow

Detection: Behaviour Based Analysis

Detection: Components (diagram): StealthWatch Management Console; StealthWatch FlowCollector; StealthWatch FlowSensor and FlowSensor VE; StealthWatch FlowReplicator; StealthWatch Labs Information Center reputation feed (optional); Cisco ISE for users/devices; the Cisco network exporting NetFlow, NBAR and NSEL; other tools/collectors.

Detection: Where to launch NetFlow? Each network layer (access, distribution and core, edge) offers unique NetFlow capabilities. Platforms shown: Catalyst 3560/3750-X, Catalyst 4500, Catalyst 6500, ISR, ASA, ASR.

Detection: Providing scalable visibility. Drilling into a single flow yields a wealth of information.

Detection: Identifying reconnaissance activity
Long and slow activity to discover resources and vulnerabilities.
What to analyse: high number of flows; high client byte ratio; one-way or unanswered flows; flows within the subnet/host group; flows to non-existent IPs; flow patterns; abnormal behaviour.
StealthWatch method of detection: Concern Index; High Traffic; High Connections; Trapped Hosts.

Detection: Command and control
Periodic phone-home activity.
What to analyse: countries; applications; upload/download ratio; time of day; repeated connections; beaconing (repeated dead connections); long-lived flows; known C&C servers.
StealthWatch method of detection: Host Lock Violation; Suspect Long Flow; Beaconing Host; SLIC Reputation Feed.

Detection: Data loss
An intermediary resource is used to obfuscate the theft; data is exported off the resource.
What to analyse: historical data transfer behaviour; applications; time of day; countries; amount of data, single and in aggregate; time frames; asymmetric traffic patterns; traffic between host groups.
StealthWatch method of detection: Suspect Data Loss alarm.

Detection: Identifying malware propagation
A discovered host answers and the vulnerability is exploited.
What to analyse: high number of flows; high client byte ratio; connections within the subnet/host group; flow patterns; abnormal behaviour.
StealthWatch method of detection: Concern Index, Target Index; scanning alarms; Touched Host; Worm Propagation alarm; Worm Tracker.

Part 4 Live Demo

Thank you!