Network Security FOR FREE - Data Connectors

Slide - 1

Network Security – FOR FREE

Slide - 2

Security Companies A – Z, etc.

• A10 Networks, Akamai, AlienVault, Appriver, At-Bay, Avecto, Axiomatics

• BeyondTrust, BluVector

• Carbon Black, Centrify, CGS, Check Point, CheckMarx, CloudBees, Comodo, Corero Network Security, Cyxtera

• Darktrace, DeepInstinct, DomainTools, Dyadic

• eSentire, Experian

• F-Secure, FireEye, Forcepoint, ForeScout, Forrester, Fortinet, Fujitsu

• Gigamon, GigaTrust, GlobalSign

• Herjavec Group

• IBM Resilient, iboss, Illumio, Imperva, Informatica

• Kaspersky Lab, KnowBe4, KPMG

• Lawfare, LogRhythm

• Malwarebytes, McAfee, MediaMath, Mimecast, MobileIron

• NordVPN, Nozomi Networks, NSS Labs, NTT Security, Nuvias Group

• ObserveIT

• Palo Alto Networks, Panda, Portnox, Proofpoint

• Qubic

• Radial, Radware, Rapid7, RiskIQ

• SAP, Secureworks, Semafone, SentinelOne, Sonatype, Sophos, Splunk, Symantec

• Thales, Trend Micro, Tripwire

• Varonis, Veridium, Voxpro

• WatchGuard, Webroot

• ZeroFOX, ZScaler

Slide - 3

Assessment and Fundamentals

• All types of bad actors are trying to break into your network today

• Start monitoring your network TODAY

• Understand how to track them using an Analyzer looking for Indicators of Compromise

• 24 hour period:

  Country         Attempts
  United States   241
  Canada          115
  Taiwan          87
  China           70

Slide - 4

The Importance of Packets

• The Boy Scout Motto - BE PREPARED

• Gain total network visibility by capturing all of the packets 24 x 7 and using NetFlow data

• Know the “normal” path of your packets

• Gather the Log files from Firewalls, Servers, IDS, DLP, Antivirus, etc.

Slide - 5

Why are Attacks a Concern?

• Cost of Attacks

• Resource time (Investigations, Monitoring, Mitigate)

• Security Controls

• HIPAA / SCADA / Other Regulatory Fines

• Data Breach

  • $100 to $500 per record

  • 1000 records = $1M to $5M

• Business, Health, Finance, Government, Education

Slide - 6

Prevent

• Endpoint protection is not adequate any longer

• WannaCry / Petya

• Windows desktops represent the weakest link in the chain

• Software as a Service means no endpoint visibility

• Most defense enhancements come first on the NETWORK – speed and scalability

Slide - 7

The Path of the Packet is Important

• Monitor both inside and outside of the Internet Firewall

• Monitor any other inbound link, VPN, Branch office, dedicated link other than Internet

• Key locations need to be monitored for attacks

• Monitor for both outside and inside threats

Slide - 8

Identify the Indicators

Ways to Identify these Attacks on my network

1) Observing the initial download at the perimeter

2) Observing the use of the Exploit on my internal network

3) Observing the movement of the malware on my local network

Slide - 9

Security Onion

Slide - 10

What are your Indicators?

• All indicators have value, some greater than others

• You see a mail server has initiated an outbound FTP session to a host in Russia - an indicator.

• You see a spike in the amount of Internet Control Message Protocol (ICMP) traffic at 2 A.M. - an indicator.

• You see a Host sending RAR files to a host in San Diego – an indicator.

• You see SMBv1 traffic on your network – an indicator.

• Which are your biggest concerns?

• Prioritize the indicator value

Slide - 11

Trojan / Worm Indicators

• Number of SYNs Sent / Number of SYN+ACKs

  • Generally should be 1:1

  • Trojans and worms always send large amounts of TCP SYN packets to establish connections with other hosts on the LOCAL subnet.

• Look at Top Talkers by Packets

  • Trojans and worms usually send out a large number of SMALL packets.

• Filter for DNS – Export to CSV – Comma delimited with packet summary

  • Analyze using keywords

  • Compare to Top 1 million (Alexa or Cisco Umbrella)

• Use a specific filter – POP3, Readme.exe and PSEXEC.EXE
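The SYN-to-SYN+ACK ratio and the top-talker check on this slide can be scripted over an exported packet summary. The following is an added example, not code from the presentation or from any vendor named in it: it works on constructed summary rows built inline, and the subnet, the thresholds and the column layout are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed packet-summary rows, the shape you get after parsing an analyzer's
# "export to CSV with packet summary": (source, destination, TCP flags, frame bytes).
# Not captured traffic; built inline so the example runs offline.
PACKETS = [
    # Ordinary client 10.1.1.20 talking to file server 10.1.1.5: one SYN, one SYN+ACK
    ("10.1.1.20", "10.1.1.5", "S", 74),
    ("10.1.1.5", "10.1.1.20", "SA", 74),
    ("10.1.1.20", "10.1.1.5", "A", 1514),
    # Suspect host 10.1.1.77 sweeping its own subnet: 40 small SYNs, one SYN+ACK back
    *[("10.1.1.77", f"10.1.1.{n}", "S", 62) for n in range(100, 140)],
    ("10.1.1.5", "10.1.1.77", "SA", 74),
    # File server pushing a large transfer: many full-size frames
    *[("10.1.1.5", "10.1.1.20", "A", 1514) for _ in range(30)],
]


def syn_balance(packets):
    """Per host: (SYNs it sent, SYN+ACKs it received). Healthy clients sit near 1:1."""
    sent = defaultdict(int)
    answered = defaultdict(int)
    for src, dst, flags, _ in packets:
        if flags == "S":
            sent[src] += 1
        elif flags == "SA":
            answered[dst] += 1
    return {host: (sent[host], answered[host]) for host in sent}


def suspect_sweepers(packets, local_net, min_syns=20, max_answer_ratio=0.2):
    """Hosts that fire many SYNs at the local subnet and get few SYN+ACKs back.

    The thresholds are assumptions for this example; tune them against your baseline.
    """
    net = ipaddress.ip_network(local_net)
    local_syns = defaultdict(int)
    for src, dst, flags, _ in packets:
        if flags == "S" and ipaddress.ip_address(dst) in net:
            local_syns[src] += 1
    balance = syn_balance(packets)
    flagged = []
    for host, count in local_syns.items():
        sent, answered = balance[host]
        if count >= min_syns and answered / sent <= max_answer_ratio:
            flagged.append(host)
    return sorted(flagged)


def top_talkers(packets, limit=3):
    """Top senders by packet count with their average frame size.

    A host near the top by packets but with a small average size is the
    'many SMALL packets' pattern the slide describes.
    """
    count = defaultdict(int)
    total = defaultdict(int)
    for src, _, _, length in packets:
        count[src] += 1
        total[src] += length
    rows = [(host, count[host], total[host] / count[host]) for host in count]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for host, (sent, answered) in syn_balance(PACKETS).items():
        print(f"{host}: SYN {sent} / SYN+ACK {answered}")
    print("suspect sweepers:", suspect_sweepers(PACKETS, "10.1.1.0/24"))
    for host, packets, avg in top_talkers(PACKETS):
        print(f"{host}: {packets} packets, avg {avg:.0f} bytes")
```

On the constructed rows the sweeper shows 40 SYNs against 1 SYN+ACK and tops the talker list with a 62-byte average, while the file server sends almost as many packets but at full frame size, which is the distinction the slide asks you to look for.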

Slide - 12

Filter for SYN + ACK

• Filter for SYN + ACK – See what Servers and Applications are accepting connections

• Should they? / Any surprises? / Workstations?

Slide - 13

Filter for SMBv1, SMBv2 and SMBv3

• Filter for SMBv1 – See what devices are vulnerable

• WannaCry / Petya

SMBv2 hex Pattern is 0x424d53fe

SMBv3 hex Pattern is 0x424d53fd
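An added example, not from the deck, showing where the hex patterns on this slide come from: they are the four protocol-ID bytes 0xFE "SMB" and 0xFD "SMB" read as a little-endian 32-bit value, and SMBv1 uses 0xFF "SMB" in the same position. One caveat the byte filter alone does not show: unencrypted SMB 3.x messages also carry the 0xFE id, so the 0xFD pattern only matches encrypted SMB3 transform headers, and the dialect actually in use comes from the DialectRevision field of the NEGOTIATE response. The NEGOTIATE response bytes below are constructed for the example, not captured.

```python
import struct

# Protocol-ID bytes at the start of every SMB message (after the 4-byte NetBIOS
# session header on TCP/445). On the wire: 0xFF/0xFE/0xFD followed by "SMB".
SMB1_ID = b"\xffSMB"
SMB2_ID = b"\xfeSMB"            # SMB 2.x and unencrypted SMB 3.x
SMB3_TRANSFORM_ID = b"\xfdSMB"  # SMB 3.x transform header: payload is encrypted

# SMB2 NEGOTIATE response DialectRevision values (MS-SMB2 section 2.2.4)
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def strip_netbios(payload: bytes) -> bytes:
    """Direct-TCP transport prefixes a 0x00 byte and a 3-byte length; drop it if present."""
    if len(payload) >= 4 and payload[0] == 0:
        return payload[4:]
    return payload


def smb_family(payload: bytes):
    """Return 'SMB1', 'SMB2', 'SMB3-encrypted' or None for a TCP/445 payload."""
    pid = strip_netbios(payload)[:4]
    if pid == SMB1_ID:
        return "SMB1"
    if pid == SMB2_ID:
        return "SMB2"
    if pid == SMB3_TRANSFORM_ID:
        return "SMB3-encrypted"
    return None


def wireshark_hex(pid: bytes) -> str:
    """The protocol ID read as a little-endian 32-bit number, as the slide lists it."""
    return "0x%08x" % struct.unpack("<I", pid)[0]


def negotiated_dialect(payload: bytes):
    """Pull DialectRevision from an SMB2 NEGOTIATE response; None for anything else."""
    msg = strip_netbios(payload)
    if msg[:4] != SMB2_ID or len(msg) < 64 + 6:
        return None
    command = struct.unpack_from("<H", msg, 12)[0]   # Command field of the 64-byte header
    flags = struct.unpack_from("<I", msg, 16)[0]     # Flags field; bit 0 = server response
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    dialect = struct.unpack_from("<H", msg, 64 + 4)[0]  # after StructureSize, SecurityMode
    return DIALECTS.get(dialect, "unknown 0x%04x" % dialect)


def smb2_negotiate_response(dialect: int) -> bytes:
    """Constructed (not captured) minimal NEGOTIATE response used to exercise the parser."""
    header = (SMB2_ID + struct.pack("<H", 64) + b"\x00" * 6
              + struct.pack("<H", SMB2_NEGOTIATE) + b"\x00\x00"
              + struct.pack("<I", SMB2_FLAGS_SERVER_TO_REDIR) + b"\x00" * 44)
    body = struct.pack("<HHH", 65, 1, dialect)   # StructureSize, SecurityMode, DialectRevision
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body


if __name__ == "__main__":
    print(wireshark_hex(SMB1_ID), wireshark_hex(SMB2_ID), wireshark_hex(SMB3_TRANSFORM_ID))
    print(smb_family(b"\x00\x00\x00\x04" + SMB1_ID))
    print(negotiated_dialect(smb2_negotiate_response(0x0311)))
```

Running it prints 0x424d53ff, 0x424d53fe and 0x424d53fd, so the two values on the slide are the SMB2 protocol ID and the SMB3 transform header ID; any host that still answers with 0x424d53ff is the SMBv1 population the slide tells you to find.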

Slide - 14

Filter for HTTP Credentials

• Filter for HTTP Authorization Type Basic:

• Yields Credentials
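Added example, not from the deck: what a filter for Basic authorization turns up in a capture of port-80 traffic, written from the monitoring side so that the report names the account, host and path that are exposing a password in clear text without writing the password itself into the log. The request is constructed inline and the host name is a placeholder.

```python
import base64
import binascii

# Constructed HTTP request (not a capture) of the kind the slide's filter pulls out.
SAMPLE_REQUEST = (
    "GET /admin/status HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)

# Wireshark display filter equivalent to the slide's "Authorization Type Basic"
DISPLAY_FILTER = 'http.authorization contains "Basic"'


def basic_auth_exposure(request_text: str):
    """Report who is sending Basic credentials in clear text.

    Returns None when the request carries no Basic header. The password is
    never returned, only whether one was present, so the report can be shared.
    """
    lines = request_text.split("\r\n")
    if not lines or len(lines[0].split(" ")) < 3:
        return None
    method, path, _ = lines[0].split(" ", 2)
    host = None
    token = None
    for line in lines[1:]:
        if not line:
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
        elif name.strip().lower() == "authorization":
            scheme, _, cred = value.strip().partition(" ")
            if scheme.lower() == "basic":
                token = cred.strip()
    if token is None:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        decoded = ""                                # malformed token: still report it
    user, _, password = decoded.partition(":")
    return {
        "host": host,
        "method": method,
        "path": path,
        "user": user or "<undecodable>",
        "password_present": bool(password),
    }


if __name__ == "__main__":
    print(DISPLAY_FILTER)
    print(basic_auth_exposure(SAMPLE_REQUEST))
```

The fix for every hit this produces is the same: move the service behind TLS or a stronger authentication scheme, and treat the reported accounts as having had their passwords exposed on the segment you captured.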

Slide - 15

The Path of the Packet is Important

• Explore and understand both Ingress and Egress traffic flows and patterns

• Don’t assume

• Validate

• TAP / Packet Broker

• There could be several paths into the Data Center depending on Trusted User, Untrusted User or Customer

Slide - 16

Limit the outbound Path of the Packet

Set Your Internal DB servers and App Servers that don’t need to communicate outside of your Datacenter (IP TTL = 1/2)

Slide - 17

Investigation using NetFlow and Packets

• Some of the most commonly used data elements generated by NetFlow or Network Trending data include:

• Source IP Address

• Destination IP Address

• Source Port

• Destination Port

• Protocol

• Timestamps for the flow start and conclusion

• Amount of data transferred

Slide - 18

Log Files

Country         Attempts
United States   151+90 = 241
Canada          115
Taiwan          87
China           70

Slide - 19

Capturing all of the Packets

• Analysis equipment must be able to keep up:

  • 1 Gbps @ 25% utilization is 1.875 GBytes / Min ➢ 112 GBytes / HR

  • 10 Gbps @ 25% utilization is 10.875 GBytes / Min ➢ 1.12 TBytes / HR

  • 40 Gbps @ 25% utilization is 43.5 GBytes / Min ➢ 4.5 TBytes / HR

  • 100 Gbps @ 25% utilization is 108.75 GBytes / Min ➢ 11.2 TBytes / HR

• Data Center will require stream to disk hardware capable of 10G to 40G link speeds and higher

• Potential to use Packet Broker to gain total network visibility

Slide - 20

Ability to go “Back in Time”

• Assemble the complete picture of the attack / compromise

• Ability to see the evolution of the compromise

• Facility to pinpoint the time of the attack / compromise

• Determine what other systems were affected
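An added calculator, not from the deck, for the capture volumes on slide 19 and for the "back in time" question on this slide: given a link rate, a utilization figure and a store size, how many hours of packets the store holds. Decimal units (1 GB = 10^9 bytes) are used, which is what makes 1 Gbps at 25% come out at 1.875 GBytes per minute; the per-hour totals on slide 19 follow from the same formula, rounded.

```python
def capture_bytes(link_gbps: float, utilization: float, seconds: float) -> float:
    """Bytes written to disk when capturing a link_gbps link at the given utilization."""
    bits_per_second = link_gbps * 1e9 * utilization
    return bits_per_second / 8 * seconds


def gbytes_per_minute(link_gbps: float, utilization: float = 0.25) -> float:
    """Decimal gigabytes per minute, the unit used on slide 19."""
    return capture_bytes(link_gbps, utilization, 60) / 1e9


def tbytes_per_hour(link_gbps: float, utilization: float = 0.25) -> float:
    """Decimal terabytes per hour."""
    return capture_bytes(link_gbps, utilization, 3600) / 1e12


def hours_of_lookback(storage_tbytes: float, link_gbps: float, utilization: float = 0.25) -> float:
    """How far 'back in time' a store of storage_tbytes lets you go at this capture rate.

    Utilization is an average; a burst above it shortens the window, so size for
    the peak you actually measure rather than the figure you hope for.
    """
    return storage_tbytes / tbytes_per_hour(link_gbps, utilization)


def sizing_table(links=(1, 10, 40, 100), utilization: float = 0.25):
    """(link Gbps, GBytes/min, TBytes/hr) rows for the link speeds on slide 19."""
    return [
        (g, round(gbytes_per_minute(g, utilization), 3), round(tbytes_per_hour(g, utilization), 3))
        for g in links
    ]


if __name__ == "__main__":
    for link, per_min, per_hour in sizing_table():
        print(f"{link:>4} Gbps @ 25%: {per_min:8.3f} GBytes/min  {per_hour:7.3f} TBytes/hr")
    # Example store size is an assumption: 100 TB of stream-to-disk capacity on a 10G link
    print(f"100 TB on 10G @ 25%: {hours_of_lookback(100, 10):.1f} hours of packets")
```

The last line is the number that decides whether "back in time" reaches the initial download at the perimeter or only the lateral movement that followed it: at 10 Gbps and 25% average utilization, 100 TB holds a little under four days.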

Slide - 21

The Unfamiliar

• We can be sure an attack is imminent – our firewall logs tell us they are probing, waiting to find the chink in our armor

• We must be familiar with flows and patterns

• Determine what is different or unknown

• Different Pattern? File transfers outbound?

• RAR files transferred outbound?

Slide - 22

Attack Recognition

• Have we Baselined the network?

• What is normal?

  • Protocols: Connection Oriented / Connectionless

  • Applications

  • Remote Locations

• After the compromise

  • What was the scope?

Slide - 23

Baseline

• Need to know what is normal

• Deviations could indicate a compromise

• Needs to be updated as traffic and applications change

Slide - 24

Normal or Abnormal?

• FTP is allowed through Firewall – Did they get in?

• What do the packets show – FTP service is down

Slide - 25

Filter out Normal

• Once you have defined and validated “Normal” – start filtering out the normal protocols / applications / subnets / domains

• Easier to filter out the hay stack and find a needle among the needles

• Easily identify your normal established connections

• Filter for SYN + ACK – See what Servers and Applications are accepting connections

• VALIDATE no WORKSTATIONS
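The baseline and filter-out-normal ideas on slides 22 through 25, together with the indicator examples on slide 10 (a mail server opening an outbound FTP session, an unusually large outbound transfer, activity at 2 A.M.), as an added worked example that is not part of the presentation. It uses constructed NetFlow-style records carrying the seven fields listed on slide 17; the internal address range, the business-hours window and the byte threshold are assumptions for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed internal range for the example
INTERNAL = ipaddress.ip_network("10.1.0.0/16")


def flow(src, dst, dport, proto, nbytes, when):
    """One NetFlow-style record: the seven elements named on slide 17."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "bytes": nbytes, "start": datetime.fromisoformat(when)}


# Constructed records from a week that was reviewed and accepted as normal
BASELINE_WEEK = [
    flow("10.1.1.25", "203.0.113.10", 25, "tcp", 40_000, "2017-06-05T09:00:00"),     # mail relay out
    flow("10.1.1.25", "203.0.113.10", 25, "tcp", 38_000, "2017-06-06T09:10:00"),
    flow("10.1.1.20", "10.1.1.5", 445, "tcp", 900_000, "2017-06-05T10:00:00"),       # file share
    flow("10.1.1.20", "198.51.100.7", 443, "tcp", 120_000, "2017-06-05T11:00:00"),   # web
    flow("10.1.1.20", "198.51.100.7", 443, "tcp", 110_000, "2017-06-06T11:30:00"),
]

# Constructed records from the day under review
TODAY = [
    flow("10.1.1.20", "198.51.100.7", 443, "tcp", 115_000, "2017-06-12T11:00:00"),      # normal
    flow("10.1.1.25", "198.51.100.200", 21, "tcp", 5_000, "2017-06-12T02:05:00"),       # mail server -> FTP out
    flow("10.1.1.20", "198.51.100.9", 443, "tcp", 40_000_000, "2017-06-12T02:10:00"),   # large outbound at 2 A.M.
]


def flow_key(f):
    """Tuple the baseline is keyed on: who talks, in which direction, to which service."""
    direction = "out" if ipaddress.ip_address(f["dst"]) not in INTERNAL else "in"
    return (f["src"], direction, f["dport"], f["proto"])


def build_baseline(flows):
    """Count of (src, direction, dport, proto) tuples seen in the validated-normal window."""
    return Counter(flow_key(f) for f in flows)


def deviations(baseline, flows, large_outbound=10_000_000, business_hours=(6, 20)):
    """Flows left after filtering out normal, each with the reasons it stayed.

    A tuple that never appeared in the baseline stays; so does a normal tuple whose
    outbound volume or timing is abnormal. Threshold and hours are assumptions.
    """
    findings = []
    for f in flows:
        reasons = []
        key = flow_key(f)
        if key not in baseline:
            reasons.append("tuple not in baseline")
        if key[1] == "out" and f["bytes"] >= large_outbound:
            reasons.append("large outbound transfer")
        if not business_hours[0] <= f["start"].hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append((f["src"], f["dst"], f["dport"], reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_WEEK)
    for src, dst, dport, reasons in deviations(base, TODAY):
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

The normal HTTPS flow drops out entirely, which is the point of the slide: once the baseline is validated, the two lines that remain are the mail server's new outbound FTP session and a 40 MB outbound transfer in the middle of the night, and they are what an analyst reads first. Rebuilding the baseline on a schedule keeps the "needs to be updated" rule from slide 23.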

Slide - 26

Forensic Analysis

Observe the use of the Exploit on your internal network

• Both WannaCry and Petya used the recently released EternalBlue exploit to propagate

• Snort rules to detect EternalBlue were available as of May 3, 2017 (a week before the initial WannaCry attack and a month before Petya)

• Once a new zero-day exploit is unveiled, it is faster to write a Snort rule to detect it on the network than to add a variant to endpoint malware detection software

Slide - 27

GigaStor / Uila and SNORT

• Create different profiles for different SNORT rules

Slide - 28

Perimeter Defenses

• Port Scan your perimeter – know what ports are open

• Perform a penetration test / vulnerability scan

• Find your weaknesses / vulnerabilities before they do

• Look for abnormal outbound data transfers

• Develop your plan – refine, refine, refine

Slide - 29

Validate your Firewall rules

• Don’t presume that your Firewall(s) are doing their job(s)

• Review your firewall rules

• Make sure a business case exists for each rule

• Capture both sides of Firewall to validate your UDP rules

Slide - 30

Scope of Attack / Penetration

• Range of the Attack / Penetration vectors

• Internal or External?

• Foreign entity or Competing Company?

• Recall Major League Baseball?

• 1/30/2017 - Cardinals hacked the Astros

• Email and Scouting Database

• Inside their system from 2012 - 2014

• Fined $2M plus other penalties

Slide - 31

Reporting / Validating

Clearly document the attack / compromise

• What was compromised

• Servers

• Hosts

• Network Hardware

• Credentials (UID / Password)

• What methods were used to exfiltrate the data?

• Save all logs and capture files

• Can we put countermeasures in place to keep this type of compromise from happening again?

• Notify management

Slide - 32

What can you do?

Configuration Management (CSC-9)

Patch as soon as practical

Follow-up on vulnerability scanning

Documenting all exceptions

Communicate

No tolerance for allowing unauthorized computers on the network

Application review and Peer reviews

Slide - 33

Conclusion

Identify security threats through packet analysis

Ensure you have all of the packets (GigaStor)

If you can’t see all of the paths, how do you know you have all of the information?

Use of a packet broker and TAPs can help with 24x7 total network visibility

Slide - 34

Questions?

[email protected]