1 / 34

Network Security – FOR FREE

Network Security – FOR FREE. Security Companies A – Z, etc. A10 Networks, Akamai, AlienVault , Appriver , At-Bay, Avecto , Axiomatics BeyondTrust , BluVector Carbon Black, Centrify , CGS, Check Point, CheckMarx , CloudBees , Comodo , Corero Network Security, Cyxtera

mbraun
Download Presentation

Network Security – FOR FREE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security – FOR FREE

  2. Security Companies A – Z, etc. • A10 Networks, Akamai, AlienVault, Appriver, At-Bay, Avecto, Axiomatics • BeyondTrust, BluVector • Carbon Black, Centrify, CGS, Check Point, CheckMarx, CloudBees, Comodo, Corero Network Security, Cyxtera • Darktrace, DeepInstinct, DomainTools, Dyadic • eSentire, Experian • F-Secure, FireEye, Forcepoint, ForeScout, Forrester, Fortinet, Fujitsu • Gigamon, GigaTrust, GlobalSign • Herjavec Group • IBM Resilient, iboss, Illumio, Imperva, Informatica • Kaspersky Lab, KnowBe4, KPMG • Lawfare, LogRhythm • Malwarebytes, McAfee, MediaMath, Mimecast, MobileIron • NordVPN, Nozomi Networks, NSS Labs, NTT Security, NuviasGroup • ObserveIT • Palo Alto Networks, Panda, Portnox, Proofpoint • Qubic • Radial, Radware, Rapid7, RiskIQ • SAP, Secureworks, Semafone, SentinelOne, Sonatype, Sophos, Splunk, Symantec • Thales, Trend Micro, Tripwire • Varonis, Veridium, Voxpro, • WatchGuard, Webroot • ZeroFOX, ZScaler

  3. Assessment and Fundamentals • All types of bad actors are trying to break into your network today • Start monitoring your network TODAY • Understand how to track them using an Analyzer looking for Indicators of Compromise • 24 hour period:

  4. The Importance of Packets • The Boy Scout Motto - BE PREPARED • Gain total network visibility by capturing all of the packets 24 x 7 and using NetFlow data • Know the “normal” path of your packets • Gather the Log files from Firewalls, Servers, IDS, DLP, Antivirus, etc.

  5. Why are Attacks a Concern? • Cost of Attacks • Resource time (Investigations, Monitoring, Mitigate) • Security Controls • HIPPA / SCADA / Other Regulatory Fines • Data Breach • $100 to $500 per record • 1000 records = $1M to $5M • Business, Health, Finance, Government, Education

  6. Prevent • Endpoint protection is not adequate any longer • WannaCry / Petya • Windows desktops represent the weakest link in the chain • Software as a Service means no endpoint visibility • Most defense enhancements come first on the NETWORK – speed and scalability

  7. The Path of the Packet is Important • Monitor both inside and outside of the Internet Firewall • Monitor any other inbound link, VPN, Branch office, dedicated link other than Internet • Key locations need to be monitored for attacks • Monitor for both outside and inside threats

  8. Identify the Indicators Ways to Identify these Attacks on my network • Observing the initial download at the perimeter • Observing the use of the Exploit on my internal network • Observing the movement of the malware on my local network 1 3 2

  9. Security Onion

  10. What are your Indicators? • All indicators have value, some greater than others • You see a mail server has initiated an outbound FTP session to a host in Russia - an indicator. • You see a spike in the amount of Internet Control Message Protocol (ICMP) traffic at 2 A.M.- an indicator. • You see a Host sending RAR files to a host in San Diego – an indicator. • You see SMBv1 traffic on your network – an indicator. • Which are your biggest concerns? • Prioritize the indicator value

  11. Trojan / Worm Indicators • Number of SYN’s Sent / Number of SYN+ACK’s • Generally should be 1:1 • Trojans and worms always send large amounts of TCP SYN packets to establish connections with other hosts on the LOCAL subnet. • Look at Top Talkers by Packets • Trojans and worms usually send out a large number of SMALL packets. • Filter for DNS – Export to CSV – Comma delimited with packet summary • Analyze using keywords • Compare to Top 1 million (Alexa or Cisco Umbrella) • Use a specific filter – POP3, Readme.exe and PSEXEC.EXE

  12. Filter for SYN + ACK • Filter for SYN + ACK – See what Servers and Applications are accepting connections • Should they? / Any surprises? / Workstations?

  13. Filter for SMBv1, SMBv2 and SMBv3 • Filter for SMBv1 – See what devices are vulnerable • WannaCry / Petya SMBv2 hex Pattern is 0x424d53fe SMBv3 hex Pattern is 0x424d53fd

  14. Filter for HTTP Credentials • Filter for HTTP Authorization Type Basic: • Yields Credentials

  15. The Path of the Packet is Important • Explore and understand both Ingress and Egress traffic flows and patterns • Don’t assume • Validate • TAP / Packet Broker • There could be several paths into the Data Center depending on Trusted User, Untrusted User or Customer

  16. Limit the outbound Path of the Packet Set Your Internal DB servers and App Servers that don’t need to communicate outside of your Datacenter (IP TTL = 1/2)

  17. Investigation using NetFlow and Packets • Some of the most commonly used data elements generated by NetFlow or Network Trending data include: • Source IP Address • Destination IP Address • Source Port • Destination Port • Protocol • Timestamps for the flow start and conclusion • Amount of data transferred

  18. Log Files

  19. Capturing all of the Packets • Analysis equipment must be able to keep up: • 1 Gbps @ 25% utilization is 1.875 GBytes / Min • 112 GBytes / HR • 10 Gbps @ 25% utilization is 10.875 GBytes/ Min • 1.12 TBytes / HR • 40 Gbps @ 25% utilization is 43.5 GBytes / Min • 4.5 TBytes/ HR • 100 Gbps @ 25% utilization is 108.75 GBytes / Min • 11. 2 TBytes / HR • Data Center will require stream to disk hardware capable of 10G to 40G link speeds and higher • Potential to use Packet Broker to gain total network visibility

  20. Ability to go “Back in Time” • Assemble the complete picture of the attack / compromise • Ability to see the evolution of the compromise • Facility to pinpoint the time of the attack / compromise • Determine what other systems were affected

  21. The Unfamiliar • We can be sure an attack is eminent – our firewall logs tell us they are probing, waiting to find the chink in our armor • We must be familiar with flows and patterns • Determine what is different or unknown • Different Pattern? File transfers outbound? • RAR files transferred outbound?

  22. Attack Recognition • Have we Baselined the network? • What is normal? • Protocols: • Connection Oriented • Connectionless • Applications • Remote Locations • After the compromise • What was the scope?

  23. Baseline • Need to know what is normal • Deviations could indicate a compromise • Needs to be updated as traffic and applications change

  24. Normal or Abnormal? • FTP is allowed through Firewall – Did they get in? • What do the packets show – FTP service is down

  25. Filter out Normal • Once you have defined and validated “Normal” – start filtering out the normal protocols / applications / subnets / domains • Easier to filter out the hay stack and find a needle among the needles • Easily identify your normal established connections • Filter for SYN + ACK – See what Servers and Applications are accepting connections • VALIDATE no WORKSTATIONS

  26. Forensic Analysis Observe the use of the Exploit on your internal network • Both WannaCry and Petya used recently released EternalBlue exploit to propagate • Snort rules to detect EternalBlue were available as of May 3, 2017 (a week before the initial WannaCry attack and a month before Petya) • Once a new zero-day exploit is unveiled, it is faster to write a snort rule to detect it on the network than to add variant to endpoint malware detection software

  27. GigaStor / Uila and SNORT • Create different profiles for different SNORT rules

  28. Perimeter Defenses • Port Scan your perimeter – know what ports are open • Perform a penetration test / vulnerability scan • Find your weaknesses / vulnerabilities before they do • Look for abnormal outbound data transfers • Develop your plan – refine, refine, refine

  29. Validate your Firewall rules • Don’t presume that your Firewall(s) are doing their job(s) • Review your firewall rules • Make sure a business case exists for each rule • Capture both sides of Firewall to validate your UDP rules

  30. Scope of Attack / Penetration • Range of the Attack / Penetration vectors • Internal or External? • Foreign entity or Competing Company? • Recall Major League Baseball? • 1/30/2017 - Cardinals hacked the Astros • Email and Scouting Database • Inside their system from 2012 - 2014 • Fined $2M plus other penalties

  31. Reporting / Validating Clearly document the attack / compromise • What was compromised • Servers • Hosts • Network Hardware • Credentials (UID / Password) • What methods were used to exfiltrate the data? • Save all logs and capture files • Can we put countermeasures in place to keep this type of compromise from happening again? • Notify management

  32. What can you do? • Configuration Management (CSC-9) • Patch as soon as practical • Follow-up on vulnerability scanning • Documenting all exceptions • Communicate • No tolerance for allowing unauthorized computers on the network • Application review and Peer reviews

  33. Conclusion • Identify security threats through packet analysis • Ensure you have all of the packets (GigaStor) • If you can’t see all of the paths, how do you know you have all of the information • Use of a packet broker and TAP’s can help with 24x7 total network visibility

  34. Questions?mike@mnex.biz

More Related