350 likes | 365 Views
Network Security – FOR FREE. Security Companies A – Z, etc. A10 Networks, Akamai, AlienVault , Appriver , At-Bay, Avecto , Axiomatics BeyondTrust , BluVector Carbon Black, Centrify , CGS, Check Point, CheckMarx , CloudBees , Comodo , Corero Network Security, Cyxtera
E N D
Security Companies A – Z, etc. • A10 Networks, Akamai, AlienVault, Appriver, At-Bay, Avecto, Axiomatics • BeyondTrust, BluVector • Carbon Black, Centrify, CGS, Check Point, CheckMarx, CloudBees, Comodo, Corero Network Security, Cyxtera • Darktrace, DeepInstinct, DomainTools, Dyadic • eSentire, Experian • F-Secure, FireEye, Forcepoint, ForeScout, Forrester, Fortinet, Fujitsu • Gigamon, GigaTrust, GlobalSign • Herjavec Group • IBM Resilient, iboss, Illumio, Imperva, Informatica • Kaspersky Lab, KnowBe4, KPMG • Lawfare, LogRhythm • Malwarebytes, McAfee, MediaMath, Mimecast, MobileIron • NordVPN, Nozomi Networks, NSS Labs, NTT Security, NuviasGroup • ObserveIT • Palo Alto Networks, Panda, Portnox, Proofpoint • Qubic • Radial, Radware, Rapid7, RiskIQ • SAP, Secureworks, Semafone, SentinelOne, Sonatype, Sophos, Splunk, Symantec • Thales, Trend Micro, Tripwire • Varonis, Veridium, Voxpro, • WatchGuard, Webroot • ZeroFOX, ZScaler
Assessment and Fundamentals • All types of bad actors are trying to break into your network today • Start monitoring your network TODAY • Understand how to track them using an Analyzer looking for Indicators of Compromise • 24 hour period:
The Importance of Packets • The Boy Scout Motto - BE PREPARED • Gain total network visibility by capturing all of the packets 24 x 7 and using NetFlow data • Know the “normal” path of your packets • Gather the Log files from Firewalls, Servers, IDS, DLP, Antivirus, etc.
Why are Attacks a Concern? • Cost of Attacks • Resource time (Investigations, Monitoring, Mitigate) • Security Controls • HIPPA / SCADA / Other Regulatory Fines • Data Breach • $100 to $500 per record • 1000 records = $1M to $5M • Business, Health, Finance, Government, Education
Prevent • Endpoint protection is not adequate any longer • WannaCry / Petya • Windows desktops represent the weakest link in the chain • Software as a Service means no endpoint visibility • Most defense enhancements come first on the NETWORK – speed and scalability
The Path of the Packet is Important • Monitor both inside and outside of the Internet Firewall • Monitor any other inbound link, VPN, Branch office, dedicated link other than Internet • Key locations need to be monitored for attacks • Monitor for both outside and inside threats
Identify the Indicators Ways to Identify these Attacks on my network • Observing the initial download at the perimeter • Observing the use of the Exploit on my internal network • Observing the movement of the malware on my local network 1 3 2
What are your Indicators? • All indicators have value, some greater than others • You see a mail server has initiated an outbound FTP session to a host in Russia - an indicator. • You see a spike in the amount of Internet Control Message Protocol (ICMP) traffic at 2 A.M.- an indicator. • You see a Host sending RAR files to a host in San Diego – an indicator. • You see SMBv1 traffic on your network – an indicator. • Which are your biggest concerns? • Prioritize the indicator value
Trojan / Worm Indicators • Number of SYN’s Sent / Number of SYN+ACK’s • Generally should be 1:1 • Trojans and worms always send large amounts of TCP SYN packets to establish connections with other hosts on the LOCAL subnet. • Look at Top Talkers by Packets • Trojans and worms usually send out a large number of SMALL packets. • Filter for DNS – Export to CSV – Comma delimited with packet summary • Analyze using keywords • Compare to Top 1 million (Alexa or Cisco Umbrella) • Use a specific filter – POP3, Readme.exe and PSEXEC.EXE
Filter for SYN + ACK • Filter for SYN + ACK – See what Servers and Applications are accepting connections • Should they? / Any surprises? / Workstations?
Filter for SMBv1, SMBv2 and SMBv3 • Filter for SMBv1 – See what devices are vulnerable • WannaCry / Petya SMBv2 hex Pattern is 0x424d53fe SMBv3 hex Pattern is 0x424d53fd
Filter for HTTP Credentials • Filter for HTTP Authorization Type Basic: • Yields Credentials
The Path of the Packet is Important • Explore and understand both Ingress and Egress traffic flows and patterns • Don’t assume • Validate • TAP / Packet Broker • There could be several paths into the Data Center depending on Trusted User, Untrusted User or Customer
Limit the outbound Path of the Packet Set Your Internal DB servers and App Servers that don’t need to communicate outside of your Datacenter (IP TTL = 1/2)
Investigation using NetFlow and Packets • Some of the most commonly used data elements generated by NetFlow or Network Trending data include: • Source IP Address • Destination IP Address • Source Port • Destination Port • Protocol • Timestamps for the flow start and conclusion • Amount of data transferred
Capturing all of the Packets • Analysis equipment must be able to keep up: • 1 Gbps @ 25% utilization is 1.875 GBytes / Min • 112 GBytes / HR • 10 Gbps @ 25% utilization is 10.875 GBytes/ Min • 1.12 TBytes / HR • 40 Gbps @ 25% utilization is 43.5 GBytes / Min • 4.5 TBytes/ HR • 100 Gbps @ 25% utilization is 108.75 GBytes / Min • 11. 2 TBytes / HR • Data Center will require stream to disk hardware capable of 10G to 40G link speeds and higher • Potential to use Packet Broker to gain total network visibility
Ability to go “Back in Time” • Assemble the complete picture of the attack / compromise • Ability to see the evolution of the compromise • Facility to pinpoint the time of the attack / compromise • Determine what other systems were affected
The Unfamiliar • We can be sure an attack is eminent – our firewall logs tell us they are probing, waiting to find the chink in our armor • We must be familiar with flows and patterns • Determine what is different or unknown • Different Pattern? File transfers outbound? • RAR files transferred outbound?
Attack Recognition • Have we Baselined the network? • What is normal? • Protocols: • Connection Oriented • Connectionless • Applications • Remote Locations • After the compromise • What was the scope?
Baseline • Need to know what is normal • Deviations could indicate a compromise • Needs to be updated as traffic and applications change
Normal or Abnormal? • FTP is allowed through Firewall – Did they get in? • What do the packets show – FTP service is down
Filter out Normal • Once you have defined and validated “Normal” – start filtering out the normal protocols / applications / subnets / domains • Easier to filter out the hay stack and find a needle among the needles • Easily identify your normal established connections • Filter for SYN + ACK – See what Servers and Applications are accepting connections • VALIDATE no WORKSTATIONS
Forensic Analysis Observe the use of the Exploit on your internal network • Both WannaCry and Petya used recently released EternalBlue exploit to propagate • Snort rules to detect EternalBlue were available as of May 3, 2017 (a week before the initial WannaCry attack and a month before Petya) • Once a new zero-day exploit is unveiled, it is faster to write a snort rule to detect it on the network than to add variant to endpoint malware detection software
GigaStor / Uila and SNORT • Create different profiles for different SNORT rules
Perimeter Defenses • Port Scan your perimeter – know what ports are open • Perform a penetration test / vulnerability scan • Find your weaknesses / vulnerabilities before they do • Look for abnormal outbound data transfers • Develop your plan – refine, refine, refine
Validate your Firewall rules • Don’t presume that your Firewall(s) are doing their job(s) • Review your firewall rules • Make sure a business case exists for each rule • Capture both sides of Firewall to validate your UDP rules
Scope of Attack / Penetration • Range of the Attack / Penetration vectors • Internal or External? • Foreign entity or Competing Company? • Recall Major League Baseball? • 1/30/2017 - Cardinals hacked the Astros • Email and Scouting Database • Inside their system from 2012 - 2014 • Fined $2M plus other penalties
Reporting / Validating Clearly document the attack / compromise • What was compromised • Servers • Hosts • Network Hardware • Credentials (UID / Password) • What methods were used to exfiltrate the data? • Save all logs and capture files • Can we put countermeasures in place to keep this type of compromise from happening again? • Notify management
What can you do? • Configuration Management (CSC-9) • Patch as soon as practical • Follow-up on vulnerability scanning • Documenting all exceptions • Communicate • No tolerance for allowing unauthorized computers on the network • Application review and Peer reviews
Conclusion • Identify security threats through packet analysis • Ensure you have all of the packets (GigaStor) • If you can’t see all of the paths, how do you know you have all of the information • Use of a packet broker and TAP’s can help with 24x7 total network visibility