© WildPackets, Inc. 2

Agenda

• The Bad Guys Are Winning

• Security Attack Analysis with Network Forensics


How are we doing?

• Ok, but not great…

• Bad guys are getting more advanced and

organized.

• We keep doing the same things.

• We’re defending against last years attacks.

• They’ve moved on to newer and better.


The good!

• FireEye, BlueCoat, and other advanced threat

detection/prevention technology

• Great for telling us something is wrong

• Time gap from breach to notification is

improving….slowly.


The Bad!

• Most security teams are missing key skills

and threat/attack knowledge.

• Are often limited to whatever the expensive

boxes can automate.


The bad!

• Not only are they losing….

• They’re not even in the game.

‒Many security personnel have become

spectators, watching the threat actors

and their appliances do battle.


Network Forensics

• Find needles in haystacks! Big haystacks…

• Once the needles are found put “some” hay back to

gain context (what, when, where, how).

• Put together the pieces.

• Operating Systems and Host based forensics tools

can be made to lie (Anti-Forensics Techniques/Rootkits)

• Packets always tell the truth

7


Timeline of Events

• Something has happened!‒ FireEye

‒ BlueCoat

‒ Cisco IDS/IPS

• What has happened and where’s the evidence?‒ Omnipeek and OmniPliances

‒ Custom Scripts

• Let’s examine the evidence in detail and keep this

from happening again.‒ IDA Pro

‒ Malware Reverse Engineering

‒ File and Data Analysis

8


What I’ll demonstrate

• Client Side Web Browser exploit

• Covert Channel Attack

• Then forensics on both using just packet data

(pcaps) and Omnipeek.

9


Summary

• We need to stop the “Bad Guys” from winning.

‒Analyst and security professionals need to get back in

the game!

‒Ominpeek is a great bridge between the big data

hardware/appliances and malware/attack tool

reversing.

Network Forensics Backwards and Forwards

Technology

Transcript of Network Forensics Backwards and Forwards