Network Forensics Backwards and Forwards


Transcript of Network Forensics Backwards and Forwards

Page 1: Network Forensics Backwards and Forwards

www.wildpackets.com © WildPackets, Inc.

Forensics Backwards and Forwards with Omnipeek

March 2015

Keatron Evans

Security Researcher

[email protected]

@infoseckeatron

Page 2: Network Forensics Backwards and Forwards


Agenda

• The Bad Guys Are Winning

• Security Attack Analysis with Network Forensics

Page 3: Network Forensics Backwards and Forwards


How are we doing?

• Ok, but not great…

• Bad guys are getting more advanced and organized.

• We keep doing the same things.

• We’re defending against last year’s attacks.

• They’ve moved on to newer and better.

Page 4: Network Forensics Backwards and Forwards


The good!

• FireEye, BlueCoat, and other advanced threat detection/prevention technology

• Great for telling us something is wrong

• Time gap from breach to notification is improving… slowly.

Page 5: Network Forensics Backwards and Forwards


The Bad!

• Most security teams are missing key skills and threat/attack knowledge.

• They are often limited to whatever the expensive boxes can automate.

Page 6: Network Forensics Backwards and Forwards


The bad!

• Not only are they losing…

• They’re not even in the game.

‒ Many security personnel have become spectators, watching the threat actors and their appliances do battle.

Page 7: Network Forensics Backwards and Forwards


Network Forensics

• Find needles in haystacks! Big haystacks…

• Once the needles are found, put “some” hay back to gain context (what, when, where, how).

• Put together the pieces.

• Operating systems and host-based forensics tools can be made to lie (anti-forensics techniques/rootkits).

• Packets always tell the truth.

Page 8: Network Forensics Backwards and Forwards


Timeline of Events

• Something has happened!

‒ FireEye

‒ BlueCoat

‒ Cisco IDS/IPS

• What has happened and where’s the evidence?

‒ Omnipeek and OmniPliances

‒ Custom Scripts

• Let’s examine the evidence in detail and keep this from happening again.

‒ IDA Pro

‒ Malware Reverse Engineering

‒ File and Data Analysis

Page 9: Network Forensics Backwards and Forwards


What I’ll demonstrate

• Client Side Web Browser exploit

• Covert Channel Attack

• Then forensics on both using just packet data (pcaps) and Omnipeek.

Page 10: Network Forensics Backwards and Forwards


Summary

• We need to stop the “Bad Guys” from winning.

‒ Analysts and security professionals need to get back in the game!

‒ Omnipeek is a great bridge between the big-data hardware/appliances and malware/attack tool reversing.