Packets Don’t Lie: What’s Really Happening on Your€¦ · traffic and command and control (C2)...

Packets Don’t Lie:What’s Really Happening on Your

Network?

Sponsored by LogRhythm

© 2017 The SANS™ Institute – www.sans.org


Today’s Speakers

Dave ShacklefordSANS Analyst and Instructor

Rob McGovernLogRhythm Senior Technical Product Manager


Introduction

• When it comes to detection and response, defenders require full visibility into what's traversing their network.

• We reviewed LogRhythm's Network Monitor Freemium, and focused on:• Usability

• Accurate traffic identification and profiling

• Detection of patterns and drilling into sources

• Sensitive data identification and data loss prevention

• Network forensics

• Full packet capture and file reconstruction


Starting Out: The Test Environment

• A convenient and simple web interface• Updates every 30 seconds

• Shows the last 15 minutes of activity (by default)


Drilling into traffic

• We easily drilled into traffic in the main dashboard:


Performing Simple Queries

• Query entered: DestIP: [10.0.0.0 to 10.3.255.255]


Traffic Identification & Profiling


Full Packet Capture

• Capturing and downloading PCAP files can help with network forensics.• File reconstruction can also be very useful.


Use Case 1: Bandwidth Use

• Looking for Pandora



• Top bandwidth consumers:



• Lots of YouTube:



• Deep Packet Analysis (DPA) Rules:



• PCAP replay was handy for testing rules in our test cycle.

• We loaded some YouTube traffic that was available for replay and launched it through NetMon.

• This traffic then immediately triggered in the Alarms dashboard with alerts from the “youtube outgoing” rule.


Use Case 2: Network Malware Indicators

• Our second case involved looking for port and protocol misuse as indicators of malware traffic and command and control (C2) activity.

• We started with the Destination Ports dashboard.

• In our review environment, we saw a majority of traffic by session count appeared to be DNS, quite a bit of HTTP and HTTPS, and a fair amount of Kerberos traffic.



• The Destination Ports dashboard:



• We filtered on port 53:



• Kerberos? Who’s talking?



• Unusual Traffic Spikes:



• Port and Protocol Mismatches:


Use Case 3: Sensitive Data Identification

• NetMon Freemium includes numerous DPA rules for sensitive data identification.

• The first rule we looked at was monitoring for payment card data.


Use Case 3: Sensitive Data Identification

• Payment Card Data Alarm Details:


Conclusion

• To prevent network attacks and to minimize exposure time, security professionals need:• Tools that are easier to use

• More visibility into network traffic

• Faster insight into network traffic

• LogRhythm NetMon Freemium lives up to that promise, and security operations teams should be able to hit the ground running with this solution.

Network Monitor Freemium

Real-Time Network Visibility

Network Monitor in Action

www.logrhythm.com/freemium

For how-to videos, guides, and forums visit our Network Monitor Community:

networkmonitor.logrhythm.com


Q & A

Please use GoToWebinar’s

Questions tool to submit

questions to our panel.

Send to “Organizers”

and tell us if it’s for

a specific panelist.


Acknowledgements

Thanks to our sponsor:

To our special guest:

Rob McGovern

And to our attendees,

Thank you for joining us today

Packets Don’t Lie: What’s Really Happening on Your€¦ · traffic and command and control (C2)...

Documents

Transcript of Packets Don’t Lie: What’s Really Happening on Your€¦ · traffic and command and control (C2)...