Transcript of Packets Don't Lie: What's Really Happening on Your Network?
Packets Don't Lie: What's Really Happening on Your Network?
Sponsored by LogRhythm
© 2017 The SANS™ Institute – www.sans.org
Today’s Speakers
Dave Shackleford, SANS Analyst and Instructor
Rob McGovern, LogRhythm Senior Technical Product Manager
Introduction
• When it comes to detection and response, defenders require full visibility into what's traversing their network.
• We reviewed LogRhythm's Network Monitor Freemium, and focused on:
• Usability
• Accurate traffic identification and profiling
• Detection of patterns and drilling into sources
• Sensitive data identification and data loss prevention
• Network forensics
• Full packet capture and file reconstruction
Starting Out: The Test Environment
• A convenient and simple web interface
• Updates every 30 seconds
• Shows the last 15 minutes of activity (by default)
Drilling into traffic
• We easily drilled into traffic in the main dashboard:
Performing Simple Queries
• Query entered: DestIP: [10.0.0.0 to 10.3.255.255]
Traffic Identification & Profiling
Full Packet Capture
• Capturing and downloading PCAP files can help with network forensics.
• File reconstruction can also be very useful.
Use Case 1: Bandwidth Use
• Looking for Pandora
Use Case 1: Bandwidth Use
• Top bandwidth consumers:
Use Case 1: Bandwidth Use
• Lots of YouTube:
Use Case 1: Bandwidth Use
• Deep Packet Analysis (DPA) Rules:
Use Case 1: Bandwidth Use
• PCAP replay was handy for testing rules in our test cycle.
• We loaded some YouTube traffic that was available for replay and launched it through NetMon.
• This traffic then immediately triggered in the Alarms dashboard with alerts from the “youtube outgoing” rule.
Use Case 2: Network Malware Indicators
• Our second case involved looking for port and protocol misuse as indicators of malware traffic and command and control (C2) activity.
• We started with the Destination Ports dashboard.
• In our review environment, we saw a majority of traffic by session count appeared to be DNS, quite a bit of HTTP and HTTPS, and a fair amount of Kerberos traffic.
Use Case 2: Network Malware Indicators
• The Destination Ports dashboard:
Use Case 2: Network Malware Indicators
• We filtered on port 53:
Use Case 2: Network Malware Indicators
• Kerberos? Who’s talking?
Use Case 2: Network Malware Indicators
• Unusual Traffic Spikes:
Use Case 2: Network Malware Indicators
• Port and Protocol Mismatches:
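As an added illustration (not part of the SANS webcast or of LogRhythm NetMon), the detection logic behind the steps of this use case, run over constructed flow records in Python: the DestIP range query from the earlier slide, the per-port session count behind the Destination Ports dashboard, and a port/protocol mismatch check. The record fields and the port-to-application mapping are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the webcast). Each record mimics
# what a network monitor exports per session: endpoints, destination port and
# the application its deep packet inspection identified.
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.1.2.3",     "dport": 53,   "app": "dns"},
    {"src": "10.0.1.7", "dst": "203.0.113.9",  "dport": 53,   "app": "dns"},
    {"src": "10.0.1.9", "dst": "203.0.113.40", "dport": 53,   "app": "http"},
    {"src": "10.0.2.4", "dst": "10.2.0.8",     "dport": 88,   "app": "kerberos"},
    {"src": "10.0.2.4", "dst": "198.51.100.2", "dport": 443,  "app": "tls"},
    {"src": "10.0.3.1", "dst": "198.51.100.7", "dport": 443,  "app": "unknown"},
    {"src": "10.0.3.1", "dst": "198.51.100.7", "dport": 8080, "app": "tls"},
]

# Assumed mapping of well-known destination ports to the application a DPI
# engine should see there; the reverse map gives each app's home port.
EXPECTED_APP = {53: "dns", 80: "http", 443: "tls", 88: "kerberos"}
EXPECTED_PORT = {app: port for port, app in EXPECTED_APP.items()}

def filter_dest_range(flows, first, last):
    """Equivalent of the dashboard query DestIP: [first to last]."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [f for f in flows if lo <= ipaddress.ip_address(f["dst"]) <= hi]

def sessions_by_port(flows):
    """Session count per destination port, as on the Destination Ports dashboard."""
    return Counter(f["dport"] for f in flows)

def port_protocol_mismatches(flows):
    """Return (flow, reason) pairs where the DPI-identified application and the
    destination port disagree: an unexpected app on a well-known port, or a
    well-known app on a port it does not belong on (the webcast's C2 indicator)."""
    findings = []
    for f in flows:
        port, app = f["dport"], f["app"]
        if port in EXPECTED_APP and app != EXPECTED_APP[port]:
            findings.append((f, f"{app} on port {port}, expected {EXPECTED_APP[port]}"))
        elif app in EXPECTED_PORT and port != EXPECTED_PORT[app]:
            findings.append((f, f"{app} on non-standard port {port}"))
    return findings

if __name__ == "__main__":
    print("sessions by port:", sessions_by_port(FLOWS).most_common(3))
    for flow, reason in port_protocol_mismatches(FLOWS):
        print(f'{flow["src"]} -> {flow["dst"]}: {reason}')
```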
Use Case 3: Sensitive Data Identification
• NetMon Freemium includes numerous DPA rules for sensitive data identification.
• The first rule we looked at was monitoring for payment card data.
Use Case 3: Sensitive Data Identification
• Payment Card Data Alarm Details:
Conclusion
• To prevent network attacks and to minimize exposure time, security professionals need:
• Tools that are easier to use
• More visibility into network traffic
• Faster insight into network traffic
• LogRhythm NetMon Freemium lives up to that promise, and security operations teams should be able to hit the ground running with this solution.
Network Monitor Freemium
Real-Time Network Visibility
Network Monitor in Action
www.logrhythm.com/freemium
For how-to videos, guides, and forums visit our Network Monitor Community:
networkmonitor.logrhythm.com
Q & A
Please use GoToWebinar's Questions tool to submit questions to our panel.
Send to "Organizers" and tell us if it's for a specific panelist.
Acknowledgements
Thanks to our sponsor:
To our special guest:
Rob McGovern
And to our attendees: thank you for joining us today.