You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers


Transcript of You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers

Page 1: You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers

www.wildpackets.com © WildPackets, Inc.

You Suspect a Security Breach

Network Forensic Analysis Gives

You the Answers

December 2014

Keatron Evans

Senior Security Researcher

Principal of Blink Digital Security

Page 2

Administration

• All callers are on mute
‒ If you have problems, please let us know via the Chat window

• There will be Q&A
‒ Feel free to type a question at any time

• Slides and recording will be available
‒ Notification within 48 hours via a follow-up email

Page 3

Agenda

• The Bad Guys Are Winning

• Security Attack Analysis with Network Forensics

Page 4

The Bad Guys Are Winning

Page 5

“The Bad Guys Are Winning”*

• Cyber espionage up 3X

• Insiders stealing intellectual property

• Average time in 2012 to discover and resolve a data breach: 123 days

• 86% of security professionals consider incident detection time too slow

* Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report

Page 6

Challenges

• IDS/IPS and other tools raise alerts

• But security teams need details
‒ Who, what, where, when
‒ Answers require network visibility

• Network visibility declining overall
‒ Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
‒ The market trend toward high-level statistics such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics

Page 7

WildPackets Attack Analysis

• Benefits
‒ Give security teams evidence and insight
  • A comprehensive record of network activity
  • Powerful search and filtering tools for zeroing in on anomalies and attack details
‒ Enable security teams to act quickly
  • Find proof of attacks
  • Characterize attacks and stop them
‒ Who, what, where, when

• Solution: Packet Capture + Network Forensics
‒ Record, store, and analyze traffic
‒ Uncover and understand attacks so they can be stopped
‒ Tools include deep packet inspection, searches, filters, graphs, etc.

Full visibility into everything going in and out of your network

Page 8

Network Forensics in Action

Page 9

Most Common Breaches

• User action, e.g. visiting a malicious website

• Downloading malicious files

• Web application attacks (SQL injection, CSRF, etc.)

Page 10

Network Forensics

• Find needles in haystacks by removing all the hay.

• Once the needles are found, put “some” hay back to gain context (what, when, where, how).

• Put together the pieces.

• Operating systems and host-based forensics tools can be made to lie (anti-forensics techniques, rootkits).

• Packets always tell the truth.
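The filter-then-add-context workflow on this slide, as an added example that is not WildPackets' or the speaker's code: a small pure-Python pcap reader runs over a constructed capture, drops every flow to a whitelisted internal service (the hay), leaves the one outlier session as the needle, and then pulls back what the same host did within a time window around it (some hay put back for context). The addresses, ports and the KNOWN_GOOD baseline are assumptions.

```python
import struct

def _tcp_frame(src, dst, sport, dport, payload=b""):
    # Ethernet/IPv4/TCP frame with dummy MACs and zero checksums (constructed data)
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(records):
    """records: (unix_ts, frame) pairs -> little-endian pcap image (magic 0xA1B2C3D4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed traffic (assumed addresses): intranet browsing plus one outbound session on an odd port."""
    ws, web, ext = "10.0.0.20", "10.0.0.5", "203.0.113.9"
    return build_pcap([
        (1001, _tcp_frame(ws, web, 51001, 80, b"GET / HTTP/1.1\r\n")),
        (1002, _tcp_frame(ws, web, 51002, 443)),
        (1030, _tcp_frame(ws, ext, 51003, 4444, b"\x00\x01" * 8)),
        (2000, _tcp_frame(ws, web, 51004, 80, b"GET /a HTTP/1.1\r\n")),
    ])

def parse_pcap(data):
    """Return (ts, src, dst, dport, payload) for every IPv4/TCP record in a pcap image."""
    off, pkts = 24, []
    while off < len(data):
        ts, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        f = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 6:   # IPv4 carrying TCP only
            continue
        tcp = 14 + (f[14] & 0x0F) * 4                # TCP header starts after IHL
        dport = struct.unpack_from("!H", f, tcp + 2)[0]
        doff = (f[tcp + 12] >> 4) * 4               # TCP data offset
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        pkts.append((ts, src, dst, dport, f[tcp + doff:]))
    return pkts
# "Remove the hay": flows to known-good internal services are baseline, not evidence.
KNOWN_GOOD = {("10.0.0.5", 80), ("10.0.0.5", 443)}

def find_needles(pkts):
    return [p for p in pkts if (p[2], p[3]) not in KNOWN_GOOD]
def add_context(pkts, needle, window=60):
    """Put some hay back: what the same source host did within `window` seconds."""
    return [p for p in pkts if p[1] == needle[1] and abs(p[0] - needle[0]) <= window]
```

On the constructed capture the only needle is the session to 203.0.113.9:4444, and the context window around it recovers the two intranet requests made seconds earlier while excluding the unrelated request at t=2000.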

Page 11

Timeline of Events

• Something has happened!
‒ FireEye
‒ BlueCoat
‒ Cisco IDS/IPS

• What has happened and where’s the evidence?
‒ Omnipeek and OmniPliances
‒ Custom scripts

• Let’s examine the evidence in detail and keep this from happening again.
‒ IDA Pro
‒ Malware reverse engineering
‒ File and data analysis

Page 12

What I’ll demonstrate

• Rootkit being used for covert exfiltration

• Web server being taken over by SQL injection

• Then forensics on both using just packet data (pcaps) and Omnipeek

Page 13

Summary

• We need to stop the “Bad Guys” from winning.
‒ Improve capability to investigate attacks.

• Attack Analysis = Packet Capture + Network Forensics
‒ Provides comprehensive evidence of all attack activity within a set period.
‒ Provides an irrefutable record of user, network, and application activity, including transactions.
‒ Enables security teams to characterize and trace attacks.

• WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
‒ Complements existing security toolset with performance network recording, storage, and analysis.

Page 14

Q&A

Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200