You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
www.wildpackets.com © WildPackets, Inc.
You Suspect a Security Breach: Network Forensic Analysis Gives You the Answers
December 2014
Keatron Evans
Senior Security Researcher
Principal of Blink Digital Security
Administration
• All callers are on mute
  ‒ If you have problems, please let us know via the Chat window
• There will be Q&A
  ‒ Feel free to type a question at any time
• Slides and recording will be available
  ‒ Notification within 48 hours via a follow-up email
Agenda
• The Bad Guys Are Winning
• Security Attack Analysis with Network Forensics
The Bad Guys Are Winning
“The Bad Guys Are Winning”*
• Cyber espionage up 3X
• Insiders stealing intellectual property
• Average time in 2012 to discover and resolve a data breach: 123 days
• 86% of security professionals consider incident detection time too slow
* Wade Baker, principal author of the 2014 Verizon Data Breach Investigations Report
Challenges
• IDS/IPS and other tools raise alerts
• But security teams need details
  ‒ Who, what, where, when
  ‒ Answers require network visibility
• Network visibility declining overall
  ‒ Last-generation network analysis tools can’t keep up with 10G, 40G, and 100G networks
  ‒ Market trend for high-level stats such as NetFlow and traffic sampling leaves security analysts with generalities, not specifics
WildPackets Attack Analysis
• Benefits
  ‒ Give security teams evidence and insight
    • A comprehensive record of network activity
    • Powerful search and filtering tools for zeroing in on anomalies and attack details
  ‒ Enable security teams to act quickly
    • Find proof of attacks
    • Characterize attacks and stop them
  ‒ Who, what, where, when
• Solution: Packet Capture + Network Forensics
  ‒ Record, store, and analyze traffic
  ‒ Uncover and understand attacks so they can be stopped
  ‒ Tools include deep packet inspection, searches, filters, graphs, etc.
Full visibility into everything going in and out of your network
Network Forensics in Action
Most Common Breaches
• User action, e.g. visiting a malicious website
• Downloading malicious files
• Web application attacks (SQL injection, CSRF, etc.)
Network Forensics
• Find needles in haystacks by removing all the hay.
• Once the needles are found, put “some” hay back to gain context (what, when, where, how).
• Put together the pieces.
• Operating systems and host-based forensics tools can be made to lie (anti-forensics techniques, rootkits).
• Packets always tell the truth.
Timeline of Events
• Something has happened!
  ‒ FireEye
  ‒ BlueCoat
  ‒ Cisco IDS/IPS
• What has happened and where’s the evidence?
  ‒ Omnipeek and OmniPliances
  ‒ Custom scripts
• Let’s examine the evidence in detail and keep this from happening again.
  ‒ IDA Pro
  ‒ Malware reverse engineering
  ‒ File and data analysis
What I’ll demonstrate
• Rootkit being used for covert exfiltration
• Web Server being taken over by SQL Injection
• Then forensics on both using just packet data (pcaps) and Omnipeek.
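As an added example (not from the deck and not WildPackets or Omnipeek code), this applies the “remove the hay, then put some back for context” workflow from the Network Forensics slide to the SQL-injection scenario in the demo list. The HTTP request records are constructed inline to stand in for requests decoded from a pcap; the known-good host list and the injection-marker pattern are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class HttpRequest:
    ts: datetime   # time the request was seen on the wire
    src: str       # client IP
    host: str      # Host header
    uri: str       # request URI

# Constructed sample records standing in for HTTP requests decoded from a capture.
T0 = datetime(2014, 12, 1, 9, 0, 0)
SAMPLE = [
    HttpRequest(T0, "10.1.1.5", "intranet.example", "/news"),
    HttpRequest(T0 + timedelta(seconds=20), "10.1.1.7", "shop.example", "/item?id=42"),
    HttpRequest(T0 + timedelta(seconds=45), "10.1.1.7", "shop.example", "/item?id=42'"),
    HttpRequest(T0 + timedelta(seconds=60), "10.1.1.7", "shop.example", "/item?id=42' OR 1=1--"),
    HttpRequest(T0 + timedelta(seconds=90), "10.1.1.7", "shop.example", "/item?id=42' UNION SELECT user,pass FROM users--"),
    HttpRequest(T0 + timedelta(seconds=95), "10.1.1.5", "intranet.example", "/calendar"),
    HttpRequest(T0 + timedelta(minutes=10), "10.1.1.7", "shop.example", "/admin"),
]

# Assumed allowlist of hosts whose traffic is treated as "hay" for this investigation.
KNOWN_GOOD_HOSTS = {"intranet.example"}

# Assumed marker: a quote (raw or URL-encoded) followed by an SQL keyword or comment.
SQLI = re.compile(r"('|%27)\s*(or\b|union\b|select\b|--)", re.IGNORECASE)

def remove_hay(reqs):
    """Step 1: drop traffic to known-good hosts; keep only what could carry an attack."""
    return [r for r in reqs if r.host not in KNOWN_GOOD_HOSTS]

def find_needles(reqs):
    """Step 2: keep requests whose URI carries an injection marker."""
    return [r for r in reqs if SQLI.search(r.uri)]

def add_context(reqs, needles, window=timedelta(minutes=2)):
    """Step 3: put some hay back: everything the same client sent near each needle."""
    return [r for r in reqs
            if any(r.src == n.src and abs(r.ts - n.ts) <= window for n in needles)]

def investigate(reqs=SAMPLE):
    """Run the three steps; returns (needles, context) for the timeline of events."""
    needles = find_needles(remove_hay(reqs))
    return needles, add_context(reqs, needles)
```

On the sample, the two marker-bearing requests are the needles, and the context pulls back the client's earlier probing of the same parameter (the plain and single-quote requests) while leaving the unrelated intranet traffic and the much later /admin request out.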
Summary
• We need to stop the “Bad Guys” from winning.
  ‒ Improve capability to investigate attacks.
• Attack Analysis = Packet Capture + Network Forensics
  ‒ Provides comprehensive evidence of all attack activity within a set period.
  ‒ Provides an irrefutable record of user, network, and application activity, including transactions.
  ‒ Enables security teams to characterize and trace attacks.
• WildPackets Omnipliances offer unmatched performance and precision for attack analysis.
  ‒ Complements existing security toolset with performance network recording, storage, and analysis.
Q&A
Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200