Network Security FOR FREE - Data Connectors
Slide - 1
Network Security – FOR FREE
Slide - 2
Security Companies A – Z, etc.
• A10 Networks, Akamai, AlienVault, Appriver, At-Bay, Avecto, Axiomatics
• BeyondTrust, BluVector
• Carbon Black, Centrify, CGS, Check Point, CheckMarx, CloudBees, Comodo, Corero Network Security, Cyxtera
• Darktrace, DeepInstinct, DomainTools, Dyadic
• eSentire, Experian
• F-Secure, FireEye, Forcepoint, ForeScout, Forrester, Fortinet, Fujitsu
• Gigamon, GigaTrust, GlobalSign
• Herjavec Group
• IBM Resilient, iboss, Illumio, Imperva, Informatica
• Kaspersky Lab, KnowBe4, KPMG
• Lawfare, LogRhythm
• Malwarebytes, McAfee, MediaMath, Mimecast, MobileIron
• NordVPN, Nozomi Networks, NSS Labs, NTT Security, Nuvias Group
• ObserveIT
• Palo Alto Networks, Panda, Portnox, Proofpoint
• Qubic
• Radial, Radware, Rapid7, RiskIQ
• SAP, Secureworks, Semafone, SentinelOne, Sonatype, Sophos, Splunk, Symantec
• Thales, Trend Micro, Tripwire
• Varonis, Veridium, Voxpro
• WatchGuard, Webroot
• ZeroFOX, ZScaler
Slide - 3
Assessment and Fundamentals
• All types of bad actors are trying to break into your network today
• Start monitoring your network TODAY
• Understand how to track them using an Analyzer looking for Indicators of Compromise
• 24 hour period:

| Country | Attempts |
| --- | --- |
| United States | 241 |
| Canada | 115 |
| Taiwan | 87 |
| China | 70 |
Slide - 4
The Importance of Packets
• The Boy Scout Motto - BE PREPARED
• Gain total network visibility by capturing all of the packets 24 x 7 and using NetFlow data
• Know the “normal” path of your packets
• Gather the Log files from Firewalls, Servers, IDS, DLP, Antivirus, etc.
Slide - 5
Why are Attacks a Concern?
• Cost of Attacks
  • Resource time (Investigations, Monitoring, Mitigate)
  • Security Controls
  • HIPAA / SCADA / Other Regulatory Fines
• Data Breach
  • $100 to $500 per record
  • 1000 records = $1M to $5M
• Business, Health, Finance, Government, Education
Slide - 6
Prevent
• Endpoint protection is not adequate any longer
  • WannaCry / Petya
• Windows desktops represent the weakest link in the chain
• Software as a Service means no endpoint visibility
• Most defense enhancements come first on the NETWORK – speed and scalability
Slide - 7
The Path of the Packet is Important
• Monitor both inside and outside of the Internet Firewall
• Monitor any other inbound link, VPN, Branch office, dedicated link other than Internet
• Key locations need to be monitored for attacks
• Monitor for both outside and inside threats
Slide - 8
Identify the Indicators
Ways to Identify these Attacks on my network
1) Observing the initial download at the perimeter
2) Observing the use of the Exploit on my internal network
3) Observing the movement of the malware on my local network
Slide - 9
Security Onion
Slide - 10
What are your Indicators?
• All indicators have value, some greater than others
• You see a mail server has initiated an outbound FTP session to a host in Russia - an indicator.
• You see a spike in the amount of Internet Control Message Protocol (ICMP) traffic at 2 A.M. - an indicator.
• You see a Host sending RAR files to a host in San Diego – an indicator.
• You see SMBv1 traffic on your network – an indicator.
• Which are your biggest concerns?
• Prioritize the indicator value
Slide - 11
Trojan / Worm Indicators
• Number of SYNs Sent / Number of SYN+ACKs received
  • Generally should be 1:1
  • Trojans and worms always send large amounts of TCP SYN packets to establish connections with other hosts on the LOCAL subnet.
• Look at Top Talkers by Packets
  • Trojans and worms usually send out a large number of SMALL packets.
• Filter for DNS – Export to CSV – Comma delimited with packet summary
  • Analyze using keywords
  • Compare to Top 1 million (Alexa or Cisco Umbrella)
• Use a specific filter – POP3, Readme.exe and PSEXEC.EXE
Slide - 12
Filter for SYN + ACK
• Filter for SYN + ACK – See what Servers and Applications are accepting connections
• Should they? / Any surprises? / Workstations?
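The SYN-to-SYN+ACK ratio, the top-talkers-by-small-packets check and the SYN+ACK listener inventory from slides 11 and 12, worked over an exported packet summary. This is an added example, not code from the deck; the packet records and the 10.1.50.0/24 workstation range are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed workstation range; servers should be the only hosts answering SYN+ACK
WORKSTATION_NETS = [ip_network("10.1.50.0/24")]

# Constructed packet summary: (src, sport, dst, dport, tcp_flags, length)
# Flags use Wireshark-style letters: "S" = SYN, "SA" = SYN+ACK, "PA" = PSH+ACK.
PACKETS = []
# worm-like host: 12 SYNs to TCP/445 across the local subnet, only 2 answered
for i in range(12):
    PACKETS.append(("10.1.50.7", 49000 + i, f"10.1.50.{10 + i}", 445, "S", 66))
PACKETS += [("10.1.50.10", 445, "10.1.50.7", 49000, "SA", 66),
            ("10.1.50.11", 445, "10.1.50.7", 49001, "SA", 66)]
# normal client: 3 SYNs to the web server, all answered, followed by data
for i in range(3):
    PACKETS.append(("10.1.50.20", 51000 + i, "10.1.10.5", 443, "S", 74))
    PACKETS.append(("10.1.10.5", 443, "10.1.50.20", 51000 + i, "SA", 74))
    PACKETS.append(("10.1.10.5", 443, "10.1.50.20", 51000 + i, "PA", 1400))


def syn_ratio_by_host(packets):
    """Return {host: (syns_sent, synacks_received)}; a healthy client is near 1:1."""
    stats = defaultdict(lambda: [0, 0])
    for src, _sp, dst, _dp, flags, _ln in packets:
        if flags == "S":
            stats[src][0] += 1
        elif flags == "SA":
            stats[dst][1] += 1      # the SYN+ACK goes back to the SYN sender
    return {host: tuple(v) for host, v in stats.items()}


def scanners(packets, min_syns=10, max_answer_ratio=0.5):
    """Hosts whose SYNs are mostly unanswered: the worm / trojan propagation pattern."""
    flagged = []
    for host, (syns, synacks) in syn_ratio_by_host(packets).items():
        if syns >= min_syns and synacks / syns <= max_answer_ratio:
            flagged.append(host)
    return sorted(flagged)


def top_talkers(packets, n=3):
    """Top senders by packet count with average packet size (many small packets = indicator)."""
    count, total = defaultdict(int), defaultdict(int)
    for src, _sp, _dst, _dp, _fl, length in packets:
        count[src] += 1
        total[src] += length
    ranked = sorted(count, key=lambda h: count[h], reverse=True)[:n]
    return [(h, count[h], round(total[h] / count[h])) for h in ranked]


def listeners(packets):
    """Hosts that answered with SYN+ACK, i.e. accept connections, with a workstation flag."""
    seen = set()
    for src, sport, _dst, _dp, flags, _ln in packets:
        if flags == "SA":
            is_ws = any(ip_address(src) in net for net in WORKSTATION_NETS)
            seen.add((src, sport, is_ws))
    return sorted(seen)
```

In the sample, 10.1.50.7 sends 12 SYNs and gets 2 answers back, and two workstations show up as SMB listeners; both are the surprises the slides tell you to look for.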
Slide - 13
Filter for SMBv1, SMBv2 and SMBv3
• Filter for SMBv1 – See what devices are vulnerable
• WannaCry / Petya
SMBv2 hex Pattern is 0x424d53fe
SMBv3 hex Pattern is 0x424d53fd
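A classifier for the SMB dialect family, keyed on the 4-byte protocol id the slide's hex patterns describe (the patterns are those bytes read as a little-endian 32-bit integer). Added example, not the deck's code; the sample payloads are constructed. One caveat a practitioner should know: unencrypted SMB 3.x messages carry the same 0xFE signature as SMB 2.x, so the 0xFD pattern only matches SMB 3.x traffic that is encrypted.

```python
import struct

# Protocol ids as they sit on the wire. Read as a little-endian 32-bit integer
# they become the deck's patterns: 0x424d53fe (SMBv2) and 0x424d53fd (SMBv3).
SIGNATURES = {
    b"\xffSMB": "SMBv1",
    b"\xfeSMB": "SMBv2/3",                       # plain SMB2 header (2.x and 3.x)
    b"\xfdSMB": "SMBv3 (encrypted transform)",    # SMB 3.x transform header
}


def as_le32(signature: bytes) -> int:
    """The deck's hex pattern form of a 4-byte signature."""
    return struct.unpack("<I", signature)[0]


def classify_smb(payload: bytes):
    """Walk the 4-byte direct-TCP/NetBIOS session framing (0x00 + 24-bit
    big-endian length) and return (dialect, length) for each SMB message."""
    found, off = [], 0
    while off + 4 <= len(payload):
        if payload[off] != 0x00:
            break                                   # not a session message
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length or len(body) < 4:
            break                                   # truncated message
        found.append((SIGNATURES.get(body[:4], "unknown"), length))
        off += 4 + length
    return found


def smbv1_speakers(records):
    """Hosts seen sending SMBv1: the devices to patch or isolate first."""
    hosts = set()
    for src, payload in records:
        if any(dialect == "SMBv1" for dialect, _ in classify_smb(payload)):
            hosts.add(src)
    return sorted(hosts)


def frame(signature: bytes, body_len: int) -> bytes:
    """Constructed session message: framing header + signature + zero padding."""
    body = signature + bytes(body_len - len(signature))
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed traffic sample: (source host, TCP/445 payload)
SAMPLE = [
    ("10.1.50.7", frame(b"\xffSMB", 32)),                           # legacy SMB1
    ("10.1.50.20", frame(b"\xfeSMB", 64) + frame(b"\xfdSMB", 52)),  # SMB2, then SMB3 encrypted
    ("10.1.50.33", b"\x00\x00\x00\x10" + b"junk"),                  # truncated, not classifiable
]
```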
Slide - 14
Filter for HTTP Credentials
• Filter for HTTP Authorization Type Basic:
• Yields Credentials
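A detector for the cleartext Basic credentials the slide's filter surfaces, written for reporting rather than harvesting: it names the request and the username and records only the length of the password. Added example, not the deck's code; the captured request stream is constructed.

```python
import base64
import binascii
import re

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
BASIC_HEADER = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                          re.IGNORECASE | re.MULTILINE)


def basic_auth_findings(stream: bytes):
    """Return (request_line, username, password_length) for every request in a
    captured client->server stream that carries cleartext Basic credentials.
    The password itself is never returned; its length is enough for the report."""
    findings = []
    for block in stream.split(b"\r\n\r\n"):
        if not REQUEST_LINE.match(block):
            continue                               # body data or a fragment, not headers
        match = BASIC_HEADER.search(block)
        if not match:
            continue                               # no Basic header (e.g. Bearer or none)
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue                               # malformed token, nothing to report
        user, _sep, password = decoded.partition(b":")
        request_line = block.split(b"\r\n", 1)[0].decode("ascii", "replace")
        findings.append((request_line, user.decode("utf-8", "replace"), len(password)))
    return findings


# Constructed client->server stream: one request with Basic credentials,
# one with a bearer token, one without any Authorization header.
SAMPLE_STREAM = b"".join([
    b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
    + base64.b64encode(b"admin:Passw0rd!") + b"\r\n\r\n",
    b"GET /api/v1/items HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Bearer not-a-basic-token\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
])
```

Every hit is a service that should be moved behind TLS or a stronger authentication scheme; the username tells you whose credential to rotate.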
Slide - 15
The Path of the Packet is Important
• Explore and understand both Ingress and Egress traffic flows and patterns
• Don’t assume
• Validate
• TAP / Packet Broker
• There could be several paths into the Data Center depending on Trusted User, Untrusted User or Customer
Slide - 16
Limit the outbound Path of the Packet
Set your internal DB servers and App servers that don’t need to communicate outside of your Datacenter to a low IP TTL (TTL = 1 or 2), so their packets are dropped at the first router hop or two and cannot reach the outside.
Slide - 17
Investigation using NetFlow and Packets
• Some of the most commonly used data elements generated by NetFlow or Network Trending data include:
• Source IP Address
• Destination IP Address
• Source Port
• Destination Port
• Protocol
• Timestamps for the flow start and conclusion
• Amount of data transferred
Slide - 18
Log Files

| Country | Attempts |
| --- | --- |
| United States | 151+90 = 241 |
| Canada | 115 |
| Taiwan | 87 |
| China | 70 |
Slide - 19
Capturing all of the Packets
• Analysis equipment must be able to keep up:
  • 1 Gbps @ 25% utilization is 1.875 GBytes / Min ➢ 112 GBytes / HR
  • 10 Gbps @ 25% utilization is 10.875 GBytes / Min ➢ 1.12 TBytes / HR
  • 40 Gbps @ 25% utilization is 43.5 GBytes / Min ➢ 4.5 TBytes / HR
  • 100 Gbps @ 25% utilization is 108.75 GBytes / Min ➢ 11.2 TBytes / HR
• Data Center will require stream to disk hardware capable of 10G to 40G link speeds and higher
• Potential to use Packet Broker to gain total network visibility
Slide - 20
Ability to go “Back in Time”
• Assemble the complete picture of the attack / compromise
• Ability to see the evolution of the compromise
• Facility to pinpoint the time of the attack / compromise
• Determine what other systems were affected
Slide - 21
The Unfamiliar
• We can be sure an attack is imminent – our firewall logs tell us they are probing, waiting to find the chink in our armor
• We must be familiar with flows and patterns
• Determine what is different or unknown
• Different Pattern? File transfers outbound?
• RAR files transferred outbound?
Slide - 22
Attack Recognition
• Have we Baselined the network?
• What is normal?
  • Protocols:
    • Connection Oriented
    • Connectionless
  • Applications
  • Remote Locations
• After the compromise
  • What was the scope?
Slide - 23
Baseline
• Need to know what is normal
• Deviations could indicate a compromise
• Needs to be updated as traffic and applications change
Slide - 24
Normal or Abnormal?
• FTP is allowed through Firewall – Did they get in?
• What do the packets show – FTP service is down
Slide - 25
Filter out Normal
• Once you have defined and validated “Normal” – start filtering out the normal protocols / applications / subnets / domains
• Easier to filter out the hay stack and find a needle among the needles
• Easily identify your normal established connections
• Filter for SYN + ACK – See what Servers and Applications are accepting connections
• VALIDATE no WORKSTATIONS
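The "filter out normal" step from this slide applied to NetFlow-style records carrying the fields listed on slide 17, with the residue ranked so that large outbound transfers (slides 21 and 28) come out on top. Added example, not the deck's code; the baseline tuples, the 10.0.0.0/8 internal range and the flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed internal address range

# Validated-normal (proto, dst port, destination network) tuples from the baseline review
BASELINE = {
    ("tcp", 443, ip_network("0.0.0.0/0")),     # web browsing anywhere
    ("udp", 53, ip_network("10.1.1.0/24")),    # internal resolvers
    ("tcp", 25, ip_network("10.1.10.0/24")),   # mail to the internal relay
}

# Constructed flow records with the deck's fields:
# (src, dst, sport, dport, proto, start, end, bytes)
FLOWS = [
    ("10.1.50.20", "203.0.113.10", 51000, 443, "tcp", 1000, 1005, 250_000),
    ("10.1.50.20", "10.1.1.53", 52000, 53, "udp", 1001, 1001, 300),
    ("10.1.10.7", "10.1.10.25", 40000, 25, "tcp", 1002, 1003, 12_000),
    ("10.1.50.7", "198.51.100.9", 47000, 21, "tcp", 1010, 1400, 850_000_000),
    ("10.1.50.7", "10.1.50.33", 47001, 445, "tcp", 1011, 1011, 4_000),
]


def is_baseline(flow):
    """True when the flow matches a validated-normal tuple."""
    _src, dst, _sport, dport, proto, _start, _end, _nbytes = flow
    return any(proto == p and dport == port and ip_address(dst) in net
               for p, port, net in BASELINE)


def residue(flows):
    """Flows that survive the baseline filter: what is left to look at."""
    return [f for f in flows if not is_baseline(f)]


def outbound_transfers(flows, min_bytes=100_000_000):
    """Internal -> external flows in the residue moving at least min_bytes, largest first."""
    hits = [f for f in residue(flows)
            if ip_address(f[0]) in INTERNAL
            and ip_address(f[1]) not in INTERNAL
            and f[7] >= min_bytes]
    return sorted(hits, key=lambda f: f[7], reverse=True)


def bytes_per_destination(flows):
    """Summarise the residue as {(dst, dport, proto): total bytes} for quick triage."""
    totals = {}
    for _src, dst, _sp, dport, proto, _s, _e, nbytes in residue(flows):
        key = (dst, dport, proto)
        totals[key] = totals.get(key, 0) + nbytes
    return totals
```

In the sample the baseline removes the web, DNS and mail flows, leaving an 850 MB FTP session to an external host and an SMB connection between two workstations, exactly the two kinds of leftover the deck says to chase.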
Slide - 26
Forensic Analysis
Observe the use of the Exploit on your internal network
• Both WannaCry and Petya used the recently released EternalBlue exploit to propagate
• Snort rules to detect EternalBlue were available as of May 3, 2017 (a week before the initial WannaCry attack and a month before Petya)
• Once a new zero-day exploit is unveiled, it is faster to write a Snort rule to detect it on the network than to add a variant to endpoint malware detection software
Slide - 27
GigaStor / Uila and SNORT
• Create different profiles for different SNORT rules
Slide - 28
Perimeter Defenses
• Port Scan your perimeter – know what ports are open
• Perform a penetration test / vulnerability scan
• Find your weaknesses / vulnerabilities before they do
• Look for abnormal outbound data transfers
• Develop your plan – refine, refine, refine
Slide - 29
Validate your Firewall rules
• Don’t presume that your Firewall(s) are doing their job(s)
• Review your firewall rules
• Make sure a business case exists for each rule
• Capture both sides of Firewall to validate your UDP rules
Slide - 30
Scope of Attack / Penetration
• Range of the Attack / Penetration vectors
• Internal or External?
• Foreign entity or Competing Company?
• Recall Major League Baseball?
• 1/30/2017 - Cardinals hacked the Astros
• Email and Scouting Database
• Inside their system from 2012 - 2014
• Fined $2M plus other penalties
Slide - 31
Reporting / Validating
Clearly document the attack / compromise
• What was compromised
  • Servers
  • Hosts
  • Network Hardware
  • Credentials (UID / Password)
• What methods were used to exfiltrate the data?
• Save all logs and capture files
• Can we put countermeasures in place to keep this type of compromise from happening again?
• Notify management
Slide - 32
What can you do?
• Configuration Management (CSC-9)
• Patch as soon as practical
• Follow-up on vulnerability scanning
• Documenting all exceptions
• Communicate
• No tolerance for allowing unauthorized computers on the network
• Application review and Peer reviews
Slide - 33
Conclusion
• Identify security threats through packet analysis
• Ensure you have all of the packets (GigaStor)
• If you can’t see all of the paths, how do you know you have all of the information?
• Use of a packet broker and TAPs can help with 24x7 total network visibility