SecureSet WarGames - Logging and Packet Capture Training


Transcript of SecureSet WarGames - Logging and Packet Capture Training

Page 1: SecureSet WarGames - Logging and Packet Capture Training
Page 2

©2015 SecureSet, LLC

Active Defense

PCAP and Log Detection Techniques

Instructor: Greg Foss, December 08, 2015

Page 3

# whoami

[email protected]

@heinzarelli

Security Operations Team Lead

Sr. Security Research Engineer

OSCP, GAWN, GPEN, GCIH, CEH, Cyber APT

Page 5

Logging and Packet Capture…

Page 6

Why this content matters

You already have everything you need for security monitoring within your corporate infrastructure.

Logging and Packet Capture are the cornerstones to incident response and cyber investigations.

Detailed evidence that can help to show what exactly happened within an environment.

Valuable to Operations and Security alike

Page 7

How it fits into cybersecurity

Every single computer investigation can be aided by supporting log and packet capture data.

If you ever want to work on an incident response team or help monitor the security of an organization, you must understand logging, packet capture analysis and event correlation.

Page 8

What you should learn tonight

Introduction to Logging and Log Management

Actively Detecting Attacks Using Log Data

Introduction to Packet Capture and Net Flow

Packet Dissection and Data Exfiltration Detection

Packet Capture Challenge!

http://omg.endoftheinternet.org/

Page 9

Why I love this industry

Page 10

Breaking into computers for a living!

Page 11

It’s also fun to go hunting…


Page 13

Logging

Page 14

What are ‘Logs’…

“A record of performance, events, or day-to-day activities”

Merriam Webster, 2015

Page 15

Log Data = Log Message Meaning

Informational – Generally benign events

Debug – Software development

Warning – Dependencies may be absent

Error – Indication that something is not right

Alert – Often security related. Highlight interesting info

Logging and Log Management, 2012

Page 16

Log Formats

Flat File

Database

CSV

Linux Syslog

Generic Syslog

Windows System, Event, Security, etc…

Page 17

Standard Logging Locations

Linux

/var/log/

Windows

Event Viewer

Page 18

Log Management

Store the logs in a centralized location

Replicating logs across to a log management system

Back up the logs to ensure integrity of the data and maintain compliance standards

Page 19

Log Parsing (Normalization)

To gain value from your SIEM, data must be normalized

Varies depending on the log management solution

Regular Expressions

Data Categorization

Common Event Generation

General Classification

Page 20

Endpoint Monitoring

User Activity

File Integrity and Hashing

Process Details

Network Connections

Registry Modification

Document and/or Web Bug Tracking

Page 21

Event Correlation

Leveraging actionable metadata allows you to understand the full picture.

Key when attempting to reconstruct a scenario
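As an added example that is not part of the slides, the Python below shows the normalization step from the Log Parsing slide and the correlation step from this slide applied to a few constructed log lines: regular expressions map a Linux sshd syslog line and a Windows Security logon record onto one common event schema, and a correlation pass then flags a source that failed repeatedly and afterwards succeeded on the same host. The log lines, hostnames and addresses are constructed; Windows event IDs 4624/4625 are the real logon success/failure IDs, while the line layout and the failure threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the slides): Linux sshd syslog and Windows Security logon events.
SAMPLE_LOGS = [
    "Dec  8 19:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Dec  8 19:01:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "Dec  8 19:01:09 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Dec  8 19:01:12 web01 sshd[2203]: Accepted password for root from 203.0.113.7 port 51050 ssh2",
    "Dec  8 19:02:40 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2",
    "2015-12-08T19:03:00Z win01 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006D",
    "2015-12-08T19:03:02Z win01 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006D",
    "2015-12-08T19:03:05Z win01 EventID=4624 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3",
]

# Regular expressions do the parsing; the named groups are the fields the common schema keeps.
SYSLOG_SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
# Windows: 4624 = successful logon, 4625 = failed logon (real Security event IDs); the flat
# key=value line layout is constructed for this example.
WIN_LOGON = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>4624|4625) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\d+\.\d+\.\d+\.\d+)"
)


def normalize(line):
    """Map one raw line onto a common event schema; return None when no parser matches."""
    m = SYSLOG_SSHD.match(line)
    if m:
        return {"host": m["host"], "user": m["user"], "src": m["src"], "source_type": "linux_syslog",
                "event": "auth_success" if m["outcome"] == "Accepted" else "auth_failure"}
    m = WIN_LOGON.match(line)
    if m:
        return {"host": m["host"], "user": m["user"], "src": m["src"], "source_type": "windows_security",
                "event": "auth_success" if m["eid"] == "4624" else "auth_failure"}
    return None


def correlate(events, threshold=2):
    """Flag a (source, host) pair whose failures reached `threshold` before a success on that host.

    The threshold is an assumed tuning value; a production rule would also bound the time window."""
    failures = defaultdict(int)
    findings = []
    for ev in events:
        key = (ev["src"], ev["host"])
        if ev["event"] == "auth_failure":
            failures[key] += 1
        elif ev["event"] == "auth_success" and failures[key] >= threshold:
            findings.append({"src": ev["src"], "host": ev["host"], "user": ev["user"],
                             "source_type": ev["source_type"], "failures_before_success": failures[key]})
    return findings


def analyze(lines=SAMPLE_LOGS):
    """Normalize every parsable line, then correlate; returns (normalized events, findings)."""
    events = [ev for ev in (normalize(line) for line in lines) if ev]
    return events, correlate(events)


if __name__ == "__main__":
    events, findings = analyze()
    print(f"{len(events)} events normalized from {len(SAMPLE_LOGS)} lines")
    for finding in findings:
        print("repeated failures followed by success:", finding)
```

Because both sources land in the same schema, the correlation rule is written once and applies to the Linux and Windows events alike; that is the practical payoff of normalization that the SIEM slides describe.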

Page 22

Security Information Event Management

Bringing it all together

Dashboards

Automated Alerting

Automated Response

Central Log Storage

Enterprise Correlation

Page 23

SIEM Tools

Commercial: LogRhythm, Splunk

Open Source: Logstash and Kibana, Graylog

Page 24

Advanced Logging

PowerShell

Command Line Logging

Extracting Logs using PowerShell:

    PS C:\> Get-EventLog Security

Honeypot Event Correlation

TTY Log Replay

Web Bugs

Open Source Document Tracking and Event Correlation

Page 25

DEMO


Page 28

Packet Capture (PCAP)

Page 31

OSI Model: a complete record of network activity, layers 2-7

Page 32

Transport Layer Protocols

Transmission Control Protocol (TCP)

Stateful – HTTP, SSH, SMTP, etc.

Used to establish interactive sessions

User Datagram Protocol (UDP)

Stateless / Connectionless transmission model

Easy to spoof origin

No delivery guarantee

Can be used to exfiltrate data via DNS
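The two points above, a capture as a record of layers 2 through 7 and UDP/DNS as an exfiltration channel, as one added Python example that is not code from the presentation: it walks a raw frame from the Ethernet header through IPv4 and UDP to the DNS question name, then scores the extracted names per registered domain for the long, random-looking leftmost labels that DNS tunnelling produces. The frames are constructed inside the script by a small builder so it runs offline; the thresholds (label length 40, 3.5 bits of entropy, five queries per domain) are assumed starting values, not figures from the slides.

```python
import math
import struct
from collections import defaultdict


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_dns_query_frame(qname, src_ip="10.0.0.5", dst_ip="10.0.0.53", txid=0x1234):
    """Constructed Ethernet/IPv4/UDP/DNS query frame used as sample input (not captured traffic)."""
    # Layer 7: 12-byte DNS header (id, flags = standard query + RD, qdcount=1), QNAME, QTYPE A, QCLASS IN.
    # DNS limits one label to 63 bytes, so callers keep labels within that.
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    # Layer 4: UDP header (sport, dport, length, checksum); a zero checksum is permitted for UDP over IPv4.
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    # Layer 3: IPv4 header without options; header checksum left 0 because the dissector does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip)) + udp
    # Layer 2: Ethernet header (dst MAC, src MAC, EtherType 0x0800 = IPv4).
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800) + ip


def parse_qname(data):
    """Decode a DNS label sequence; compression pointers do not occur in a question name."""
    labels, pos = [], 0
    while True:
        length = data[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def dissect(frame):
    """Walk one frame from layer 2 up to the DNS question, returning the fields a monitor would log."""
    if len(frame) < 34:
        raise ValueError("truncated frame")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4; outside this example's scope
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    record = {"src": ".".join(str(b) for b in ip[12:16]),
              "dst": ".".join(str(b) for b in ip[16:20]), "proto": ip[9]}
    if ip[9] != 17:  # only UDP is dissected further here
        return record
    udp = ip[ihl:]
    record["sport"], record["dport"] = struct.unpack("!HH", udp[0:4])
    if record["dport"] == 53:
        record["qname"] = parse_qname(udp[8 + 12:])  # skip the UDP header and the DNS header
    return record


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); adequate here, a public-suffix list is needed in practice."""
    return ".".join(qname.split(".")[-2:])


def dns_exfil_indicators(records, max_label_len=40, entropy_threshold=3.5, min_queries=5):
    """Per registered domain, count queries and how many carried a long or high-entropy leftmost label."""
    per_domain = defaultdict(lambda: {"queries": 0, "suspicious": 0, "label_bytes": 0})
    for record in records:
        qname = (record or {}).get("qname")
        if not qname:
            continue
        stats = per_domain[registered_domain(qname)]
        first = qname.split(".")[0]
        stats["queries"] += 1
        stats["label_bytes"] += len(first)  # rough upper bound on data carried outbound in labels
        if len(first) > max_label_len or shannon_entropy(first) > entropy_threshold:
            stats["suspicious"] += 1
    return {d: s for d, s in per_domain.items() if s["queries"] >= min_queries and s["suspicious"] >= min_queries}


def build_sample_records():
    """Constructed traffic: a few ordinary lookups plus a burst of queries carrying 60-character hex labels."""
    names = ["www.example.com", "mail.example.com", "www.example.com", "cdn.example.net"]
    names += [bytes(range(i, i + 30)).hex() + ".tunnel.example.org" for i in range(0, 60, 10)]
    return [dissect(build_dns_query_frame(name)) for name in names]


if __name__ == "__main__":
    for domain, stats in dns_exfil_indicators(build_sample_records()).items():
        print(domain, stats)
```

The builder is there only to make the dissector exercisable offline; on a real sensor the same `dissect` function would be fed frames read from a pcap file or a tap, and the per-domain statistics would be kept over a sliding window rather than a whole list.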

Page 33

How To Capture Network Traffic

Local

Using tcpdump, Wireshark, NetworkMiner, Ettercap, etc.

In-Line Device

Often commercial but there are free tools as well.

Mirror off Firewalls

Split data passed through firewalls and push it to an appliance.

Offensive – MiTM, Arp Poisoning, Evil Twin, etc.

Page 34

Packet Capture Appliances

LogRhythm Network Monitor Freemium Version – https://support.logrhythm.com

FireEye PX Series

NetScout

NetWitness

Riverbed

Etc.

Page 35

Network Tap

A network Tap can be as simple as a hub. Hubs allow you to see all data transmitted, as opposed to switches.

Raspberry Pi

Beaglebone Black

LAN Turtle

Wi-Fi Pineapple

Page 36

Capturing Network Traffic

Simple Network

Many Options

Page 37

Capturing Network Traffic: Basic Network, Multiple VLANs

Page 38

Offensive Network Capture

ARP Poisoning

Convince the host that our MAC is the router, and its traffic begins to pass through our system.

Evil Twin Wi-Fi Attacks

https://www.youtube.com/watch?v=86bvUV92Ek8

We’ll talk about this more soon…

Attack Switches, Routers, Gateways, etc.
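A defender's counterpart to the ARP poisoning bullet above, added here as an example rather than taken from the slides: given ARP reply observations as a sniffer on the segment would record them, it alerts when an IP address, especially the gateway's, starts being answered for by a different MAC, and when one MAC claims more than one IP. The reply list, addresses and gateway value are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply observations, not captured data: (seconds, sender_ip, sender_mac, target_ip).
# On a real segment these come from ARP frames with opcode 2 seen through a tap, hub or SPAN port.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
    (1.0, "10.0.0.7", "00:11:22:33:44:07", "10.0.0.5"),
    (30.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.9"),
    (60.0, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),  # gateway IP now answered for by another MAC
    (61.0, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
    (62.0, "10.0.0.5", "de:ad:be:ef:00:01", "10.0.0.1"),  # same MAC also claims the client's IP toward the gateway
]

KNOWN_GATEWAYS = {"10.0.0.1"}  # assumed for the example; take it from the network inventory in practice


def detect_arp_poisoning(replies, known_gateways=KNOWN_GATEWAYS):
    """Return alerts for IPs whose sender MAC changes and for MACs that claim more than one IP.

    Both conditions can occur legitimately (DHCP reassignment, clustered services with a shared VIP),
    so each alert carries enough context to be confirmed against the switch's MAC address table."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, sender_ip, sender_mac, target_ip in replies:
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append({"time": t, "type": "mac_change", "ip": sender_ip, "old_mac": previous,
                           "new_mac": sender_mac, "gateway": sender_ip in known_gateways, "target": target_ip})
        ip_to_mac[sender_ip] = sender_mac
        before = len(mac_to_ips[sender_mac])
        mac_to_ips[sender_mac].add(sender_ip)
        # alert only when the set of IPs behind this MAC actually grows, not on every repeat reply
        if len(mac_to_ips[sender_mac]) > max(before, 1):
            alerts.append({"time": t, "type": "mac_claims_multiple_ips", "mac": sender_mac,
                           "ips": sorted(mac_to_ips[sender_mac])})
    return alerts


def gateway_alerts(alerts):
    """The subset concerning a known gateway: the case that puts a whole subnet's traffic in the middle."""
    return [a for a in alerts if a["type"] == "mac_change" and a["gateway"]]


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```

The same two checks are what tools such as arpwatch and switch features like Dynamic ARP Inspection rely on; the value of running them against your own capture is that the alert is tied to a timestamp you can line up with the host logs normalized earlier in the session.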

Page 39

Sniffing Packets

Many protocols are in plain text

Easy to understand and dissect

HTTP, DNS, FTP, Telnet, SMTP, etc.

TLS is becoming more prevalent

Making traffic inspection more difficult

HTTPS, SSH, SFTP, FTPS, etc.

Malware often uses encrypted tunnels

Page 40

Viewing Encrypted Packets: SSL Interception Proxies

Source: https://logrhythm.com/blog/network-monitor-and-ssl-proxy-integration/

Page 41

Offensive MiTM Against TLS / SSL

SSLStrip – Older but still works

https://github.com/moxie0/sslstrip

SSLSplit – Transparent TLS/SSL Interception Proxy

Terminates one session then creates its own

https://github.com/droe/sslsplit

NetRipper – Windows API Hooking

https://github.com/NytroRST/NetRipper

Page 42

Attacking Users – A Case Study

Page 43

Evil Twin

Page 44

Evil Twin

source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html

Page 49

DEMO

Page 50

We’ve only just scratched the surface…

Page 51

Want To Learn More and Practice?

http://www.netresec.com/?page=PcapFiles

Publicly Available PCAP Files

http://malware-traffic-analysis.net/

PCAP Files and Malware Samples

https://www.vthreat.com/

Simulate threats, data exfiltration, etc.

VirusTotal Professional

Page 52

PCAP Challenge

Page 54

Using Log Data to Track Winners

Page 55

References

Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012. Print.

Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley, 2005. Print.

Page 56

CLOSING

Careers in this area of security

The work – LogRhythm is hiring!

The rewards – Great benefits!

How to pursue

https://logrhythm.com/about/careers/

[email protected]

Page 57

Provides aspiring security talent with a powerful & direct path into cybersecurity

“Career Promise”

www.secureset.com/academy

Next Denver session: January 2016

Page 58

Did you know? More than 209,000 cybersecurity jobs in the US are unfilled.*

* www.peninsulapress.com/2015

Page 59

wargames.secureset.com

[email protected]

Secure your future in Cyber! SecureSet Academy starts January 2016
