SlideShare a Scribd company logo

Applied Detection and Analysis Using Flow Data - MIRCon 2014

Download as PPTX, PDF
C
chrissanders88

In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.

Technology
1 of 58
Applied Detection and Analysis Using Network Flow Data Chris Sanders and Jason Smith TAP Intel-Based Detection Mandiant, a FireEye Company
2 Chris Sanders  Christian & Husband  Kentuckian and South Carolinian  MS, GSE, et al.  Non-Profit Director  BBQ Pit Master
3 Jason Smith  Kentuckian  Car Aficionado  Raspberry Pi enthusiast  Junkyard Engineer
4 Applied Network Security Monitoring “This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” “Written by analysts, for analysts.” - Amazon Reviewers
5 Agenda Flow Data!  Why it’s important  How you can collect it  What you can do with it  Tools that can help “Why/How to use Flow Data in NSM/IR”
 The collection, detection, and analysis of network security data.  The goal of NSM is escalation, or to declare that an incident has occurred so that incident response can occur. 6 Network Security Monitoring Network Security Monitoring Incident Response
7 The NSM Cycle Collection Analysis Detection
8 Evolution of NSM Emphasis Past • Detection Era Present • Collection Era Future • Analysis Era
9 NSM/IR Challenges of the Present We All Want Full PCAP…  Collection − Easy to Capture / Filter Stream Data  Detection − Major Detection Tools are PCAP Oriented  Analysis − Gives us Who, Where, When, and What
10 NSM/IR Challenges of the Present But, It’s not Feasible for Every Goal…  Collection − Not Scalable for Extended Retention  Detection − Not Ideal of Hunting / Rapid Pivoting  Analysis − Not a Great Starting Point
11 Full PCAP vs. Flow Data PCAP Data Flow Data
12 Flow Data  Often Called Flow / Session / NetFlow  Summary of Network Communications  Aggregated Record of Packets  Gives Us Who, Where, When  Based on the 5-tuple + Timing/Data Stats Source IP Source Port Dest IP Dest Port Protocol 192.168.5.1 48293 8.8.8.8 53 UDP Start Time End Time Bytes 2014/09/22T00:03:58.756 2014/09/22T00:04:58.756 76
13 Flow Data Example sTime| sIP|dPort| dIP|dPort|pro|bytes| 2014/09/22T00:03:58.756| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:03:58.999 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:08:59.012| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:08:59.466| 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:03:58.756| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:03:58.999 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:08:59.012| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:08:59.466| 10.10.120.1| 53| 10.1.188.5| 53| 17| 89|
14 Building Flow Records  Records are Defined by Unique 5-tuples  Data is added to the 5-tuple Record until a termination condition is met.
15 Flow Record Termination Conditions  Natural Timeout − End of communication per protocol (ex. TCP RST/FIN)  Idle Timeout − No data received for 30 seconds  Active Timeout − Thirty minute max timeout (configurable)
Collection with Flow Data
17 Generating Flow Data  Generation − Routers − Sensors  Fprobe  YAF  Multiple Types: − NetFlow (v5,v9) − IPFIX − jFlow − More…
18 Collecting Flow Data  Popular Platforms − Argus + Reliable + Fast Collection - Not Well Supported − NFDump + Easy to Setup and Use - Not in Wide Use − SiLK + Exceptional Analysis Tools - More Involved Setup
19 SiLK  The System for Internet-Level Knowledge  CERT NetSA Team  Two Major Components: − Packing Suite  Collection and parsing of flow data − Analysis Suite  Filter, display, sort, count, group, mate, and more  Excellent Documentation & Community − https://tools.netsa.cert.org/silk/docs.html
20 SiLK Collection Architecture
21 SiLK – What You Need  Flow Sources − Hardware: Routers, Switches − Software: YAF, fprobe  SiLK Server − Rwflowpack − Will also have SiLK analysis suite installed  Analyst Workstation − Access SiLK server directly − Locally mirrored database
22 SiLK – Analysis Suite  rwfilter - Filters through data based on conditions.  rwcut - Converts flow binary data to a human readable format.  rwstats - Generates statistics from flow data  rwcount - Summarizes total network traffic over time
23 SiLK Analysis – rwfilter / rwcut (1)  Display all records from the beginning the current day until the current time: rwfilter --type=all --proto=0-255 --pass=stdout | rwcut
24 SiLK Analysis – rwfilter / rwcut (2)  Display all records of communication to or from Chinese IP addresses over a specific week to one local CIDR range: rwfilter --type=all --start-date=2014/08/01 --end-date= 2014/08/07 --any-address=192.168.1.0/24 --any-cc=cn --pass=stdout | rwcut -- fields=stime,sip,dip,sport,dport,type
25 SiLK Analysis – rwstats (1)  Display statistics for the total amount of bytes transferred by protocol (top 10): rwfilter --type=all --proto=0-255 --pass=stdout | rwstats --top --count=10 --fields=proto -- value=bytes
26 SiLK Analysis – rwstats (2)  Show the top 10 sip,dip pairs for valid conversations (top 10) rwfilter --type=all --proto=0-255 --packets=4, -- pass=stdout | rwstats --top --count=10 -- fields=sip,dip --value=bytes
27 SiLK Analysis – rwstats (3)  Show the top 10 outbound destination country codes by records: rwfilter --type=out,outweb --proto=0-255 -- pass=stdout | rwstats --top --count=10 --fields=dcc
28 SiLK Analysis – Real World Examples  Rwstats to discover potential ZeroAccess victims rwfilter --type=all --dport=16464,16465,16470,16471 -- pass=stdout | rwstats --top --fields=sip -- value=distinct:dcc --threshold=3
29 SiLK Analysis – Real World Examples  Discovering outbound data to applications using nonstandard ports. rwfilter Sampledata/sample.rw --plugin=app-mismatch.so --type=out,outweb --proto=6 --sport=1024- --packets=4- --flags-initial=S/SURFPACE --pass=stdout | rwstats --fields=application,dport --count=100 --distinct:dport
30 Collecting Intelligence Data  Friendly Intelligence Gathering  Identify Services on the Network  Identify Normal Behaviors of Hosts  Identify “Friends and Family” − Friends: Who a host communicates with outside the network − Family: Who a host communicates with inside the network
31 Identifying Services  Identify SSH Servers rwfilter --type=out --protocol=6 --packets=4- - -ack-flag=1 --sport=22 --pass=stdout | rwcut -- fields=sip  Identify Web Servers rwfilter --type=outweb --protocol=6 -- packets=4- --ack-flag=1 --sport=80,443,8080 -- pass=stdout | rwcut --fields=sip
32 Identifying Friends and Family • Identify Friends rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dcidr=192.168.0.0/24 --fail=stdout • Identify Family rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dipset=local --fail=stdout
Detection with Flow Data
34 Flow for Detection Signature- Based Reputation- Based Behavior- Based Statistics- Based
35 FlowPlotter  Generates Visualizations from the Output of Flow Tools  Useful for Detection-Oriented Statistics  Written in BASH – Flexible/Tweakable/Minimal  Free/Open Source - Maintained in GitHub  Browser Independent
36 FlowPlotter - GeoMap  rwfilter ../Sampledata/sample.rw --dcc=us,cn,-- --fail=stdout | ./flowplotter.sh geomap dcc bytes > geomap.html
37 FlowPlotter - LineChart  rwfilter --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh linechart 600 bytes > linechart.html
38 FlowPlotter - TreeMap  rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=out --pass=stdout | ./flowplotter.sh treemap dip records > treemap.html
39 FlowPlotter - Pie/Bar/Column Chart  rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=all --pass=stdout | ./flowplotter.sh piechart dip bytes > piechart.html
40 FlowPlotter - BubbleChart  rwfilter ../Sampledata/sample.rw --type=all --proto=0-255 -- pass=stdout | ./flowplotter.sh bubblechart sip > bubblechart.html
41 FlowPlotter - Timeline  rwfilter --proto=0- --type=out --sport=41142 --pass=stdout | ./flowplotter.sh timeline dip sip > timeline.html
42 FlowPlotter - Force Directed  rwfilter ../Sampledata/sample.rw --scc=kr --proto=0- --type=all -- pass=stdout | ./flowplotter.sh forceopacity sip dip distinct:dport 100 > forcetest.html
43 FlowPlotter - AssetDiscovery  rwfilter ../Sampledata/sample.rw --proto=0- --type=all --pass=stdout | ./flowplotter.sh assetdiscovery > assettest.html
Analysis with Flow
45 Flow in Analysis – PCAP Only Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Reduce Data Set Analyze / Make Decisions 5% 10% 35% ~ 50% * Based on the First Hour of Analysis
46 Flow in Analysis - Improved Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Expand Data Set as Needed Analyze / Make Decisions 5% 10% 5% ~ 80% * Based on the First Hour of Analysis
47 Flow – Barriers to Entry  Be Prepared to Look at a LOT of Line-Based Data  Very Command Line Oriented  Not Welcoming to Junior-Level Analysts  Hard to Display/Interpret Data Visually
48 SiLK Data Output
49
50  Flow Basic Analysis Tool  Graphical Front-End to SiLK  Easy Two-Step Install on SiLK Capable Box − Install Locally to SiLK Box − Install Remotely and Interact via SSH w/ Keys  Rapid Pivoting Between Data  Graphing Ability  By Analysts, for Analysts
51 Getting Data with FlowBAT (CLI Mode)
Getting Data with FlowBAT (Guided Mode) 52
53 Manipulating FlowBAT Data
54 Pivoting with FlowBAT Data
55 Generating Stats with FlowBAT
56 Generating Stats with FlowBAT
57 Conclusion  Flow Data is Underused and Underrated  Easy to Collect, Enhances Detection & Analysis  Minimal Barriers to Entry − SiLK (Easy to Install on SO) − Argus (Already Installed on SO) − Bro (Already Installed on SO)
58 Thanks Folks!  Questions? − Chris Sanders – chris@chrissanders.org − Jason Smith – jason.smith.webmail@gmail.com  Blog / Book − http://www.appliednsm.com  FlowPlotter − http://www.github.com/automayt/FlowPlotter/  FlowBAT − http://www.flowbat.com

Recommended

From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Network scanning
Network scanningNetwork scanning
Network scanning
MD SAQUIB KHAN
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 

Recommended

From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Network scanning
Network scanningNetwork scanning
Network scanning
MD SAQUIB KHAN
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
Reality Net System Solutions
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019
Priyanka Aash
 
NMAP
NMAPNMAP
NMAP
PrateekAryan1
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security Platform
Pituphong Yavirach
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
n|u - The Open Security Community
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 
Cybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOCCybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOC
Fidelis Cybersecurity
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
Santosh Khadsare
 
CyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint ProtectionCyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint Protection
Panji Ramadhan Hadjarati
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
Peter R. Egli
 
All About Snort
All About SnortAll About Snort
All About Snort
28pranjal
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
SKMohamedKasim
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
MichaelRodriguesdosS1
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
chrissanders88
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 

More Related Content

What's hot

VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
Peter R. Egli
 

What's hot (20)

Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019
 
NMAP
NMAPNMAP
NMAP
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security Platform
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
Cybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOCCybersecurity Operations: Examining the State of the SOC
Cybersecurity Operations: Examining the State of the SOC
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
CyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint ProtectionCyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint Protection
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
All About Snort
All About SnortAll About Snort
All About Snort
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
 

Similar to Applied Detection and Analysis Using Flow Data - MIRCon 2014

Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
Zobair Khan
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
Ryan Breed
 
Tim eberhard bajug3_talk
Tim eberhard bajug3_talkTim eberhard bajug3_talk
Tim eberhard bajug3_talk
Tim Eberhard
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
AssadLeo1
 
Best practices and lessons learnt from Running Apache NiFi at Renault
Best practices and lessons learnt from Running Apache NiFi at RenaultBest practices and lessons learnt from Running Apache NiFi at Renault
Best practices and lessons learnt from Running Apache NiFi at Renault
DataWorks Summit
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
csching
 

Similar to Applied Detection and Analysis Using Flow Data - MIRCon 2014 (20)

Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Tim eberhard bajug3_talk
Tim eberhard bajug3_talkTim eberhard bajug3_talk
Tim eberhard bajug3_talk
 
Go with the flow
Go with the flowGo with the flow
Go with the flow
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
 
Best practices and lessons learnt from Running Apache NiFi at Renault
Best practices and lessons learnt from Running Apache NiFi at RenaultBest practices and lessons learnt from Running Apache NiFi at Renault
Best practices and lessons learnt from Running Apache NiFi at Renault
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
NFA - Middle East Workshop
NFA - Middle East WorkshopNFA - Middle East Workshop
NFA - Middle East Workshop
 
MATATABI: Cyber Threat Analysis and Defense Platform using Huge Amount of Dat...
MATATABI: Cyber Threat Analysis and Defense Platform using Huge Amount of Dat...MATATABI: Cyber Threat Analysis and Defense Platform using Huge Amount of Dat...
MATATABI: Cyber Threat Analysis and Defense Platform using Huge Amount of Dat...
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems Administrator
 

More from chrissanders88

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLA
chrissanders88
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
chrissanders88
 

More from chrissanders88 (12)

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017
 
Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLA
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Security
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Applied Detection and Analysis Using Flow Data - MIRCon 2014

  • 1. Applied Detection and Analysis Using Network Flow Data Chris Sanders and Jason Smith TAP Intel-Based Detection Mandiant, a FireEye Company
  • 2. 2 Chris Sanders  Christian & Husband  Kentuckian and South Carolinian  MS, GSE, et al.  Non-Profit Director  BBQ Pit Master
  • 3. 3 Jason Smith  Kentuckian  Car Aficionado  Raspberry Pi enthusiast  Junkyard Engineer
  • 4. 4 Applied Network Security Monitoring “This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” “Written by analysts, for analysts.” - Amazon Reviewers
  • 5. 5 Agenda Flow Data!  Why it’s important  How you can collect it  What you can do with it  Tools that can help “Why/How to use Flow Data in NSM/IR”
  • 6.  The collection, detection, and analysis of network security data.  The goal of NSM is escalation, or to declare that an incident has occurred so that incident response can occur. 6 Network Security Monitoring Network Security Monitoring Incident Response
  • 7. 7 The NSM Cycle Collection Analysis Detection
  • 8. 8 Evolution of NSM Emphasis Past • Detection Era Present • Collection Era Future • Analysis Era
  • 9. 9 NSM/IR Challenges of the Present We All Want Full PCAP…  Collection − Easy to Capture / Filter Stream Data  Detection − Major Detection Tools are PCAP Oriented  Analysis − Gives us Who, Where, When, and What
  • 10. 10 NSM/IR Challenges of the Present But, It’s not Feasible for Every Goal…  Collection − Not Scalable for Extended Retention  Detection − Not Ideal of Hunting / Rapid Pivoting  Analysis − Not a Great Starting Point
  • 11. 11 Full PCAP vs. Flow Data PCAP Data Flow Data
  • 12. 12 Flow Data  Often Called Flow / Session / NetFlow  Summary of Network Communications  Aggregated Record of Packets  Gives Us Who, Where, When  Based on the 5-tuple + Timing/Data Stats Source IP Source Port Dest IP Dest Port Protocol 192.168.5.1 48293 8.8.8.8 53 UDP Start Time End Time Bytes 2014/09/22T00:03:58.756 2014/09/22T00:04:58.756 76
  • 13. 13 Flow Data Example sTime| sIP|dPort| dIP|dPort|pro|bytes| 2014/09/22T00:03:58.756| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:03:58.999 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:08:59.012| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:08:59.466| 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:03:58.756| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:03:58.999 10.10.120.1| 53| 10.1.188.5| 53| 17| 89| 2014/09/22T00:08:59.012| 10.10.120.1| 53| 10.1.179.5| 53| 17| 72| 2014/09/22T00:08:59.466| 10.10.120.1| 53| 10.1.188.5| 53| 17| 89|
  • 14. 14 Building Flow Records  Records are Defined by Unique 5-tuples  Data is added to the 5-tuple Record until a termination condition is met.
  • 15. 15 Flow Record Termination Conditions  Natural Timeout − End of communication per protocol (ex. TCP RST/FIN)  Idle Timeout − No data received for 30 seconds  Active Timeout − Thirty minute max timeout (configurable)
  • 17. 17 Generating Flow Data  Generation − Routers − Sensors  Fprobe  YAF  Multiple Types: − NetFlow (v5,v9) − IPFIX − jFlow − More…
  • 18. 18 Collecting Flow Data  Popular Platforms − Argus + Reliable + Fast Collection - Not Well Supported − NFDump + Easy to Setup and Use - Not in Wide Use − SiLK + Exceptional Analysis Tools - More Involved Setup
  • 19. 19 SiLK  The System for Internet-Level Knowledge  CERT NetSA Team  Two Major Components: − Packing Suite  Collection and parsing of flow data − Analysis Suite  Filter, display, sort, count, group, mate, and more  Excellent Documentation & Community − https://tools.netsa.cert.org/silk/docs.html
  • 20. 20 SiLK Collection Architecture
  • 21. 21 SiLK – What You Need  Flow Sources − Hardware: Routers, Switches − Software: YAF, fprobe  SiLK Server − Rwflowpack − Will also have SiLK analysis suite installed  Analyst Workstation − Access SiLK server directly − Locally mirrored database
  • 22. 22 SiLK – Analysis Suite  rwfilter - Filters through data based on conditions.  rwcut - Converts flow binary data to a human readable format.  rwstats - Generates statistics from flow data  rwcount - Summarizes total network traffic over time
  • 23. 23 SiLK Analysis – rwfilter / rwcut (1)  Display all records from the beginning the current day until the current time: rwfilter --type=all --proto=0-255 --pass=stdout | rwcut
  • 24. 24 SiLK Analysis – rwfilter / rwcut (2)  Display all records of communication to or from Chinese IP addresses over a specific week to one local CIDR range: rwfilter --type=all --start-date=2014/08/01 --end-date= 2014/08/07 --any-address=192.168.1.0/24 --any-cc=cn --pass=stdout | rwcut -- fields=stime,sip,dip,sport,dport,type
  • 25. 25 SiLK Analysis – rwstats (1)  Display statistics for the total amount of bytes transferred by protocol (top 10): rwfilter --type=all --proto=0-255 --pass=stdout | rwstats --top --count=10 --fields=proto -- value=bytes
  • 26. 26 SiLK Analysis – rwstats (2)  Show the top 10 sip,dip pairs for valid conversations (top 10) rwfilter --type=all --proto=0-255 --packets=4, -- pass=stdout | rwstats --top --count=10 -- fields=sip,dip --value=bytes
  • 27. 27 SiLK Analysis – rwstats (3)  Show the top 10 outbound destination country codes by records: rwfilter --type=out,outweb --proto=0-255 -- pass=stdout | rwstats --top --count=10 --fields=dcc
  • 28. 28 SiLK Analysis – Real World Examples  Rwstats to discover potential ZeroAccess victims rwfilter --type=all --dport=16464,16465,16470,16471 -- pass=stdout | rwstats --top --fields=sip -- value=distinct:dcc --threshold=3
  • 29. 29 SiLK Analysis – Real World Examples  Discovering outbound data to applications using nonstandard ports. rwfilter Sampledata/sample.rw --plugin=app-mismatch.so --type=out,outweb --proto=6 --sport=1024- --packets=4- --flags-initial=S/SURFPACE --pass=stdout | rwstats --fields=application,dport --count=100 --distinct:dport
  • 30. 30 Collecting Intelligence Data  Friendly Intelligence Gathering  Identify Services on the Network  Identify Normal Behaviors of Hosts  Identify “Friends and Family” − Friends: Who a host communicates with outside the network − Family: Who a host communicates with inside the network
  • 31. 31 Identifying Services  Identify SSH Servers rwfilter --type=out --protocol=6 --packets=4- - -ack-flag=1 --sport=22 --pass=stdout | rwcut -- fields=sip  Identify Web Servers rwfilter --type=outweb --protocol=6 -- packets=4- --ack-flag=1 --sport=80,443,8080 -- pass=stdout | rwcut --fields=sip
  • 32. 32 Identifying Friends and Family • Identify Friends rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dcidr=192.168.0.0/24 --fail=stdout • Identify Family rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dipset=local --fail=stdout
  • 34. 34 Flow for Detection Signature- Based Reputation- Based Behavior- Based Statistics- Based
  • 35. 35 FlowPlotter  Generates Visualizations from the Output of Flow Tools  Useful for Detection-Oriented Statistics  Written in BASH – Flexible/Tweakable/Minimal  Free/Open Source - Maintained in GitHub  Browser Independent
  • 36. 36 FlowPlotter - GeoMap  rwfilter ../Sampledata/sample.rw --dcc=us,cn,-- --fail=stdout | ./flowplotter.sh geomap dcc bytes > geomap.html
  • 37. 37 FlowPlotter - LineChart  rwfilter --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh linechart 600 bytes > linechart.html
  • 38. 38 FlowPlotter - TreeMap  rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=out --pass=stdout | ./flowplotter.sh treemap dip records > treemap.html
  • 39. 39 FlowPlotter - Pie/Bar/Column Chart  rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- -- proto=0- --type=all --pass=stdout | ./flowplotter.sh piechart dip bytes > piechart.html
  • 40. 40 FlowPlotter - BubbleChart  rwfilter ../Sampledata/sample.rw --type=all --proto=0-255 -- pass=stdout | ./flowplotter.sh bubblechart sip > bubblechart.html
  • 41. 41 FlowPlotter - Timeline  rwfilter --proto=0- --type=out --sport=41142 --pass=stdout | ./flowplotter.sh timeline dip sip > timeline.html
  • 42. 42 FlowPlotter - Force Directed  rwfilter ../Sampledata/sample.rw --scc=kr --proto=0- --type=all -- pass=stdout | ./flowplotter.sh forceopacity sip dip distinct:dport 100 > forcetest.html
  • 43. 43 FlowPlotter - AssetDiscovery  rwfilter ../Sampledata/sample.rw --proto=0- --type=all --pass=stdout | ./flowplotter.sh assetdiscovery > assettest.html
  • 45. 45 Flow in Analysis – PCAP Only Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Reduce Data Set Analyze / Make Decisions 5% 10% 35% ~ 50% * Based on the First Hour of Analysis
  • 46. 46 Flow in Analysis - Improved Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Expand Data Set as Needed Analyze / Make Decisions 5% 10% 5% ~ 80% * Based on the First Hour of Analysis
  • 47. 47 Flow – Barriers to Entry  Be Prepared to Look at a LOT of Line-Based Data  Very Command Line Oriented  Not Welcoming to Junior-Level Analysts  Hard to Display/Interpret Data Visually
  • 48. 48 SiLK Data Output
  • 49. 49
  • 50. 50  Flow Basic Analysis Tool  Graphical Front-End to SiLK  Easy Two-Step Install on SiLK Capable Box − Install Locally to SiLK Box − Install Remotely and Interact via SSH w/ Keys  Rapid Pivoting Between Data  Graphing Ability  By Analysts, for Analysts
  • 51. 51 Getting Data with FlowBAT (CLI Mode)
  • 52. Getting Data with FlowBAT (Guided Mode) 52
  • 54. 54 Pivoting with FlowBAT Data
  • 55. 55 Generating Stats with FlowBAT
  • 56. 56 Generating Stats with FlowBAT
  • 57. 57 Conclusion  Flow Data is Underused and Underrated  Easy to Collect, Enhances Detection & Analysis  Minimal Barriers to Entry − SiLK (Easy to Install on SO) − Argus (Already Installed on SO) − Bro (Already Installed on SO)
  • 58. 58 Thanks Folks!  Questions? − Chris Sanders – chris@chrissanders.org − Jason Smith – jason.smith.webmail@gmail.com  Blog / Book − http://www.appliednsm.com  FlowPlotter − http://www.github.com/automayt/FlowPlotter/  FlowBAT − http://www.flowbat.com