SlideShare a Scribd company logo

Applied Detection and Analysis with Flow Data - SO Con 2014

Download as PPT, PDF
C
chrissanders88

The document discusses using network flow data for applied detection and analysis. It describes how to collect flow data using tools like SiLK, analyze the data using rwfilter, rwstats and other SiLK tools, and use the results for detection via visualizations with FlowPlotter and intelligence gathering. Flow data provides benefits like small data footprint and scalability compared to full packet capture.

Technology
1 of 54
Applied Detection and Analysis Using Network Flow Data Chris Sanders & Jason Smith Security Onion Conference 2014
Chris Sanders • Christian & Husband • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
Jason Smith • Kentuckian • Car Aficionado • Raspberry Pi Enthusiast • Junkyard Engineer
Applied Network Security Monitoring “This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” “Written by analysts, for analysts.” - Amazon Reviewers
Agenda Flow Data! •Why it’s important •How you can collect it •What you can do with it •Tool that’s can help “[Why, How] to extend Security Onion with Flow Analysis.“
The NSM Cycle Collection Analysis Detection
Evolution of NSM Emphasis Past •Detection Era Present • Collection Era Future •Analysis Era
NSM Challenges of the Present We All Want Full PCAP… •Collection – Easy to Capture / Filter Stream Data •Detection – Major Detection Tools are PCAP Oriented •Analysis – Gives us Who, Where, When, and What
NSM Challenges of the Present But, It’s not Feasible for Every Goal… •Collection – Not Scalable for Extended Retention •Detection – Not Ideal for Hunting / Rapid Pivoting •Analysis – Not a Great Starting Point
Enter Flow Data • Often Called Flow / Session / NetFlow • Summary of Network Communications • Aggregated Record of Packets • Gives Us Who, Where, When • Based on the 5-tuple + Timing/Data Stats Source IP Source Port Dest IP Dest Port Protocol 192.168.5.1 48293 8.8.8.8 53 UDP
Building Flow Records • Records are Defined by Unique 5-tuples • Data is added to the 5-tuple Record until a termination condition is met.
Flow Record Termination Conditions • Natural Timeout – End of communication per protocol (ex. RST/FIN) • Idle Timeout – No data received for 30 seconds • Active Timeout – Thirty minute max timeout (configurable)
Full PCAP vs. Flow Data PCAP Data Flow Data Level of Context
Full PCAP vs. Flow Data PCAP Data Flow Data Storage Requirements
Flow Data Benefits • Most Network Devices Generate it Natively • Collectors are Easy to Setup • Data Footprint is Incredibly Small • Easy for Orgs to Keep Years of Flow Data • Useful for Detection and Analysis
COLLECTION WITH FLOW DATA
Generating Flow Data • Generation – Routers – Sensors • Fprobe • YAF • Multiple Types: – NetFlow (v5,v9) – IPFIX – jFlow – More…
Collecting Flow Data • Popular Platforms – Argus + Reliable & Fast Collection - Not Well Supported/Documented – NFDump + Easy to Setup and Use - Not in Wide Use – SiLK + Exceptional Analysis Tools - More Involved Setup
SiLK • The System for Internet-Level Knowledge • CERT NetSA Team • Two Major Components: – Packing Suite • Collection and parsing of flow data – Analysis Suite • Filter, display, sort, count, group, mate, and more • Excellent Documentation & Community – https://tools.netsa.cert.org/silk/docs.html
SiLK Collection Architecture
SiLK – What You Need  Flow Sources − Hardware: Routers, Switches − Software: YAF, fprobe  SiLK Server − Rwflowpack − Will also have SiLK analysis suite installed  Analyst Workstation − Access SiLK server directly − Locally mirrored database
SiLK – Packing Suite Config  rwflowpack – Listens and sorts incoming flows, preparing them for the analysis suite. − --sensor-configuration  Defines listener options  Defines ipblocks  Defines sensor probes − --site-config-file  Matches sensor probes with a naming convention  Defines class and type relationships − --root-directory  Location where all binary flat files are stored  Indexed: Type>Year>Month>Day>Hour
SiLK – Analysis Suite  rwfilter - Filters through data based on conditions.  rwcut - Converts flow binary data to a human readable format.  rwstats - Generates statistics from flow data  rwcount - Summarizes total network traffic over time
SiLK Analysis – rwfilter / rwcut (1)  Display all records from the beginning the current day until the current time: rwfilter --type=all --proto=0-255 --pass=stdout | rwcut
SiLK Analysis – rwfilter / rwcut (2)  Display all records of communication to or from Chinese IP addresses over a specific week to one local CIDR range: rwfilter --type=all --start-date=2014/08/01 --end-date= 2014/08/07 --any-address=192.168.1.0/24 --any-cc=cn --pass=stdout | rwcut -- fields=stime,sip,dip,sport,dport,type
SiLK Analysis – rwstats (1)  Display statistics for the total amount of bytes transferred by protocol (top 10): rwfilter --type=all --proto=0-255 --pass=stdout | rwstats --top --count=10 --fields=proto -- value=bytes
SiLK Analysis – rwstats (2)  Show the top 10 sip,dip pairs for valid conversations (top 10) rwfilter --type=all --proto=0-255 --packets=4, -- pass=stdout | rwstats --top --count=10 -- fields=sip,dip --value=bytes
SiLK Analysis – rwstats (3)  Show the top 10 outbound destination country codes by records: rwfilter --type=out,outweb --proto=0-255 -- pass=stdout | rwstats --top --count=10 --fields=dcc
SiLK Analysis – Zero Access Example (1)  Rwstats to discover potential victims rwfilter --type=all --dport=16464,16465,16470,16471 -- pass=stdout | rwstats --top --fields=sip -- value=distinct:dcc --threshold=3  Filter down to only the potential victim machine rwfilter --type=all --start-date=2014/08/02 --end-date= 2014/08/03 --saddress=192.168.106.131 -- pass=ZA1.rwf
SiLK Analysis – Zero Access Example (2)  Analyze the data per 10 minute buckets over the course of 24 hours to look for abnormal user data at bizarre times. rwfilter ZA1.rwf --type=all --proto=0-255 --active-time= 2014/08/02:00-2014/08/03:00 --pass=stdout | rwcut --bin-size=600
Collecting Intelligence Data • Friendly Intelligence Gathering • Identify Services on the Network • Identify Normal Behaviors of Hosts • Identify “Friends and Family” – Friends: Who a host communicates with outside the network – Family: Who a host communicates with inside the network
Identifying Services • Identify SSH Servers rwfilter --type=out --protocol=6 -- packets=4- --ack-flag=1 --sport=22 - -pass=stdout | rwcut --fields=sip • Identify Web Servers rwfilter --type=outweb --protocol=6 --packets=4- --ack-flag=1 -- sport=80,443,8080 --pass=stdout | rwcut --fields=sip
Identifying Friends and Family • Identify Friends rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dcidr=192.168.0.0/24 --fail=stdout • Identify Family rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dipset=local --fail=stdout
DETECTION WITH FLOW DATA
Flow for Detection Signature- Based Reputation- Based Behavior- Based Statistics- Based
FlowPlotter • Generates Visualizations from Output of Flow Tools • Useful for Detection-Oriented Statistics • Written in BASH – Flexible/Tweakable • Maintained in GitHub • Browser Independent
FlowPlotter - GeoMap rwfilter ../Sampledata/sample.rw --dcc=us,cn,-- --fail=stdout | ./flowplotter.sh geomap dcc bytes > geomap.html
FlowPlotter – Line Chart rwfilter --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh linechart 600 bytes > linechart.html
FlowPlotter - TreeMap rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh treemap dip records > treemap.html
FlowPlotter - PieChart rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh piechart dip bytes > piechart.html
FlowPlotter - Barchart/ColumnChart rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh columnchart dip bytes > columnchart.html
FlowPlotter - BubbleChart rwfilter ../Sampledata/sample.rw --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh bubblechart sip > bubblechart.html
FlowPlotter - Timeline rwfilter ../Sampledata/sample.rw --proto=0- --dcc=us,-- --fail=stdout | ./flowplotter.sh timeline sip dip > timeline.html
FlowPlotter - Force Directed rwfilter ../Sampledata/sample.rw --scc=kr --proto=0- --type=all -- pass=stdout | ./flowplotter.sh forceopacity sip dip distinct:dport 100 > forcetest.html
FlowPlotter – Asset Discovery rwfilter ../Sampledata/sample.rw --proto=0- --type=all --pass=stdout | ./flowplotter.sh assetdiscovery > assettest.html
ANALYSIS WITH FLOW DATA
Flow in Analysis – PCAP Only Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Reduce Data Set Analyze / Make Decisions 5% 10% 35% ~ 50% * Based on the First Hour of Analysis
Flow in Analysis – w/ Flow Data Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Expand Data Set as Needed Analyze / Make Decisions 5% 10% 5% ~ 80% * Based on the First Hour of Analysis
Flow – Barriers to Entry • Be Prepared to Look at a LOT of Line-Based Data • Very Command Line Oriented • Not Welcoming to Junior-Level Analysts • Hard to Display/Interpret Data Visually
SiLK Data Output
• Flow Basic Analysis Tool • Graphical Front-End to SiLK • Easy Two-Step Install on SiLK Capable Box – Install Locally to SiLK Box – Install Remotely and Interact via SSH w/ Keys • Rapid Pivoting Between Data • Graphing Ability
Conclusion • Flow Data is Underused and Underrated • Easy to Collect, Enhances Detection & Analysis • Minimal Barriers to Entry – SiLK (Easy to Install on SO) – Argus (Already Installed on SO) – Bro (Already Installed on SO)
Thanks Folks! • Questions? – Chris Sanders: chris@chrissanders.org – Jason Smith: jason.smith.webmail@gmail.com • Blog/Book – http://www.appliednsm.com • FlowPlotter – http://www.github.com/automayt/FlowPlotter • FlowBAT – Release in October!

Recommended

Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités Web
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités WebAlphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités Web
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités WebAlphorm
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Disha Bedi
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Security Onion
Security OnionSecurity Onion
Security Onionjohndegruyter
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 

Recommended

Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités Web
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités WebAlphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités Web
Alphorm.com Support Formation Hacking & Sécurité Expert Vulnérabilités WebAlphorm
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Disha Bedi
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Security Onion
Security OnionSecurity Onion
Security Onionjohndegruyter
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaNSConclave
 
Alphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide completAlphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide completAlphorm
 
Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security DataWorks Summit/Hadoop Summit
 
Bonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOSBonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOSJulien SIMON
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
misp-training.pdf
misp-training.pdfmisp-training.pdf
misp-training.pdf9905234521
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellAdeo Security
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptxPeter Yaworski
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide Tauhidul islam
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)Jason Trost
 
Segurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASPSegurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASPFabiano Pereira
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionAshraf Bashir
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)Alphorm
 
Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm
 
Rapport Sockets en Java
Rapport Sockets en JavaRapport Sockets en Java
Rapport Sockets en JavaSoukaina Boujadi
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing AttacksSysCloud
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 

More Related Content

What's hot

Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaNSConclave
 
Alphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide completAlphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide completAlphorm
 
Bonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOSBonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOSJulien SIMON
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
misp-training.pdf
misp-training.pdfmisp-training.pdf
misp-training.pdf9905234521
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellAdeo Security
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptxPeter Yaworski
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide Tauhidul islam
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)Jason Trost
 
Segurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASPSegurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASPFabiano Pereira
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionAshraf Bashir
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)Alphorm
 
Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing AttacksSysCloud
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 

What's hot (20)

Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan Braganza
 
Alphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide completAlphorm.com Formation Analyse de Malware 1/2 : Le guide complet
Alphorm.com Formation Analyse de Malware 1/2 : Le guide complet
 
Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security Apache Metron: Community Driven Cyber Security
Apache Metron: Community Driven Cyber Security
 
Bonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOSBonnes pratiques anti-DDOS
Bonnes pratiques anti-DDOS
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
misp-training.pdf
misp-training.pdfmisp-training.pdf
misp-training.pdf
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShell
 
Hackfest presentation.pptx
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptx
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)
 
Segurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASPSegurança em Aplicações Web conforme OWASP
Segurança em Aplicações Web conforme OWASP
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)alphorm.com - Formation SQL Server 2012 (70-462)
alphorm.com - Formation SQL Server 2012 (70-462)
 
Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 II
 
Rapport Sockets en Java
Rapport Sockets en JavaRapport Sockets en Java
Rapport Sockets en Java
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain Policy
 

Similar to Applied Detection and Analysis with Flow Data - SO Con 2014

Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APNIC
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringAPNIC
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Joel W. King
 
PNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data AnalyticsPNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data AnalyticsJohn Evans
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itAPNIC
 
Remote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSRemote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSSumant Tambe
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
RIPEstat, RIPE Atlas and the new DNSMON
RIPEstat, RIPE Atlas and the new DNSMONRIPEstat, RIPE Atlas and the new DNSMON
RIPEstat, RIPE Atlas and the new DNSMONRIPE NCC
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...Altinity Ltd
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry developmentAPNIC
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence Sam Bowne
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onQaisSaifQassim
 
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaInternet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaMyNOG
 

Similar to Applied Detection and Analysis with Flow Data - SO Con 2014 (20)

Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
 
PNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data AnalyticsPNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data Analytics
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
 
Remote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSRemote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJS
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
RIPEstat, RIPE Atlas and the new DNSMON
RIPEstat, RIPE Atlas and the new DNSMONRIPEstat, RIPE Atlas and the new DNSMON
RIPEstat, RIPE Atlas and the new DNSMON
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
 
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development32nd TWNIC IP OPM: ROA+ROV deployment & industry development
32nd TWNIC IP OPM: ROA+ROV deployment & industry development
 
Apache Spark Components
Apache Spark ComponentsApache Spark Components
Apache Spark Components
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Practical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-onPractical 7 - Using Wireshark Tutorial and Hands-on
Practical 7 - Using Wireshark Tutorial and Hands-on
 
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaInternet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
 

More from chrissanders88

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017chrissanders88
 
Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017chrissanders88
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinthchrissanders88
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAchrissanders88
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychologychrissanders88
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Securitychrissanders88
 

More from chrissanders88 (11)

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017
 
Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017Threats that Matter - Murray State University 2017
Threats that Matter - Murray State University 2017
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLA
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Security
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

Applied Detection and Analysis with Flow Data - SO Con 2014

  • 1. Applied Detection and Analysis Using Network Flow Data Chris Sanders & Jason Smith Security Onion Conference 2014
  • 2. Chris Sanders • Christian & Husband • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
  • 3. Jason Smith • Kentuckian • Car Aficionado • Raspberry Pi Enthusiast • Junkyard Engineer
  • 4. Applied Network Security Monitoring “This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” “Written by analysts, for analysts.” - Amazon Reviewers
  • 5. Agenda Flow Data! •Why it’s important •How you can collect it •What you can do with it •Tool that’s can help “[Why, How] to extend Security Onion with Flow Analysis.“
  • 6. The NSM Cycle Collection Analysis Detection
  • 7. Evolution of NSM Emphasis Past •Detection Era Present • Collection Era Future •Analysis Era
  • 8. NSM Challenges of the Present We All Want Full PCAP… •Collection – Easy to Capture / Filter Stream Data •Detection – Major Detection Tools are PCAP Oriented •Analysis – Gives us Who, Where, When, and What
  • 9. NSM Challenges of the Present But, It’s not Feasible for Every Goal… •Collection – Not Scalable for Extended Retention •Detection – Not Ideal for Hunting / Rapid Pivoting •Analysis – Not a Great Starting Point
  • 10. Enter Flow Data • Often Called Flow / Session / NetFlow • Summary of Network Communications • Aggregated Record of Packets • Gives Us Who, Where, When • Based on the 5-tuple + Timing/Data Stats Source IP Source Port Dest IP Dest Port Protocol 192.168.5.1 48293 8.8.8.8 53 UDP
  • 11. Building Flow Records • Records are Defined by Unique 5-tuples • Data is added to the 5-tuple Record until a termination condition is met.
  • 12. Flow Record Termination Conditions • Natural Timeout – End of communication per protocol (ex. RST/FIN) • Idle Timeout – No data received for 30 seconds • Active Timeout – Thirty minute max timeout (configurable)
  • 13. Full PCAP vs. Flow Data PCAP Data Flow Data Level of Context
  • 14. Full PCAP vs. Flow Data PCAP Data Flow Data Storage Requirements
  • 15. Flow Data Benefits • Most Network Devices Generate it Natively • Collectors are Easy to Setup • Data Footprint is Incredibly Small • Easy for Orgs to Keep Years of Flow Data • Useful for Detection and Analysis
  • 17. Generating Flow Data • Generation – Routers – Sensors • Fprobe • YAF • Multiple Types: – NetFlow (v5,v9) – IPFIX – jFlow – More…
  • 18. Collecting Flow Data • Popular Platforms – Argus + Reliable & Fast Collection - Not Well Supported/Documented – NFDump + Easy to Setup and Use - Not in Wide Use – SiLK + Exceptional Analysis Tools - More Involved Setup
  • 19. SiLK • The System for Internet-Level Knowledge • CERT NetSA Team • Two Major Components: – Packing Suite • Collection and parsing of flow data – Analysis Suite • Filter, display, sort, count, group, mate, and more • Excellent Documentation & Community – https://tools.netsa.cert.org/silk/docs.html
  • 21. SiLK – What You Need  Flow Sources − Hardware: Routers, Switches − Software: YAF, fprobe  SiLK Server − Rwflowpack − Will also have SiLK analysis suite installed  Analyst Workstation − Access SiLK server directly − Locally mirrored database
  • 22. SiLK – Packing Suite Config  rwflowpack – Listens and sorts incoming flows, preparing them for the analysis suite. − --sensor-configuration  Defines listener options  Defines ipblocks  Defines sensor probes − --site-config-file  Matches sensor probes with a naming convention  Defines class and type relationships − --root-directory  Location where all binary flat files are stored  Indexed: Type>Year>Month>Day>Hour
  • 23. SiLK – Analysis Suite  rwfilter - Filters through data based on conditions.  rwcut - Converts flow binary data to a human readable format.  rwstats - Generates statistics from flow data  rwcount - Summarizes total network traffic over time
  • 24. SiLK Analysis – rwfilter / rwcut (1)  Display all records from the beginning the current day until the current time: rwfilter --type=all --proto=0-255 --pass=stdout | rwcut
  • 25. SiLK Analysis – rwfilter / rwcut (2)  Display all records of communication to or from Chinese IP addresses over a specific week to one local CIDR range: rwfilter --type=all --start-date=2014/08/01 --end-date= 2014/08/07 --any-address=192.168.1.0/24 --any-cc=cn --pass=stdout | rwcut -- fields=stime,sip,dip,sport,dport,type
  • 26. SiLK Analysis – rwstats (1)  Display statistics for the total amount of bytes transferred by protocol (top 10): rwfilter --type=all --proto=0-255 --pass=stdout | rwstats --top --count=10 --fields=proto -- value=bytes
  • 27. SiLK Analysis – rwstats (2)  Show the top 10 sip,dip pairs for valid conversations (top 10) rwfilter --type=all --proto=0-255 --packets=4, -- pass=stdout | rwstats --top --count=10 -- fields=sip,dip --value=bytes
  • 28. SiLK Analysis – rwstats (3)  Show the top 10 outbound destination country codes by records: rwfilter --type=out,outweb --proto=0-255 -- pass=stdout | rwstats --top --count=10 --fields=dcc
  • 29. SiLK Analysis – Zero Access Example (1)  Rwstats to discover potential victims rwfilter --type=all --dport=16464,16465,16470,16471 -- pass=stdout | rwstats --top --fields=sip -- value=distinct:dcc --threshold=3  Filter down to only the potential victim machine rwfilter --type=all --start-date=2014/08/02 --end-date= 2014/08/03 --saddress=192.168.106.131 -- pass=ZA1.rwf
  • 30. SiLK Analysis – Zero Access Example (2)  Analyze the data per 10 minute buckets over the course of 24 hours to look for abnormal user data at bizarre times. rwfilter ZA1.rwf --type=all --proto=0-255 --active-time= 2014/08/02:00-2014/08/03:00 --pass=stdout | rwcut --bin-size=600
  • 31. Collecting Intelligence Data • Friendly Intelligence Gathering • Identify Services on the Network • Identify Normal Behaviors of Hosts • Identify “Friends and Family” – Friends: Who a host communicates with outside the network – Family: Who a host communicates with inside the network
  • 32. Identifying Services • Identify SSH Servers rwfilter --type=out --protocol=6 -- packets=4- --ack-flag=1 --sport=22 - -pass=stdout | rwcut --fields=sip • Identify Web Servers rwfilter --type=outweb --protocol=6 --packets=4- --ack-flag=1 -- sport=80,443,8080 --pass=stdout | rwcut --fields=sip
  • 33. Identifying Friends and Family • Identify Friends rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dcidr=192.168.0.0/24 --fail=stdout • Identify Family rwfilter --type=out,outweb -- saddress=192.168.1.1 --pass=stdout | rwfilter --input-pipe=stdin -- dipset=local --fail=stdout
  • 35. Flow for Detection Signature- Based Reputation- Based Behavior- Based Statistics- Based
  • 36. FlowPlotter • Generates Visualizations from Output of Flow Tools • Useful for Detection-Oriented Statistics • Written in BASH – Flexible/Tweakable • Maintained in GitHub • Browser Independent
  • 37. FlowPlotter - GeoMap rwfilter ../Sampledata/sample.rw --dcc=us,cn,-- --fail=stdout | ./flowplotter.sh geomap dcc bytes > geomap.html
  • 38. FlowPlotter – Line Chart rwfilter --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh linechart 600 bytes > linechart.html
  • 39. FlowPlotter - TreeMap rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh treemap dip records > treemap.html
  • 40. FlowPlotter - PieChart rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh piechart dip bytes > piechart.html
  • 41. FlowPlotter - Barchart/ColumnChart rwfilter ../Sampledata/sample.rw --sport=1025- --dport=1025- --proto=0- --type=all --pass=stdout | ./flowplotter.sh columnchart dip bytes > columnchart.html
  • 42. FlowPlotter - BubbleChart rwfilter ../Sampledata/sample.rw --type=all --proto=0-255 --pass=stdout | ./flowplotter.sh bubblechart sip > bubblechart.html
  • 43. FlowPlotter - Timeline rwfilter ../Sampledata/sample.rw --proto=0- --dcc=us,-- --fail=stdout | ./flowplotter.sh timeline sip dip > timeline.html
  • 44. FlowPlotter - Force Directed rwfilter ../Sampledata/sample.rw --scc=kr --proto=0- --type=all -- pass=stdout | ./flowplotter.sh forceopacity sip dip distinct:dport 100 > forcetest.html
  • 45. FlowPlotter – Asset Discovery rwfilter ../Sampledata/sample.rw --proto=0- --type=all --pass=stdout | ./flowplotter.sh assetdiscovery > assettest.html
  • 47. Flow in Analysis – PCAP Only Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Reduce Data Set Analyze / Make Decisions 5% 10% 35% ~ 50% * Based on the First Hour of Analysis
  • 48. Flow in Analysis – w/ Flow Data Validate Signature TP < 1% Scoping Relevant Time Range Find Related Events in Time Range Expand Data Set as Needed Analyze / Make Decisions 5% 10% 5% ~ 80% * Based on the First Hour of Analysis
  • 49. Flow – Barriers to Entry • Be Prepared to Look at a LOT of Line-Based Data • Very Command Line Oriented • Not Welcoming to Junior-Level Analysts • Hard to Display/Interpret Data Visually
  • 51.
  • 52. • Flow Basic Analysis Tool • Graphical Front-End to SiLK • Easy Two-Step Install on SiLK Capable Box – Install Locally to SiLK Box – Install Remotely and Interact via SSH w/ Keys • Rapid Pivoting Between Data • Graphing Ability
  • 53. Conclusion • Flow Data is Underused and Underrated • Easy to Collect, Enhances Detection & Analysis • Minimal Barriers to Entry – SiLK (Easy to Install on SO) – Argus (Already Installed on SO) – Bro (Already Installed on SO)
  • 54. Thanks Folks! • Questions? – Chris Sanders: chris@chrissanders.org – Jason Smith: jason.smith.webmail@gmail.com • Blog/Book – http://www.appliednsm.com • FlowPlotter – http://www.github.com/automayt/FlowPlotter • FlowBAT – Release in October!

Editor's Notes

  1. 13 September 2014
  2. 13 September 2014
  3. 13 September 2014
  4. 13 September 2014
  5. 13 September 2014