Threat Hunting with Network Flow
April 19, 2017
© 2017 Carnegie Mellon University
This material has been approved for public release and unlimited distribution.
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Threat Hunting with Network Flow
Austin Whisnant
Copyright 2017 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie
Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily
reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON
AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS
TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
me@linux:~$ echo "Where's my cursor?"
Pros
- Small
- Automatable
- Privacy
Cons
- No validation
- Summary
- Yet another tool
Adversary
Victim
Capabilities
Infrastructure
IP Address → Network Flow → IP Address → Network Flow → Timestamp → Pcap
APT IP Addresses → Network Flow → /24 → Network Flow
Internal IP Logs
New Malicious IPs
IDS
Pros
Small (Quick)
Pros
Critical thinking
Pros
- Small (Quick)
- Automatable
- Privacy
- Critical thinking
Cons
- No validation
- Summary
- Yet another tool
Profile
DNS: xxxxxx
NAT: xxxxxxxxxx
VPN: xxx
Web: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…
me@linux:~$ echo "Just Linux command line skills"