Page 1
Advanced Security Analytics: NetFlow for Incident Response
Page 2
2015: The Year of the Breach
More than 200 million PII records exposed:
• Ashley Madison
• Office of Personnel Management
• Anthem
• VTech
• Hilton
• Latest – Wendy’s
2016 – The Year of Ransomware
Page 3
What Motivates Cyber Criminals
• Financial gain
  • Personally identifiable information (PII)
  • Intellectual property
  • Ransom
  • Access to your bank accounts
• Your servers to host malware
  • Increase botnet nodes for attacks
Page 4
Why Can’t You Detect Them?
• Zero day: no signature to match
• They make outbound connections, initiated from inside, so inbound-focused controls miss them
• They embrace encryption for their connections, so payload inspection sees nothing
• They know DNS is in your blind spot
• They use the authentication system you set up, with credentials that look legitimate
Page 5
[Chart: Encryption Growth Rate; axis labels 2014, 2015, Today; values shown 29% and 70%]
Page 6
What is NetFlow/IPFIX?
Page 7
NetFlow – What it is…
Analogy: an outbound phone bill versus outbound flow data. A phone bill records who called whom, when and for how long, but not what was said; a flow record likewise records who talked to whom, when, on which ports and how many bytes and packets, without the packet payload.
Page 8
NetFlow – How it works…
[Diagram: host A and host B, with NetFlow-capable routers/switches in the path]
• A sending to B is one flow entry on every NetFlow-capable router/switch in the path that has flow export enabled on the interface
• B acknowledging A is a second flow
• Caveat: NetFlow v5/v9 records are unidirectional, so one TCP session appears as two records that the collector has to pair; IPFIX can export both directions as a single biflow (RFC 5103)
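An added illustration of the two-flow point above, written for this page rather than taken from the deck or any vendor's code: a minimal NetFlow-style flow cache in Python that aggregates packets into unidirectional records keyed on the classic v5 flow key. The packets, addresses and interface numbers are constructed; the 1800 s active and 15 s inactive timeouts are the common router defaults and are assumed here.

```python
"""Added example (not from the deck): a minimal NetFlow-style flow cache that
turns packets into unidirectional flow records, showing why A->B and B->A
become two separate entries on the exporter."""
from dataclasses import dataclass

# Classic NetFlow v5 flow key: 5-tuple plus ToS byte and ingress interface.
# A packet that differs in any of these fields belongs to a different flow.
FLOW_KEY = ("src", "dst", "proto", "sport", "dport", "tos", "in_if")


@dataclass
class FlowRecord:
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0      # OR of every TCP flag seen, as NetFlow v5 reports it


class FlowCache:
    """Aggregates packets into flows; expires them on active/inactive timeouts
    (1800 s / 15 s, the usual router defaults, assumed here) or on TCP FIN/RST."""

    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.active = {}
        self.exported = []

    def observe(self, pkt: dict) -> None:
        """pkt carries the FLOW_KEY fields plus ts, length and TCP flags."""
        self._expire(pkt["ts"])
        key = tuple(pkt[f] for f in FLOW_KEY)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(key=key, first_seen=pkt["ts"], last_seen=pkt["ts"])
            self.active[key] = rec
        rec.last_seen = pkt["ts"]
        rec.packets += 1
        rec.bytes += pkt["length"]
        rec.tcp_flags |= pkt.get("flags", 0)
        if pkt["proto"] == 6 and pkt.get("flags", 0) & 0x05:   # FIN or RST closes the flow
            self.exported.append(self.active.pop(key))

    def _expire(self, now: float) -> None:
        for key, rec in list(self.active.items()):
            if (now - rec.last_seen > self.inactive_timeout
                    or now - rec.first_seen > self.active_timeout):
                self.exported.append(self.active.pop(key))

    def flush(self) -> list:
        """Export whatever is still active (what a collector sees at shutdown)."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def demo_flows() -> list:
    """Constructed sample: one TLS session between A (inside) and B (outside),
    as seen by a router whose inside interface is 1 and outside interface is 2."""
    A, B = "10.1.1.10", "203.0.113.5"

    def pkt(ts, src, dst, sport, dport, length, flags, in_if):
        return {"ts": ts, "src": src, "dst": dst, "proto": 6, "sport": sport,
                "dport": dport, "tos": 0, "in_if": in_if, "length": length, "flags": flags}

    packets = [
        pkt(0.00, A, B, 51234, 443, 60, 0x02, 1),     # SYN
        pkt(0.05, B, A, 443, 51234, 60, 0x12, 2),     # SYN/ACK
        pkt(0.05, A, B, 51234, 443, 52, 0x10, 1),     # ACK
        pkt(0.10, A, B, 51234, 443, 517, 0x18, 1),    # ClientHello
        pkt(0.20, B, A, 443, 51234, 1500, 0x18, 2),   # ServerHello and certificate
        pkt(0.21, B, A, 443, 51234, 1200, 0x18, 2),
        pkt(0.30, A, B, 51234, 443, 300, 0x18, 1),    # encrypted request
        pkt(5.00, A, B, 51234, 443, 52, 0x11, 1),     # FIN/ACK from A
        pkt(5.05, B, A, 443, 51234, 52, 0x11, 2),     # FIN/ACK from B
    ]
    cache = FlowCache()
    for p in packets:
        cache.observe(p)
    return cache.flush()


if __name__ == "__main__":
    for f in demo_flows():
        src, dst, proto, sport, dport, tos, in_if = f.key
        print(f"{src}:{sport} -> {dst}:{dport} pkts={f.packets} "
              f"bytes={f.bytes} flags=0x{f.tcp_flags:02x} in_if={in_if}")
```

Running it prints two records for the one session, one per direction, each with its own packet and byte counts and the OR'd TCP flags. A collector that wants the whole conversation has to match them by swapped address/port tuple and overlapping time, which is exactly the pairing IPFIX biflows make unnecessary.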
Page 9
IPFIX
• Internet Protocol Flow Information Export (IPFIX)
• Designed as a common standard for defining how IP flow information can be exported from routers, measurement probes, or other devices for billing and network management systems
• RFC 5101 (2008) was the original Proposed Standard; its revision, RFC 7011, was approved in 2013 and published that September as an Internet Standard
• What does this mean?
• Who supports IPFIX?
Page 10
NetFlow/IPFIX Supported Vendors
• 3Com
• Adtran
• Barracuda
• Blue Coat
• Cisco
• Citrix
• Dell
• Enterasys
• Expand
• Extreme
• FatPipe
• Juniper
• Mikrotik
• Nortel
• YAF
• Palo Alto
• Plixer
• Riverbed
• SonicWALL
• VMware
• Vyatta
• Xirrus
• Others …
Page 11
How to Combat: Reduce Complexity
1. Analyze behavior
2. Profile
3. Threshold
4. Correlate DNS
5. Alarm
Page 12
Identifying Malware Requires
• Network traffic monitoring
• Host-based information monitoring
Page 13
Profile Your Oracles – Critical Resources
• Before setting thresholds, use flow data to determine which behaviors are normal. For example:
  • Volume of flows from a host
  • Maximum number of end systems it communicates with within 5 minutes
  • Average bytes transmitted
  • The ports it communicates on
• Loaded with a historical profile, you can set thresholds that build upon your threat index
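The five-step loop from the "Reduce Complexity" slide (analyze behavior, profile, threshold, correlate DNS, alarm) applied to the profile metrics listed above, as an added worked example written for this page; it is not code from the deck or from any vendor product. The flow records, DNS answers, host addresses, the 10.0.0.0/8 internal range, the mean-plus-three-standard-deviations threshold rule and the per-finding threat-index weights are all constructed assumptions.

```python
"""Added example, not from the deck: the five-step loop over flow records
(analyze behaviour, profile, threshold, correlate DNS, alarm)."""
import ipaddress
import statistics
from collections import defaultdict

WINDOW = 300                                      # seconds; the deck profiles per 5 minutes
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumption: the only internal range
METRICS = ("flows", "peers", "avg_bytes")


def window_metrics(flows, host, window=WINDOW):
    """Step 1: per 5-minute window, how the host behaves as a source."""
    buckets = defaultdict(list)
    for f in flows:
        if f["src"] == host:
            buckets[int(f["ts"] // window)].append(f)
    result = {}
    for w, fs in sorted(buckets.items()):
        result[w] = {
            "flows": len(fs),
            "peers": len({f["dst"] for f in fs}),
            "avg_bytes": sum(f["bytes"] for f in fs) / len(fs),
            "ports": {f["dport"] for f in fs},
        }
    return result


def build_profile(history, host, k=3.0):
    """Step 2: baseline each metric at mean + k*stdev (with a 10% floor so a
    perfectly flat history still gets some slack); remember the ports used."""
    m = window_metrics(history, host)
    profile = {"ports": set().union(*(x["ports"] for x in m.values()))}
    for metric in METRICS:
        vals = [x[metric] for x in m.values()]
        mean, sd = statistics.fmean(vals), statistics.pstdev(vals)
        profile[metric] = mean + k * max(sd, 0.1 * mean)
    return profile


def undns_destinations(flows, dns_answers, host, lookback=3600):
    """Step 4: external destinations the host reached with no DNS answer for
    that IP in the preceding hour (direct-to-IP traffic is a classic C2 tell)."""
    found = set()
    for f in flows:
        if f["src"] != host or f["dport"] == 53:
            continue
        if ipaddress.ip_address(f["dst"]) in INTERNAL:
            continue
        resolved = any(a["client"] == host and a["ip"] == f["dst"]
                       and 0 <= f["ts"] - a["ts"] <= lookback for a in dns_answers)
        if not resolved:
            found.add(f["dst"])
    return found


def evaluate(profile, flows, dns_answers, host):
    """Steps 3 and 5: compare the new window against the profile, add the
    DNS finding, and return a threat index plus the alarms behind it."""
    alarms, threat_index = [], 0
    for w, m in window_metrics(flows, host).items():
        for metric in METRICS:
            if m[metric] > profile[metric]:
                alarms.append(f"{host} window {w}: {metric}={m[metric]:.0f} "
                              f"exceeds baseline {profile[metric]:.0f}")
                threat_index += 10
        new_ports = m["ports"] - profile["ports"]
        if new_ports:
            alarms.append(f"{host} window {w}: new destination ports {sorted(new_ports)}")
            threat_index += 5
    for ip in sorted(undns_destinations(flows, dns_answers, host)):
        alarms.append(f"{host}: reached {ip} with no preceding DNS resolution")
        threat_index += 20
    return threat_index, alarms


def run_demo():
    """Constructed data: six quiet windows of web traffic, then a window with an
    SMB sweep of 10.1.2.0/24 and a 50 MB upload to an IP the host never resolved."""
    host = "10.1.1.10"
    history, dns = [], []
    for w in range(6):
        base = w * WINDOW
        for i in range(10):
            dst = f"203.0.113.{10 + i % 4}"          # four habitual web peers
            dns.append({"ts": base + i * 20 - 1, "client": host, "ip": dst})
            history.append({"ts": base + i * 20, "src": host, "dst": dst,
                            "dport": 443 if i % 2 else 80, "bytes": 4000 + 100 * i})
    base = 6 * WINDOW
    current = [{"ts": base + i, "src": host, "dst": f"10.1.2.{i + 1}",
                "dport": 445, "bytes": 200} for i in range(45)]
    current.append({"ts": base + 60, "src": host, "dst": "198.51.100.7",
                    "dport": 443, "bytes": 50_000_000})
    return evaluate(build_profile(history, host), current, dns, host)


if __name__ == "__main__":
    score, findings = run_demo()
    print("threat index", score)
    for line in findings:
        print(" -", line)
```

The suspicious window trips all three numeric thresholds (flow count, distinct peers, average bytes), introduces port 445, and contains one external destination with no DNS answer behind it; each finding adds to the host's threat index so a single noisy metric alone does not page anyone. Internal destinations are skipped in the DNS check because hosts on a LAN are routinely reached by address without a lookup.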
Page 14
Host Indexing
• Index every IP seen on your network
• Search across TRILLIONS of records in SECONDS
• Clean search & result GUI
• Can be queried by a new API runmode for security vetting automation
Page 15
Network as a Sensor: Collect AVC (Cisco Application Visibility and Control) Flows
Page 16
AVC: Incident Response
Page 17
AVC: Performance
Page 18
Security as a Platform
• FireSIGHT
• Splunk
• Elasticsearch
• FlowPro Defender
[Architecture diagram with labels: Scrutinizer, FlowReplicator, FlowPro Defender, Cloud Services, DNS, Application Servers, BYOD, Desktops, FireSIGHT, Splunk, Elasticsearch]
Page 19
FireSIGHT Integration
• Username
• Application
• FS App
• URL
• HTTP Host
• Web event & rule details
[Architecture diagram as on page 18; integration labels: FireSIGHT, Elasticsearch, Splunk]
Page 20
FireSIGHT Integration
[Diagram labels: FireSIGHT Server, Cisco ASAs with FirePOWER, Scrutinizer]
[Page 21: slide image, no text extracted]
Page 22
Visibility Challenge
• Cloud, virtualization, and encryption make it difficult to collect flow data directly from all source devices
• Visibility suffers as a result!
[Diagram labels: DNS]
[Page 23: slide image, no text extracted]
Page 24
DNS
[Page 25: slide image, no text extracted]
Page 26
FlowPro Defender
• DNS data leak
• Botnet detection
• DNS C2 detection
• Data exfiltration
• DNS to flow correlation
[Architecture diagram as on page 18; labels: FlowPro Defender, Cloud Services, DNS, Application Servers, Scrutinizer, FlowReplicator, BYOD, Desktops, FireSIGHT, Elasticsearch, Splunk]
[Page 27: slide image, no text extracted]
Page 28
DNS Data Leak and Exfiltration
Trusted vendors are sneaking past your firewall. Both names below carry data encoded in the query labels (security-product reputation lookups), which is exactly the shape a DNS tunnel or exfiltration channel takes, so detection logic needs an allow-list for known vendor zones rather than treating every long, high-entropy name as hostile:
c-0.b3000081.50083.15e0.1e2a.36d4.210.0.mfunhzl9whredkfbfe2qvdhiti.avts.mcafee.com
1009050090202.000001000.001010101010101010.110100123.dc1a8ae28a4a4ea8938842445c903a91.6b4c217548c84de99d42b0262debd80d.11000.h.00.mac.sophosxl.net
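An added example of scoring DNS query names for data leakage, written for this page and not taken from the deck or from FlowPro Defender: it combines per-query traits (length, label count, entropy, digit density) with a per-domain count of unique names, since a tunnel has to keep changing the name to defeat caching, and it allow-lists the two vendor zones shown on the slide so they are reported as known telemetry rather than as an incident. The trait thresholds, the allow-list, the naive last-two-labels domain split and the sample queries (the two slide names plus constructed ordinary and tunnel traffic) are all assumptions.

```python
"""Added example, not from the deck: scoring DNS query names for data
leakage / tunnelling, with an allow-list for the vendor lookups on the slide."""
import hashlib
import math
from collections import defaultdict

# Assumption: these vendor reputation-lookup zones are expected in this
# environment; anything else that looks data-bearing gets an alarm.
ALLOWLIST = {"avts.mcafee.com", "sophosxl.net"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted payloads sit near the top of the range."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def is_allowlisted(name: str) -> bool:
    n = name.rstrip(".").lower()
    return any(n == a or n.endswith("." + a) for a in ALLOWLIST)


def score_query(name: str) -> int:
    """Count of data-bearing traits: very long, many labels, high entropy, digit heavy."""
    n = name.rstrip(".").lower()
    rd = registered_domain(n)
    payload = n[: -(len(rd) + 1)] if len(n) > len(rd) else ""   # everything left of the domain
    flat = payload.replace(".", "")
    traits = [
        len(n) > 100,
        n.count(".") + 1 >= 6,
        shannon_entropy(flat) > 3.5,
        bool(flat) and sum(ch.isdigit() for ch in flat) / len(flat) > 0.3,
    ]
    return sum(traits)


def analyze(queries, min_unique=20, min_score=2) -> dict:
    """Group by registered domain; flag high per-query scores or many unique names."""
    names = defaultdict(set)
    best = defaultdict(int)
    for q in queries:
        rd = registered_domain(q)
        names[rd].add(q.rstrip(".").lower())
        best[rd] = max(best[rd], score_query(q))
    report = {}
    for rd, subs in names.items():
        suspicious = len(subs) >= min_unique or best[rd] >= min_score
        if not suspicious:
            verdict = "benign"
        elif all(is_allowlisted(s) for s in subs):
            verdict = "allowlisted"        # data-bearing, but known vendor telemetry
        else:
            verdict = "suspicious"
        report[rd] = {"unique_names": len(subs), "max_score": best[rd], "verdict": verdict}
    return report


def sample_queries() -> list:
    """Constructed: the two vendor names from the slide, ordinary traffic, and a
    hex-encoded tunnel that rotates names under tun.example.net."""
    qs = [
        "c-0.b3000081.50083.15e0.1e2a.36d4.210.0.mfunhzl9whredkfbfe2qvdhiti.avts.mcafee.com",
        "1009050090202.000001000.001010101010101010.110100123."
        "dc1a8ae28a4a4ea8938842445c903a91.6b4c217548c84de99d42b0262debd80d."
        "11000.h.00.mac.sophosxl.net",
        "www.example.com", "mail.example.com", "cdn.example.org",
    ]
    for i in range(25):
        chunk1 = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]
        chunk2 = hashlib.sha256(f"more{i}".encode()).hexdigest()[:60]
        qs.append(f"{chunk1}.{chunk2}.{i:03d}.tun.example.net")
    return qs


if __name__ == "__main__":
    for domain, info in analyze(sample_queries()).items():
        print(f"{domain:14} names={info['unique_names']:3} "
              f"score={info['max_score']} -> {info['verdict']}")
```

Both slide names score as data-bearing on label count and digit density alone, which is the point of the slide: without the allow-list they are indistinguishable from the constructed tunnel, and with it the tunnel under example.net is the only domain left marked suspicious. In practice the allow-list should be reviewed, not grown on demand, because a vendor zone is also a convenient place for an attacker to hide.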
[Page 29: slide image, no text extracted]
[Page 30: slide image, no text extracted]
Page 31
Who • When • Where • What • How much