secureset wargames - logging and packet capture training

Post on 11-Apr-2017

TRANSCRIPT

©2015 SecureSet, LLC

Active Defense

PCAP and Log Detection Techniques

Instructor: Greg Foss

December 08, 2015

# whoami

Greg.Foss@LogRhythm.com

@heinzarelli

Security Operations Team Lead

Sr. Security Research Engineer

OSCP, GAWN, GPEN, GCIH, CEH, Cyber APT

Logging and Packet Capture…

Why this content matters

You already have everything you need for security monitoring within your corporate infrastructure.

Logging and Packet Capture are the cornerstones to incident response and cyber investigations.

Detailed evidence that can help to show what exactly happened within an environment.

Valuable to Operations and Security alike

How it fits into cybersecurity

Every single computer investigation can be aided by supporting log and packet capture data.

If you ever want to work on an incident response team or help monitor the security of an organization, you must understand logging, packet capture analysis and event correlation.

What you should learn tonight

Introduction to Logging and Log Management

Actively Detecting Attacks Using Log Data

Introduction to Packet Capture and Net Flow

Packet Dissection and Data Exfiltration Detection

Packet Capture Challenge!

http://omg.endoftheinternet.org/

Why I love this industry

Breaking into computers for a living!

It’s also fun to go hunting…

Logging

What are ‘Logs’…

“A record of performance, events, or day-to-day activities”

Merriam-Webster, 2015

Log Data = Log Message Meaning

Informational – Generally benign events

Debug – Software development

Warning – Dependencies may be absent

Error – Indication that something is not right

Alert – Often security related. Highlight interesting info

Logging and Log Management, 2012

Log Formats

Flat File

Database

CSV

Linux Syslog

Generic Syslog

Windows System, Event, Security, etc…

Standard Logging Locations

Linux

/var/log/

Windows

Event Viewer

Log Management

Store the logs in a centralized location

Replicating logs across to a log management system

Back up the logs to ensure integrity of the data and maintain compliance standards

Log Parsing (Normalization)

To gain value from your SIEM, data must be normalized

Varies depending on the log management solution

Regular Expressions

Data Categorization

Common Event Generation

General Classification
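As an added illustration of the normalization steps listed above (not part of the original deck), a small Python normalizer that applies a regular expression to the syslog envelope, categorizes the message into a common event, and then correlates the results; the sample log lines, hosts, users, addresses and rule names are all constructed for the example:

```python
import re

# Constructed sample lines in the traditional Linux syslog layout
# (hosts, users and addresses are made up for this example)
SAMPLE_LOG = """\
Dec  8 19:02:11 web01 sshd[2114]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec  8 19:02:13 web01 sshd[2114]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec  8 19:02:15 web01 sshd[2114]: Failed password for root from 203.0.113.45 port 51022 ssh2
Dec  8 19:03:01 web01 sshd[2130]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Dec  8 19:03:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Dec  8 19:04:00 web01 CRON[2150]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Step 1: regular expression for the syslog envelope: timestamp, host, program, pid, message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Step 2: categorization rules; the first matching rule names the common event
RULES = [
    ("Authentication Failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("Authentication Success", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("Privilege Escalation", re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
]

def normalize(line):
    """Return the common-event fields for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "prog": m["prog"].strip(),
             "pid": m["pid"], "category": "General"}
    for name, rule in RULES:
        r = rule.search(m["msg"])
        if r:
            event["category"] = name
            event.update(r.groupdict())  # user, src, target, cmd as the rule provides
            break
    return event

def failed_logins_by_source(log_text, threshold=3):
    """Step 3, correlation: sources with at least `threshold` failures (brute-force indicator)."""
    counts = {}
    for line in log_text.splitlines():
        ev = normalize(line)
        if ev and ev["category"] == "Authentication Failure":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}
```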

Endpoint Monitoring

User Activity

File Integrity and Hashing

Processes Details

Network Connections

Registry Modification

Document and/or Web Bug Tracking

Event Correlation

Leveraging actionable metadata allows you to understand the full picture.

Key when attempting to reconstruct a scenario

Security Information Event Management

Bringing it all together

Dashboards

Automated Alerting

Automated Response

Central Log Storage

Enterprise Correlation

SIEM Tools

Commercial: LogRhythm, Splunk

Open Source: Logstash and Kibana, Graylog

Advanced Logging

PowerShell

Command Line Logging

Extracting Logs using PowerShell

PS C:\> Get-EventLog Security

Honeypot Event Correlation

TTY Log Replay

Web Bugs

Open Source Document Tracking and Event Correlation

DEMO

Packet Capture (PCAP)

OSI Model

Complete record of network activity: Layers 2-7

Transport Layer Protocols

Transmission Control Protocol (TCP)

Stateful – HTTP, SSH, SMTP, etc.

Used to establish interactive sessions

User Datagram Protocol (UDP)

Stateless / Connectionless transmission model

Easy to spoof origin

No delivery guarantee

Can be used to exfiltrate data via DNS
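An added example (not from the deck) of how the DNS exfiltration channel mentioned above shows up in dissected DNS query records: the queries, client addresses and zones are constructed, and the thresholds are assumptions tuned to this sample rather than a recommended baseline.

```python
import math
from collections import defaultdict

# Constructed DNS query records as a packet dissector would emit them:
# (timestamp, client_ip, query_type, query_name). The example.org labels are
# hex-encoded text chunks, the pattern a DNS tunnel leaves behind.
SAMPLE_QUERIES = [
    (1449600000, "10.0.0.21", "A", "www.example.com"),
    (1449600001, "10.0.0.21", "A", "cdn.example.com"),
    (1449600002, "10.0.0.21", "AAAA", "mail.example.com"),
    (1449600003, "10.0.0.33", "TXT", "4a6f686e2077617320686572.c2.example.org"),
    (1449600004, "10.0.0.33", "TXT", "652e2054686520717569636b.c2.example.org"),
    (1449600005, "10.0.0.33", "TXT", "2062726f776e20666f78206a.c2.example.org"),
    (1449600006, "10.0.0.33", "TXT", "756d7073206f766572207468.c2.example.org"),
    (1449600007, "10.0.0.33", "TXT", "65206c617a7920646f672e0a.c2.example.org"),
]

def shannon_entropy(s):
    """Bits per character: encoded chunks score well above natural-language labels."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(name, levels=2):
    """Crude zone split: keep the last `levels` labels (example.org)."""
    return ".".join(name.lower().rstrip(".").split(".")[-levels:])

def dns_exfil_suspects(queries, min_unique=4, min_label_len=16, min_entropy=2.5):
    """Flag (client, zone) pairs with the tunnel signature: many unique subdomains
    whose leftmost label is long and high-entropy. Thresholds are assumptions."""
    per_zone = defaultdict(list)
    for _ts, client, qtype, qname in queries:
        per_zone[(client, registered_domain(qname))].append((qtype, qname.split(".")[0]))
    suspects = {}
    for key, items in per_zone.items():
        labels = {label for _qtype, label in items}
        if len(labels) < min_unique:
            continue  # too few distinct names to carry a payload
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects[key] = {"unique_labels": len(labels), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "txt_share": sum(1 for q, _ in items if q == "TXT") / len(items)}
    return suspects
```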

How To Capture Network Traffic

Local

Using tcpdump, Wireshark, NetworkMiner, Ettercap, etc.

In-Line Device

Often commercial but there are free tools as well.

Mirror off Firewalls

Split data passed through firewalls and push it to an appliance.

Offensive – MITM, ARP Poisoning, Evil Twin, etc.

Packet Capture Appliances

LogRhythm Network Monitor Freemium Version – https://support.logrhythm.com

FireEye PX Series

NetScout

NetWitness

Riverbed

Etc.

Network Tap

A network tap can be as simple as a hub. Hubs allow you to see all data transmitted, as opposed to switches.

Raspberry Pi

Beaglebone Black

LAN Turtle

Wi-Fi Pineapple

Capturing Network Traffic

Simple Network

Many Options

Capturing Network Traffic

Basic Network, Multiple VLANs
Offensive Network Capture

ARP Poisoning

Convince the host that our MAC is the router's, and its traffic begins to pass through our system.

Evil Twin Wi-Fi Attacks

https://www.youtube.com/watch?v=86bvUV92Ek8

We’ll talk about this more soon…

Attack Switches, Routers, Gateways, etc.
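An added defender-side example (not from the deck) that checks dissected ARP replies for the indicator the slide describes, a MAC other than the router's claiming the gateway IP, plus one MAC claiming several IPs; the records, addresses and severities are constructed assumptions.

```python
from collections import defaultdict

# Constructed ARP records as a packet dissector would emit them:
# (timestamp, opcode, sender_ip, sender_mac); opcode 2 is a reply ("is-at").
SAMPLE_ARP = [
    (1449600000.0, 2, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers
    (1449600001.0, 2, "10.0.0.55", "00:11:22:33:44:55"),  # ordinary host
    (1449600020.0, 2, "10.0.0.1", "de:ad:be:ef:00:01"),   # another MAC claims the gateway IP
    (1449600021.0, 2, "10.0.0.55", "de:ad:be:ef:00:01"),  # same MAC also claims a host's IP
    (1449600022.0, 2, "10.0.0.1", "de:ad:be:ef:00:01"),   # repeated to keep caches poisoned
]

def detect_arp_poisoning(records, protected_ips):
    """Return (ts, severity, message) alerts for two indicators:
    an IP (especially a protected one such as the gateway) changing MAC,
    and a single MAC answering for more than one IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, opcode, ip, mac in records:
        if opcode != 2:
            continue  # only replies carry the "is-at" claim
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "high" if ip in protected_ips else "medium"
            alerts.append((ts, sev, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:       # alert once per new claim, not per packet
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "medium", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts
```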

Sniffing Packets

Many protocols are in plain text

Easy to understand and dissect

HTTP, DNS, FTP, Telnet, SMTP, etc.

TLS is becoming more prevalent

Making traffic inspection more difficult

HTTPS, SSH, SFTP, FTPS, etc.

Malware often uses encrypted tunnels

Viewing Encrypted Packets

SSL Interception Proxies

Source: https://logrhythm.com/blog/network-monitor-and-ssl-proxy-integration/

Offensive MiTM Against TLS / SSL

SSLStrip – Older but still works

https://github.com/moxie0/sslstrip

SSLSplit – Transparent TLS/SSL Interception Proxy

Terminates one session then creates its own

https://github.com/droe/sslsplit

NetRipper – Windows API Hooking

https://github.com/NytroRST/NetRipper

Attacking Users – A Case Study

Evil Twin

Evil Twin

source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html

DEMO

We’ve only just scratched the surface…

Want To Learn More and Practice?

http://www.netresec.com/?page=PcapFiles

Publicly Available PCAP Files

http://malware-traffic-analysis.net/

PCAP Files and Malware Samples

https://www.vthreat.com/

Simulate threats, data exfiltration, etc.

VirusTotal Professional

PCAP Challenge

Using Log Data to Track Winners

References

Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012. Print.

Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley, 2005. Print.

CLOSING

Careers in this area of security

The work – LogRhythm is hiring!

The rewards – Great benefits!

How to pursue

https://logrhythm.com/about/careers/

greg.foss@logrhythm.com

Provides aspiring security talent with a powerful & direct path into cybersecurity

“Career Promise”

www.secureset.com/academy

Next Denver session: January 2016

Did you know? More than 209,000 cybersecurity jobs in the US are unfilled.*

* www.peninsulapress.com/2015

wargames.secureset.com

wargames@secureset.com

Secure your future in Cyber!

SecureSet Academy Starts January 2016