Page 1
Is an attacker hidden in your network?
Have your network under your control
Tomáš Šárocký, Channel Specialist
CloudSec • 29th of August • Seoul, South Korea
Page 2
Agenda
Network Visibility
IT Operations
Network Performance Monitoring and Diagnostics
Application Performance Monitoring
Security
Network Behavioral Analysis
DDoS Detection & Mitigation
NPMD APM NBA DDoS
Page 3
Security Approach
Prevention
Detection
Response
Page 4
How do we secure our networks?
Page 5
Technology Approaches
Network Visibility & Security
Perimeter Security
Endpoint Security
Page 6
DMZ VPN
LAN
Firewall
IDS/IPS
UTM
Application firewall
Web filter
E-mail security
SSH Access
Page 7
DMZ VPN
LAN
Antivirus
Personal Firewall
Antimalware
Endpoint DLP
Antirootkit
Page 8
That is not enough anymore!
Page 9
DMZ VPN
LAN
Page 10
Network Visibility & Security
Why? What to use it for?
How can you effectively protect and manage something if you have no visibility into it?
Page 11
Real Life Examples
Security Incident
Page 12
Advanced malware
I don't know what is happening
Most of us cannot access the Internet
In the conference room everything is OK
And the IS is working as well
That is weird…
There is no alert in Zabbix
Servers and VPN are available
I will check and let you know
Page 13
Advanced malware
78 port scans?
DNS anomalies?
Page 14
Advanced malware
Let's see the scans first
OK, users cannot access the web
Are the DNS anomalies related?
Page 15
Advanced malware
OK, which DNS server is being used?
192.168.0.53? This is a notebook!
How did this happen?
Page 16
Advanced malware
Let's look at the details…
Laptop 192.168.0.53 is acting as a DHCP server in the network
Page 17
Advanced malware
Malware-infected device
Trying to redirect and bridge traffic
Probably to get sensitive data
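One way to turn the "which DNS server is being used?" question from this incident into an automated check over flow records, as an added example that is not part of the talk or of any Flowmon feature: every host seen answering on UDP/53 or UDP/67 is compared with an allowlist of authorized servers, and DHCP offers are attributed by source port because they go to the broadcast address. The allowlist addresses and the flow records are constructed; 192.168.0.53 is the laptop from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp", "tcp", "icmp"
    sport: int
    dport: int

SERVICE_PORTS = {"dns": 53, "dhcp": 67}
# Assumed authorized servers (constructed for this example, not from the talk).
AUTHORIZED = {"dns": {"192.168.0.2"}, "dhcp": {"192.168.0.1"}}
NON_HOSTS = {"255.255.255.255", "0.0.0.0"}  # flow endpoints that are never a real server

def observed_servers(flows):
    """Map service -> server IP -> clients seen using it. A host is the server
    side when it receives traffic on the service port or sends from it (DHCP
    offers go to the broadcast address, so they only show up as a source)."""
    servers = {svc: defaultdict(set) for svc in SERVICE_PORTS}
    for f in flows:
        if f.proto != "udp":
            continue
        for svc, port in SERVICE_PORTS.items():
            if f.dport == port:
                server, client = f.dst, f.src
            elif f.sport == port:
                server, client = f.src, f.dst
            else:
                continue
            if server not in NON_HOSTS:
                servers[svc][server].add(client)
    return servers

def rogue_servers(flows, authorized=AUTHORIZED):
    """Return {service: {unauthorized server IP: number of clients}}."""
    result = {}
    for svc, by_server in observed_servers(flows).items():
        rogues = {ip: len(clients) for ip, clients in by_server.items()
                  if ip not in authorized[svc]}
        if rogues:
            result[svc] = rogues
    return result

# Constructed sample: one client still uses the real DNS server, the rest
# resolve through 192.168.0.53, which is also handing out DHCP leases.
SAMPLE_FLOWS = [
    Flow("192.168.0.10", "192.168.0.2", "udp", 51000, 53),
    Flow("192.168.0.11", "192.168.0.53", "udp", 50112, 53),
    Flow("192.168.0.12", "192.168.0.53", "udp", 50113, 53),
    Flow("192.168.0.13", "192.168.0.53", "udp", 50114, 53),
    Flow("0.0.0.0", "255.255.255.255", "udp", 68, 67),       # DHCP discover
    Flow("192.168.0.1", "255.255.255.255", "udp", 67, 68),   # legitimate offer
    Flow("192.168.0.53", "255.255.255.255", "udp", 67, 68),  # rogue offer
    Flow("192.168.0.12", "192.168.0.20", "tcp", 44000, 443),
]

if __name__ == "__main__":
    print(rogue_servers(SAMPLE_FLOWS))
```

The same check runs over real exporter output once the records are reduced to these five fields; the allowlist is the only site-specific input.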
Page 18
What if
…the malware really works?
From the user's perspective everything is OK
The malware has access to the whole traffic
The malware has access to login info and passwords
…IT is not monitoring the traffic?
The problem would take several hours to solve instead of 20 minutes
If the malware works, they would not even know…
Page 19
Real Life Examples
Security Incident
Page 20
Traffic overview, anomalies detected
Page 21
Attacker activity (port scan, SSH authentication attack)
Page 22
Victim of the attack, source of anomalies
Page 23
The attacker is looking for potential victims
And starts an SSH attack
That turns out to be successful
Page 24
A few minutes after that, the breached device starts to communicate with a botnet C&C
Page 25
Botnet identification using Flowmon Threat Intelligence
Page 26
Flow data on L2/L3/L4
Page 27
Including L7 visibility
Page 28
Full packet capture and packet trace (PCAP file)
Page 29
Analysis of the PCAP file with botnet C&C communication in Wireshark
Page 30
Data exfiltration command via ICMP
Page 31
Command to discover RDP servers
Page 32
ICMP anomaly: traffic with payload present
Page 33
PCAP available, what is the ICMP payload?
Page 34
Linux /etc/passwd file with user accounts and password hashes
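An added example (not from the talk or the Flowmon product) of the triage an analyst does once the PCAP from the "ICMP anomaly, payload present" alert is open: it parses the ICMP echo header, verifies the checksum, and flags echo messages whose payload is neither empty nor a stock Linux/Windows ping pattern, telling text apart from binary payloads. The sample messages, including the passwd-style line, are constructed inline.

```python
import struct
from dataclasses import dataclass
ICMP_HDR = struct.Struct("!BBHHH")                     # type, code, checksum, id, seq
ECHO_TYPES = {8, 0}                                    # echo request / echo reply
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # stock Windows ping payload

@dataclass
class Verdict:
    suspicious: bool
    reason: str
    payload_len: int

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0 when run over a valid full message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1, typ: int = 8) -> bytes:
    """Build a constructed echo message (used only for the sample input)."""
    hdr = ICMP_HDR.pack(typ, 0, 0, ident, seq)
    return ICMP_HDR.pack(typ, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def parse_icmp(msg: bytes):
    """Return (type, code, ident, seq, payload); reject truncated or corrupt input."""
    if len(msg) < ICMP_HDR.size:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = ICMP_HDR.unpack_from(msg)
    return typ, code, ident, seq, msg[ICMP_HDR.size:]

def is_stock_ping_payload(payload: bytes) -> bool:
    """iputils ping fills byte i (i >= 8, after its timestamp) with i & 0xff;
    Windows ping repeats the alphabet. Anything else counts as 'payload present'."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) >= 8 and all(payload[i] == (i & 0xFF) for i in range(8, len(payload)))

def looks_like_text(payload: bytes) -> bool:
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return printable / len(payload) > 0.9

def triage(msg: bytes) -> Verdict:
    typ, _code, _ident, _seq, payload = parse_icmp(msg)
    if typ not in ECHO_TYPES or not payload or is_stock_ping_payload(payload):
        return Verdict(False, "benign echo or non-echo message", len(payload))
    if looks_like_text(payload):
        return Verdict(True, "text payload in echo message", len(payload))
    return Verdict(True, "non-standard binary payload", len(payload))

# Constructed samples: a default Linux ping, a Windows ping, and an echo whose
# payload is a passwd-style line (the kind of content the slides show in Wireshark).
LINUX_PING = build_echo(b"\x00" * 8 + bytes(range(8, 56)))
WINDOWS_PING = build_echo(WINDOWS_PATTERN)
EXFIL_PING = build_echo(b"root:x:0:0:root:/root:/bin/bash\n")
```

Feeding the ICMP layer of each packet from the capture through `triage` turns the "payload present" anomaly into a per-message list of what the payload actually is.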
Page 35
Looking for Windows servers with RDP
Attack against RDP services
Page 36
Network Against Threats
Flow monitoring including L7
Network Behavior Analysis
Full packet capture
Triggered by detection
Page 37
Few More Real Life Examples
Page 38
Stations from the local network under the control of an attacker were performing a DDoS attack on command from a C&C server.
Detected as an outgoing DDoS attack.
Page 39
An employee on leave notice was saving internal files to a shared Yahoo disk. It was detected as a transfer of a high amount of data from the LAN to the Internet.
A serious incident after investigation
Page 40
1. Copying a file from the shared filesystem onto a compromised device
2. The original file deleted from the shared filesystem
3. Upload of the encrypted file back to the shared filesystem
Page 41
Network Behaviour Analysis
The unknown is known
Page 42
Anomaly Detection
▪ Network as a sensor concept (and enforcer)
▪ blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer
Statistical analysis: volumetric DDoS detection
Advanced data analysis algorithms: detection of non-volumetric anomalies
DDoS | Anomaly detection
Page 43
Detection Principles
Behaviour Analysis
Machine Learning
Adaptive Baselining
Heuristics
Behavior Patterns
Reputation Databases
Page 44
Cloud Monitoring
Page 45
Terminology
Cloud Delivery vs. Cloud Monitoring
Cloud Delivery: Flowmon is available on all major platforms, ready to be deployed in a hybrid mode
Cloud Monitoring: monitoring the traffic coming to, from, and within the cloud environment
Page 46
Flowmon Architecture
Flow export from already deployed devices
Flow data export + L7 monitoring
Flow data collection, reporting, analysis
Flowmon modules for advanced flow data analysis
Page 47
Questions?
Page 48
Network Visibility
IT Operations
Network Performance Monitoring and Diagnostics
Application Performance Monitoring
Security
Network Behavioral Analysis
DDoS Detection & Mitigation
NPMD APM NBA DDoS
Page 49
Summary: Security Approach
Prevention
Detection
Response
Page 50
Live DEMO?
...at our booth
Page 51
Flowmon Networks a.s.
Sochorova 3232/34
616 00 Brno, Czech Republic
www.flowmon.com
Thank you
Performance monitoring, visibility and security with a single solution
Tomáš Šárocký, Regional Sales Manager
[email protected], +420 734 202 431