
The Needle in the Haystack - PowerPoint Presentation

Uploaded by natalia-silvester on 2018-10-12


Jasper Bongertz, 17 June 2015. The Haystack: in an incident response situation at least one Indicator of Compromise has been found already. The haystack




Presentation Transcript

Slide 1

The Needle in the Haystack
Jasper Bongertz
17 June 2015

Slide 2

The Haystack

In an incident response situation at least one Indicator of Compromise has been found already.
The haystack is all of the IT infrastructure that needs to be checked:
- Clients
- Servers
- Network
- ISP uplinks

27 May 2015 - The Needle in the Haystack - 2

Slide 3

Looking for the Needle

The challenge: telling what systems have really been compromised.
So how do we usually do that? Looking at:
- file systems
- log files
- firewall rule tables
- sensor hits (IDS/IPS/NSM/AV/Sandboxes)
- documentation

Slide 4

Looking at the network

Network forensics can be an effective way to spot potential „Needles“.
- No matter how good malware hides, it'll use the network sooner or later
- „No place to hide“ if sniffing packets at the right spot
Challenges:
- Sniffing packets at the „right spot“
- Scanning through gazillions of packets, looking for IoCs

Slide 5

Best practices

Looking at Internet uplinks
- Usually there are only a couple of them
- Problem: undocumented/„rogue“ uplinks
Inspecting DNS
- Can be stored a long time, e.g. using PassiveDNS
- Finding CnC patterns:
  - Answers containing loopback addresses
  - High amount of errors like „no such name“
  - Domain Generation Algorithms
- Still need to sort out false positives
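The three DNS CnC patterns listed on this slide are easy to check mechanically once passive DNS data is available. The following script is an added example, not part of the presentation: it triages a small, constructed passive-DNS export (the line format, the IP and domain values, the thresholds and the KNOWN_GOOD allowlist are all assumptions made for illustration) for loopback answers, clients with many „no such name“ (NXDOMAIN) errors, and DGA-looking registered domains, with the allowlist standing in for the false-positive sorting the slide mentions.

```python
"""Triage of passive DNS records for the three CnC patterns from the slide.

Added example (not from the presentation). Log format, thresholds and the
sample records below are constructed for illustration.
"""
import ipaddress
import math
from collections import Counter

# Constructed passive-DNS export: "<timestamp> <client> <qname> <rcode> <answer>".
# Addresses come from documentation ranges; domains use reserved names.
SAMPLE_LOG = """\
2015-05-27T10:00:01 10.1.1.5 www.example.com NOERROR 192.0.2.10
2015-05-27T10:00:02 10.1.1.5 mail.example.com NOERROR 192.0.2.11
2015-05-27T10:00:05 10.1.1.7 update.vendor-cdn.example NOERROR 198.51.100.20
2015-05-27T10:00:07 10.1.1.9 beacon-host.example NOERROR 127.0.0.1
2015-05-27T10:00:08 10.1.1.9 xk3qz8vph2wm7rtj.net NXDOMAIN -
2015-05-27T10:00:09 10.1.1.9 q9mzv2kx8plw4hrt.com NXDOMAIN -
2015-05-27T10:00:10 10.1.1.9 m7tkq2zx9vhp3wlr.org NXDOMAIN -
2015-05-27T10:00:11 10.1.1.9 zp4kx8q2mvt7hw9r.info NXDOMAIN -
2015-05-27T10:00:12 10.1.1.9 hw2kq7xm9zt4vpr8.biz NXDOMAIN -
2015-05-27T10:00:13 10.1.1.9 v8rtz3kq7mxp2hw9.net NOERROR 203.0.113.77
2015-05-27T10:00:15 10.1.1.9 beacon6-host.example NOERROR ::1
2015-05-27T10:00:20 10.1.1.12 k8z2qm7xv4ptw9hr.example NOERROR 198.51.100.99
"""

# Hypothetical allowlist of legitimately random-looking domains (e.g. a CDN),
# used to sort out false positives of the DGA heuristic.
KNOWN_GOOD = frozenset({"k8z2qm7xv4ptw9hr.example"})


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    """Label left of the TLD, e.g. 'example' for 'www.example.com'.
    (A real deployment would consult the public suffix list; this is a simplification.)"""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_like_dga(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy, vowel-poor registered label."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_line(line):
    ts, client, qname, rcode, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode, "answer": answer}


def is_loopback_answer(answer):
    """True for 127.0.0.0/8 and ::1; '-' or non-address answers are not loopback."""
    try:
        return ipaddress.ip_address(answer).is_loopback
    except ValueError:
        return False


def triage(lines, nx_threshold=5, allowlist=KNOWN_GOOD):
    """Return the three CnC indicators found in an iterable of log lines."""
    loopback, dga, nx_counts = [], [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_loopback_answer(rec["answer"]):
            loopback.append(rec)
        if rec["rcode"] == "NXDOMAIN":
            nx_counts[rec["client"]] += 1
        if rec["qname"] not in allowlist and looks_like_dga(rec["qname"]) and rec["qname"] not in dga:
            dga.append(rec["qname"])
    noisy_clients = {c: n for c, n in nx_counts.items() if n >= nx_threshold}
    return {"loopback": loopback, "nxdomain_clients": noisy_clients, "dga": dga}


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(key, hits)
```

Run on the constructed log, the script reports the two loopback answers, client 10.1.1.9 as the source of five NXDOMAIN responses, and six DGA-looking domains; the allowlisted domain trips the heuristic but is dropped, which is the kind of tuning the slide's "still need to sort out false positives" refers to. The NXDOMAIN threshold is per export window and would be set against the normal error rate of the environment.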

Slide 6

Best practices

Leveraging NetFlow
- Long term storage of metadata of communication flows
- Helps tracking lateral movement of attackers and building timelines
- Can also be used for event correlation
Baselining suspicious systems
- Record everything it does, using SPAN ports/TAPs
- Pinpoint assets that require file system forensics
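To show how flow metadata supports the two uses on this slide, here is an added example that is not part of the presentation: it walks a constructed set of NetFlow-style records outward from the host where the IoC was found to build a lateral-movement timeline, and compares a suspicious server's destinations against flows recorded for it during a quiet period (the baseline). The record format, the 10.0.0.0/8 internal range, the hosts and the flows are all assumptions made for illustration.

```python
"""Lateral-movement timeline and baseline comparison over NetFlow-style records.

Added example (not from the presentation). The record format, the internal
address range and the flows below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed incident-window flow export:
# "<start_ts> <src> <sport> <dst> <dport> <proto> <bytes>"
INCIDENT_FLOWS = """\
2015-05-27T09:00:00 10.1.1.9 51234 192.0.2.50 443 tcp 8200
2015-05-27T09:02:00 10.1.1.20 49100 10.1.1.40 445 tcp 3000
2015-05-27T09:05:10 10.1.1.9 51300 10.1.1.20 445 tcp 120000
2015-05-27T09:06:00 10.1.1.20 49152 10.1.1.30 3389 tcp 540000
2015-05-27T09:07:30 10.1.1.30 49200 198.51.100.7 443 tcp 90000
2015-05-27T09:08:00 10.1.2.5 50000 10.1.1.20 80 tcp 400
2015-05-27T09:09:00 10.1.1.30 49300 10.1.1.50 22 tcp 2000
"""

# Constructed flows recorded for 10.1.1.20 during a quiet period (its baseline).
BASELINE_FLOWS = """\
2015-05-20T08:00:00 10.1.1.20 49000 10.1.1.40 445 tcp 5000
2015-05-20T08:00:01 10.1.1.20 49001 10.1.1.2 53 udp 120
2015-05-20T08:10:00 10.1.1.20 49002 10.1.1.40 445 tcp 7000
"""


def parse_flows(text):
    """Parse the export into Flow records, ordered by start time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)  # ISO timestamps sort lexically


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def lateral_timeline(flows, seed):
    """Walk time-ordered flows outward from the known-compromised host `seed`.

    A host counts as reached once an already reached host connects to it; only
    flows that start after that moment are followed, so a server's earlier,
    unrelated traffic does not end up in the chain. Returns the ordered list of
    internal hops and the external contacts made by reached hosts.
    """
    reached = {seed: ""}  # host -> timestamp it was first reached ("" = from the start)
    hops, external = [], []
    for f in flows:
        if f.src not in reached or f.ts < reached[f.src]:
            continue  # source is not (yet) part of the chain
        if not is_internal(f.dst):
            external.append((f.ts, f.src, f.dst, f.dport))
        elif f.dst not in reached:
            reached[f.dst] = f.ts
            hops.append((f.ts, f.src, f.dst, f.dport))
    return hops, external


def baseline_deviations(incident, baseline, host):
    """(dst, dport) pairs `host` contacted in the incident window but never in its baseline."""
    known = {(f.dst, f.dport) for f in baseline if f.src == host}
    seen = {(f.dst, f.dport) for f in incident if f.src == host}
    return sorted(seen - known)


if __name__ == "__main__":
    flows = parse_flows(INCIDENT_FLOWS)
    hops, external = lateral_timeline(flows, "10.1.1.9")
    for hop in hops:
        print("lateral ", *hop)
    for contact in external:
        print("external", *contact)
    print("new for 10.1.1.20:", baseline_deviations(flows, parse_flows(BASELINE_FLOWS), "10.1.1.20"))
```

On the constructed data the timeline is 10.1.1.9 to 10.1.1.20 (445) to 10.1.1.30 (3389) to 10.1.1.50 (22), the two external contacts by chain hosts are listed for correlation with other events, and the only destination new for 10.1.1.20 is 10.1.1.30:3389. The hosts in the chain are the assets the slide says to pinpoint for file system forensics; the flow that reached 10.1.1.40 before 10.1.1.20 was touched, and the flow into 10.1.1.20 from an unrelated client, are correctly left out.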

Slide 7

Demo

Slide 8

Thank you! Questions?