Jasper Bongertz, 17 June 2015. In an incident response situation at least one Indicator of Compromise has already been found; the haystack is all of the IT infrastructure that has to be checked.
Slide 1

The Needle in the Haystack
Jasper Bongertz
17 June 2015

Slide 2
The Haystack
In an incident response situation at least one Indicator of Compromise (IoC) has already been found.
The haystack is all of the IT infrastructure that needs to be checked:
- Clients
- Servers
- Network
- ISP uplinks

27 May 2015
The Needle in the Haystack
2

Slide 3
Looking for the Needle
The challenge: telling which systems have really been compromised.
So how do we usually do that? By looking at:
- file systems
- log files
- firewall rule tables
- sensor hits (IDS/IPS/NSM/AV/sandboxes)
- documentation

Slide 4
Looking at the network
Network forensics can be an effective way to spot potential "needles".
No matter how well malware hides, it will use the network sooner or later; there is "no place to hide" if packets are sniffed at the right spot.
Challenges:
- Sniffing packets at the "right spot"
- Scanning through gazillions of packets, looking for IoCs

Slide 5
Best practices
Looking at Internet uplinks
- Usually there are only a couple of them
- Problem: undocumented/"rogue" uplinks
Inspecting DNS
- DNS data can be stored for a long time, e.g. using PassiveDNS
- Finding CnC patterns:
  - answers containing loopback addresses (127.0.0.0/8)
  - a high number of errors like "no such name" (NXDOMAIN)
  - Domain Generation Algorithms (DGAs)
- Still need to sort out false positives
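The three DNS CnC patterns above, turned into detection logic that runs over a query log. This is an added example, not code from the original slides: the five-column log format (timestamp, client, query name, response code, answer), the sample lines, the DGA length/entropy thresholds and the NXDOMAIN ratio are all constructed assumptions for this example; adapt the parsing to whatever your resolver or PassiveDNS sensor actually writes.

```python
"""Hunting the CnC patterns from the DNS slide over a query log.

Added example, not from the original slides. The five-column log format
(timestamp, client, query name, response code, answer) and the sample
lines are constructed for this example; adapt the parsing in hunt() to
whatever your resolver or PassiveDNS sensor actually writes.
"""
import math
from collections import Counter
from ipaddress import ip_address

# Constructed sample log: one query per line,
# <epoch> <client_ip> <qname> <rcode> <answer, or - if none>
SAMPLE_LOG = """\
1433000001 10.0.0.5 www.example.com NOERROR 93.184.216.34
1433000002 10.0.0.5 mail.example.com NOERROR 93.184.216.35
1433000003 10.0.0.9 hgq7z1kd3mxp8vq.info NXDOMAIN -
1433000004 10.0.0.9 k9sd2fqpwzx7lm4.info NXDOMAIN -
1433000005 10.0.0.9 zq8xl2vnm4pgr7y.info NXDOMAIN -
1433000006 10.0.0.9 dn3lqpzx9wmv7ktr.info NOERROR 127.0.0.1
1433000007 10.0.0.9 u7pqzxm2lv9nwkd.info NXDOMAIN -
1433000008 10.0.0.9 intranet.corp.local NOERROR 10.0.0.20
1433000009 10.0.0.12 updates.vendor.com NOERROR 203.0.113.10
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for 'aaaa', close to 3.9 for 15 distinct characters."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: the longest label below the TLD is both long and high-entropy.

    The thresholds are assumptions for this example. CDN and cloud hostnames
    trigger it as well, so hits are candidates to triage, not verdicts.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = max(labels[:-1], key=len)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def is_loopback_answer(answer: str) -> bool:
    """True for 127.0.0.0/8 and ::1. Non-address answers (CNAME targets, '-') are not loopback."""
    try:
        return ip_address(answer).is_loopback
    except ValueError:
        return False


def hunt(log_text: str, nx_ratio: float = 0.5, min_queries: int = 5) -> dict:
    """Return the three IoC classes found in the log, keyed by class."""
    loopback_answers = []
    dga_candidates = []
    total, nxdomain = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, qname, rcode, answer = line.split()
        total[client] += 1
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        if is_loopback_answer(answer):
            loopback_answers.append((client, qname, answer))
        if looks_like_dga(qname) and qname not in dga_candidates:
            dga_candidates.append(qname)
    # Clients whose share of "no such name" answers is high; clients with too few
    # queries to judge are skipped so a single typo does not become a hit.
    nxdomain_clients = {
        c: nxdomain[c] / total[c]
        for c in total
        if total[c] >= min_queries and nxdomain[c] / total[c] >= nx_ratio
    }
    return {
        "loopback_answers": loopback_answers,
        "nxdomain_clients": nxdomain_clients,
        "dga_candidates": dga_candidates,
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the one client that fires all three heuristics is 10.0.0.9, which is the point of correlating them: a loopback answer alone is a common sinkhole or parking artefact, and a single high-entropy hostname is usually a CDN, but one host producing NXDOMAIN bursts of high-entropy names and then a resolvable one answered with 127.0.0.1 is the DGA pattern. The false-positive sorting the slide mentions still has to happen by hand; the script only shortens the list.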

Slide 6
Best practices
Leveraging NetFlow
- Long-term storage of communication flow metadata
- Helps track lateral movement of attackers and build timelines
- Can also be used for event correlation
Baselining suspicious systems
- Record everything the system does, using SPAN ports/TAPs
- Pinpoint the assets that require file system forensics
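How flow metadata turns into a lateral-movement timeline and a list of hosts to pinpoint for file system forensics, as an added example that is not part of the original slides. The six-field flow record (start epoch, source, destination, destination port, protocol, bytes), the sample flows, the set of "admin" ports worth following and the 10.0.0.0/8 internal range are all assumptions made for this example; a real collector (nfdump, SiLK and the like) exports much richer records, but the walk only needs these fields.

```python
"""Walking NetFlow records outward from a known-bad host.

Added example, not from the original slides. The record layout, the sample
flows, ADMIN_PORTS and INTERNAL are assumptions for this example.
"""
from ipaddress import ip_address, ip_network

# Ports on which an interactive or admin session between internal hosts is
# worth following. Assumption for this example; extend to your environment.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flows: <start_epoch> <src_ip> <dst_ip> <dst_port> <proto> <bytes>
SAMPLE_FLOWS = """\
1432979000 10.0.0.20 10.0.0.40 445 tcp 1000
1432980000 10.0.0.9 203.0.113.50 443 tcp 5120
1432980060 10.0.0.9 10.0.0.20 445 tcp 80000
1432980120 10.0.0.20 10.0.0.30 3389 tcp 200000
1432980200 10.0.0.5 10.0.0.20 445 tcp 3000
1432980300 10.0.0.30 10.0.0.50 22 tcp 4000
1432980400 10.0.0.30 8.8.8.8 53 udp 120
"""


def parse_flows(text):
    """Yield (start, src, dst, dport, proto, nbytes) tuples; blank and comment lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        start, src, dst, dport, proto, nbytes = line.split()
        yield int(start), src, dst, int(dport), proto, int(nbytes)


def lateral_movement_timeline(flow_text, seed, first_seen,
                              admin_ports=ADMIN_PORTS, internal=INTERNAL):
    """Follow admin-port flows outward from `seed`, starting at `first_seen`.

    A destination becomes a suspect at the start time of the first flow that
    reached it from a suspect, and only its later flows are followed. That is
    what makes the result a timeline rather than a plain connection graph: the
    10.0.0.20 -> 10.0.0.40 flow from before the compromise is not followed.
    One pass over time-sorted records is enough because suspicion only
    propagates forward in time. Returns (timeline, suspect_since).
    """
    suspect_since = {seed: first_seen}
    timeline = []
    for start, src, dst, dport, _proto, _nbytes in sorted(parse_flows(flow_text)):
        if src not in suspect_since or start < suspect_since[src]:
            continue
        if dport not in admin_ports or ip_address(dst) not in internal:
            continue
        timeline.append((start, src, dst, dport))
        suspect_since.setdefault(dst, start)
    return timeline, suspect_since


def forensics_targets(flow_text, seed, first_seen):
    """Hosts to pinpoint for file system forensics: the seed plus everything reached from it."""
    _timeline, suspects = lateral_movement_timeline(flow_text, seed, first_seen)
    return sorted(suspects, key=ip_address)


if __name__ == "__main__":
    timeline, suspects = lateral_movement_timeline(SAMPLE_FLOWS, "10.0.0.9", 1432980000)
    for start, src, dst, dport in timeline:
        print(f"{start} {src} -> {dst}:{dport} (source suspect since {suspects[src]})")
    print("forensics targets:", forensics_targets(SAMPLE_FLOWS, "10.0.0.9", 1432980000))
```

The walk deliberately over-approximates: a file server such as 10.0.0.20 is reached by everyone, so following every later admin-port flow out of it can drag in hosts that were never touched. That is the right trade-off for deciding where to start disk forensics, but the candidate list has to be narrowed with the event correlation the slide mentions (authentication logs, the bytes and duration of each flow, the baseline of what that server normally talks to) before anyone images a machine.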

Slide 7
Demo

Slide 8
Thank you!
Questions?