
Hello everyone. My name is not the easiest one, I think, for Germans, but I think the Spanish and the Paraguayans that are in the room should be able to cope better with my name, the Portuguese as well. So João is basically John or Johan or Johannes, whatever you want, I'll go for it. We just had a short introduction. I'm going to be talking about the baseline capability, basically how to start something simple to run network-based detection. I have this obligatory "who am I": basically I'm Brazilian, that's why I have this strange name. I'm not a football player, unfortunately, I'm an IT guy, working for Deutsche Telekom since 2010, based in nen, actually between nen and Bonn, doing a lot of network security and network forensics, incident response, collaboration. I like talking to people; that's, I think, one of the great things here, besides this open exchange platform that we have, just to be able to meet the guys who are really working on related stuff, exchange and get ideas, discuss them, develop them together. That's a great thing. And I love sailing. That's just about myself.

Just to set the scene: 25 minutes. I think that's the biggest challenge of the day, because I think most of you like this kind of stuff and are also curious persons like I am, but that's the hard part, as a Brazilian especially, because Brazilians tend to talk too much. That's why I'll try to keep it to the point. So, setting the scene: this is network-based detection. Basically, I'm not the host-based guy, I'm the guy always looking at packets and bits and fields and this kind of stuff, and I'm talking about the baseline capability, that means how to start, how to cook your own brew if you want to do some network-based detection and network-based forensics. In the proposal I mentioned I would like to bring you some tools and some ideas, how to really provide you some kind of stepping stones to start doing this, because I think that's easy, it's not a lot of effort, and you're going to get a lot out of it for detecting incidents. That's the idea: basically to show you some tools, patterns and really some tricks to get you started. That was basically the idea for today.

Some introduction and concepts, because I think they are important when we discuss network-based detection. Why is this thing important? In my opinion, and to the best of my low knowledge, most of you will already have the assets that are necessary to run this kind of capability: you have switches, you have routers, you have some servers, proxies and whatever, that you can configure to generate the data you need. So in terms of investment this is not going to be a very big thing, and that's why I think it's important to set it up. If you're running a small or mid-size environment, it's also not very complicated to get this thing running, to talk to operations and convince them that you, as a security analyst, a security responder, whatever, need this information to be generated on that device and forwarded to some kind of server on your side. Comparing network-based detection and host-based detection, to put it very simply, the parallel I would say is firewalls and antivirus. Considering network-based detection, I think typically the effort to set up host-based detection capabilities is higher than for a network-based capability; they complement each other in a certain way.

And I think the point here is really, and maybe also a question to you: who on your side is already able to run host-based detection, who already has some kind of host-based forensic agent or host-based incident response capability? Like, there is a new indicator coming, some kind of registry key or some kind of service, driver, whatever, file hash. That's maybe a question to you, it would be interesting to see how many of you already have this kind of capability in your environment: are you able to run on all your machines a search for whether these machines have a certain registry key or certain network device or certain driver or certain configuration in a Windows file? Is this something that you all have, or is this something where we're thinking about it but we don't have it yet? No one raises their hand? Oh, at least one. Okay, two. Great. I think that simply reflects my point: it is not there, and for network-based detection these things are already there. That's why I think that's a low-hanging fruit, and that was also the idea behind this presentation.

In the end, I don't like this kind of picture, because it can be easily misinterpreted, but anyway: how do those things fit together? Some kind of a very generic process here for doing network-based detection. It's unavoidable, you have to start by doing some threat modeling. You have to understand what kind of valuable data you have, what kind of attackers are going to be after that data, how the business works and what are the things that really must be protected, so that you can really understand and start doing your preparation, like understanding what kind of patterns I can use to detect a breach, to detect attacker activities, and what is the technically relevant data that I need to collect to support this kind of detection. Then you go for the collection: basically the things where you said, okay, these networks, these kinds of protocols are very important in my environment, so I need to start gathering this data. I need to transform it somehow and consolidate it; basically I need to filter out the stuff which is not important. And again, Yo's presentation: layer two frames from a Wi-Fi, I think most likely no one will be looking into those things. That's a covert channel of wonder, for one. Similarly to this one, DNS tunneling: I'm going to talk a little bit about DNS tunneling later on, how to detect this, at least how to detect anomalies over the DNS protocol. That's why again you have to consider: what is my technically relevant data that I need to collect so that I can detect these kinds of attacks? And in the end I also need to do some archiving of these things, consolidating them, storing them, and destroying the things that you're not allowed to store. And then, when you have these things running, you start doing your detection, running these patterns against the data that you have, you do some visualization and evaluation on this data to detect problems, or to detect maybe weak spots. That's one important thing here: really to understand, okay, I'm not collecting the layer two frames, because according to my threat modeling they are not important for my environment, but when someone comes and slaps me on the face, "hey, it's important for you", then that's the point: document them, put them back there and start over. Basically, I think Mike did this analogy of sharpening your knives; that's about it, just go and sharpen your knife, re-evaluate your threat model and start over. About these kinds of slides we can talk for hours, we can discuss, we can improve, we can expand them, but today I think we can do it later on at the offsite. That's basically something very generic just to understand how those things fit together. I hope so far it's so good. Any questions or comments so far? Okay, great.

About data collection: two very important points about data collection that are unavoidable in my opinion. If you don't have the proper data, you won't have visibility, and again this layer two example: if you're not collecting, you won't see, you won't be able to detect. There is also another slap on the face, this report from the Swiss defense company, which is actually a fantastic document to learn about attacks, to learn about resourceful actors (I don't like using "APTs" for that, but resourceful actors), what the investigation was and what the learnings were. I'm not sure if you're familiar with this RUAG company, RUAG. One of the quotations that are reported in this document, there's a point where they say we don't know exactly the actual entry point into our networks, and the quotation they have is "nevertheless, the key aspects of the case could not be clarified due to the unavailability of log data prior to this period". So basically they had log data until September 2014, but they could not look into the past, so at some point they really said, okay, we cannot understand, we cannot have the full picture of the attack because we don't have the data. And that's something to consider: sometimes management says we don't have this big server for the log storage that you want, you won't be able to store six months of log data, and you say, okay, that's your call, not my call, I'm advising you to store it, but if you don't want to, look at what happened to those guys. So, something to help you as a defender: it's interesting to take a look at this document.

Second point, data collection: sometimes message content is not available. We talked a lot about HTTPS and encryption, which is a great thing, and in these cases it's unavoidable, and I think no one should be doing, normally that's the case, no one should be breaking TLS on proxies, whatever. And that's the point: if the content is not available, you go for the metadata. For instance, you can fairly well reconstruct a web session by looking into what kind of requests, the sizes, and what kind of DNS resolution took place up until that point. So that is something that could be complemented. Considering network forensics and network-based detection, what kind of artifacts do we have typically? I have pcaps. I just wanted to make sure, because this network layer is sometimes kind of a black box for people who are doing web development or related stuff but are not really into this. Basically there are three types of artifacts that are commonly used: packet captures, this is pcap, everywhere you see pcap in this presentation; NetFlow, which is somehow very network-bound, so basically people who never did anything with networks most likely wouldn't know what that is, that's basically metadata about packets and sessions that ran over a network, there is no message content here, again it's just like IP address, how many packets, how many bytes went to each endpoint and so on; and log events, basically events that could be security relevant about some kind of network or some kind of system. So those are basically the three types of artifacts that you need to work with. And I've started focusing on this: as we're talking about the baseline, I'll start talking about packet capture, because in my opinion that's more valuable, that's how you should start.

Okay, one first overview about the data collection, and I tried to put some ideas about how to do data collection, what kind of tools are there. When I say data collection, it can be either traffic-related data or metadata about network traffic, and some tools, some examples basically. For traffic, what's the artifact? We already discussed it a little bit, so pcap. Data source: basically network interface cards. Collection tools, what kind of software you need for that: basically tcpdump, which is basically the baseline to get these things done. NetFlow: NetFlow exporters, basically the devices that can generate NetFlow records; this can be firewalls, this can be switches, routers and so on, likely also to be an appliance or hardware device configuration. There are some firewalls like pfSense that can generate these kinds of records as well. They're very useful for clarification, for instance of data exfiltration and so on, this is something very useful. There's a Linux tool that is also able to generate this kind of information from a network interface or from a pcap; it's very interesting to start playing with it if you never did. And about logs, I think this is the common place, I think I don't need to explain what a web server log is, the typical case.

Talking again about the baseline, if you never did it, what you have to do for tcpdump, for instance: considering that you have some kind of interface card, you want to do a full packet capture, you don't want to do any DNS resolution while doing the capture, you just, with this kind of switch here, kind of a ready-made recipe, you're generating for 3,600, basically for one hour, that's in seconds here, and you're capturing 24 of those captures. You generate 25 files of one hour each and you're naming them with a proper name, with the date and so on. So basically just something ready-made for you to start using if you're not doing this. If you have some pcaps lying around, okay, someone is doing traffic capture for you, you're an incident responder, you're getting there, there are already pcaps and you need to filter out data, you could also use tcpdump to filter out data, just to focus on certain hosts or certain networks that are relevant for the investigation. And I'm trying to speed up as much as I can. Data conversion: I think the punch line is really tshark. tshark is kind of a command-line version of Wireshark, and this is very interesting because tshark has the same protocols implemented as Wireshark, so basically this nifty tool will give you all the protocol fields from layer two, layer three, up to the application layer protocol. So it's the way to go to start doing these things. Just an example here, using tshark pointed to some kind of already existing pcap, I'm not capturing live data from the network, and I'm focusing on what kind of DNS traffic is going on here, filtering out some kind of layer three multicast stuff. A similar example: how to inspect HTTP GETs that happened in the past. And tshark can also output data in JSON format, which is great for Elasticsearch.

Some basic detection patterns, and I'm really running out of time here now: threat hunting. I think we can skip this because I think this would be pretty straightforward to explain, but anyway, what I call DNS 1-2-3. If you're doing DNS-based hunting, there is some pretty cool stuff that you could use to detect, for instance, DNS tunneling. If you want to inspect all the FQDNs, the fully qualified domain names, the host names that appeared on your network or in a traffic capture that you already have, then you could run something like this, which is basically telling tshark to show me what kind of query names, like maps.google.com, were triggered by endpoints and so on. And I could also look at the entropy of those labels, like everything which is between the dots, to see: when I'm doing tunneling I unavoidably need to have a high entropy on those labels, so that I can encode data in as many bits as possible, so basically increase the bandwidth of my tunnel. So that's kind of a ready-made recipe for doing that. Again, the rate of TXT records, or the rate of unusual record types, could also be a hint for DNS tunneling. Basically the point is: why should an endpoint be querying for a name server, because it already has a name server in the network? So that's basically some things that do not happen, or tunneling typically implies a lot of CNAME or some TXT records; that's how you detect those things, and do some kind of aggregation, a very simple one actually on a console, but this thing recreated on the Elasticsearch and Kibana stack, if you have the data extracted from tshark using JSON, pumping it out to your analysis environment and running the analysis there. The last one was non-existent domains, which is basically how to detect domain generation algorithm malware. Domain generation algorithm malware will generate a lot of, let's say, non-existing domain errors, and this way you could aggregate this information, see what kind of endpoints have spikes in these, let's say, bad queries; this way you would be able to spot some DGA-infected hosts on your networks. That's my point here. I already knew that this would happen, I put the emergency stop. I have still nine slides, but I think that's it, we can do it at the offsite. That's basically the idea. Questions?

Thank you so much, that was really good. [Applause] So, questions? I'm assuming if you don't have any questions you all know how to detect that stuff on your network.

Have you used Argus, the Argus server, for it?

I don't know this.

It's the equivalent of NetFlow, like NetFlow, but you don't need NetFlow, it's using the same library.

Okay, in case you don't have it. I mean, this is about tool set; when we all discuss tools, everyone will have their favorite tools, that's the point.

Okay, because I found, I don't know if you've seen it, I saw some problem with packets that were using frame padding, and they were sending that padding, and that padding was not [inaudible].

Yeah, interesting. I mean, yeah, definitely, sure, hey, thanks for the hint. Cool. Any other questions?

You talked a little bit about DNS; what about using, like, passive DNS?

I think passive DNS is very important, especially for threat intelligence, to understand what happened in the past. If you're seeing some kind of DNS resolution on the network and you see, okay, this is new, but this IP address and this domain name, this FQDN combination that you've seen, what happened in the past? I think that's something very strategic. I think Farsight, they're a good supplier of historical data. Everyone doing passive DNS in their environments has this great capability of being able to look into the past: if I see a combination, if I see a new IP address or FQDN, I can go, I can look into this database and see how this IP address was used in the past.

And in this RUAG report that you mentioned at the beginning, I know they recommended it as well. Actually, by the way, this report, there are great recommendations, I would definitely recommend it as well, it's very, very good, it shows you how sophisticated everything is, in detail.

Yeah, yeah, actually that's a great document, and we all would be able to progress much faster if there were several of those things coming up, reports about incidents, things that we learn during those times, and it serves the community, definitely.

So RUAG was breached and then the Swiss CERT wrote up a, I don't know, 30-page report going into the details of how the breach took place. Well, they don't know the details of the exfiltration, but the fact that data was exfiltrated and everything they knew, including the indicators that could be used by other organizations, were included in the report.

Thank you so much. Thank you very much, thank you everyone.
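The "DNS 1-2-3" hunting recipe described in the talk (label entropy per query name, rate of unusual record types, and NXDOMAIN spikes per endpoint), worked as an added example that is not the speaker's code. It assumes tshark field output reduced to constructed tab-separated rows of client address, query name, query type name and rcode; the 3.5-bit entropy and 16-character label thresholds are assumed starting points, not values from the talk.

```python
import math
from collections import Counter, defaultdict

# Constructed sample rows modelled on the output of
#   tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
#          -e ip.dst -e dns.qry.name -e dns.qry.type -e dns.flags.rcode
# with the numeric query type replaced by its name for readability.
# Columns: client, query name, query type, rcode (3 = NXDOMAIN).
SAMPLE = """\
10.0.0.5\tmaps.google.com\tA\t0
10.0.0.5\twww.example.com\tA\t0
10.0.0.7\t3q9zk2v8fj1a0pxw7m4bc6ty.t.example.net\tTXT\t0
10.0.0.7\tzz81mp0v4kq7n2xl9ry3abcw.t.example.net\tTXT\t0
10.0.0.7\th5n3q8r2wv9ltx0kdj6mp4ya.t.example.net\tTXT\t0
10.0.0.9\tqwpxktrzpl.com\tA\t3
10.0.0.9\txvbnfhsdkw.net\tA\t3
10.0.0.9\tmmnbvcxzla.org\tA\t3
10.0.0.9\twww.example.com\tA\t0
"""

COMMON_TYPES = {"A", "AAAA"}  # everything else counts as "unusual" here


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label (text between dots)."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(lines):
    """Yield (client, qname, qtype, rcode); blank or malformed rows are skipped."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not parts[1]:
            continue
        client, qname, qtype, rcode = parts
        yield client, qname.lower().rstrip("."), qtype.upper(), int(rcode)


def hunt(lines, entropy_min=3.5, label_min_len=16):
    """Run the three hunts and return per-client findings for each one."""
    high_entropy = defaultdict(list)
    type_counts = defaultdict(Counter)
    nxdomain = Counter()
    for client, qname, qtype, rcode in parse(lines):
        type_counts[client][qtype] += 1
        if rcode == 3:
            nxdomain[client] += 1  # DGA malware piles up NXDOMAIN answers
        # A tunnel must pack many bits into each label, so flag long,
        # high-entropy labels; short labels are ignored to cut CDN noise.
        labels = qname.split(".")
        if any(len(l) >= label_min_len and shannon_entropy(l) >= entropy_min
               for l in labels):
            high_entropy[client].append(qname)
    rare_type_ratio = {
        client: round(sum(v for t, v in c.items() if t not in COMMON_TYPES)
                      / sum(c.values()), 2)
        for client, c in type_counts.items()
    }
    return {"high_entropy": dict(high_entropy),
            "rare_type_ratio": rare_type_ratio,
            "nxdomain": dict(nxdomain)}


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE.splitlines()).items():
        print(name, finding)
```

The three signals are complementary: the short DGA-style names on 10.0.0.9 fall below the label-length filter and are caught only by the NXDOMAIN count, while the tunnel labels on 10.0.0.7 trip both the entropy and the record-type hunt.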