Post on 02-Jun-2019
Threat Hunting with Network Flow
Austin Whisnant
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
April 19, 2017
© 2017 Carnegie Mellon University
This material has been approved for public release and unlimited distribution.

Slide 2
Copyright 2017 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

Slide 3
me@linux:~$ echo "Where's my cursor?"

Slide 5
Pros
Small
Automatable
Privacy
Cons
No validation
Summary
Yet another tool

Slide 7
Adversary
Victim
Capabilities
Infrastructure

Slide 8
IP Address -> Network Flow -> IP Address -> Network Flow -> Timestamp -> Pcap

Slide 9
APT IP Addresses -> Network Flow -> /24 -> Network Flow

Slide 10
Internal IP Logs -> New Malicious IPs -> IDS
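The pivoting workflow in the three diagrams above (IP address to flow to counterpart IP and timestamp, known APT IPs widened to their /24, and the resulting new malicious IPs handed to the IDS), as an added Python example that is not part of the original slides. The flow records, indicator list and internal address range are constructed, and the record layout is an assumption for this example rather than any flow tool's format.

```python
from ipaddress import ip_address, ip_network

# Constructed flow records: (start_time, src_ip, dst_ip, dst_port, bytes).
# The layout is an assumption for this example, not any flow tool's format.
FLOWS = [
    ("2017-04-19T08:00:05", "10.1.2.15", "203.0.113.40", 443, 5120),
    ("2017-04-19T08:03:11", "10.1.2.15", "203.0.113.77", 443, 880),
    ("2017-04-19T09:10:00", "10.1.2.99", "198.51.100.9", 80, 16000),
    ("2017-04-19T09:12:42", "10.1.2.99", "203.0.113.40", 443, 620),
    ("2017-04-19T11:45:00", "10.1.2.15", "192.0.2.200", 53, 300),
    ("2017-04-19T12:00:30", "10.1.2.3", "203.0.113.12", 8443, 2400),
]
APT_IPS = {"203.0.113.40"}            # constructed "APT IP Addresses" list
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space

def pivot_on_ips(flows, seed_ips):
    """IP Address -> Network Flow -> IP Address (+ timestamps for a pcap pull).
    Returns {counterpart_ip: [start_times]} for every flow touching a seed IP."""
    hits = {}
    for ts, src, dst, _port, _nbytes in flows:
        if src in seed_ips:
            hits.setdefault(dst, []).append(ts)
        elif dst in seed_ips:
            hits.setdefault(src, []).append(ts)
    return hits

def expand_to_slash24(ips):
    """APT IP Addresses -> /24: widen each indicator to its containing /24."""
    return {ip_network(f"{ip}/24", strict=False) for ip in ips}

def new_malicious_candidates(flows, networks, known_bad):
    """/24 -> Network Flow -> New Malicious IPs: external hosts inside the
    widened networks that internal hosts talked to, minus known indicators."""
    found = set()
    for _ts, src, dst, _port, _nbytes in flows:
        for a, b in ((src, dst), (dst, src)):
            if ip_address(a) not in INTERNAL:
                continue                      # only pivot from internal hosts
            if b not in known_bad and any(ip_address(b) in n for n in networks):
                found.add(b)
    return found

if __name__ == "__main__":
    victims = pivot_on_ips(FLOWS, APT_IPS)      # internal hosts + timestamps
    new_bad = new_malicious_candidates(FLOWS, expand_to_slash24(APT_IPS), APT_IPS)
    print("victims (timestamps for pcap):", victims)
    print("new IPs for the IDS:", sorted(new_bad))
```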

Slide 11
Pros
Small (Quick)

Slide 12
Pros
Critical thinking

Slide 13
Pros
Small (Quick)
Automatable
Privacy
Critical thinking
Cons
No validation
Summary
Yet another tool

Slide 14
Profile
DNS: xxxxxx
NAT: xxxxxxxxxx
VPN: xxx
Web: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…

Slide 15
me@linux:~$ echo "Just Linux command line skills"