Page 1: Hunting Attackers with Network Audit Trails

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

Tom Cross, [email protected]


Page 2: Hunting Attackers with Network Audit Trails

WHAT IS DIGITAL FORENSICS?

WHAT IS INCIDENT RESPONSE?


Page 3: Hunting Attackers with Network Audit Trails

WHAT IS FORENSICS?


Page 4: Hunting Attackers with Network Audit Trails

Visibility throughout the Kill Chain

• Recon
• Exploitation (Social Engineering?)
• Initial Infection
• Internal Pivot
• Data Preparation & Exfiltration
• Command and Control

© 2013 Lancope, Inc. All rights reserved.

Page 5: Hunting Attackers with Network Audit Trails

Intrusion Audit Trails

• 1:06:15 PM: Internal host visits malicious web site
• 1:06:30 PM: Malware infection complete, accesses Internet command and control
• 1:06:35 PM: Malware begins scanning internal network
• 1:13:59 PM: Multiple internal infected hosts
• 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
• 1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?


Page 6: Hunting Attackers with Network Audit Trails

Audit Trail Sources

• Firewall logs
– Are you logging everything or just denies?
• Internal & Host IPS systems
– HIPS potentially has a lot of breadth
– Can be expensive to deploy
– Signature based
• Log Management Solutions/SIEM
– Are you collecting everything?
– You can only see what gets logged
• NetFlow
– Lots of breadth, less depth
– Lower disk space requirements
• Full Packet Capture
– Deep but not broad
– Expensive
– High disk space requirements

Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy

Page 7: Hunting Attackers with Network Audit Trails

Tradeoffs

[Diagram: where audit trail sources sit in the network: DMZ, VPN, Internal Network, Internet, 3G Internet]

Page 8: Hunting Attackers with Network Audit Trails

Tradeoffs

[Chart: richness of the audit trail plotted against disk space required, with NetFlow at the low end of both axes and Full Packet Capture at the high end]

Page 9: Hunting Attackers with Network Audit Trails

NETWORK AUDIT LOG DETECTION


Page 10: Hunting Attackers with Network Audit Trails

© 2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)

Realtime Netflow Monitoring

Page 11: Hunting Attackers with Network Audit Trails

Loss of Protected Data

What Can Behavioral NetFlow Analysis Do?

Page 12: Hunting Attackers with Network Audit Trails

Reveal Recon

What Can Behavioral NetFlow Analysis Do?

Page 13: Hunting Attackers with Network Audit Trails

What can you detect with the audit log?

Reveal BotNet Hosts

Layer 3, Layer 4 and URL

Page 14: Hunting Attackers with Network Audit Trails

FORENSIC INVESTIGATIONS USING THE NETWORK AUDIT TRAIL


Page 15: Hunting Attackers with Network Audit Trails

APT1


Page 16: Hunting Attackers with Network Audit Trails

Best Practice – Running Reports in StealthWatch

• Always run Flow Traffic or Top reports before the Flow Table for flow queries beyond 1 day, to summarize the results and get the most efficient processing

The Flow Traffic and Top reports are a summary of the flow data and much quicker to process.

It’s like going fishing in the ocean: you know there are fish in there, but if you use a fishing radar you know where to drop your line and pull the fish (data) back from.

Page 17: Hunting Attackers with Network Audit Trails


Following IOC

A waterhole campaign targeting your industry has been publicly disclosed.

A quick search of your network audit trail reveals an internal host that accessed the disclosed site.

Page 18: Hunting Attackers with Network Audit Trails


Following IOC

Check host details around that time

Suspicious HTTP connections right after contact: a good candidate for a drive-by download.

Suspicious download followed by a reverse SSH shell. Most SSH bytes are sent by the “client”, the opposite of a normal SSH session.

Page 19: Hunting Attackers with Network Audit Trails


Following IOC

Attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for ports 445 and 135.

Page 20: Hunting Attackers with Network Audit Trails


Following IOC

Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else.

Another host showing a reverse shell
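The four “Following IOC” slides above describe one hunt: find the hosts that touched the disclosed site, look at their flows around that time, recognise the reverse SSH shell by the byte asymmetry, find hosts sweeping 445 and 135, then pivot on the controller address as a new IOC. The Python below is an added example and is not code from the presentation or from StealthWatch; it runs those queries over a small set of constructed NetFlow-style records. The field names (`src`, `dst`, `dport`, `client_bytes`, `server_bytes`), the 10.0.0.0/8 internal range and every address and byte count are assumptions made for the example.

```python
"""Added example: the 'Following IOC' hunt as queries over NetFlow-style records.
Field names, the 10.0.0.0/8 internal range and every record below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored address space


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed flow records (not real data). client_bytes = bytes sent by the
# connection initiator (src), server_bytes = bytes sent back by dst.
FLOWS = [
    # internal host visits the publicly disclosed waterhole site (the starting IOC)
    dict(start="2013-05-01 13:06:15", src="10.1.1.20", dst="203.0.113.10", dport=80,
         client_bytes=1_200, server_bytes=48_000),
    # suspicious HTTP right after contact: a large download from another outside host
    dict(start="2013-05-01 13:06:22", src="10.1.1.20", dst="198.51.100.7", dport=80,
         client_bytes=900, server_bytes=512_000),
    # reverse SSH shell: the internal 'client' sends most of the bytes
    dict(start="2013-05-01 13:06:30", src="10.1.1.20", dst="198.51.100.9", dport=22,
         client_bytes=2_400_000, server_bytes=60_000),
    # the compromised host sweeps the internal network on 445 and 135
    *[dict(start="2013-05-01 13:06:35", src="10.1.1.20", dst=f"10.1.2.{i}", dport=445,
           client_bytes=120, server_bytes=0) for i in range(1, 41)],
    *[dict(start="2013-05-01 13:06:36", src="10.1.1.20", dst=f"10.1.2.{i}", dport=135,
           client_bytes=120, server_bytes=0) for i in range(1, 41)],
    # a second internal host with the same reverse shell to the same controller
    dict(start="2013-05-01 13:13:59", src="10.1.3.44", dst="198.51.100.9", dport=22,
         client_bytes=800_000, server_bytes=20_000),
    # benign: an admin's outbound SSH session, where the server sends most bytes
    dict(start="2013-05-01 13:10:00", src="10.1.1.50", dst="192.0.2.5", dport=22,
         client_bytes=30_000, server_bytes=900_000),
    # benign: one host reading a file share over 445
    dict(start="2013-05-01 13:11:00", src="10.1.1.51", dst="10.1.2.3", dport=445,
         client_bytes=10_000, server_bytes=250_000),
]


def hosts_contacting(flows, ioc_ip):
    """Slide 17: which internal hosts reached the disclosed site, and when."""
    return sorted({(f["src"], f["start"]) for f in flows if f["dst"] == ioc_ip})


def flows_around(flows, host, when, minutes=10):
    """Slide 18: every flow involving `host` within +/- `minutes` of the contact."""
    t0 = ts(when)
    lo, hi = t0 - timedelta(minutes=minutes), t0 + timedelta(minutes=minutes)
    return [f for f in flows if host in (f["src"], f["dst"]) and lo <= ts(f["start"]) <= hi]


def reverse_shell_candidates(flows, ratio=5.0):
    """Outbound SSH where the initiator sent at least `ratio` times what it received.
    An interactive or file-pull session is the other way round; a shell driven from
    outside mostly pushes command output out."""
    return [f for f in flows
            if f["dport"] == 22 and not is_internal(f["dst"])
            and f["client_bytes"] >= ratio * max(f["server_bytes"], 1)]


def scanners(flows, ports=(445, 135), min_targets=20):
    """Slide 19: hosts that touched many distinct internal hosts on SMB/RPC ports."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in ports and is_internal(f["dst"]):
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def pivot_on_c2(flows, c2_ip, known=()):
    """Slide 20: the controller address is a new IOC; find every other host that used it."""
    return sorted({f["src"] for f in flows if f["dst"] == c2_ip and f["src"] not in known})


def hunt(flows, ioc_ip):
    """Run the four steps in order and return what each one found."""
    contacts = hosts_contacting(flows, ioc_ip)
    shells, c2s = [], set()
    for host, when in contacts:
        for f in reverse_shell_candidates(flows_around(flows, host, when)):
            shells.append((f["src"], f["dst"]))
            c2s.add(f["dst"])
    known = {h for h, _ in contacts}
    return {
        "contacted_ioc": contacts,
        "reverse_shells": shells,
        "scanners": scanners(flows),
        "new_iocs": sorted(c2s),
        "pivot_hits": {c2: pivot_on_c2(flows, c2, known) for c2 in sorted(c2s)},
    }


if __name__ == "__main__":
    for step, found in hunt(FLOWS, "203.0.113.10").items():
        print(f"{step}: {found}")
```

The byte-ratio test is the detection logic behind the slide’s “most SSH bytes sent by client” observation; the `ratio` and `min_targets` thresholds are starting points to tune against your own traffic, not fixed values from the presentation.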

Page 21: Hunting Attackers with Network Audit Trails


SQL Injection

Large data transfer from your web server to an outside host was detected

Page 22: Hunting Attackers with Network Audit Trails


SQL Injection

Where did the data go?

Page 23: Hunting Attackers with Network Audit Trails


SQL Injection

Look for suspicious activity targeting the web server and your DMZ

Page 24: Hunting Attackers with Network Audit Trails

• IT cannot address insider threat by itself
– People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

Combating Insider Threat is a multidisciplinary challenge

[Diagram: overlapping circles for IT, HR and Legal]

Page 25: Hunting Attackers with Network Audit Trails


Following the User

Sometimes investigations start with user intelligence

Page 26: Hunting Attackers with Network Audit Trails


Following the User

Page 27: Hunting Attackers with Network Audit Trails


Beron’s abnormal disclosure

One of your users has uploaded a large amount of data to the internet.

Data Theft

Page 28: Hunting Attackers with Network Audit Trails


What did Beron send? Who received it?

Data Theft

Page 29: Hunting Attackers with Network Audit Trails

Where could Beron have gotten the data?

Data Theft

Page 30: Hunting Attackers with Network Audit Trails


Data Theft

Page 31: Hunting Attackers with Network Audit Trails


Why did Beron do it?

Data Theft
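The SQL Injection slides (a large transfer from the web server to an outside host) and the Data Theft slides (a user uploading a large amount of data) ask the same three questions of the network audit trail: whose outbound volume is abnormal, where did the bytes go, and which internal systems fed that host beforehand. The Python below is an added example, not code from the presentation or from StealthWatch; the flow records, the per-host seven-day baselines, the host roles (Beron’s workstation, the DMZ web server, a database server) and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
"""Added example: finding abnormal outbound transfers in NetFlow-style records and
answering 'where did it go?' and 'where could it have come from?'.
Field names, baselines, the internal range and all records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored address space


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Constructed: bytes each host sent to the internet on each of the previous 7 days.
BASELINE = {
    "10.1.5.77": [40_000_000, 55_000_000, 38_000_000, 60_000_000,       # Beron's workstation
                  45_000_000, 50_000_000, 42_000_000],
    "10.1.8.3": [5_000_000_000, 5_200_000_000, 4_900_000_000, 5_100_000_000,   # DMZ web server
                 5_000_000_000, 5_300_000_000, 4_800_000_000],
    "10.1.1.50": [300_000_000, 320_000_000, 280_000_000, 310_000_000,  # admin host
                  290_000_000, 305_000_000, 295_000_000],
}

# Constructed flows for today (start is HH:MM). client_bytes = sent by src, server_bytes = sent by dst.
FLOWS = [
    # Beron browses normally, pulls a large result set from the database server, then uploads it outside
    dict(start="09:00", src="10.1.5.77", dst="192.0.2.80", dport=443,
         client_bytes=50_000_000, server_bytes=400_000_000),
    dict(start="13:02", src="10.1.5.77", dst="10.1.9.5", dport=1433,
         client_bytes=40_000, server_bytes=2_100_000_000),
    dict(start="13:40", src="10.1.5.77", dst="198.51.100.30", dport=443,
         client_bytes=2_250_000_000, server_bytes=3_000_000),
    # DMZ web server reads heavily from its database backend, then sends a large volume to one outside host
    dict(start="02:00", src="10.1.8.3", dst="10.1.9.5", dport=1433,
         client_bytes=5_000_000, server_bytes=9_100_000_000),
    dict(start="02:15", src="10.1.8.3", dst="203.0.113.77", dport=443,
         client_bytes=9_000_000_000, server_bytes=2_000_000),
    # normal web traffic: outside clients initiate, the server answers (aggregated into one record)
    dict(start="10:00", src="192.0.2.200", dst="10.1.8.3", dport=443,
         client_bytes=80_000_000, server_bytes=5_000_000_000),
    # admin host, in line with its baseline
    dict(start="11:00", src="10.1.1.50", dst="192.0.2.5", dport=22,
         client_bytes=305_000_000, server_bytes=900_000_000),
]


def bytes_sent_to_internet(flows):
    """Bytes each internal host sent to outside peers. A host sends client_bytes when it
    initiated the flow and server_bytes when an outside client initiated it, so both
    directions count; internal-to-internal flows do not."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out[f["src"]] += f["client_bytes"]
        elif is_internal(f["dst"]) and not is_internal(f["src"]):
            out[f["dst"]] += f["server_bytes"]
    return dict(out)


def abnormal_uploaders(today, baseline, k=3.0):
    """Hosts whose outbound volume exceeds mean + k * stddev of their own history.
    Hosts with no history are skipped here; in practice a new host gets its own review."""
    hits = {}
    for host, total in today.items():
        hist = baseline.get(host)
        if not hist:
            continue
        threshold = mean(hist) + k * pstdev(hist)
        if total > threshold:
            hits[host] = (total, int(threshold))
    return hits


def where_did_it_go(flows, host):
    """Outside peers that received bytes from `host`, largest first."""
    dest = defaultdict(int)
    for f in flows:
        if f["src"] == host and not is_internal(f["dst"]):
            dest[f["dst"]] += f["client_bytes"]
        elif f["dst"] == host and not is_internal(f["src"]):
            dest[f["src"]] += f["server_bytes"]
    return sorted(dest.items(), key=lambda kv: -kv[1])


def internal_sources(flows, host, before=None):
    """Internal hosts that delivered bytes to `host` (optionally only before HH:MM `before`),
    largest first: the systems the uploaded data could have been taken from."""
    src = defaultdict(int)
    for f in flows:
        if before is not None and f["start"] >= before:
            continue
        if f["src"] == host and is_internal(f["dst"]):
            src[f["dst"]] += f["server_bytes"]
        elif f["dst"] == host and is_internal(f["src"]):
            src[f["src"]] += f["client_bytes"]
    return sorted(src.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    today = bytes_sent_to_internet(FLOWS)
    for host, (total, threshold) in abnormal_uploaders(today, BASELINE).items():
        print(f"{host}: {total} bytes out today (threshold {threshold})")
        print("  went to:", where_did_it_go(FLOWS, host))
        print("  fed by:", internal_sources(FLOWS, host))
```

Counting bytes by who sent them rather than by who initiated the flow matters for the web server case: almost all of its legitimate outbound volume is server-side bytes in flows that outside clients initiated, while the injected data left in a flow the server itself opened. Comparing each host against its own history, rather than one global threshold, is what lets a workstation sending 2 GB and a web server sending 14 GB both stand out.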

Page 32: Hunting Attackers with Network Audit Trails

The Five W’s

• Who did this?

– Usernames, IP Addresses

• What did they do?

– What behavior did they engage in?

• Where did they go?

– What hosts on my network were accessed?

• When?

– Have we investigated the full intrusion timeline?

• Why? What is their objective?


Page 33: Hunting Attackers with Network Audit Trails

Tom Cross, Director of Research, [email protected]

www.lancope.com

@Lancope (company)
@netflowninjas (company blog)

https://www.facebook.com/Lancope

http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

https://plus.google.com/u/0/103996520487697388791/posts

http://feeds.feedburner.com/NetflowNinjas
