Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundational analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
1. Monitoring & Analysis
N00b to Ninja in 60 Minutes*
@grecs
NovaInfosec.com
* Most listeners do not become Ninjas in under 60 minutes.
2. Disclaimer
Opinions expressed are solely my own and do not express the views or opinions of my employers.
NovaInfosec.com, @grecs, Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
6. NovaInfosec Consulting
• 20 Years Industry/Infosec Experience
• Security Engineering/Architecture
• SOC 2.0/Transformation
• Security Training
datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
7. Agenda
• Introduction
• Environment
• Methodology
• Where to Learn More
• Conclusion
9. Introduction
Security Analysts Looking to Recognize Gaps & Learn How to Fill Them
General Security Practitioners Interested in Getting Started in Monitoring & Analysis
It’s Kinda Fun … Like Solving a Mystery
10. Introduction
What Is Network Monitoring & Analysis
• The Monitoring & Analysis of Networks ;)
• The Collection, Analysis, & Escalation of Indications & Warnings to Detect & Respond to Intrusions
• Phases
– Select
– Triage
– Analyze
11. Introduction
What Is Selection?
• Definition
– Choosing the Alert to Investigate
• Goals
– Choose the Highest-Quality, Most Relevant Alerts from the Sensors
• Order
– Varies for Every Organization
– High to Low Priority
12. Introduction
What Is Triage?
• Definition
– Quickly Separate Alerts Needing Further Analysis from Irrelevant Alerts
• Goals
– Identify Alerts Needing Further Investigation
• Activities
– Examine Alert Details to Discover Why It Fired
– Look through Prior Write-Ups/Reports
– Investigate Open Source/Internal Resources
13. Introduction
What Is Analysis?
• Definition
– Analyze Supporting Resources to Determine Actions
• Goals
– Determine Actions Attackers May Have Taken Throughout the Network
• Activities
– Identify Key Indicators & Use Them to Search through Supporting Resources
– Analyze Netflow for Indicators
– Search FPC for Indicators
15. Environment
Sensors
• Box Analyzing Traffic
• Placed at Strategic Points in Network (e.g., ingress/egress points)
• Usually IDS (passive) or IPS (active)
• Signature or Anomaly Based
16. Environment
Supporting Resources
• Data You Can Correlate Off Of
• Two Types: Internal & External
• Find ALL Log Sources & Bring Together
• Track Everything Going Into & Out of Network
• Pivot Off Alerts Back into Logs to Discover New Indicators
• Or Several Tools You Need to Pivot Into to Discover More
17. Environment
Supporting Resources
• Internal
– Network
• Netflow
• FPC
– Device Logs
• Firewalls
• Routers
• Switches
– Application Logs
• Mail/Web/File Servers
• AD/DNS
• Proxies
– Other Detective/Preventative Sources
• Could Be a Useful Reference
• Low-Priority Alerts That Are Usually Ignored
• IPS, Proxies, Email Blocking, etc.
• External
– Google
– Whois/DNS Info
– Reputation Databases
– Web Archives
– Passive Scanning
– Metasites
18. Environment
SIEM/Logger
• Centralize All Security Data to Ease Analysis
• Sources Include
– Sensors
– Supporting Resources
– External Resources
• Configure to Show Alerts or Correlated Alerts
• Examples
– Pure SIEMs: ArcSight, AlienVault, etc.
– Adaptations: Splunk, ELK Stack
19. Environment
Monitoring Architecture
[Diagram: External side, Firewall/Router, Proxy, NIDS and FPC sensors; DMZ, Server LAN and User LAN segments with Web, Email, File Svr and AD/DNS servers and user hosts; SOC with SIEM/Logger and Analyst; Support sources: Google, Whois/DNS, Rep DBs, Web Arch, Passive Scans, Metasites; labels: Sensors, Support, Analysis]
20. Environment
Integrated Environment
• Security Onion
– Old Beige Box on eBay
– Deployment Options
– Netgear ProSAFE (GS108T and GS105T)
• pfSense
– Old Desktop
– Firewall Distro but Customizable
– IDS, Proxy, VPN, etc.
24. Methodology
1. Select
• Choose Alert to Investigate
• Varies by Organization
• One Method
• Tips
– Don’t Cherry-Pick (i.e., for counts)
– Alert Sensor Admins of Recurring FPs
[Diagram: one selection order, highest priority first: Custom Signatures → Counts Grouped per Signature → Default Med Priority → Default Low Priority]
25. Methodology
2. Triage
• Examine Details of Selected Alert to Find Out Why It Fired
• SIEM vs. No SIEM
• General Methodology
• Tips
– Avoid Touching Attacker Infrastructure
[Flowchart: Review Details in SIEM → Compare with Prior Knowledge → Read Rule Descr & Review Refs → Analyze Rule & PCAP to Verify if TP → Need More Details? (if so, Invest. Src./Dst. IPs/Ports) → Determine FP or Low Impact, or Continue to Analysis]
26. Methodology
3. Analyze
• Analyze Supporting Resources to Determine Impact
• Based on what you know so far – indicators
– Search through Relevant Supporting Resources
– Learn More About Those Indicators
– Pivot Off Results with New Indicators Discovered
[Diagram, Indicator Analysis Cycle: Stimulus → Derive Indicator & Search KB → Determine Indicator Resource → Query Resource → Doc Results in KB → Indicator Elsewhere? → Additional Stimulus? → End]
30. Where to Learn More
Fundamentals - Linux
• Contains Many Analysis Tools by Default
• Basics
– Commands: ls, mkdir, cd, pwd, rm, mv, find, cat, file, …
– Help: man
• Intermediate
– Commands: more/less, grep, wc, head/tail, strings
– Operators: |, >, >>, …
• Advanced
– Commands: sort, uniq, cut, xargs, …
– Regular Expressions
– Scripting: awk, sed, bash, Python
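As an added example (not from the slides), here is the pivot described in the Analyze step done with nothing but the commands listed above: start from an alerted destination IP, find which internal hosts talked to it, pull the hostnames seen with it as new indicators, then pivot on those back into the log. The proxy log lines, IPs and hostnames are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the slides: pivot off an alerted IP into proxy logs
# using only awk, sort and uniq. Log lines below are constructed; fields are
#   timestamp src_ip dst_ip dst_port method host status
set -eu

PROXY_LOG=$(cat <<'EOF'
2016-04-09T10:01:02 10.0.1.21 203.0.113.50 443 CONNECT update.example.net 200
2016-04-09T10:01:05 10.0.1.22 198.51.100.7 80 GET cdn.example.org 200
2016-04-09T10:02:11 10.0.1.21 203.0.113.50 443 CONNECT update.example.net 200
2016-04-09T10:03:40 10.0.1.35 203.0.113.50 8080 GET static.example.net 503
2016-04-09T10:04:02 10.0.1.22 203.0.113.50 443 CONNECT update.example.net 200
2016-04-09T10:05:13 10.0.1.40 192.0.2.9 80 GET news.example.com 200
2016-04-09T10:06:00 10.0.1.50 203.0.113.51 443 CONNECT update.example.net 200
EOF
)

# Internal hosts that contacted the alerted IP, busiest first. An exact field
# match ($3 == ip) is used rather than grep so "203.0.113.5" cannot also hit .50/.51.
hosts_talking_to() {
  printf '%s\n' "$PROXY_LOG" | awk -v ip="$1" '$3 == ip {print $2}' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Destination ports used toward the alerted IP; an odd one (8080 here) stands out.
ports_for_ip() {
  printf '%s\n' "$PROXY_LOG" | awk -v ip="$1" '$3 == ip {print $4}' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Hostnames seen with the alerted IP: the new indicators to pivot on.
hosts_for_ip() {
  printf '%s\n' "$PROXY_LOG" | awk -v ip="$1" '$3 == ip {print $6}' | sort -u
}

# Pivot back: every IP a hostname was contacted on, which can surface more
# infrastructure (203.0.113.51 below) that the original alert never mentioned.
ips_for_host() {
  printf '%s\n' "$PROXY_LOG" | awk -v h="$1" '$6 == h {print $3}' | sort -u
}

ALERT_IP=203.0.113.50
echo "== internal hosts contacting $ALERT_IP =="; hosts_talking_to "$ALERT_IP"
echo "== ports toward $ALERT_IP ==";              ports_for_ip "$ALERT_IP"
echo "== hostnames seen with $ALERT_IP ==";       hosts_for_ip "$ALERT_IP"
for h in $(hosts_for_ip "$ALERT_IP"); do
  echo "== IPs for $h (pivot) =="; ips_for_host "$h"
done
```

Each pass through the cycle feeds the new indicators (hostnames, then the extra IP) back into the same queries, which is the "pivot off results with new indicators discovered" loop from the Analyze slide.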
31. Where to Learn More
Fundamentals – Networking Basics
• Understand Basic Networking Concepts
• Overall OSI Model, TCP/IP Stack
• Common Ports & Protocols
32. Where to Learn More
Fundamentals - PCAP Analysis
• Understand How to Analyze Collected Traffic
• Wireshark
• Tshark
• Tcpdump
• Snort
33. Where to Learn More
Fundamentals - Flow Analysis
• Statistical Data on Who Talked to Who
• Usually Limited to 5-Tuples
– Source/Destination IP & Port
– Protocol
• Tools (SiLK, Argus, etc.)
34. Where to Learn More
Fundamentals - Log Analysis
• Network Device/Service Logs
– Proxy
– Firewall/Router/Switch
– DNS, SMTP, HTTP
• Host Logs
– Windows (System, Application, Security, etc.)
– End-Point Protection (IDS/IPS, Firewall, AV, etc.)
Just a Basic Understanding, So You Can Use Them During Analysis
36. Where to Learn More
• OpenSecurityTraining.info
– Flow Analysis & Network Hunting
– Introduction to Network Forensics
– Pcap Analysis & Network Hunting
• Training/Certifications
– GCIA, GCIH
– 8570 CND-A/IR Certs if Gov (CEH, GCIA, GCIH)
– Vendor Certs for Common Tools (e.g., ArcSight,
SourceFire, etc.)
– Security Onion Course
37. Where to Learn More
• Defensive Challenges
– Malware-Traffic-Analysis.net Exercises
• Challenge followed by answers
• http://www.malware-traffic-analysis.net/training-exercises.html
– Shell-Storm.org CTF Repo
• CTF Repository from major conferences
• http://shell-storm.org/repo/CTF/
– Many, Many Others…
38. Where to Learn More
• Top 5 Tips for Those Starting Out
– Setup SO at Home & Start Investigating
– Don’t Cherry-Pick; Don’t Measure by Counts
– Alert Sensor Admins of Recurring FPs
– Never Touch Adversary Infrastructure
• Even for Safe External Sites (e.g., to Deobfuscate Base64); a Quick Bash or Perl Script Is Safer
– Know Your Network and Sensor/Support Placement Inside and Out – It’ll Help You Know Where to Go in Your Analysis
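The base64 tip above, as an added example that is not from the slides: a short bash script that decodes a base64 blob found in a log or URL locally, so the value never has to be pasted into an external web site. It also handles the URL-safe alphabet and stripped padding that web decoders silently accept, and keeps only printable characters so decoded bytes cannot write escape sequences to the analyst's terminal. The sample URL is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the slides: decode base64 seen in logs/URLs locally
# instead of on an external site. Sample URL below is constructed.
set -eu

# Decode standard or URL-safe base64, restore missing '=' padding, and keep only
# printable characters so decoded bytes cannot emit terminal escape sequences.
b64_decode_local() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+' | tr -d '=')    # URL-safe -> standard
  pad=$(( (4 - ${#s} % 4) % 4 ))                       # 0..3 '=' to add back
  s="$s$(printf '%*s' "$pad" '' | tr ' ' '=')"
  printf '%s' "$s" | base64 -d 2>/dev/null | tr -cd '[:print:]\n\t'
}

# For each query parameter of a URL, decode values that look like base64
# (base64 alphabet only, at least 16 chars). Prints: name<TAB>decoded value.
decode_query_params() {
  local query param name value
  query=${1#*\?}
  [ "$query" != "$1" ] || return 0                     # no query string
  printf '%s\n' "$query" | tr '&' '\n' | while IFS= read -r param; do
    name=${param%%=*}; value=${param#*=}
    if printf '%s' "$value" | grep -Eq '^[A-Za-z0-9+/_-]{16,}=*$'; then
      printf '%s\t%s\n' "$name" "$(b64_decode_local "$value")"
    fi
  done
}

# Constructed URL: "id" is plain, "d" carries base64 with its padding stripped.
URL='http://www.example.com/track?id=42&d=SGVsbG8sIFdvcmxkIQ'
decode_query_params "$URL"
```

The 16-character threshold is a heuristic; a long hostname or token made only of base64 characters will also be decoded, which is harmless locally but worth remembering when reading the output.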