Monitoring & Analysis
N00b to Ninja in 60 Minutes*
@grecs
NovaInfosec.com
Presented at ISSW on April 9, 2016
* Most listeners do not become Ninjas in under 60 minutes.
Disclaimer
Opinions expressed are solely my own and do not express the views or opinions of my employers.
NovaInfosec.com, @grecs, Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
20 Yrs Industry
16 Yrs Infosec
5 Yrs SOC
NovaInfosec Consulting
• 20 Years Industry/Infosec Experience
• Security Engineering/Architecture
• SOC 2.0/Transformation
• Security Training
datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
Agenda
• Introduction
• Environment
• Methodology
• Where to Learn More
• Conclusion
INTRODUCTION
Why
Definitions
Introduction
• Security Analysts Looking to Recognize Gaps & Learn How to Fill Them
• General Security Practitioners Interested in Getting Started in Monitoring & Analysis
• It’s Kinda Fun … Like Solving a Mystery
Introduction
What Is Network Monitoring & Analysis
• The Monitoring & Analysis of Networks ;)
• The Collection, Analysis, & Escalation of Indications & Warnings to Detect & Respond to Intrusions
• Phases
– Select
– Triage
– Analyze
Introduction
What Is Selection?
• Definition
– Choosing the Alert to Investigate
• Goals
– Choose the Highest-Quality and Most Relevant Alerts from the Sensors
• Order
– Varies for Every Organization
– High to Low Priority
Introduction
What Is Triage?
• Definition
– Quickly Separate Alerts Needing Further Analysis from Irrelevant Alerts
• Goals
– Identify Alerts Needing Further Investigation
• Activities
– Examine Alert Details to Discover Why It Fired
– Look through Prior Write-Ups/Reports
– Investigate Open Source/Internal Resources
Introduction
What Is Analysis?
• Definition
– Analyze Supporting Resources to Determine Actions
• Goals
– Determine Actions Attackers May Have Taken Throughout the Network
• Activities
– Identify Key Indicators & Use Them to Search through Supporting Resources
– Analyze Netflow for Indicators
– Search FPC for Indicators
ENVIRONMENT
Sensors
Supporting Resources
SIEM/Logger
Monitoring Architecture
Integrated Environment
Environment
Sensors
• Box Analyzing Traffic
• Placed at Strategic Points in the Network (e.g., ingress/egress points)
• Usually IDS (passive) or IPS (active)
• Signature or Anomaly Based
Environment
Supporting Resources
• Data You Can Correlate Off Of
• Two Types: Internal & External
• Find ALL Log Sources & Bring Them Together
• Track Everything Going Into & Out of the Network
• Pivot Off Alerts Back into Logs to Discover New Indicators
• Or Several Separate Tools You Need to Pivot Into to Discover More
Environment
Supporting Resources
• Internal
– Network
• Netflow
• FPC
– Device Logs
• Firewalls
• Routers
• Switches
– Application Logs
• Mail/Web/File Servers
• AD/DNS
• Proxies
– Other Detective/Preventative Sources
• Can Be a Useful Reference
• Low-Priority Alerts That Are Usually Ignored
• IPS, Proxies, Email Blocking, etc.
• External
– Google
– Whois/DNS Info
– Reputation Databases
– Web Archives
– Passive Scanning
– Metasites
Environment
SIEM/Logger
• Centralize All Security Data to Ease Analysis
• Sources Include
– Sensors
– Supporting Resources
– External Resources
• Configure to Show Alerts or Correlated Alerts
• Examples
– Pure SIEMs: ArcSight, AlienVault, etc.
– Adaptations: Splunk, ELK Stack
Environment
Monitoring Architecture
[Monitoring architecture diagram. Zones: External, DMZ, Server LAN, User LAN, SOC. Devices: Firewall/Router, Proxy, Web, Email, File Svr, AD/DNS, Users. Sensors: NIDS, FPC. Support: Google, Whois/DNS, Rep DBs, Web Arch, Passive Scans, Metasites. Analysis: Logger, SIEM, Analyst.]
Environment
Integrated Environment
• Security Onion
– Old Beige Box on eBay
– Deployment Options
– Netgear ProSAFE (GS108T and GS105T)
• pfSense
– Old Desktop
– Firewall Distro but Customizable
– IDS, Proxy, VPN, etc.
Environment
Integrated Environment
• Security Onion (architecture)
– Base OS: Ubuntu
– Netflow: Argus, Bro
– IDSs: Snort, Suricata, Bro
– FPC: Daemonlogger
– App/Proto Logs: Bro
– Analysis: Sguil, Squert, Snorby
– SIEM/Logger: ELSA
– Misc.: Wireshark, NetworkMiner
– HIDSs: OSSEC
Environment
Integrated Environment
• Security Onion (deployment options)
[Deployment diagram: two variants, each with a Firewall/Router between External and Internal; one with a single SO box, the other split into Sensor, Server and Console roles.]
METHODOLOGY
1. Select
2. Triage
3. Analyze
Methodology
1. Select
• Choose Alert to Investigate
• Varies by Organization
• One Method:
1. Highest Priority
2. Custom Signatures
3. Counts Grouped by Signature
4. Default Medium Priority
5. Default Low Priority
• Tips
– Don’t Cherry-Pick (i.e., for Counts)
– Alert Sensor Admins of Recurring FPs
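As an added example (not from the slides), here is one way to turn that ordering into a work queue so that tier and age, rather than the analyst's preference, decide which alert is pulled next. The alerts and dispositions are constructed data whose sids and messages are modelled on public Emerging Threats/GPL rules; reading "Counts Grouped/Sig" as "a signature that has fired more than once is worked as a group ahead of single default-priority hits" is this example's interpretation, as is the 80% false-positive share used to flag a signature for the sensor admins.

```python
"""Alert selection queue in the order the slide gives: highest priority,
custom signatures, repeated signatures grouped by count, default medium,
default low. Inside a tier the oldest alert comes first, so the queue, not
the analyst, decides what is worked next.

Added example; ALERTS and the disposition lists are constructed data.
"""
from collections import Counter

TIERS = ["highest priority", "custom signature", "grouped by count",
         "default medium", "default low"]

# Constructed alerts as a SIEM might export them (hypothetical sids/messages).
ALERTS = [
    {"id": 1, "ts": 100, "sid": 9000001, "priority": 1, "custom": True,
     "msg": "LOCAL Beacon to known C2"},
    {"id": 2, "ts": 101, "sid": 9000002, "priority": 2, "custom": True,
     "msg": "LOCAL Unexpected user agent"},
    {"id": 3, "ts": 102, "sid": 2100498, "priority": 2, "custom": False,
     "msg": "GPL ATTACK_RESPONSE id check returned root"},
    {"id": 4, "ts": 103, "sid": 2100498, "priority": 2, "custom": False,
     "msg": "GPL ATTACK_RESPONSE id check returned root"},
    {"id": 5, "ts": 104, "sid": 2101201, "priority": 3, "custom": False,
     "msg": "GPL WEB_SERVER 403 Forbidden"},
    {"id": 6, "ts": 105, "sid": 2100498, "priority": 2, "custom": False,
     "msg": "GPL ATTACK_RESPONSE id check returned root"},
    {"id": 7, "ts": 99, "sid": 2013028, "priority": 3, "custom": False,
     "msg": "ET POLICY curl User-Agent Outbound"},
]


def tier(alert, sig_counts):
    """Tier index for one alert (0 is worked first)."""
    if alert["priority"] == 1:
        return 0
    if alert["custom"]:
        return 1
    if sig_counts[alert["sid"]] > 1:      # same signature fired repeatedly
        return 2
    if alert["priority"] == 2:
        return 3
    return 4


def select_queue(alerts):
    """Return [(tier name, alert), ...] in the order alerts should be pulled.

    Sort key: tier, then larger signature groups first, then oldest first.
    """
    counts = Counter(a["sid"] for a in alerts)
    ordered = sorted(alerts, key=lambda a: (tier(a, counts), -counts[a["sid"]], a["ts"]))
    return [(TIERS[tier(a, counts)], a) for a in ordered]


def recurring_fps(dispositions, min_seen=3, fp_ratio=0.8):
    """Signatures to report to the sensor admins for tuning.

    dispositions: iterable of (sid, "TP" | "FP") from closed alerts. A sid
    is returned once it has at least min_seen dispositions and the share
    of false positives reaches fp_ratio; analysts should not simply skip it.
    """
    seen, fps = Counter(), Counter()
    for sid, verdict in dispositions:
        seen[sid] += 1
        if verdict == "FP":
            fps[sid] += 1
    return sorted(sid for sid in seen
                  if seen[sid] >= min_seen and fps[sid] / seen[sid] >= fp_ratio)


if __name__ == "__main__":
    for name, alert in select_queue(ALERTS):
        print(f"{name:17} #{alert['id']} sid={alert['sid']} {alert['msg']}")
    print("tune:", recurring_fps([(2101201, "FP")] * 4 + [(2101201, "TP")]))
```

Note that the repeated GPL signature is worked before the lone policy alerts even though each hit has the same default priority; that is the "grouped by count" tier doing its job, and the FP report is what stops the same group from coming back tomorrow.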
Methodology
2. Triage
• Examine Details of Selected Alert to Find Out Why It Fired
• SIEM vs. No SIEM
• General Methodology:
1. Review Details in SIEM
2. Compare with Prior Knowledge
3. Read Rule Description & Review References
4. Analyze Rule & PCAP to Verify if TP
5. Need More Details? Investigate Src/Dst IPs/Ports
6. Determine FP or Low Impact, or Continue to Analysis
• Tips
– Avoid Touching Attacker Infrastructure
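The "read the rule, then verify it against the PCAP" steps above, as an added example that is not from the slides or from Security Onion. The rule is written in Snort syntax and modelled on a public GPL rule; the two captured payloads (a web shell answering `id`, and a Linux tutorial page quoting the same output) are constructed; and the TP/FP heuristic is this example's own. Nothing here contacts the reference URL or the remote host, in keeping with the tip not to touch attacker infrastructure.

```python
"""Triage helper: read the rule that fired, verify its content against the
captured payload, and record src/dst so the alert can be dispositioned.

Added example. RULE, SHELL_RESPONSE and TUTORIAL_PAGE are constructed.
"""

RULE = ('alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
        'content:"uid=0|28|root|29|"; classtype:bad-unknown; '
        'reference:url,doc.emergingthreats.net/2100498; sid:2100498; rev:7;)')

# Constructed payloads: a web shell answering `id`, and a Linux tutorial page.
SHELL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  b"uid=0(root) gid=0(root) groups=0(root)\n")
TUTORIAL_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><p>Running <code>id</code> as root prints uid=0(root) gid=0(root).</p></html>")


def split_options(body):
    """Split the rule option block on ';' while respecting quoted strings."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def decode_content(value):
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return out


def parse_rule(text):
    """Extract the fields an analyst reads first: msg, content, refs, class, sid."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "references": []}
    for opt in split_options(body.rstrip(")")):
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "content":
            rule["contents"].append(decode_content(value))
        elif name == "reference":
            rule["references"].append(value)
        elif name in ("msg", "classtype", "sid", "rev", "priority"):
            rule[name] = value
    return rule


def triage(rule, payload, src_ip, dst_ip):
    """Verify the rule's content really is in the capture and record context.

    Verdict heuristic (this example's own): no match means the alert cannot
    be reproduced from the capture; a match inside an HTML body is flagged
    as a probable false positive (documentation quoting command output);
    a match in any other response is escalated to analysis.
    """
    headers, _, body = payload.partition(b"\r\n\r\n")
    hits = [body.find(c) for c in rule["contents"]]
    record = {"sid": rule["sid"], "msg": rule["msg"], "src": src_ip, "dst": dst_ip,
              "matched": bool(hits) and all(h >= 0 for h in hits), "offsets": hits}
    if not record["matched"]:
        record["verdict"] = "FP: content not present in capture"
    elif b"text/html" in headers.lower():
        record["verdict"] = "probable FP: match inside HTML page, review manually"
    else:
        record["verdict"] = "TP candidate: escalate to analysis"
    start = max(0, min(hits or [0]) - 16)
    record["context"] = body[start:start + 64]     # snippet for the write-up
    return record
```

The point of `decode_content` is that the bytes a rule actually matches (`uid=0(root)`) are not always what its text literally shows; comparing the decoded content against the captured bytes is the check that turns "the sensor said so" into "I saw it".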
Methodology
3. Analyze
• Analyze Supporting Resources to Determine Impact
• Based on What You Know So Far (Indicators)
– Search through Relevant Supporting Resources
– Learn More About Those Indicators
– Pivot Off Results with New Indicators Discovered
• Indicator Analysis Cycle:
1. Stimulus (Initial Indicator)
2. Derive Indicator & Search KB
3. Determine Indicator Resource
4. Query Resource
5. Document Results in KB
6. Indicator Elsewhere? Repeat from Step 2 with the New Indicators
7. Additional Stimulus? Repeat; Otherwise End
Methodology
3. Analyze
…
Methodology
3. Analyze
• Timeline Analysis
• Intelligence Frameworks
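The Indicator Analysis Cycle and the Timeline Analysis step above, and the "pivot off alerts back into logs" point from the Environment section, as one added example that is not from the slides. The netflow, proxy and DNS records are constructed; the three `query_*` functions stand in for whatever tools hold those resources; and the `scope` callback is this example's way of stopping a noisy shared address from pulling the whole network into the case. Nothing is queried over the network.

```python
"""Indicator analysis cycle over local supporting resources.

Starting from one stimulus indicator (the alert's source IP), every
indicator is looked up in each resource that can answer for it, results
go into a knowledge base, and any new indicator found is queued. The loop
ends when nothing is left to pivot on; the KB is then flattened into a
timeline.

Added example; NETFLOW, PROXY and DNS are constructed data.
"""
from collections import deque

NETFLOW = [  # (ts, src, dst, dport, bytes)
    (1000, "10.0.0.5", "203.0.113.10", 443, 5120),
    (1060, "10.0.0.5", "203.0.113.10", 443, 5104),
    (1120, "10.0.0.5", "203.0.113.10", 443, 5111),
    (1300, "10.0.0.5", "198.51.100.20", 8443, 90210),
    (1400, "10.0.0.9", "203.0.113.10", 443, 5109),
    (1500, "10.0.0.7", "192.0.2.30", 80, 800),
]
PROXY = [  # (ts, client, host, url, status)
    (990, "10.0.0.5", "update-check.example", "/v1/ping", 200),
    (1290, "10.0.0.5", "cdn-static.example", "/pkg/agent.bin", 200),
]
DNS = [  # (ts, client, qname, answer)
    (985, "10.0.0.5", "update-check.example", "203.0.113.10"),
    (1285, "10.0.0.5", "cdn-static.example", "198.51.100.20"),
    (1395, "10.0.0.9", "update-check.example", "203.0.113.10"),
]


def query_netflow(indicator):
    """Flows where the indicator is either endpoint; the other endpoint is new."""
    return [{"ts": f[0], "src": "netflow", "fact": f"{f[1]} -> {f[2]}:{f[3]} {f[4]}B",
             "new": {f[1], f[2]} - {indicator}}
            for f in NETFLOW if indicator in (f[1], f[2])]


def query_proxy(indicator):
    """Proxy lines matching a client IP or a host name."""
    return [{"ts": p[0], "src": "proxy", "fact": f"{p[1]} GET {p[2]}{p[3]} {p[4]}",
             "new": {p[1], p[2]} - {indicator}}
            for p in PROXY if indicator in (p[1], p[2])]


def query_dns(indicator):
    """DNS lines matching a client, a query name or an answer address."""
    return [{"ts": d[0], "src": "dns", "fact": f"{d[1]} {d[2]} A {d[3]}",
             "new": {d[1], d[2], d[3]} - {indicator}}
            for d in DNS if indicator in (d[1], d[2], d[3])]


RESOURCES = [query_netflow, query_proxy, query_dns]


def analyze(stimulus, scope=lambda _: True):
    """Run the cycle: derive -> query -> document -> pivot until exhausted.

    scope(indicator) returns False for indicators that are recorded but
    not expanded further. Returns the KB: indicator -> list of results.
    """
    kb = {}
    queue, seen = deque([stimulus]), {stimulus}
    while queue:
        ind = queue.popleft()
        results = [r for q in RESOURCES for r in q(ind)]
        kb[ind] = results                      # document results in KB
        for r in results:
            for new in r["new"]:               # indicator elsewhere?
                if new not in seen and scope(new):
                    seen.add(new)
                    queue.append(new)
    return kb


def timeline(kb):
    """Flatten the KB into a de-duplicated, time-ordered list of events."""
    events = {(r["ts"], r["src"], r["fact"]) for results in kb.values() for results_r in [results] for r in results_r}
    return sorted(events)


if __name__ == "__main__":
    for ts, src, fact in timeline(analyze("203.0.113.10")):
        print(ts, src.ljust(7), fact)
```

Run against the sample data, the pivot from the single alert address reaches a second internal host (`10.0.0.9`), a second external address (`198.51.100.20`) and the two host names that resolved to them, while the unrelated `10.0.0.7` traffic is never touched: the cycle widens the case only along evidence.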
WHERE TO LEARN MORE
Fundamentals
OpenSecurityTraining.info
Training/Certifications
Defensive Challenges
Top 5 Steps for Those Starting Out
Where to Learn More
Fundamentals - Linux
• Contains Many Analysis Tools by Default
• Basics
– Commands: ls, mkdir, cd, pwd, rm, mv, find, cat, file, …
– Help: man
• Intermediate
– Commands: more/less, grep, wc, head/tail, strings
– Operators: |, >, >>, …
• Advanced
– Commands: sort, uniq, cut, xargs, …
– Regular Expressions
– Scripting: awk, sed, bash, Python
Where to Learn More
Fundamentals – Networking Basics
• Understand Basic Networking Concepts
• Overall OSI Model, TCP/IP Stack
• Common Ports & Protocols
Where to Learn More
Fundamentals - PCAP Analysis
• Understand How to Analyze Collected Traffic
• Wireshark
• Tshark
• Tcpdump
• Snort
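What Wireshark, tshark and tcpdump are doing before any display filter applies, as an added example that is not from the slides or from those tools: a minimal libpcap reader that walks the file's global header and packet records, decodes Ethernet/IPv4/TCP, and then answers two questions an analyst asks of a capture (the conversations in it, and the HTTP Host headers requested). The capture is built in-memory from constructed frames; only Ethernet link type and IPv4/TCP are decoded, and checksums are left at zero, which a real capture would not do.

```python
"""Minimal pcap reader and two capture summaries.

Added example. SAMPLE_PCAP is constructed here; the pcap and header
layouts are the standard libpcap / IPv4 / TCP formats.
"""
import struct


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Constructed Ethernet + IPv4 + TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """frames: list of (sec, usec, frame). Little-endian pcap, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    if ip[9] != 6:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": bytes_to_ip(ip[12:16]), "dst": bytes_to_ip(ip[16:20]),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_off:]}


def parse_pcap(data):
    """Walk the global header and packet records, decoding each frame."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) handled")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = decode_frame(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            pkt["ts"] = sec + usec / 1e6
            packets.append(pkt)
    return packets


def conversations(packets):
    """(packets, payload bytes) per bidirectional conversation, like Wireshark's Conversations view."""
    stats = {}
    for p in packets:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        n, size = stats.get(key, (0, 0))
        stats[key] = (n + 1, size + len(p["payload"]))
    return stats


def http_hosts(packets):
    """Host headers of HTTP requests, like tshark -Y http.request -T fields -e http.host."""
    hosts = []
    for p in packets:
        line, _, rest = p["payload"].partition(b"\r\n")
        if line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
            for hdr in rest.split(b"\r\n"):
                if hdr.lower().startswith(b"host:"):
                    hosts.append(hdr.split(b":", 1)[1].strip().decode())
    return hosts


# Constructed capture: an HTTP exchange, a TLS-looking client hello, and an ARP frame.
SAMPLE_PCAP = build_pcap([
    (1460000000, 0, build_frame("10.0.0.5", "203.0.113.10", 49152, 80,
                                b"GET /update HTTP/1.1\r\nHost: update-check.example\r\n\r\n")),
    (1460000000, 120000, build_frame("203.0.113.10", "10.0.0.5", 80, 49152,
                                     b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")),
    (1460000001, 0, build_frame("10.0.0.5", "198.51.100.20", 49153, 443,
                                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")),
    (1460000001, 500, bytes.fromhex("001122334455" "66778899aabb" "0806") + b"\x00" * 28),
])
```

The same structure is what a `tcpdump -r file.pcap 'tcp port 80'` or a Wireshark dissector reads; seeing the offsets (Ethernet 14 bytes, IPv4 header length from the IHL nibble, TCP data offset from the high nibble of byte 12) explains why a truncated snaplen or a VLAN tag can make a tool "miss" traffic that is plainly there.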
Where to Learn More
Fundamentals - Flow Analysis
• Statistical Data on Who Talked to Whom
• Usually Limited to 5-Tuples
– Source/Destination IP & Port
– Protocol
• Tools (SiLK, Argus, etc.)
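Three questions flow data can answer without payload, as an added example that is not from the slides or from SiLK/Argus: who moves the most bytes, who touches unusually many destinations, and who talks to one destination on a suspiciously regular schedule. `FLOWS` is a constructed CSV export with start time, source IP, destination IP, destination port, protocol and bytes; the thresholds and the coefficient-of-variation beacon test are this example's choices, not a standard.

```python
"""Flow (5-tuple) statistics: who talked to whom, how much, and how regularly.

Added example; FLOWS is constructed data.
"""
from collections import defaultdict
from statistics import mean, pstdev

FLOWS = """\
stime,sip,dip,dport,proto,bytes
1000,10.0.0.5,203.0.113.10,443,6,5120
1061,10.0.0.5,203.0.113.10,443,6,5104
1119,10.0.0.5,203.0.113.10,443,6,5111
1180,10.0.0.5,203.0.113.10,443,6,5098
1240,10.0.0.5,203.0.113.10,443,6,5130
1301,10.0.0.5,203.0.113.10,443,6,5107
1005,10.0.0.7,192.0.2.30,80,6,800
1350,10.0.0.7,192.0.2.31,80,6,12000
1700,10.0.0.7,192.0.2.30,443,6,90000
1010,10.0.0.9,10.0.0.20,22,6,64
1011,10.0.0.9,10.0.0.21,22,6,64
1012,10.0.0.9,10.0.0.22,22,6,64
1013,10.0.0.9,10.0.0.23,22,6,64
1020,10.0.0.5,10.0.0.53,53,17,120
"""


def parse_flows(text):
    """Parse the CSV export into a list of dicts with numeric fields as ints."""
    lines = text.strip().splitlines()
    fields = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(fields, line.split(",")))
        for k in ("stime", "dport", "proto", "bytes"):
            rec[k] = int(rec[k])
        rows.append(rec)
    return rows


def top_talkers(flows, n=3):
    """Bytes sent per source IP, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["sip"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def fan_out(flows, min_dests=4):
    """Sources touching many distinct (dip, dport) pairs: scanning or lateral movement."""
    dests = defaultdict(set)
    for f in flows:
        dests[f["sip"]].add((f["dip"], f["dport"]))
    return {sip: len(d) for sip, d in dests.items() if len(d) >= min_dests}


def beacons(flows, min_flows=5, max_cv=0.1):
    """Regular-interval flows to one destination: candidate beaconing.

    Groups by (sip, dip, dport), sorts start times, and flags a group whose
    inter-flow gaps have a coefficient of variation (stdev/mean) <= max_cv.
    Returns {(sip, dip, dport): mean gap in seconds}.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["sip"], f["dip"], f["dport"])].append(f["stime"])
    found = {}
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            found[key] = round(mean(gaps), 1)
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("top talkers:", top_talkers(flows))
    print("fan-out:", fan_out(flows))
    print("beacons:", beacons(flows))
```

On this data the beaconing host is not a top talker at all (about 30 KB against 100 KB for an ordinary web client), which is why byte counts alone miss it and why the regularity test is worth running as a standing hunt over netflow.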
Where to Learn More
Fundamentals - Log Analysis
• Network Device/Service Logs
– Proxy
– Firewall/Router/Switch
– DNS, SMTP, HTTP
• Host Logs
– Windows (System, Application, Security, etc.)
– End-Point Protection (IDS/IPS, Firewall, AV, etc.)
Just a Basic Understanding So You Can Use Them During Analysis
Where to Learn More
OpenSecurityTraining.info
Where to Learn More
• OpenSecurityTraining.info
– Flow Analysis & Network Hunting
– Introduction to Network Forensics
– Pcap Analysis & Network Hunting
• Training/Certifications
– GCIA, GCIH
– DoD 8570 CND-A/CND-IR Certs if Gov (CEH, GCIA, GCIH)
– Vendor Certs for Common Tools (e.g., ArcSight, Sourcefire, etc.)
– Security Onion Course
Where to Learn More
• Defensive Challenges
– Malware-Traffic-Analysis.net Exercises
• Challenge followed by answers
• http://www.malware-traffic-analysis.net/training-exercises.html
– Shell-Storm.org CTF Repo
• CTF Repository from major conferences
• http://shell-storm.org/repo/CTF/
– Many, Many Others…
Where to Learn More
• Top 5 Tips for Those Starting Out
– Set Up SO at Home & Start Investigating
– Don’t Cherry-Pick; Don’t Measure by Counts
– Alert Sensor Admins of Recurring FPs
– Never Touch Adversary Infrastructure
• Not Even via “Safe” External Sites (e.g., to Deobfuscate Base64); a Quick Bash or Perl Script Is Safer
– Know Your Network and Sensor/Support Placement Inside and Out; It’ll Help You Know Where to Go in Your Analysis
Questions?
• Twitter @grecs
• Website NovaInfosec.com, @novainfosec
• Contact http://bit.ly/nispcontact
o Questions/Consulting
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016

  • 1. Monitoring & Analysis N00b to Ninja in 60 Minutes* @grecs NovaInfosec.com * Most listeners do not become Ninjas in under 60 minutes.
  • 2. Disclaimer Opinions expressed are solely my own and do not express the views or opinions of my employers. NovaInfosec.com@grecs,Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
  • 3. NovaInfosec.com@grecs,Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
  • 4. 20 Yrs Industry 16 Yrs Infosec 5 Yrs SOC
  • 5. NovaInfosec.com@grecs,Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
  • 6. NovaInfosec Consulting • 20 Years Industry/Infosec Experience • Security Engineering/ Architecture • SOC 2.0/Transformation • Security Training datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
  • 7. Agenda • Introduction • Environment • Methodology • Where to Learn More • Conclusion NovaInfosec.com@grecs,Network Monitoring & Analysis: N00b to Ninja in 60 Minutes
  • 9. Introduction
      • Security Analysts Looking to Recognize Gaps & Learn How to Fill Them
      • General Security Practitioners Interested in Getting Started in Monitoring & Analysis
      • It’s Kinda Fun … Like Solving a Mystery
  • 10. Introduction – What Is Network Monitoring & Analysis?
      • The Monitoring & Analysis of Networks ;)
      • The Collection, Analysis, & Escalation of Indications & Warnings to Detect & Respond to Intrusions
      • Phases
          – Select
          – Triage
          – Analyze
  • 11. Introduction – What Is Selection?
      • Definition
          – Choosing the Alert to Investigate
      • Goals
          – Choose the Highest Quality and Most Relevant Alerts from the Sensors
      • Order
          – Varies for Every Organization
          – High to Low Priority
  • 12. Introduction – What Is Triage?
      • Definition
          – Quickly Separate Alerts Needing Further Analysis from Irrelevant Alerts
      • Goals
          – Identify Alerts Needing Further Investigation
      • Activities
          – Examine Alert Details to Discover Why It Fired
          – Look through Prior Write-Ups/Reports
          – Investigate Open Source/Internal Resources
  • 13. Introduction – What Is Analysis?
      • Definition
          – Analyze Supporting Resources to Determine Actions
      • Goals
          – Determine Actions Attackers May Have Taken Throughout the Network
      • Activities
          – Identify Key Indicators & Use Them to Search through Supporting Resources
          – Analyze Netflow for Indicators
          – Search FPC for Indicators
  • 14. ENVIRONMENT
      • Sensors
      • Supporting Resources
      • SIEM/Logger
      • Monitoring Architecture
      • Integrated Environment
  • 15. Environment – Sensors
      • Box Analyzing Traffic
      • Placed at Strategic Points in the Network (e.g., ingress/egress points)
      • Usually IDS (passive) or IPS (active)
      • Signature or Anomaly Based
  • 16. Environment – Supporting Resources
      • Data You Can Correlate Off Of
      • Two Types: Internal & External
      • Find ALL Log Sources & Bring Them Together
      • Track Everything Going Into & Out of the Network
      • Pivot Off Alerts Back into Logs to Discover New Indicators
      • Or Several Tools You Need to Pivot Into to Discover More
  • 17. Environment – Supporting Resources
      • Internal
          – Network: Netflow, FPC
          – Device Logs: Firewalls, Routers, Switches
          – Application Logs: Mail/Web/File Servers, AD/DNS, Proxies
          – Other Detective/Preventative Sources (IPS, Proxies, Email Blocking, etc.): Could Be a Useful Reference; Low Priority Alerts that Are Usually Ignored
      • External
          – Google
          – Whois/DNS Info
          – Reputation Databases
          – Web Archives
          – Passive Scanning
          – Metasites
  • 18. Environment – SIEM/Logger
      • Centralize All Security Data to Ease Analysis
      • Sources Include
          – Sensors
          – Supporting Resources
          – External Resources
      • Configure to Show Alerts or Correlated Alerts
      • Examples
          – Pure SIEMs: ArcSight, AlienVault, etc.
          – Adaptations: Splunk, ELK Stack
  • 19. Environment – Monitoring Architecture
      (architecture diagram; labels recovered from the slide: NIDS, Proxy, Firewall/Router, AD/DNS, Web, Email, File Svr, External, Users, User LAN, Server LAN, DMZ, SOC, Sensors, Logger, SIEM, FPC, Analysis, Analyst; Support: Google, Whois/DNS, Rep DBs, Web Arch, Passive Scans, Metasites)
  • 20. Environment – Integrated Environment
      • Security Onion
          – Old Beige Box on eBay
          – Deployment Options
          – Netgear ProSAFE (GS108T and GS105T)
      • pfSense
          – Old Desktop
          – Firewall Distro but Customizable
          – IDS, Proxy, VPN, etc.
  • 21. Environment – Integrated Environment: Security Onion (architecture)
      • Base OS: Ubuntu
      • Netflow: Argus, Bro
      • IDSs: Snort, Suricata, Bro
      • FPC: Daemonlogger
      • App/Proto Logs: Bro
      • Analysis: Sguil, Squert, Snorby
      • SIEM/Logger: ELSA
      • Misc.: Wireshark, Net Miner
      • HIDSs: OSSEC
  • 22. Environment – Integrated Environment: Security Onion (deployment options)
      (deployment diagram; labels recovered from the slide: Firewall/Router between External and Internal, SO Sensor, Server, Console)
  • 23. METHODOLOGY
      1. Select
      2. Triage
      3. Analyze
  • 24. Methodology – 1. Select
      • Choose Alert to Investigate
      • Varies by Organization
      • One Method, Highest to Lowest Priority:
          – Custom Signatures
          – Counts Grouped by Signature
          – Default Medium Priority
          – Default Low Priority
      • Tips
          – Don’t Cherry-Pick (i.e., for counts)
          – Alert Sensor Admins of Recurring FPs
  • 25. Methodology – 2. Triage
      • Examine Details of Selected Alert to Find Out Why It Fired
      • SIEM vs. No SIEM
      • General Methodology:
          – Review Details in SIEM
          – Compare with Prior Knowledge
          – Read Rule Description & Review References
          – Analyze Rule & PCAP to Verify if TP
          – Need More Details? Investigate Src./Dst. IPs/Ports
          – Determine FP or Low Impact, or Continue to Analysis
      • Tips
          – Avoid Touching Attacker Infrastructure
  • 26. Methodology – 3. Analyze
      • Analyze Supporting Resources to Determine Impact
      • Based on What You Know So Far (Indicators)
          – Search through Relevant Supporting Resources
          – Learn More About Those Indicators
          – Pivot Off Results with New Indicators Discovered
      • Indicator Analysis Cycle:
          – Stimulus
          – Derive Indicator & Search KB
          – Determine Indicator Resource
          – Query Resource
          – Doc Results in KB
          – Indicator Elsewhere? / Additional Stimulus? (decision points that loop back through the cycle; otherwise End)
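The Select and Analyze steps above, as an added example in Python that is not part of the slides or of Security Onion: alerts are ordered by the slide's priority tiers and grouped by signature, then the destination IP of the chosen alert is pushed through the indicator analysis cycle over constructed netflow, DNS and proxy records, with a dictionary standing in for the KB. The tier names, record layouts, signatures and all IP/domain values are constructed for the example.

```python
from collections import deque

# Selection order from the slide: custom signatures first, then default
# medium, then default low priority (tier names are this example's own).
TIER_ORDER = {"custom": 0, "default-med": 1, "default-low": 2}

# Constructed alerts; none of these signatures or addresses are real findings.
ALERTS = [
    {"sig": "ET TROJAN Generic Beacon", "tier": "default-med", "src": "10.1.1.23", "dst": "203.0.113.9"},
    {"sig": "LOCAL Known C2 Domain", "tier": "custom", "src": "10.1.1.23", "dst": "203.0.113.9"},
    {"sig": "ET POLICY Dropbox Usage", "tier": "default-low", "src": "10.1.1.50", "dst": "198.51.100.7"},
    {"sig": "ET TROJAN Generic Beacon", "tier": "default-med", "src": "10.1.1.41", "dst": "203.0.113.9"},
]


def select_alerts(alerts):
    """Highest priority first; within a tier, group by signature so one
    signature's alerts are worked together rather than cherry-picked."""
    return sorted(alerts, key=lambda a: (TIER_ORDER[a["tier"]], a["sig"]))


# Constructed supporting resources (the "internal" kind from the slides).
NETFLOW = [  # (src, dst, dport, bytes)
    ("10.1.1.23", "203.0.113.9", 443, 1200),
    ("10.1.1.41", "203.0.113.9", 443, 980),
    ("10.1.1.50", "198.51.100.7", 443, 50000),
]
DNS = [  # (client, query, answer)
    ("10.1.1.23", "update.example-bad.test", "203.0.113.9"),
    ("10.1.1.41", "update.example-bad.test", "203.0.113.9"),
    ("10.1.1.77", "cdn.example-bad.test", "203.0.113.10"),
]
PROXY = [  # (client, host)
    ("10.1.1.77", "cdn.example-bad.test"),
]


def query_resource(indicator):
    """'Determine Indicator Resource' + 'Query Resource': pick the sources
    that can answer this indicator type and return (hits, new_indicators)."""
    kind, value = indicator
    hits, new = [], set()
    if kind == "ip":
        for src, dst, dport, nbytes in NETFLOW:
            if value in (src, dst):
                hits.append(("netflow", src, dst, dport, nbytes))
                new.add(("ip", dst if src == value else src))
        for client, query, answer in DNS:
            if answer == value:
                hits.append(("dns", client, query, answer))
                new.update({("domain", query), ("ip", client)})
    elif kind == "domain":
        for client, query, answer in DNS:
            if query == value:
                hits.append(("dns", client, query, answer))
                new.update({("ip", client), ("ip", answer)})
        for client, host in PROXY:
            if host == value:
                hits.append(("proxy", client, host))
                new.add(("ip", client))
    return hits, new


def indicator_analysis_cycle(seed, internal_prefix="10.1.1."):
    """Run the cycle from the slide: search the KB, query the resource, document
    the results, and pivot on every new indicator until none remain.
    The KB is a dict of indicator -> documented hits."""
    kb = {}
    queue = deque([seed])
    while queue:
        indicator = queue.popleft()
        if indicator in kb:  # 'Search KB': already documented, no re-query
            continue
        hits, new = query_resource(indicator)
        kb[indicator] = hits  # 'Doc Results in KB'
        for item in new:
            if item[0] == "ip" and item[1].startswith(internal_prefix):
                # Internal hosts are recorded as affected but not pivoted on:
                # pivoting on every internal IP would pull in unrelated traffic.
                kb.setdefault(("host", item[1]), []).append(("seen_with", indicator))
            elif item not in kb:
                queue.append(item)  # 'Indicator Elsewhere?' -> next cycle
    return kb


def affected_hosts(kb):
    """Internal hosts the cycle tied to the seed indicator."""
    return sorted(value for kind, value in kb if kind == "host")


if __name__ == "__main__":
    first = select_alerts(ALERTS)[0]
    print("selected:", first["sig"], first["src"], "->", first["dst"])
    kb = indicator_analysis_cycle(("ip", first["dst"]))
    print("affected hosts:", affected_hosts(kb))
    print("pivoted indicators:", [k for k in kb if k[0] != "host"])
```

Starting from the custom-signature alert's destination, the cycle pulls in the domain that resolved to it and the two internal hosts that talked to it, but stops short of the third host, whose traffic went to a different name and address; that stopping rule (document internal hosts, pivot only on external indicators) is what keeps the cycle from expanding to the whole network.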
  • 29. WHERE TO LEARN MORE
      • Fundamentals
      • OpenSecurityTraining.info
      • Training/Certifications
      • Defensive Challenges
      • Top 5 Steps for Those Starting Out
  • 30. Where to Learn More – Fundamentals: Linux
      • Contains Many Analysis Tools by Default
      • Basics
          – Commands: ls, mkdir, cd, pwd, rm, mv, find, cat, file, …
          – Help: man
      • Intermediate
          – Commands: more/less, grep, wc, head/tail, strings
          – Operators: |, >, >>, …
      • Advanced
          – Commands: sort, uniq, cut, xargs, …
          – Regular Expressions
          – Scripting: awk, sed, bash, Python
  • 31. Where to Learn More – Fundamentals: Networking Basics
      • Understand Basic Networking Concepts
      • Overall OSI Model, TCP/IP Stack
      • Common Ports & Protocols
  • 32. Where to Learn More – Fundamentals: PCAP Analysis
      • Understand How to Analyze Collected Traffic
      • Wireshark
      • Tshark
      • Tcpdump
      • Snort
  • 33. Where to Learn More – Fundamentals: Flow Analysis
      • Statistical Data on Who Talked to Whom
      • Usually Limited to 5-Tuples
          – Source/Destination IP & Port
          – Protocol
      • Tools (SiLK, Argus, etc.)
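The flow analysis slide above, as an added Python example (not from the slides, and not SiLK or Argus output): constructed flow records in 5-tuple form are collapsed into per-tuple counters and into a who-talked-to-whom view that drops the ephemeral source port, then ranked the way `sort | uniq -c | sort -rn | head` would rank them. The last function goes beyond the slide by measuring how regular the gaps between successive flows of one pair are. Record layout, timestamps and addresses are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in the 5-tuple form the slide describes, plus the
# counters a collector normally adds. Fields:
# (start_epoch_seconds, src, sport, dst, dport, proto, packets, bytes)
FLOWS = [
    (1000, "10.1.1.23", 51000, "203.0.113.9", 443, "tcp", 6, 900),
    (1600, "10.1.1.23", 51004, "203.0.113.9", 443, "tcp", 6, 910),
    (2200, "10.1.1.23", 51010, "203.0.113.9", 443, "tcp", 6, 905),
    (2800, "10.1.1.23", 51015, "203.0.113.9", 443, "tcp", 6, 898),
    (1100, "10.1.1.50", 52000, "198.51.100.7", 443, "tcp", 400, 512000),
    (1700, "10.1.1.50", 52001, "198.51.100.7", 443, "tcp", 120, 140000),
    (1900, "10.1.1.50", 52002, "10.1.1.5", 53, "udp", 2, 180),
]


def five_tuple_stats(flows):
    """Exact 5-tuple view: one entry per (src, sport, dst, dport, proto)."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for _start, src, sport, dst, dport, proto, packets, nbytes in flows:
        entry = stats[(src, sport, dst, dport, proto)]
        entry["flows"] += 1
        entry["packets"] += packets
        entry["bytes"] += nbytes
    return dict(stats)


def talkers(flows):
    """'Who talked to whom': collapse the ephemeral source port so repeated
    connections from the same host to the same service add up."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "starts": []})
    for start, src, _sport, dst, dport, proto, packets, nbytes in flows:
        entry = stats[(src, dst, dport, proto)]
        entry["flows"] += 1
        entry["packets"] += packets
        entry["bytes"] += nbytes
        entry["starts"].append(start)
    return dict(stats)


def top_talkers(flows, by="bytes", n=3):
    """Rank conversations by one counter, the flow-analysis equivalent of
    'sort | uniq -c | sort -rn | head'."""
    ranked = sorted(talkers(flows).items(), key=lambda kv: kv[1][by], reverse=True)
    return [(key, entry[by]) for key, entry in ranked[:n]]


def interval_regularity(flows, src, dst, min_gaps=3):
    """Beyond the slide: mean and spread of the gaps between successive flows
    for one src->dst pair. Many flows at near-identical intervals are worth a
    closer look in FPC; fewer than min_gaps gaps is not enough data, so None."""
    starts = sorted(s for s, fsrc, _sp, fdst, *_rest in flows if fsrc == src and fdst == dst)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < min_gaps:
        return None
    return {"gaps": len(gaps), "mean": mean(gaps), "stdev": pstdev(gaps)}


if __name__ == "__main__":
    for key, total in top_talkers(FLOWS):
        print(f"{key[0]} -> {key[1]}:{key[2]}/{key[3]}  {total} bytes")
    print(interval_regularity(FLOWS, "10.1.1.23", "203.0.113.9"))
```

Ranking by bytes surfaces the large transfer; ranking by flow count surfaces the host that kept reconnecting to the same service, which is the kind of difference flow data shows without any payload.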
  • 34. Where to Learn More – Fundamentals: Log Analysis
      • Network Device/Service Logs
          – Proxy
          – Firewall/Router/Switch
          – DNS, SMTP, HTTP
      • Host Logs
          – Windows (System, Application, Security, etc.)
          – End-Point Protection (IDS/IPS, Firewall, AV, etc.)
      • Just a Basic Understanding So You Can Use Them During Analysis
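The proxy log analysis the slide lists, as an added Python example (not from the slides or any proxy vendor): constructed Squid-style access log lines are parsed with a regular expression, the host is pulled out of the URL, and the parsed rows are counted per field in the way the `cut | sort | uniq -c | sort -rn | head` pipeline from the Linux slide would count them. A deliberately malformed line shows that unparsed input is counted rather than silently dropped. The log lines, clients and hosts are constructed.

```python
import re
from collections import Counter

# Constructed Squid-style (native format) access log lines; the hosts and
# addresses are documentation ranges, not real observations. The last line
# is deliberately malformed.
PROXY_LOG = """\
1460000001.123    245 10.1.1.23 TCP_MISS/200 4321 GET http://update.example-bad.test/c/ping - HIER_DIRECT/203.0.113.9 text/html
1460000002.456     10 10.1.1.50 TCP_HIT/200 1200 GET http://www.example.com/ - NONE/- text/html
1460000003.789    300 10.1.1.41 TCP_MISS/200 4300 GET http://update.example-bad.test/c/ping - HIER_DIRECT/203.0.113.9 text/html
1460000004.000     90 10.1.1.50 TCP_DENIED/403 512 CONNECT drive.example.net:443 - HIER_NONE/- -
1460000005.250    210 10.1.1.23 TCP_MISS/200 4310 GET http://update.example-bad.test/c/ping - HIER_DIRECT/203.0.113.9 text/html
garbage line that does not match the format
"""

# One named group per field we care about; the trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# Host from either 'scheme://host/path' or the bare 'host:port' of a CONNECT.
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")


def parse_proxy_log(text):
    """Return (rows, unparsed). Each row has typed fields plus the host."""
    rows, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a count so a format change is noticed
            continue
        host = HOST_RE.match(m["url"]).group(1)
        rows.append({
            "ts": float(m["ts"]), "client": m["client"], "result": m["result"],
            "status": int(m["status"]), "bytes": int(m["bytes"]),
            "method": m["method"], "url": m["url"], "host": host,
        })
    return rows, unparsed


def count_by(rows, field, n=None):
    """Equivalent of 'cut -f<field> | sort | uniq -c | sort -rn | head -n'."""
    return Counter(row[field] for row in rows).most_common(n)


def clients_per_host(rows):
    """Distinct clients per destination host; hosts seen by only one or two
    clients are often the ones worth pivoting on next."""
    seen = {}
    for row in rows:
        seen.setdefault(row["host"], set()).add(row["client"])
    return {host: sorted(clients) for host, clients in seen.items()}


if __name__ == "__main__":
    rows, bad = parse_proxy_log(PROXY_LOG)
    print(f"parsed {len(rows)} rows, {bad} unparsed")
    print("top hosts:", count_by(rows, "host", 3))
    print("denied:", [r["url"] for r in rows if r["status"] == 403])
    print("clients per host:", clients_per_host(rows))
```

The same three functions apply to firewall, DNS or SMTP logs once the regular expression is swapped for that format; the point of typing the fields (int status, int bytes, float timestamp) is that later filtering and sorting stay numeric rather than string-based.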
  • 35. Where to Learn More – OpenSecurityTraining.info
  • 36. Where to Learn More
      • OpenSecurityTraining.info
          – Flow Analysis & Network Hunting
          – Introduction to Network Forensics
          – Pcap Analysis & Network Hunting
      • Training/Certifications
          – GCIA, GCIH
          – 8570 CND-A/IR Certs if Gov (CEH, GCIA, GCIH)
          – Vendor Certs for Common Tools (e.g., ArcSight, SourceFire, etc.)
          – Security Onion Course
  • 37. Where to Learn More
      • Defensive Challenges
          – Malware-Traffic-Analysis.net Exercises
              • Challenge Followed by Answers
              • http://www.malware-traffic-analysis.net/training-exercises.html
          – Shell-Storm.org CTF Repo
              • CTF Repository from Major Conferences
              • http://shell-storm.org/repo/CTF/
          – Many, Many Others…
  • 38. Where to Learn More
      • Top 5 Tips for Those Starting Out
          – Set Up SO at Home & Start Investigating
          – Don’t Cherry-Pick; Don’t Measure by Counts
          – Alert Sensor Admins of Recurring FPs
          – Never Touch Adversary Infrastructure
              • Even Safe External Sites (e.g., to deobfuscate base64); a Quick Bash or Perl Script Is Safer
          – Know Your Network and Sensor/Support Placement Inside and Out – It’ll Help You Know Where to Go in Your Analysis
  • 39. Questions?
      • Twitter: @grecs
      • Website: NovaInfosec.com, @novainfosec
      • Contact: http://bit.ly/nispcontact (Questions/Consulting)