Catching Breaches with NBAD
Charles Herring
@charlesherring
http://f15hb0wn.com
Agenda
• Definitions
• NBAD Specific Detection Approaches
• Example Breaches
Overview - Definitions
• What is NBAD?
• What is NetFlow?
• Detection Schools
What is NBAD?
• Network Behavioral Anomaly Detection
• Data source = Network MetaData (NetFlow)
• Probe/export locations = core routers and switches or deeper in the network, not only the perimeter
• Quantity/Metric Centric (not Pattern/Signature Centric)
• The term is also used loosely for NetFlow-based security tools in general
OSS NBAD - SiLK/PySiLK (CERT NetSA's flow collection and analysis suite and its Python bindings)
Commercial Solutions
• Arbor PeakFlow
• IBM Qradar
• Invea-Tech FlowMon
• Lancope StealthWatch
• ManageEngine
• McAfee NTBA
• Plixer Scrutinizer
• ProQSys FlowTraq
• Riverbed Cascade (formerly Mazu)
* For comparison see Gartner Network Behavior Analysis Market December 2012 (G00245584)
Network Logging Standards
Basic/Common Fields
• NetFlow v9 (RFC 3954)
• IPFIX (RFC 5101; since superseded by RFC 7011)
• Rebranded NetFlow:
  • Jflow – Juniper
  • Cflowd – Juniper/Alcatel-Lucent
  • NetStream – 3Com/Huawei
  • Rflow – Ericsson
  • AppFlow – Citrix
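NetFlow v9 is template-driven: an exporter first sends a template FlowSet describing the field layout, then data FlowSets whose ID equals that template's ID. The following parser, an added example that is not code from the slides or from any vendor, decodes one constructed export packet built in memory, so it runs offline. The field names in FIELD_NAMES follow RFC 3954 section 8; the exporter, its template ID 256, source ID 1 and the two sample flows are all constructed.

```python
"""Minimal NetFlow v9 (RFC 3954) export-packet parser with a matching packet builder.
Added example, not code from the slides or from any vendor; the exporter packet it
decodes is constructed in memory so the block runs offline. Only the field types
listed in FIELD_NAMES are named; anything else is returned as a raw integer or bytes."""
import struct
from ipaddress import IPv4Address

# Field type IDs from RFC 3954 section 8 (a small subset).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IPV4_FIELDS = {8, 12}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seqNumber, sourceId


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(IPv4Address(raw))
    if len(raw) in (1, 2, 4, 8):
        return int.from_bytes(raw, "big")
    return raw


def parse_v9(packet, templates=None):
    """Decode one export packet. Returns (records, templates).

    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and must be
    kept across packets per exporter: a data FlowSet whose template has not been seen
    yet cannot be decoded and is skipped, which is what happens on a collector that
    starts up between two template refreshes."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("FlowSet length too small")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if nfields == 0:                        # reached the padding
                    break
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template record")
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 * i)
                                               for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                              # data FlowSet, id == template id
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(length for _, length in fields)
                p = 0
                while p + rec_len <= len(body):         # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, length in fields:
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = _decode(ftype, body[p:p + length])
                        p += length
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are ignored in this example
        off += fs_len
    return records, templates


# Field layout of the constructed exporter's template: 22 bytes per data record.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]


def build_v9_packet(flows, template_id=256, source_id=1, include_template=True):
    """Constructed exporter: optional template FlowSet followed by one data FlowSet."""
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
        tmpl += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(
        IPv4Address(f["src_addr"]).packed + IPv4Address(f["dst_addr"]).packed
        + struct.pack("!HHBBII", f["src_port"], f["dst_port"], f["protocol"],
                      f["tcp_flags"], f["in_bytes"], f["in_pkts"])
        for f in flows)
    data += b"\x00" * (-len(data) % 4)                  # pad to a 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(data)) + data
    count = len(flows) + (1 if include_template else 0)
    return HEADER.pack(9, count, 0, 0, 0, source_id) + flowsets


SAMPLE_FLOWS = [  # constructed records: one finished HTTPS session, one SYN-only probe at RDP
    {"src_addr": "10.1.1.5", "dst_addr": "203.0.113.9", "src_port": 49152, "dst_port": 443,
     "protocol": 6, "tcp_flags": 0x1b, "in_bytes": 1540, "in_pkts": 12},
    {"src_addr": "10.1.1.5", "dst_addr": "10.1.2.20", "src_port": 49153, "dst_port": 3389,
     "protocol": 6, "tcp_flags": 0x02, "in_bytes": 60, "in_pkts": 1},
]

if __name__ == "__main__":
    recs, cache = parse_v9(build_v9_packet(SAMPLE_FLOWS))
    for r in recs:
        print(r)
```

The template cache is the operational point: a collector that restarts, or that receives a data FlowSet before the exporter's next template refresh, silently decodes nothing for that template until the refresh arrives, so missing flows in an NBAD tool are as often a template-timing problem as a network one. Production collectors also verify sequence numbers per exporter to spot dropped export packets; that check is left out here.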
Detection Methods
• Signature = Inspect the object against a blacklist
  • IPS
  • Antivirus
  • Content Filter
• Behavioral = Inspect the victim's behavior against a blacklist
  • Malware Sandbox
  • NBAD/UBAD
  • HIPS
  • SIEM
• Anomaly = Inspect the victim's behavior against a whitelist
  • NBAD/UBAD
Comparison of Detection Methods

| | Signature | Behavior | Anomaly |
|---|---|---|---|
| Known Exploits | Best | Good | Limited |
| 0-Day Exploits | Limited | Best | Good |
| Credential Abuse | Limited | Limited | Best |
Overview – NBAD Detection Approaches
• Signature
• Behavioral
• Anomaly
NBAD Detection - Signature
• Segmentation Enforcement
• Policy Violations
• C&C Connections
• Pros: certainty can be established; easy to set up; deep visibility (without dedicated probes)
• Cons: only detects "known threats"
Boolean Detection
Decision chain: IDS signature fired? → VA marked the target vulnerable? → NetFlow shows returned data? → Trigger Breach Alarm
• Requires understanding of the "bad" scenario
• Dependent on reliable (non-compromised) data sources
• Data sources rely on signature (known-bad) detection
• NetFlow usage limited to communication tracking
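The decision chain above, written as correlation code over three constructed data sets. This is an added example, not the slides' or any product's logic; the alert, VA and flow records, their field names and the 500-byte floor for "returned data" are assumptions (a bare TCP reset or a short error page falls under it, a working exploit's output normally does not).

```python
"""Boolean breach detection: an IDS signature fired, the VA scanner had marked the target
vulnerable, and NetFlow shows the victim sent data back to the attacker. Added example;
alerts, VA findings and flows are constructed and the field names are the author's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    attacker: str
    victim: str
    victim_port: int
    signature: str


@dataclass(frozen=True)
class Flow:                  # unidirectional record, as NetFlow exports it
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int


def returned_bytes(alert, flows, window):
    """Bytes the victim's service port sent to the attacker shortly after the alert.
    With unidirectional flows the reply is its own record: victim:port -> attacker."""
    return sum(f.bytes for f in flows
               if f.src == alert.victim and f.sport == alert.victim_port and f.dst == alert.attacker
               and alert.ts - timedelta(minutes=1) <= f.start <= alert.ts + window)


def breach_alarms(alerts, va_findings, flows, window=timedelta(minutes=10), min_returned=500):
    """Alarm only when all three conditions hold; keep the evidence with each alarm."""
    alarms = []
    for a in alerts:
        finding = va_findings.get((a.victim, a.victim_port))
        if finding is None:
            continue                     # signature fired, but VA says this target is not vulnerable
        got = returned_bytes(a, flows, window)
        if got < min_returned:
            continue                     # nothing meaningful came back: likely a failed attempt
        alarms.append({"victim": a.victim, "attacker": a.attacker, "signature": a.signature,
                       "va_finding": finding, "returned_bytes": got})
    return alarms


T0 = datetime(2013, 3, 4, 9, 0, 0)
ATTACKER = "198.51.100.7"
SIG = "web app RCE attempt (constructed signature name)"
ALERTS = [  # constructed: the same signature against three internal application servers
    Alert(T0, ATTACKER, "10.2.0.15", 8080, SIG),
    Alert(T0 + timedelta(seconds=20), ATTACKER, "10.2.0.16", 8080, SIG),
    Alert(T0 + timedelta(seconds=40), ATTACKER, "10.2.0.17", 8080, SIG),
]
VA_FINDINGS = {  # constructed VA output, (host, port) -> finding; .16 was patched and is absent
    ("10.2.0.15", 8080): "unpatched application server (constructed finding)",
    ("10.2.0.17", 8080): "unpatched application server (constructed finding)",
}
FLOWS = [  # constructed replies: .15 returns 48 KB, .16 returns 52 KB, .17 only a 120-byte reset
    Flow(T0 + timedelta(seconds=5), "10.2.0.15", 8080, ATTACKER, 51000, 48_000),
    Flow(T0 + timedelta(seconds=25), "10.2.0.16", 8080, ATTACKER, 51001, 52_000),
    Flow(T0 + timedelta(seconds=45), "10.2.0.17", 8080, ATTACKER, 51002, 120),
]

if __name__ == "__main__":
    for alarm in breach_alarms(ALERTS, VA_FINDINGS, FLOWS):
        print(alarm)
```

Only 10.2.0.15 alarms: 10.2.0.16 returned plenty of data but the VA record says it was not vulnerable, and 10.2.0.17 was vulnerable but only sent a reset-sized reply. Both suppressions are also the scheme's weakness that the slide names: a stale VA scan or a tampered IDS silently drops true positives, and NetFlow is only used here to confirm that a conversation happened, not to characterize it.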
NBAD Detection - Behavioral
• Scanning
• SYN Flood
• Flag Sequences
• Pros: does not need to know the exploit
• Cons: must establish and maintain per-host counters
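The three behaviors on this slide, found from per-host counters over flow records, as an added example rather than code from the slides or any product. The flows are constructed (a clean client, an address sweep, a port scan and a spoofed SYN flood) and the thresholds are assumptions; in practice they are tuned to the exporter's active timeout and sampling rate, since a sampled exporter sees only a fraction of single-packet probes.

```python
"""Behavior-school NBAD over flow records: address sweeps, port scans and SYN floods found from
per-host counters, with no knowledge of any exploit. Added example; flows and thresholds are
constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

TCP, SYN, ACK = 6, 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    flags: int   # cumulative TCP flags over the flow's lifetime, as NetFlow exports them
    pkts: int


def syn_only(f):
    """A TCP flow that never carried an ACK never completed a handshake: a probe or a half-open attempt."""
    return bool(f.proto == TCP and f.flags & SYN and not f.flags & ACK)


def host_counters(flows):
    """Per source host: flow count, SYN-only count, distinct targets and distinct destination ports."""
    c = defaultdict(lambda: {"flows": 0, "syn_only": 0, "targets": set(), "ports": set()})
    for f in flows:
        h = c[f.src]
        h["flows"] += 1
        h["targets"].add(f.dst)
        h["ports"].add(f.dport)
        if syn_only(f):
            h["syn_only"] += 1
    return c


def detect_scans(flows, min_targets=20, min_ports=20, min_syn_ratio=0.8):
    """Scanners are hosts whose flows are mostly SYN-only and fan out over many hosts or ports."""
    findings = []
    for host, h in host_counters(flows).items():
        if h["syn_only"] / h["flows"] < min_syn_ratio:
            continue                                    # mostly completed connections: not a scanner
        if len(h["targets"]) >= min_targets:
            findings.append((host, "address sweep", len(h["targets"])))
        elif len(h["ports"]) >= min_ports:
            findings.append((host, "port scan", len(h["ports"])))
    return findings


def detect_syn_floods(flows, min_half_open=1000):
    """Per destination: SYN-only flows of one or two packets (handshakes that never finished).
    Counting by destination is what catches spoofed floods, where no single source stands out."""
    half_open = defaultdict(int)
    for f in flows:
        if syn_only(f) and f.pkts <= 2:
            half_open[f.dst] += 1
    return {dst: n for dst, n in half_open.items() if n >= min_half_open}


SAMPLE_FLOWS = (
    # constructed: a normal client with completed sessions (SYN|ACK|PSH|FIN = 0x1b)
    [Flow("10.0.0.9", "10.0.1.10", 445, TCP, 0x1b, 40), Flow("10.0.0.9", "203.0.113.5", 443, TCP, 0x1b, 120)]
    # constructed: address sweep, one host probes tcp/445 on 40 neighbours
    + [Flow("10.0.0.50", f"10.0.1.{i}", 445, TCP, SYN, 1) for i in range(1, 41)]
    # constructed: port scan, one host probes 60 ports on one server
    + [Flow("10.0.0.51", "10.0.2.5", p, TCP, SYN, 1) for p in range(1, 61)]
    # constructed: SYN flood, 1500 half-open attempts from 200 spoofed sources at one web server
    + [Flow(f"198.51.100.{i % 200}", "10.0.3.80", 80, TCP, SYN, 1) for i in range(1500)]
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE_FLOWS))
    print(detect_syn_floods(SAMPLE_FLOWS))
```

The SYN-ratio gate is what keeps a busy but legitimate host (a monitoring server that really does talk to hundreds of targets) out of the scan list; the flood detector deliberately ignores sources, because each spoofed address contributes only a handful of flows and would never trip a per-source counter.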
NBAD Detection – Anomaly
• Pros: can catch sophisticated/targeted/unknown threats
• Cons:
  • Requires host and user profiles
  • Requires specific baselines/policies
  • Output requires interpretation
  • Requires massive data collection/processing
  • Requires algorithmic calculation
Algorithmic Detection
• Based on knowing normal
• Dependent on raw NetFlow metadata (multiple sources)
• Does not require understanding of the attack
• Output is security indices focused on host activity
Example: Host Concern Index = 1,150,000
• Slow scanning activity: add 325,000
• Abnormal connections: add 425,000
• Internal pivot activity: add 400,000
NBAD Detection – Anomaly Types
• Service Traffic Threshold Anomaly
• Service Type Anomaly
• Geographic Traffic Anomaly
• Time of Day Anomaly
• Geographic User Anomaly
• Data Hoarding
• Data Disclosure
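Four of the anomaly types above (service traffic threshold/data disclosure, data hoarding, geographic traffic and time of day) checked against a per-host baseline and rolled into a Host Concern Index of the kind the algorithmic-detection slide shows. This is an added example and not the slides' or any product's algorithm: the seven-day history, the day's flows, the site address space, the geolocation table, the mean-plus-3-sigma band and the point weights are all constructed assumptions.

```python
"""Anomaly-school NBAD: profile each host's normal flow metrics, flag the day's deviations and
sum them into a Host Concern Index. Added example; history, flows, geo map, thresholds and
point values are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")                     # assumed site address space
GEO = [(ip_network("203.0.113.0/24"), "US"),            # constructed geolocation table
       (ip_network("198.51.100.0/24"), "RO")]
POINTS = {"data disclosure": 450_000, "data hoarding": 300_000,   # constructed index weights
          "geographic traffic": 250_000, "time of day": 150_000}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes: int       # bytes from src to dst


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def country(ip):
    return next((c for net, c in GEO if ip_address(ip) in net), "??")


def summarize(flows):
    """Per internal host: bytes sent to the Internet, bytes received from internal hosts,
    countries reached, and hours of the day with external traffic."""
    s = defaultdict(lambda: {"out_external": 0, "in_internal": 0, "countries": set(), "hours": set()})
    for f in flows:
        if not is_internal(f.src):
            continue
        if is_internal(f.dst):
            s[f.dst]["in_internal"] += f.bytes          # receiving side of an internal transfer
        else:
            h = s[f.src]
            h["out_external"] += f.bytes
            h["countries"].add(country(f.dst))
            h["hours"].add(f.ts.hour)
    return s


def upper_limit(history, k=3.0):
    """Mean plus k standard deviations; the floor stops a flat history from giving a zero-width band."""
    m = mean(history)
    return m + k * max(pstdev(history), 0.1 * m)


def score_host(today, hist):
    findings = []
    for metric, label in (("out_external", "data disclosure"), ("in_internal", "data hoarding")):
        limit = upper_limit(hist[metric])
        if today[metric] > limit:
            findings.append((label, f"{today[metric]:,} B today, limit {limit:,.0f} B"))
    new_geo = today["countries"] - hist["countries"]
    if new_geo:
        findings.append(("geographic traffic", f"first traffic to {sorted(new_geo)}"))
    odd_hours = today["hours"] - hist["hours"]
    if odd_hours:
        findings.append(("time of day", f"external traffic at hours {sorted(odd_hours)}"))
    return findings


def concern_indices(flows, history):
    """Host Concern Index per profiled host. Hosts with no baseline are skipped; a real
    deployment profiles them first rather than scoring them against nothing."""
    out = {}
    for host, today in summarize(flows).items():
        if host in history:
            findings = score_host(today, history[host])
            out[host] = {"index": sum(POINTS[label] for label, _ in findings), "findings": findings}
    return out


DAYS = [1_100_000, 900_000, 1_300_000, 1_000_000, 1_200_000, 800_000, 1_100_000]
PULLS = [20_000_000, 25_000_000, 18_000_000, 22_000_000, 30_000_000, 19_000_000, 24_000_000]
HISTORY = {  # constructed 7-day profiles for two workstations
    "10.3.0.21": {"out_external": DAYS, "in_internal": PULLS, "countries": {"US"}, "hours": set(range(8, 19))},
    "10.3.0.22": {"out_external": DAYS, "in_internal": PULLS, "countries": {"US"}, "hours": set(range(8, 19))},
}


def at(hour, minute):
    return datetime(2013, 3, 5, hour, minute)


TODAY_FLOWS = [  # constructed: .22 behaves normally; .21 drains a file server at night and ships it abroad
    Flow(at(10, 0), "10.3.0.22", "203.0.113.10", 600_000),
    Flow(at(14, 0), "10.3.0.22", "203.0.113.11", 400_000),
    Flow(at(11, 0), "10.3.1.5", "10.3.0.22", 21_000_000),
    Flow(at(9, 0), "10.3.0.21", "203.0.113.10", 500_000),
    Flow(at(2, 50), "10.3.1.5", "10.3.0.21", 2_100_000_000),
    Flow(at(3, 15), "10.3.0.21", "198.51.100.20", 48_000_000),
]

if __name__ == "__main__":
    for host, r in concern_indices(TODAY_FLOWS, HISTORY).items():
        print(host, r["index"], r["findings"])
```

The index is only as good as the profile behind it: the 3-sigma band is wide enough that 10.3.0.22's ordinary day scores nothing, while 10.3.0.21 trips all four checks. The findings list is what an analyst actually reads; the number only orders the queue, which is the "output requires interpretation" cost from the previous slide.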
NBAD Detection - Anomaly
• Service Traffic Threshold Anomaly
NBAD Detection - Anomaly
• Service Type Anomaly
NBAD Detection - Anomaly
• Geographic Traffic Anomaly
NBAD Detection - Anomaly
• Time of Day Anomaly
NBAD Detection - Anomaly
• Geographic User Anomaly
NBAD Detection - Anomaly
• Data Hoarding
NBAD Detection - Anomaly
• Data Disclosure
Overview – Specific NBAD Breaches
• Health Care vs. State Sponsored
• State/Local Government vs. Organized Crime
• Agriculture vs. State Sponsored
• Higher Education vs. State Sponsored
• Manufacturing vs. Activists
Patient Data to East Asia
• Victim Vertical: Healthcare
• Probable Assailant: State Sponsored
• Objective: Theft of patient healthcare records
• Motivation: Geopolitical/Martial
• Methodology:
  • Keylogging malware
  • Configuration change of infrastructure
• NBAD Type: Enforcement Monitoring
Geographical Anomaly
Cardholder Data to East Europe
• Victim Vertical: State/Local Government
• Probable Assailant: Organized Crime
• Objective: Theft of cardholder data
• Motivation: Profit
• Methodology:
  • ColdFusion exploit of the payment web server
  • Recoded application
  • Staged data on the server; uploaded to an East European FTP server
• NBAD Type:
  • Geographic Anomaly
  • Traffic Anomaly
Geographical Traffic Anomaly
Intellectual Property to East Asia
• Victim Vertical: Agriculture
• Probable Assailant: State Sponsored
• Objective: Theft of food production IP
• Motivation: Profit/National Competition
• Methodology:
  • Spearphish of an administrator
  • Pivot via VPN
  • Pivot via monitoring servers
  • Direct exfiltration
• NBAD Type:
  • Geographic Traffic Anomaly
  • Geographic User Anomaly
  • Traffic Anomaly
Recon from Monitoring Servers
Geographical Anomaly
Theft of Research Data
• Victim Vertical: Higher Education
• Probable Assailant: State Sponsored
• Objective: Theft of sensitive research data
• Motivation: Geopolitical/Martial
• Methodology:
  • Direct access to exposed RDP servers
  • Brute force of credentials
• NBAD Type:
  • Service Traffic Anomaly
  • Geographic Traffic Anomaly
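What the service traffic anomaly in this case looks like in flow data alone: a burst of short, small flows to tcp/3389 from one source (failed logons) followed by one long, large flow from the same source (a logon that worked). The detector below is an added example, not the slides' or any product's code; the flows are constructed and the size and duration cut-offs are assumptions (a rejected RDP logon with NLA exchanges a few KB over a few seconds, a real desktop session runs for minutes and moves far more).

```python
"""Flow-level detection of credential brute force against an exposed RDP server followed by a
successful session. Added example; flows and cut-offs are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    bytes: int           # bytes from src to dst in this flow record
    duration_s: float


def bruteforce_then_session(flows, port=3389, min_attempts=50, window=timedelta(minutes=15),
                            attempt_max_bytes=20_000, attempt_max_secs=30,
                            session_min_bytes=200_000, session_min_secs=300):
    """For each (source, server) pair on the RDP port: at least `min_attempts` short, small
    flows inside `window` before one flow that is long or large enough to be a real session."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fl in by_pair.items():
        attempts = [f for f in fl if f.bytes <= attempt_max_bytes and f.duration_s <= attempt_max_secs]
        sessions = [f for f in fl if f.bytes >= session_min_bytes or f.duration_s >= session_min_secs]
        for s in sorted(sessions, key=lambda f: f.start):
            prior = [a for a in attempts if s.start - window <= a.start < s.start]
            if len(prior) >= min_attempts:
                findings.append({"src": src, "server": dst, "attempts": len(prior),
                                 "first_attempt": min(a.start for a in prior),
                                 "session_start": s.start, "session_bytes": s.bytes})
                break                                   # one finding per pair is enough
    return findings


T0 = datetime(2013, 3, 6, 2, 0)
SAMPLE_FLOWS = (
    # constructed: 120 failed logons five seconds apart from an external address, then a session
    # from the same address that stays up for 30 minutes
    [Flow(T0 + timedelta(seconds=5 * i), "198.51.100.77", "10.5.0.40", 3389, 4_000, 3.0) for i in range(120)]
    + [Flow(T0 + timedelta(minutes=11), "198.51.100.77", "10.5.0.40", 3389, 25_000_000, 1800.0)]
    # constructed: an administrator's ordinary session from inside, with no failed attempts before it
    + [Flow(T0 + timedelta(hours=7), "10.5.9.9", "10.5.0.40", 3389, 3_000_000, 900.0)]
)

if __name__ == "__main__":
    for finding in bruteforce_then_session(SAMPLE_FLOWS):
        print(finding)
```

Keying on the (source, server) pair rather than on the server alone is what separates this from a plain scan or threshold alarm: the administrator's session on the same server is untouched, and the alarm fires on the first session that follows the attempts rather than after the attacker has already had the host for an hour. The geographic side of the same case (a new country appearing on 3389) is the country-set comparison from the anomaly example earlier in the deck.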
Traffic Anomaly
Theft of Customer Data
• Victim Vertical: Manufacturing
• Probable Assailant: Activist
• Objective: Publish stolen customer data
• Motivation: Embarrassing Victim
• Methodology:
  • SQL injection into the customer portal
• NBAD Type:
  • Recon detection
  • Traffic anomaly to the Internet
  • Traffic anomaly from the DB to the web server
Recon before SQLi
Anomalous Data Exfiltration
Catching Breaches with NBAD
Charles Herring
@charlesherring
http://f15hb0wn.com
Questions?