embracing the chaos
Mark Lorenc, lorencm@ornl.gov
Post on 19-Dec-2015
Managed by UT-Battelle for the U.S. Department of Energy
• cyber security geek
• ORNL for a year
• formerly unix sysadmin
• open networks
virtual computing data cloud
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
“What could possibly go wrong?”
“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
netflow version 5
• source IP address
• destination IP address
• next hop router IP address
• packet count
• byte count
• source port
• destination port
• TCP flags
• layer 4 protocol
• time at start of flow
• time at end of flow
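A decoder for the v5 export format those fields come from, added here as an example and not part of the slides. The datagram it parses is constructed for the demonstration (reusing the ORNL addresses that appear on later slides, with TEST-NET placeholders for the next hop and the HTTP server), and it rejects truncated or non-v5 datagrams rather than reading past the buffer.

```python
"""Decode a NetFlow v5 export datagram into the per-flow fields listed above."""
import socket
import struct
from datetime import datetime, timezone

HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_netflow_v5(data: bytes) -> list[dict]:
    """Return one dict per flow; reject non-v5 or truncated datagrams instead of guessing."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, sys_uptime, unix_secs, unix_nsecs, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError(f"truncated: header promises {count} records")
    # First/Last are router uptime in ms; anchor them to the export wall-clock time.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000
    flows = []
    for i in range(count):
        (src, dst, nexthop, _in, _out, pkts, octets, first, last, sport, dport,
         _pad, flags, proto, *_) = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop), "packets": pkts, "bytes": octets,
            "src_port": sport, "dst_port": dport, "protocol": proto,
            "tcp_flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
            "start": datetime.fromtimestamp(boot_epoch + first / 1000, tz=timezone.utc),
            "end": datetime.fromtimestamp(boot_epoch + last / 1000, tz=timezone.utc),
        })
    return flows

def sample_datagram() -> bytes:
    """Constructed datagram (not captured traffic): a DNS query flow and an HTTP flow, exported
    at 2009-05-22 19:17:59 UTC after 3600 s of uptime; 192.0.2.1 / 203.0.113.10 are TEST-NET."""
    header = HEADER.pack(5, 2, 3_600_000, 1_243_019_879, 0, 1, 0, 0, 0)
    a = socket.inet_aton
    dns = RECORD.pack(a("128.219.232.138"), a("160.91.1.30"), a("192.0.2.1"), 1, 2,
                      1, 73, 3_599_000, 3_599_050, 62031, 53, 0, 0x00, 17, 0, 0, 0, 24, 24, 0)
    http = RECORD.pack(a("160.91.20.87"), a("203.0.113.10"), a("192.0.2.1"), 1, 2,
                       12, 4_800, 3_590_000, 3_599_900, 49211, 80, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + dns + http

if __name__ == "__main__":
    for flow in parse_netflow_v5(sample_datagram()):
        print(flow)
```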
SANS top 10?
hot botnet of the week?
today's current spearphishing attack?
long term trending?
advanced host / network filtering?
unflattering Halloween costume?
flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others
flow-tools
discrete remote IPs and timestamps
database of your liking
grind through data, possibly index
profit!
problems:
• easy to get lost in the minutiae
• duplication of work amongst analysts
• make sure your datasets are complete
solutions:
• documentation is the sad answer
• mailing lists
• command line entries
• full blown ticketing system (please no)
• sit everyone in the same room
DNS Logs
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
URL Common Logs (urlsnarf)
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
Homebrew data sources
#!/bin/bash
# Count established connections to local port 9997: total sessions and distinct remote IPs.
# The sed strips everything up to the local ":9997 " column and then the remote port, leaving the remote IP.
unique=$(netstat -an | grep ':9997' | grep EST | sed -e 's/.*:9997 *//' -e 's/:.*//' | sort -u | wc -l)
total=$(netstat -an | grep ':9997' | grep EST | wc -l)
echo "netstat total=$total unique=$unique"
Windows Event Logs
A few notes about windows event logs for the brave...
• Different operating systems have different codes
• Overloaded variable names exist in one event
• Inconsistent formats between applications
• Forced API usage – no flat text file interface
• Difficult to adjust what should or should not be logged
• Designed around forensics and not discovery
PCAP – raw data capture
• your largest dataset
• easily the hardest to use
• computationally intensive
• smoking gun (unless the traffic is encrypted...)
• location of the tap?
• software used?
• tcpdump, time machine, wireshark, tshark... many technologies
All of these technologies can be combined to create something beautiful!
thanks!