Long Term Packet Capture in Critical Infrastructures
Creating a Circle of Goodness for Security Operations
Introduction
Michael Meason, Manager of Technical Service - Western Farmers Electric Cooperative
Telecommunications Engineering
Network Engineering/Operations/Maintenance
Cyber Security Operations and Critical Infrastructure Protection
Letters
BS in CIS, MS in Telecommunications, CISSP, CSFI-DCOE, NSTISSI 4011 4015, CNSSI 4012 4013 4014 4016
Others
Husband/Father, KG5DQA, Aviation, @SigmetXray
Employer: Western Farmers Electric Cooperative
WFEC supplies the electrical needs of more than two-thirds of the
geographical region of Oklahoma, part of New Mexico, as well as small portions of Texas and Kansas
The Circle of Goodness (C.O.G.)
Industrial Control Systems... That’s What We Do.
This is what we protect, but...
Lessons learned can be applied to any infrastructure that is critical to your business or operations
Don’t dismiss the methodology as inherent to control systems
Imagine if You Could...
Go back in time 2-8 weeks when an intrusion event occurs
Set the needle pre-event
DeLorean + Flux Capacitor + 1.21 Gigawatts = Network Data Recorder
Security Value
Reconstruct the Sequence of Events (SOE)
Incident response
Situational Awareness
Packet Analysis
Packet Retention
Protocol Analysis
Operational Malfunctions
Evasion Techniques
Baseline Traffic
IOC Replay
Operational Value
Identify operational misconfigurations
High frequency low impact operational events
iLO & DRAC (DHCP Request Broadcast)
Other awesome examples
Low frequency high impact events
Monday night outages (sending syslogs for all file opens and closes, and old syslog servers)
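The iLO/DRAC case above is the kind of high-frequency, low-impact noise a network data recorder makes visible after the fact. As an added example that is not from the talk, the following pure-stdlib Python script reads archived classic pcap data and flags source MACs whose DHCP broadcasts repeat in every hour of the capture, the signature of a management controller left on a VLAN with no DHCP server. The frame builder, MAC addresses and timestamps are constructed sample input; the hourly window and the threshold of 10 are assumed tuning values.

```python
import struct
from collections import Counter

BCAST_MAC = b"\xff" * 6                                  # Ethernet broadcast destination

def build_dhcp_discover(src_mac):
    """Constructed Ethernet/IPv4/UDP frame: DHCP BOOTREQUEST from 0.0.0.0 to 255.255.255.255."""
    bootp = b"\x01" + b"\x00" * 235                      # op=BOOTREQUEST, remaining fields zeroed
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # client port 68 -> server port 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return BCAST_MAC + src_mac + b"\x08\x00" + ip + udp

def build_pcap(records):
    """Wrap (timestamp, frame) pairs in a classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (timestamp, frame) from a little-endian classic pcap blob (pcapng is not handled)."""
    off = 24                                             # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def is_dhcp_broadcast(frame):
    """True for an Ethernet broadcast carrying IPv4 (0x0800) / UDP (proto 17) to UDP port 67."""
    if len(frame) < 42 or frame[:6] != BCAST_MAC or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False
    # UDP destination port sits 2 bytes into the UDP header, which follows the variable-length IPv4 header
    return struct.unpack_from("!H", frame, 14 + (frame[14] & 0x0F) * 4 + 2)[0] == 67

def chatty_dhcp_clients(pcap, window_s=3600, threshold=10):
    """Return {src_mac: peak count} for clients sending >= threshold DHCP broadcasts in one window."""
    per_bucket = Counter()                               # (mac, hour bucket) -> broadcasts seen
    for ts, frame in iter_pcap(pcap):
        if is_dhcp_broadcast(frame):
            per_bucket[(frame[6:12].hex(":"), int(ts // window_s))] += 1
    flagged = {}                                         # an unanswered client repeats in every bucket
    for (mac, _), n in per_bucket.items():
        if n >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), n)
    return flagged

def demo():
    noisy, quiet = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")   # constructed MACs
    records = [(1_700_000_000 + 300 * i, build_dhcp_discover(noisy)) for i in range(24)]   # 2 h, every 5 min
    records.append((1_700_000_100, build_dhcp_discover(quiet)))   # one normal host, a single Discover
    return chatty_dhcp_clients(build_pcap(sorted(records)))
```

Point the same functions at a real NDR export (one pcap file per retention slice) and the per-bucket counts double as a broadcast baseline for the segment.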
The Circle of Goodness (C.O.G.)
Organizational Value
Importance of relationship between SOT and operations (OT/IT)
The NDR is a relationship “enhancer”
Help OT/IT help themselves
The Circle of Goodness (C.O.G.)
Survey of the Tools: Commercial Network Data Recorders (NDR)
Wildpackets
GigaStor - Network Instruments
Solera DeepSee Blackbox Recorder
Survey of Tools: Open Source
Wireshark
TCPDump
DaemonLogger (Martin Roesch)
Moloch
Commercial -VS- Open Source
How is commercial different from TCPDump and Uber Storage?
Color coded results
Easily filtered
Easily searched
Organized by timelines
Forensic search capabilities
Packet analysis capabilities
Commercial -VS- Open Source
Integration of hardware/software
Front end/back end integration challenges
You need ninja-level foo
There is, however, possibly a down-and-dirty solution
Not a Silver Bullet
A tool in the belt
Nosce Te Ipsum (Literally)
Systems don’t secure systems
Active hunting
Link between controls and reality
The Circle of Goodness (C.O.G.)