Download pdf - SecOps Face Off · Forensic investigation and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL STEP Upon first receiving the alert about the potential brute force attack, the

Transcript
Page 1: SecOps Face Off · Forensic investigation and damage assessment begins. 1 TOOL REQUIRED 1 MANUAL STEP Upon first receiving the alert about the potential brute force attack, the

Failed Login Attempts

Analyst manually queries network flow logs, DB logs, and client logs, if available.

Analyst is no longer able to obtain forensic evidence

from DB logs about exactly which data, and how much,

was taken.

Several failed logins by a client on a sensitive database. Potential brute force login attempt.

Successfully Logged In

Client successfully logs into sensitive DB.

Client attempts to initiate download of data from DB. Database responds in affirmative and commences delivering data.

Client instructs DB to delete audit table (logs).

Client initiates FTP session with strange IP address outside corporate IP space.

STOP

Multi-Tool Workflow

Reveal(x) Multi-Tool Workflow

Analyst receives alert identifying IP address of suspicious client and must query DHCP logs and CMDB for contextual information about the client.

Analyst manually gathers database logs, if available.

Analyst manually checks SIEM for logs of the suspicious IP address accessing the DB, if available.

DHCP LOGS

Analyst manually checks LDAP logs or other auth logs to understand the relationship between the client and DB in question.

LDAP LOGS

Automatically detected. Forensic evidence, including

all transaction details and packets between client and DB automatically

gathered and correlated.

DATABASE LOGS

DATABASE LOGS

SIEM

SIEM

POTENTIAL BRUTE FORCE ALERT

BRUTE FORCEDETECTED

Analyst is provided

evidence of suspicious DB access and can

proactively assess the situation and

respond.

Analyst manually queries DB logs.

Analyst manually queries logs from client via SIEM, if available.

WIR

E DATA

LOG

S/AG

ENTS

7 TOOLS REQUIRED

9 MANUAL STEPS

DATA DOWNLOADED

LOGS DELETED

FTP CONNECTION WITH EXTERNAL IP ADDRESS

FLOW LOG PROVIDER

Analyst consults packet-capture solution, and downloads multi-Gigabyte PCAP file to examine in Wireshark. The file takes several minutes to open, and much longer to manually comb through for evidence of malicious action by the client on the database.

PCAP & WIRESHARK

If no transaction-level detail or DB logs available, analyst must conjecture whether or not data was delivered, and what it might have been.

DATABASE LOGS

Analyst manually queries logs for internal client, if available.

SIEM

Analyst manually queries flow data between client and External IP address, which indicates volume of data transferred, but doesn’t have filenames or other forensic details.

FLOW

Analyst downloads new PCAP of all transactions with the suspicious client and examines in Wireshark.

WIRESHARK

Reveal(x) sees exactly which data the client is attempting

to download by decoding the contents of the client

request and DB responses, so analysts can determine

instantly whether or not the action is malicious.

Reveal(x) sees client initiate FTP session with external

client, and sees exactly which files are being transferred,

providing further conclusive evidence and forensic detail about the malicious action.

Reveal(x) sees the client issue a DROP command against the audit table,

which should never be done, proving incontrovertibly that

this is a malicious action.

ALERTNew alert is not correlated with earlier suspicious behavior from this client.

Having spent several hours, or even days, manually investigating separate alerts about the same attack, the security analyst discovers that sensitive data has been exfiltrated, and initiates a painful forensic investigation and reporting process.

Forensic investigation and damage assessment begins.

1 TOOL REQUIRED

1 MANUAL STEP

Upon first receiving the alert about the potential brute force attack, the analyst cut off access to the DB for the suspicious client, then drilled down to transaction details and packets using Reveal(x) to confirm that the DB access was malicious.

Attack averted.

GRAND TOTALS

SecOps Face Off:

CUSTOMER VALUE

Reveal(x)

95%IMPROVEMENT IN TIME TO DETECT

77%IMPROVEMENT IN TIME TO RESOLVE

59%REDUCTIONIN STAFF TO RESOLVE

Automated Investigation vs. Manual Meltdown

EXTRAHOP.COM/REVEALX

UNPRECEDENTED VISIBILITY. DEFINITIVE INSIGHTS. IMMEDIATE ANSWERS.

See how Reveal(x) automates security workflows for faster detection, investigation, and remediation.

ALERT OVERLOAD. MANUAL INVESTIGATION.ENDLESS GUESSWORK.

ATTACK AVERTEDFURTHER INVESTIGATION OF THE INCIDENT CAN OCCUR WITHOUT

FEAR OF DAMAGE.

Recommended

07 Brute Force
07 Brute Force Documents
Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ? Technology
Brute Force Algorithm
Brute Force Algorithm Documents
wb brute 'I'llk
wb brute 'I'llk Documents
Dev secops engineering-marketing-sheet
Dev secops engineering-marketing-sheet Technology
BRUTE® containers
BRUTE® containers Documents
Algoritma Brute Force
Algoritma Brute Force Documents
Powering the Practice of SecOps placeholder for cover
Powering the Practice of SecOps placeholder for cover Documents
These materials are © 2018 John Wiley & Sons, Inc. Any ... · and key SecOps roles (Chapter 1) Important SecOps capabilities (Chapter 2) How to evaluate SecOps tools (Chapter 3)
These materials are © 2018 John Wiley & Sons, Inc. Any ... · and key SecOps roles (Chapter 1) Important SecOps capabilities (Chapter 2) How to evaluate SecOps tools (Chapter 3) Documents
BRUTE MAGNUM · 2017-01-06 · BRUTE MAGNUM Page 5 Section 1 GENERAL INFORMATION USING THIS MANUAL – Because the Brute Magnum Boilers and Brute Magnum Water Heaters are identical
BRUTE MAGNUM · 2017-01-06 · BRUTE MAGNUM Page 5 Section 1 GENERAL INFORMATION USING THIS MANUAL – Because the Brute Magnum Boilers and Brute Magnum Water Heaters are identical Documents
Crowdsourcing SecOps Through REN -ISAC - Internet2 · Crowdsourcing SecOps Through REN -ISAC . Kim Milford, REN-ISAC Executive Director. Chris O’Donnell, REN-ISAC Lead Security
Crowdsourcing SecOps Through REN -ISAC - Internet2 · Crowdsourcing SecOps Through REN -ISAC . Kim Milford, REN-ISAC Executive Director. Chris O’Donnell, REN-ISAC Lead Security Documents
Blue Brute Web
Blue Brute Web Documents
Security at a Crossroad - Qualys · Agile SecOps. SecOps focus on monitoring & response. Drastically reduce security solutions deployed after the fact. New generation of Security
Security at a Crossroad - Qualys · Agile SecOps. SecOps focus on monitoring & response. Drastically reduce security solutions deployed after the fact. New generation of Security Documents
Brute Force Algorithms
Brute Force Algorithms Documents
root brute force
root brute force Documents
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops world Engineering
The SecOps Playbook · 2018-01-05 · THE SECOPS PLAYBOOK • 6 PrACTICAL STEPS TO SuCCEEd AT SECOPS 4 Here are the six steps that we consider necessary to succeeding with SecOps
The SecOps Playbook · 2018-01-05 · THE SECOPS PLAYBOOK • 6 PrACTICAL STEPS TO SuCCEEd AT SECOPS 4 Here are the six steps that we consider necessary to succeeding with SecOps Documents
EMA Report Summary: Integrating SecOps With Operations ... · PDF fileReport Summary – Integrating SecOps With Operations, Development, and ITSM in the Age of Cloud and Agile PAGE
EMA Report Summary: Integrating SecOps With Operations ... · PDF fileReport Summary – Integrating SecOps With Operations, Development, and ITSM in the Age of Cloud and Agile PAGE Documents