www.wildpackets.com © WildPackets, Inc.
Forensics Backwards and Forwards with Omnipeek
March 2015
Keatron Evans
Security Researcher
@infoseckeatron
Agenda
• The Bad Guys Are Winning
• Security Attack Analysis with Network Forensics
How are we doing?
• Ok, but not great…
• Bad guys are getting more advanced and organized.
• We keep doing the same things.
• We’re defending against last year’s attacks.
• They’ve moved on to newer and better.
The good!
• FireEye, BlueCoat, and other advanced threat detection/prevention technology
• Great for telling us something is wrong
• Time gap from breach to notification is improving... slowly.
The Bad!
• Most security teams are missing key skills and threat/attack knowledge.
• They are often limited to whatever the expensive boxes can automate.
The bad!
• Not only are they losing...
• They’re not even in the game.
‒ Many security personnel have become spectators, watching the threat actors and their appliances do battle.
Network Forensics
• Find needles in haystacks! Big haystacks...
• Once the needles are found, put “some” hay back to gain context (what, when, where, how).
• Put together the pieces.
• Operating systems and host-based forensics tools can be made to lie (anti-forensics techniques/rootkits).
• Packets always tell the truth.
Timeline of Events
• Something has happened!
‒ FireEye
‒ BlueCoat
‒ Cisco IDS/IPS
• What has happened and where’s the evidence?
‒ Omnipeek and OmniPliances
‒ Custom Scripts
• Let’s examine the evidence in detail and keep this from happening again.
‒ IDA Pro
‒ Malware Reverse Engineering
‒ File and Data Analysis
What I’ll demonstrate
• Client-side web browser exploit
• Covert channel attack
• Then forensics on both using just packet data (pcaps) and Omnipeek.
Summary
• We need to stop the “Bad Guys” from winning.
‒ Analysts and security professionals need to get back in the game!
‒ Omnipeek is a great bridge between the big data hardware/appliances and malware/attack tool reversing.