Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ zero-day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time. Reports cataloging trends in data breaches reveal a systematic problem in our ability to detect that they ever occurred. Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are needed.

The purpose of the session is to review how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks. These technologies can be used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic. We will demonstrate how these records can be used to discover active attacks in each phase of the attacker’s “kill chain.” We will also cover how these records can be utilized to determine the scope of successful breaches and document the timeline of the attacks.

The session will demonstrate:
- Using NetFlow for Forensic Investigations and Compliance
- NetFlow to process historical Indicators of Compromise (IOC)
- Using NetFlow for signature and behavioral detection of advanced attackers
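To make the second and third bullets concrete, here is an added example (written for this page, not code from the session or from Lancope) of retroactive IOC processing over an archived flow export: newly learned indicators are matched against historical flow records, the matches are turned into a per-host breach scope (first and last contact, bytes in each direction, external peers), and internal-to-internal flows on administrative ports after a host's first IOC contact are flagged as candidate lateral movement for the incident timeline. The flow records are constructed for illustration; the column names (`ts`, `te`, `pr`, `sa`, `da`, `sp`, `dp`, `ipkt`, `ibyt`) follow an nfdump-style CSV export and, like the `INTERNAL_NETS`, `ADMIN_PORTS` and IOC addresses, are assumptions of this example.

```python
"""Retroactive IOC matching, breach scoping and timeline from a NetFlow export.

Added example, not from the session or Lancope. The flow records, IOC list,
internal ranges and admin-port list are constructed assumptions.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed flow export; column layout mimics an nfdump-style CSV dump.
# NetFlow is unidirectional: ibyt counts bytes sent from sa to da.
FLOW_EXPORT = """\
ts,te,pr,sa,da,sp,dp,ipkt,ibyt
2015-03-01 08:00:00,2015-03-01 08:00:30,TCP,10.1.40.9,10.1.30.7,49001,445,20,3000
2015-03-02 01:14:05,2015-03-02 01:14:07,TCP,10.1.20.15,198.51.100.23,51234,443,12,1800
2015-03-02 01:14:05,2015-03-02 01:14:07,TCP,198.51.100.23,10.1.20.15,443,51234,10,4200
2015-03-02 01:20:11,2015-03-02 01:20:12,UDP,10.1.20.15,10.1.0.53,53412,53,2,190
2015-03-03 03:02:44,2015-03-03 03:04:58,TCP,10.1.20.15,10.1.30.7,49812,445,400,52000
2015-03-04 02:10:02,2015-03-04 02:55:31,TCP,10.1.30.7,198.51.100.23,50112,443,9800,41000000
2015-03-04 09:31:00,2015-03-04 09:31:01,TCP,10.1.40.9,203.0.113.77,50201,80,8,1200
"""

# Indicators learned after the fact (constructed C2 addresses).
IOCS = {"198.51.100.23", "203.0.113.77"}
# Address space considered "inside" (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Destination ports treated as lateral-movement channels (assumption).
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


def parse_flows(export_text):
    """Parse the CSV export into dicts with typed timestamps, ports and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        flows.append({
            "start": datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S"),
            "end": datetime.strptime(row["te"], "%Y-%m-%d %H:%M:%S"),
            "proto": row["pr"],
            "src": row["sa"], "dst": row["da"],
            "sport": int(row["sp"]), "dport": int(row["dp"]),
            "packets": int(row["ipkt"]), "bytes": int(row["ibyt"]),
        })
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def match_iocs(flows, iocs):
    """Every archived flow whose source or destination is a known indicator."""
    return [f for f in flows if f["src"] in iocs or f["dst"] in iocs]


def breach_scope(hits):
    """Per internal host: first/last IOC contact, bytes each way, external peers."""
    scope = {}
    for f in sorted(hits, key=lambda f: f["start"]):
        internal, external = (f["src"], f["dst"]) if is_internal(f["src"]) else (f["dst"], f["src"])
        if not is_internal(internal):
            continue  # IOC-to-IOC traffic carries no internal host to scope
        entry = scope.setdefault(internal, {
            "first_seen": f["start"], "last_seen": f["end"],
            "bytes_out": 0, "bytes_in": 0, "peers": set(),
        })
        entry["last_seen"] = max(entry["last_seen"], f["end"])
        if f["src"] == internal:
            entry["bytes_out"] += f["bytes"]  # host -> IOC: possible exfiltration
        else:
            entry["bytes_in"] += f["bytes"]   # IOC -> host: possible payload delivery
        entry["peers"].add(external)
    return scope


def lateral_candidates(flows, scope):
    """Internal-to-internal flows on admin ports from a scoped host, only after
    that host's first IOC contact; earlier admin traffic is treated as baseline."""
    return [
        f for f in flows
        if f["src"] in scope
        and is_internal(f["dst"])
        and f["dport"] in ADMIN_PORTS
        and f["start"] >= scope[f["src"]]["first_seen"]
    ]


def timeline(flows, iocs):
    """Chronological lines for the incident report: IOC contacts and lateral candidates."""
    hits = match_iocs(flows, iocs)
    scope = breach_scope(hits)
    events = [(f["start"], f"{f['src']} -> {f['dst']}:{f['dport']} {f['bytes']} B (IOC contact)")
              for f in hits]
    events += [(f["start"], f"{f['src']} -> {f['dst']}:{f['dport']} {f['bytes']} B (possible lateral movement)")
               for f in lateral_candidates(flows, scope)]
    return [f"{ts:%Y-%m-%d %H:%M:%S} {msg}" for ts, msg in sorted(events)]


if __name__ == "__main__":
    for line in timeline(parse_flows(FLOW_EXPORT), IOCS):
        print(line)
```

Run as a script it prints the five-line timeline: the initial C2 contact from 10.1.20.15, the SMB session from that host to 10.1.30.7 a day later, the large outbound transfer from 10.1.30.7 to the same C2 address, and the later contact from 10.1.40.9; the earlier SMB flow from 10.1.40.9 is not flagged because it predates that host's first IOC contact. In practice the export would come from the collector's query tool rather than an inline string, and the IOC set would be refreshed from threat intelligence feeds as new indicators are published.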
About Charles Herring
Charles Herring is Consulting Security Architect at Lancope. Charles spent 10 years on active duty with the US Navy. His last position in the Navy was as the Lead Network Security Analyst for the Naval Postgraduate School. After leaving the Navy, he spent six years consulting with the Federal government as well as serving as a contributing network security product reviewer for the InfoWorld Test Center. Charles spends much of his time assisting enterprise organizations with detecting and responding to advanced and insider attacks.