Network Forensic Analysis in an Encrypted World

Presented at BSidesLV 2017, July 26, 2017, 11 a.m. (55 minutes).

The movement to encrypt network communications has created a new set of challenges and critical choices for information security and risk operations personnel and executives. Network security monitoring (NSM) and network forensics is essential to secure a modern enterprise but many wonder if the changing landscape will shift the balance of power to attackers. While encryption renders many legacy network security monitoring tools useless, there are compelling cases for maintaining user privacy. This talk will examine how the increasing adoption of encryption in common network protocols impacts security architectures and present new techniques to build threat intelligence and detection streams that operate on top of encrypted traffic. Further, the talk will present research and statistics based upon the techniques to show how real threat actors have been detected and shut down even when hiding behind the veil of encryption. The talk will close by presenting a maturity model helping organizations to understand their maturity level in terms of monitoring encrypted traffics. Attendees will leave no longer wondering how encrypting "all the things" prevents their team from analyzing those things.

Presenters:

  • Justin Warner - Principal Security Engineer - ICEBRG
    Justin Warner (@sixdub) is a security engineer at ICEBRG focusing on helping customers to gain large visibility into their enterprise and ultimately detect and analyze malicious activity. Justin is an Air Force Academy graduate, former USAF Cyber Ops officer, and former red team lead at a consulting company where he focused on adversary emulation operations against several fortune 100 companies as well a federal, state, and local government organizations. Justin has a passion for threat research, reverse engineering, and red team operations. Justin actively develops on numerous open source projects and has spoken at several conferences including CarolinaCon, BSidesLV and several other BSides events.
  • William Peteroy - Co-Founder and CEO - ICEBRG
    William has over a decade of experience in network and software security. Prior to co-founding ICEBRG, William worked in a number of business and technical leadership positions as a Technical Lead, Technical Director and Subject Matter Expert for the Department of Defense (DoD) as well as a Security Strategist at Microsoft. While at Microsoft, he represented the Microsoft Security Response Center on Microsoft's Crypto Board, focusing on encryption and privacy, including driving the deprecation of RC4 and SHA1 in Windows 8.1 and Windows 10. William holds a Master's of Science in Engineering and Computer Science from the Johns Hopkins Whiting School of Engineering and served as an instructor at the National Cryptologic School at Fort Meade, a researcher at Dartmouth College and speaks regularly at global information security conferences including RECON, DerbyCon, SECTOR, Kiwicon, ACSC and a number of Security BSides.

Links:

Similar Presentations: