Verifying network IoC hits in millions of packets

Presented at TROOPERS18 (2018), March 14, 2018, 5:20 p.m. (Unknown duration)

Detection of a network breach usually leads to a number of single-packet "Indicators of Compromise" (IoC) hits located in a pile of millions of network packets. This talk will walk through an example of extracting the full conversation flow for each hit with little manual effort, so that events can be qualified as true or false positives.

A common approach to investigating networks for Indicators of Compromise is to gather network packets from Internet uplinks or other network locations (e.g. traffic for servers suspected of being compromised). The amount of data recorded can vary from a few MByte to hundreds of GByte or even TByte in some cases.

Tools like Snort or Suricata can be used to scan for malicious patterns in an efficient way, but they usually return single-packet hits. IDS/IPS systems deployed at strategic locations have the same issue - it is quite difficult for analysts to qualify a hit based on one packet alone. Having the full conversation would allow inspecting request and response details, and I'll show how to do that in an easy way, even if the pile of packets is really huge.
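The step the abstract describes, turning a single-packet hit into the full conversation, shown as an added example that is not from the talk and not TraceWrangler code: a pure-Python libpcap reader groups Ethernet/IPv4 TCP and UDP packets into direction-independent flows and returns every packet belonging to the flow an IDS alert's 5-tuple points at. The pcap, addresses and HTTP payloads are constructed in memory so the script runs offline; the hit list stands in for whatever Snort or Suricata reported.

```python
"""Extract full bidirectional conversations for single-packet IDS hits.

Added example, not from the talk: a minimal libpcap reader that groups
IPv4 TCP/UDP packets into flows and returns the whole flow for each
IDS hit 5-tuple. All packet data below is constructed for the demo.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution libpcap
LINKTYPE_ETHERNET = 1


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key: both sides of a conversation map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def build_tcp_frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap (timestamp_seconds, frame_bytes) pairs into a libpcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = round((ts - sec) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (ts, proto, src, sport, dst, dport, payload) per IPv4 TCP/UDP packet."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcaps are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over plain Ethernet; skipped in this example
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = ip_str(frame[26:30]), ip_str(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:          # TCP: honour the data offset
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:        # UDP: fixed 8-byte header
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        else:
            continue
        yield (sec + usec / 1e6, proto, src, sport, dst, dport, payload)


def conversations_for_hits(pcap, hits):
    """Map each IDS hit 5-tuple (proto, src, sport, dst, dport) to its full flow."""
    flows = defaultdict(list)
    for pkt in iter_packets(pcap):
        flows[flow_key(*pkt[1:6])].append(pkt)
    return {hit: flows.get(flow_key(*hit), []) for hit in hits}


# Constructed capture: one HTTP conversation interleaved with an unrelated SYN.
SAMPLE_PCAP = build_pcap([
    (1.0, build_tcp_frame("10.0.0.5", "198.51.100.7", 49152, 80, flags=0x02)),
    (1.1, build_tcp_frame("198.51.100.7", "10.0.0.5", 80, 49152, flags=0x12)),
    (1.2, build_tcp_frame("10.0.0.5", "198.51.100.7", 49152, 80,
                          b"GET /update.php HTTP/1.1\r\n\r\n")),
    (1.3, build_tcp_frame("10.0.0.9", "203.0.113.2", 51000, 443, flags=0x02)),
    (1.4, build_tcp_frame("198.51.100.7", "10.0.0.5", 80, 49152,
                          b"HTTP/1.1 200 OK\r\n\r\n")),
])

# A rule match usually yields only the one packet that matched (here the GET).
HITS = [(6, "10.0.0.5", 49152, "198.51.100.7", 80)]

if __name__ == "__main__":
    for hit, packets in conversations_for_hits(SAMPLE_PCAP, HITS).items():
        print("hit", hit, "->", len(packets), "packets in conversation")
        for ts, proto, src, sport, dst, dport, payload in packets:
            print(f"  {ts:.1f} {src}:{sport} -> {dst}:{dport} {payload!r}")
```

Running it prints the four packets of the flagged conversation (SYN, SYN/ACK, request, response) and leaves the unrelated SYN out, which is exactly what an analyst needs to judge the hit. The 5-tuple key is the simplest possible flow definition: on a capture spanning hours the same client port can be reused for a new connection, so a tool meant for real investigations would additionally split flows on SYN/FIN/RST or an idle timeout, and would stream the file rather than hold it in memory.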


Presenters:

  • Jasper Bongertz
    Jasper Bongertz is a network security expert with a focus on network forensics and incident response at Airbus Defence and Space CyberSecurity. In 2013, he joined Airbus Defence and Space CyberSecurity, focusing on IT security, incident response and network forensics. Jasper is the creator of the packet analysis tool "TraceWrangler", which can be used to extract or edit packets and sanitize PCAP files. His blog regarding network analysis, network forensics and general security topics can be found at blog.packet-foo.com.
