Security Operations
Cyber Security operations – Malicious traffic analysis
Learning objectives
Can perform technical analysis of security information
Be able to perform traffic analysis to detect malicious activities.
Given a set of data related to an incident, be able to analyze the data and understand how the incident has been performed.
Indication of Compromise
Geolocation irregularities
Increase in database read volume
Nonstandard port activity
Unusual outbound network traffic
Malware
System crashes, slow system or browser response
Modified or missing files
Unfamiliar processes or services running, unknown TCP or UDP ports open
Evasion methods
Encryption and tunneling – hide or scramble the malware content
Resource exhaustion – keep the host device too busy to detect the invasion
Traffic fragmentation – split the malware into multiple packets
Protocol-level misinterpretation – sneak by the firewall
Pivot – use a compromised network device to attempt access to another device
Rootkit – allow the hacker to avoid detection as well as hide software installed by the hacker
Demo ARP Storm
arp.opcode == 1 : request
arp.opcode == 2 : reply
demo_arp-storm.pcap
Demo An attack attempt
Servers receive SYN requests, but clients should not: an inbound SYN to a client host is an unexpected connection attempt.
demo_unexpected_SYN.pcap
Demo ARP cache poisoning as an MITM attack
ARP request should be broadcast
demo_arp-MITM.pcap
| Role | Device Type | IP addr | MAC addr |
| --- | --- | --- | --- |
| Victim | Dell | 172.16.0.107 | 00:21:70:c0:56:f0 |
| Router | Cisco | | 00:26:0b:21:07:33 |
| Attacker | HP | 172.16.0.1?? | 00:25:b3:bf:91:ee |
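The ARP storm and ARP cache poisoning demos above both come down to the same checks an analyst applies in Wireshark: counting arp.opcode == 1 requests, spotting requests that are not broadcast, and noticing one IP being claimed by two MAC addresses in arp.opcode == 2 replies. The following is an added example (not part of the slides or of the demo captures) that runs those checks over constructed ARP frames modelled on the table above; the router's IP is not given on the slide, so the value 172.16.0.254 used below is a constructed stand-in.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def analyze_arp(frames, storm_threshold=50):
    """Scan ARP frames and return the three indicators discussed above.

    frames: iterable of dicts with keys opcode (1=request, 2=reply),
            sender_mac, sender_ip and eth_dst (Ethernet destination MAC).
    """
    ip_to_macs = defaultdict(set)   # IP -> every MAC that has claimed it
    findings = {"conflicts": {}, "unicast_requests": [], "request_count": 0}
    for f in frames:
        if f["opcode"] == 1:        # arp.opcode == 1 : request
            findings["request_count"] += 1
            if f["eth_dst"].lower() != BROADCAST:
                # ARP requests should be broadcast; one addressed to a single
                # station plants a cache entry without the rest of the LAN
                # seeing it, which is the poisoning pattern from the demo.
                findings["unicast_requests"].append((f["sender_mac"], f["eth_dst"]))
        elif f["opcode"] == 2:      # arp.opcode == 2 : reply
            claimed = ip_to_macs[f["sender_ip"]]
            claimed.add(f["sender_mac"].lower())
            if len(claimed) > 1:    # same IP answered by two different MACs
                findings["conflicts"][f["sender_ip"]] = sorted(claimed)
    # A flood of requests (ARP storm): threshold is a constructed, tunable value.
    findings["storm"] = findings["request_count"] >= storm_threshold
    return findings

VICTIM_MAC, ATTACKER_MAC = "00:21:70:c0:56:f0", "00:25:b3:bf:91:ee"
ROUTER_MAC = "00:26:0b:21:07:33"
# Constructed frames modelled on the demo_arp-MITM table; 172.16.0.254 is a
# stand-in for the router's IP, which the slide does not give.
SAMPLE_FRAMES = [
    {"opcode": 2, "sender_mac": VICTIM_MAC, "sender_ip": "172.16.0.107", "eth_dst": ROUTER_MAC},
    {"opcode": 1, "sender_mac": ATTACKER_MAC, "sender_ip": "172.16.0.254", "eth_dst": VICTIM_MAC},
    {"opcode": 2, "sender_mac": ATTACKER_MAC, "sender_ip": "172.16.0.107", "eth_dst": ROUTER_MAC},
]

if __name__ == "__main__":
    print(analyze_arp(SAMPLE_FRAMES))
```

On the sample, the victim's IP 172.16.0.107 ends up claimed by both the Dell and the HP MAC, and the HP's request to the victim is reported as unicast.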
Demo nmap
Almost all ports are closed => TCP RST replies
Thousands of TCP/UDP conversations
demo_nmap.pcapng
Demo demo_CyberEYE
CyberEYE is a popular Turkish-born tool used to create RAT executables and administer compromised hosts.
demo_nmap.pcapng
An alert generated by the IDS:
The Snort rule fires on the string ANA BILGI, which is Turkish for BASIC INFORMATION