US Cyber Crime Conference

Leesburg, VA | Sun, Apr 27 - Mon, Apr 28, 2014

Lethal Network Forensics

LETHAL NETWORK FORENSICS focuses on expanding your forensic mindset to include transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still had to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Whether your threats include nation-state actors, insider threats, script kiddies, or other online miscreants, the knowledge acquired in this course ensures you are prepared to face such dynamic adversaries in a rapidly changing environment.

This course provides you with the skill set necessary to investigate a compromised network environment or design solutions for an existing environment that will minimize the time and cost necessary to investigate a potential compromise in the future. We use hands-on exercises derived from real-world attacks to ensure you are prepared to address the threats that every Internet-facing network faces daily. Because the ephemeral nature of network-based data means that raw packet captures are not always available for analysis, we also discuss how to glean insight into past network activities from the variety of log data created by various infrastructure devices that operate on a typical network.

The material covers low-level packet capture approaches and techniques for using high-level data to scope a compromise, identify attack traffic, and root out network-based data theft. Students use a wide range of tools, including tcpdump, Wireshark, nfdump, Logstash, hex editors, visualization tools, and more.

Students receive the Linux-based SIFT Workstation, with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course. Using only open-source tools, we show how you can effectively conduct network investigations covering a wide range of attack profiles.

Course Syllabus
Course Contents
Section 1: Day 1
Overview

On day one, we will start with a brief review of how the network forensic discipline has evolved from its roots in the broader field of computer forensics. Students will learn about the different approaches necessary when investigating a live environment, including how to avoid introducing unintended data to the environment and how to avoid tipping off an attacker about the investigation. We will cover the means of acquiring network data and the formats used to store it, as well as how developers can extend tools' functionality and build custom features using standardized software libraries. We will also conduct a step-by-step review of an incident using evidence only from a web proxy server. Finally, we will address the use of NetFlow data, historically used for network management and optimization, as a means to quickly establish a high-level understanding of network incidents.

Exercises

Hands-on Exercises

  • Installing the Linux SIFT Workstation and Reviewing Network Forensic Tool Additions
  • Hands-on tcpdump and Wireshark
  • Carving Exfiltrated File from Packet Logs
  • NetFlow Analysis

Topics

Introduction

  • History of Network Forensics
  • Difference in mindset between computer forensics and network forensics
  • Operational security (OPSEC) concerns

Foundational Network Forensics Tools: tcpdump and Wireshark

  • tcpdump re-introduction
    • pcap file format
    • Berkeley Packet Filter (BPF)
  • Wireshark re-introduction
    • User interface
    • Display filters
    • Useful features for network forensic analysis

Network Evidence Sources and Types

  • Capture devices: hubs, taps, NetFlow
  • Logs as ancillary evidence sources

Packet Capture Applications and Data

  • Ephemeral nature of network data
  • libpcap storage format
  • Components of network acquisition strategies
    • Project management
    • Planning
    • Commercial solutions
    • Home-grown platforms
    • High-level analysis tools and utilities

Automated Tools and Libraries

  • Common tools that can facilitate large-scale analysis
  • Chaining tools together effectively
  • Libraries that can be linked to custom tools and solutions

Web Proxy Server Examination

  • Role of a web proxy
  • Proxy solutions - commercial and open source
  • Squid proxy server
    • Configuration
    • Logging
    • Automated analysis
    • Cache extraction

Introduction to NetFlow

  • Origins and evolution
  • NetFlow protocol
  • Architectural components

NetFlow Collection Approaches

  • Using the Splunk analysis suite to collect NetFlow
  • Commonly available enterprise-scale NetFlow collectors

Open-Source Flow Tools

  • Using open-source tool sets to examine NetFlow data
    • nfcapd and nfdump
    • nfsen
    • SiLK

 
Section 2: Day 2
Overview

During the second day, we will cover how to use visualization tools to provide overviews of large data sets and quickly identify leads for further investigation. We will also identify how HTTP server logs can provide key insights into an attacker's actions on a compromised server or during reconnaissance against their targets. Log data from firewalls and intrusion detection systems can also be leveraged because these devices are so ubiquitous in today's network environments. Given the varied sources and formats of log data, we will also cover how to effectively aggregate and analyze such data in a way that efficiently furthers the investigation. Finally, we will discuss some of the solutions available from the commercial software market that may be present in a victim environment or be worth considering for your own applications.

Exercises

Hands-on Exercises

  • Visualization of Large Data Sets
  • Parse Search Terms from HTTP URLs
  • Retrieving Firewall & IDS Configuration and Logs
  • Log Aggregation and Analysis

Topics

Visualization Techniques and Tools

  • Making big data sources easily digestible
  • Visually identifying trends and outliers

HTTP Server Logs

  • Log formats
  • Methods, return codes, additional headers
  • Analysis methods

Firewall and Intrusion Detection Systems

  • Repurposing infrastructure for investigations
  • Firewalls
    • Families of firewall solutions
    • Additional features
    • Syntax and log formats
    • iptables
    • Packet flow process
    • iptables as an intelligence tool
  • Intrusion Detection Systems
    • Rules and signatures
    • Families of IDS solutions
    • Snort
      • Configuration
      • Logging

Log Data Collection, Aggregation, and Analysis

  • Benefits of aggregation: scale, scope, independent validation, efficiency
  • Known weaknesses and mitigations
    • Reliability
    • Queuing
    • Security
  • SIEM tools
    • Splunk
    • ELSA
    • Logstash

Commercial Network Forensics

  • Common commercial platforms that you may encounter
  • Using existing platforms and tools in a client environment
  • Trade-offs between commercial and open-source solutions

 
Additional Information
 
Laptop Required

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

Your host system can run any 64-bit version of Windows, Mac OS X, or Linux as its core operating system, provided it can also install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that detects whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about their CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: A system based on a 64-bit Intel x64 2.0+ GHz processor or higher is mandatory for this class (Important - Please Read: a 64-bit processor is mandatory)
  • RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 6 GB of RAM or higher to get the most out of the course)
  • Host Operating System: Any version of Windows or Mac OS X that can also install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player)
  • Networking: Wireless 802.11 B, G, or N
  • DVD/CD Combo Drive
  • USB 2.0 or higher Port(s)
  • 200 Gigabyte Host System Hard Drive minimum
  • ~80 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)
  • Students must have Local Administrator access to their host operating system

MANDATORY SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

  1. Install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (higher versions are ok)
  2. Download and install 7Zip

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.