Chapter 12 Security Monitoring Operational Challenges
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Chapter 12 - Sections & Objectives
12.1 Security Monitoring and Encryption
12.2 Security Monitoring and Network Address Translation
12.3 Security Monitoring and Event Correlation Time Synchronization
12.4 DNS Tunneling and other Exfiltration Methods
12.5 Security Monitoring and Tor
12.6 Security Monitoring and Peer-to-Peer Communication
12.1 Security Monitoring and Encryption
Security Monitoring Challenges
Security Monitoring and Encryption
Encryption has great benefits for security and privacy
Encryption is used to protect information and communications by governments, corporations and individuals
It can also be used by threat actors for evasion and obfuscation: command-and-control, malware downloads and data exfiltration carried inside TLS look like ordinary traffic to a monitor that cannot decrypt them
Governments try to regulate the use and export of encryption technologies (Wassenaar Arrangement)
Law enforcement agencies often pressure vendors to leave certain investigative capabilities (backdoors or lawful-intercept hooks) in their software
The opposite position, "encrypt everything," advocates encrypting all traffic by default
Many security products can intercept, decrypt, inspect and re-encrypt encrypted traffic payloads (TLS/SSL decryption)
This is essentially a man-in-the-middle (MITM): the product presents its own certificate, so every client must trust the interception CA, applications that pin certificates will break, and the decryption point itself becomes a high-value target and a privacy concern
Security Monitoring Challenges
Security Monitoring and NAT
Network Address Translation (NAT) can present a challenge when you are performing security monitoring and analyzing:
• logs
• NetFlow and other data
Because a device's IP address appears in data collected outside the NAT boundary as the "translated" (mapped) address rather than its "real" (inside) address
The problem is even more pronounced with Port Address Translation (PAT), where many inside hosts share one translated address and are told apart only by the translated source port, so an outside flow cannot be attributed to a host without the port mapping
Security products like Lancope (now Cisco Stealthwatch) provide features that correlate and "map" translated addresses in NetFlow back to inside addresses using the firewall's NAT translation logs
The feature is called NAT stitching in Lancope
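The stitching idea in working form, as an added example that is not Lancope's or Cisco's code: the firewall logs each translation (the sample lines below are constructed, modelled on the Cisco ASA 302013 "Built ... connection" message, with real/mapped address pairs), the router outside the firewall exports flows that only ever show the PAT address, and the script joins the two on (mapped address, mapped port, peer address, peer port) to recover the inside host. Flows with no matching translation are flagged rather than silently attributed.

```python
import re

# Constructed firewall NAT log, modelled on the ASA 302013 format:
# "... for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
FIREWALL_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.1.1.5/51234 (198.51.100.1/40001)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.1.1.6/51234 (198.51.100.1/40002)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.77/25 (203.0.113.77/25) to inside:10.1.1.9/60000 (198.51.100.1/40003)
"""

# Constructed NetFlow-style records from the router *outside* the firewall:
# it only ever sees the single PAT address 198.51.100.1.
OUTSIDE_FLOWS = [
    {"src": "198.51.100.1", "sport": 40001, "dst": "203.0.113.50", "dport": 443, "bytes": 1200},
    {"src": "198.51.100.1", "sport": 40002, "dst": "203.0.113.50", "dport": 443, "bytes": 980000},
    {"src": "198.51.100.1", "sport": 40003, "dst": "203.0.113.77", "dport": 25, "bytes": 5100},
    {"src": "198.51.100.1", "sport": 40099, "dst": "203.0.113.77", "dport": 25, "bytes": 77},
]

NAT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<ifa>\w+):(?P<a_real>[\d.]+)/(?P<a_rport>\d+) \((?P<a_map>[\d.]+)/(?P<a_mport>\d+)\) "
    r"to (?P<ifb>\w+):(?P<b_real>[\d.]+)/(?P<b_rport>\d+) \((?P<b_map>[\d.]+)/(?P<b_mport>\d+)\)"
)


def build_nat_table(log_text):
    """Map (mapped_ip, mapped_port, peer_mapped_ip, peer_mapped_port) -> (real_ip, real_port).

    Both endpoints are indexed because either side may be translated; under PAT
    the inside host is only identifiable through the mapped source port.
    """
    table = {}
    for line in log_text.splitlines():
        m = NAT_RE.search(line)
        if not m:
            continue
        a = (m["a_real"], int(m["a_rport"]), m["a_map"], int(m["a_mport"]))
        b = (m["b_real"], int(m["b_rport"]), m["b_map"], int(m["b_mport"]))
        for (real_ip, real_port, map_ip, map_port), (_, _, peer_ip, peer_port) in ((a, b), (b, a)):
            table[(map_ip, map_port, peer_ip, peer_port)] = (real_ip, real_port)
    return table


def stitch(flows, nat_table):
    """Rewrite each outside flow's source to the real inside host when the
    firewall logged a matching translation; otherwise keep it and flag it."""
    stitched = []
    for f in flows:
        real = nat_table.get((f["src"], f["sport"], f["dst"], f["dport"]))
        rec = dict(f)
        if real:
            rec["src"], rec["sport"], rec["stitched"] = real[0], real[1], True
        else:
            rec["stitched"] = False  # no translation seen: a logging gap worth investigating
        stitched.append(rec)
    return stitched


def bytes_by_inside_host(stitched):
    """Attribute bytes per (now real) source address, which is what an
    analyst hunting exfiltration actually needs."""
    totals = {}
    for r in stitched:
        totals[r["src"]] = totals.get(r["src"], 0) + r["bytes"]
    return totals


if __name__ == "__main__":
    table = build_nat_table(FIREWALL_LOG)
    result = stitch(OUTSIDE_FLOWS, table)
    for r in result:
        print(r)
    print(bytes_by_inside_host(result))
```

In a real deployment the join also needs the translation's time window (ASA logs a matching "Teardown" message), because a PAT port is reused after the connection closes; the example keys on the 4-tuple only.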
Security Monitoring Challenges
Security Monitoring Contd.
Security Monitoring and Event Correlation Time Synchronization
Logs are useless for correlation if they show the wrong date and time: events from different devices cannot be placed in order, and the incident timeline built from them will be wrong
Best practice is to configure all network devices (and log sources, collectors and the SIEM) to synchronize with Network Time Protocol (NTP) from the same trusted time source, and to log timestamps with a consistent time zone, preferably UTC
DNS Tunneling and Other Exfiltration Methods
Threat actors can send data over DNS using tunneling, because outbound DNS (at least recursion through the local resolver) is almost always permitted
Encoding methods can be used to put sensitive data in the payload of DNS packets (in the query name on the way out, and in TXT, NULL or CNAME answers on the way back); examples are:
• Base64 encoding
• Binary (8-bit) encoding
• NetBIOS encoding
• Hex encoding
Because DNS names are case-insensitive in practice, case-preserving encodings such as Base64 can be corrupted by resolvers; Base32 (Iodine's default) and hex survive case folding
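Both halves of the problem, as an added example that is not code from any of the tools the page names: an encoder that chunks a payload into numbered Base32 labels within DNS limits (63 characters per label, 253 per name) under an assumed attacker-controlled zone t.example.net, a matching decoder, and a detector that aggregates queries per registered domain and flags domains with many unique, long, high-entropy subdomains. The payload is a constructed pseudo-random byte string standing in for a stolen file, and the thresholds are assumed starting points, not tuned values.

```python
import base64
import hashlib
import math
from collections import defaultdict

TUNNEL_DOMAIN = "t.example.net"  # assumed attacker-controlled authoritative zone

# Constructed stand-in for exfiltrated data: 768 deterministic pseudo-random bytes.
EXFIL_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))

# Constructed benign lookups: few distinct, short, low-entropy subdomains.
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.com",
                  "www.example.com", "api.example.com"] * 10


def encode_chunks(payload, domain, chunk_bytes=30):
    """Tunnel side: split payload into numbered Base32 query names.
    Base32 (not Base64) because DNS is case-insensitive in practice."""
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk_bytes)):
        enc = base64.b32encode(payload[i:i + chunk_bytes]).decode().rstrip("=").lower()
        labels = [enc[j:j + 63] for j in range(0, len(enc), 63)]  # 63-char label limit
        name = ".".join([str(seq)] + labels + [domain])
        if len(name) > 253:  # total name limit
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_chunks(names, domain):
    """Authoritative-server side: reassemble the chunks in sequence order."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        enc = "".join(labels[1:]).upper()
        enc += "=" * (-len(enc) % 8)  # restore the stripped Base32 padding
        parts[int(labels[0])] = base64.b32decode(enc)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    """Naive: the last two labels. Production code should use the public suffix list."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def score_queries(queries, min_unique=20, min_len=40, min_entropy=3.5):
    """Detector: per registered domain, count unique subdomains and average their
    length and entropy; return domains exceeding all three (assumed) thresholds."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for q in queries:
        dom = registered_domain(q)
        sub = q[:-len(dom) - 1] if q.endswith("." + dom) else ""
        st = stats[dom]
        st["subs"].add(sub)
        st["lens"].append(len(sub))
        st["ents"].append(shannon_entropy(sub.replace(".", "")))
    suspicious = {}
    for dom, st in stats.items():
        uniq = len(st["subs"])
        mean_len = sum(st["lens"]) / len(st["lens"])
        mean_ent = sum(st["ents"]) / len(st["ents"])
        if uniq >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            suspicious[dom] = {"unique_subdomains": uniq,
                               "mean_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return suspicious


if __name__ == "__main__":
    names = encode_chunks(EXFIL_PAYLOAD, TUNNEL_DOMAIN)
    print(names[0])
    assert decode_chunks(names, TUNNEL_DOMAIN) == EXFIL_PAYLOAD
    print(score_queries(BENIGN_QUERIES + names))
```

Volume-based scores like this catch bulk exfiltration; a low-and-slow tunnel that sends a few queries an hour needs longer aggregation windows, and legitimate high-entropy users of DNS (CDNs, anti-spam lookups, some EDR agents) must be whitelisted to keep the false-positive rate workable.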
Security Monitoring Challenges
DNS Tunneling and Other Exfiltration Methods
DNS tunneling utilities include:
• DeNiSe
• dns2tcp
• DNScapy
• DNScat or DNScat-P
• DNScat (DNScat-B)
• Heyoka
• Iodine
• Nameserver Transfer Protocol (NSTX)
• OzymanDNS
• psudp
• Feederbot and Moto (malware families observed using DNS as their command-and-control channel)
Security Monitoring Challenges
Security Monitoring and Tor (The Onion Router)
Many people use tools such as Tor for privacy
Tor enables its users to surf the web anonymously
Tor usage makes security monitoring and incident response more difficult: the local monitor sees only an encrypted connection from the client to the first relay, and the destination sees only the exit relay's address
Malware is known to use Tor (for command and control) to cover its tracks
"Onion routing" is accomplished by encrypting the application-layer data in multiple nested layers, like the layers of an onion, one layer per relay in the path
The client encrypts the data multiple times and sends it through a "circuit" of randomly selected Tor relays (by default three: a guard/entry relay, a middle relay and an exit relay); each relay removes one layer and learns only the previous and the next hop
The Tor exit node is the last relay, the gateway where traffic "exits" the Tor network to the Internet; by then every Tor layer has been removed, so the exit sees the traffic as the application sent it (in the clear unless the application itself used TLS) but not the originating client's address
Defenders can at least detect Tor use by matching destination addresses against the published lists of Tor relays and exit nodes
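The layering described above in runnable form, as an added example that is not Tor's code: a client wraps a request in one layer per relay, innermost for the exit, and each relay peels exactly one layer, learning only the next hop. The per-hop cipher is a toy keystream built from HMAC-SHA256, standing in for the real per-hop AES-CTR keys Tor negotiates with its handshake; relay names and the destination are assumptions, and keys are generated on the spot. The observations returned by the simulated circuit show why a network monitor near the client, or the destination server, cannot link the two ends.

```python
import hashlib
import hmac
import os

NONCE = bytes(16)  # fixed for this single-cell demo; real CTR mode advances a counter per cell


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||block) keystream.
    Symmetric, so the same call both applies and removes a layer. NOT Tor's cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def build_onion(circuit, dest, message):
    """Client side: wrap message in one layer per relay, innermost for the exit.
    Each layer's plaintext is '<next hop>\\x00<inner blob>', so a relay that
    strips its layer learns only where to forward the opaque remainder."""
    next_hops = [name for name, _ in circuit[1:]] + [dest]
    blob = message
    for (_, key), next_hop in reversed(list(zip(circuit, next_hops))):
        blob = keystream_xor(key, NONCE, next_hop.encode() + b"\x00" + blob)
    return blob


def relay_peel(key, blob):
    """Relay side: remove one layer; return (next hop, what to forward)."""
    plain = keystream_xor(key, NONCE, blob)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop.decode(), inner


def run_circuit(circuit, onion):
    """Simulate the relays in order. Returns each relay's view of the cell
    (who sent it, where it goes, the bytes it forwards) and the final payload."""
    observations, blob, prev = [], onion, "client"
    for name, key in circuit:
        next_hop, blob = relay_peel(key, blob)
        observations.append({"relay": name, "from": prev, "to": next_hop, "payload": blob})
        prev = name
    return observations, blob


def make_circuit():
    """Three relays with fresh per-hop keys (assumed names, random keys)."""
    return [("guard", os.urandom(16)), ("middle", os.urandom(16)), ("exit", os.urandom(16))]


if __name__ == "__main__":
    circuit = make_circuit()
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    onion = build_onion(circuit, "example.org:80", request)
    obs, delivered = run_circuit(circuit, onion)
    for o in obs:
        readable = o["payload"] == request
        print(f"{o['relay']}: from={o['from']} to={o['to']} payload_in_clear={readable}")
    print("delivered to destination:", delivered)
```

The guard knows the client but forwards ciphertext to the middle; the exit recovers the HTTP request and the destination but only knows the middle relay sent it. This is also why an exit relay, or anyone watching it, can read and tamper with non-TLS traffic.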
Security Monitoring Challenges
Security Monitoring and Tor (The Onion Router)