20.02.2014

Using Wireshark to Gather Forensic Evidence on Malware ...

SEC-5 Using Wireshark to gather forensic evidence on malware outbreaks

Christian Landström - Senior Consultant

CASSIDIAN Cyber Security

1


Outline

Not many slides – more time for demo and Q&A

• Commercial products vs. Wireshark

• DNS analysis

• Callback analysis

• Exploits in Wireshark

• Q&A

2


House rules

3


Commercial products vs. Wireshark

• Not a versus

– Have both, use both

– Have only one of them… ;)

• Best practice:

– SecTools / SecAppliances for automated monitoring and pre-analysis

– Wireshark for detailed analysis and correlation

4


DNS Analysis

• Time consuming

• Very effective

• Recommended as permanent process

• Combined usage of GUI and CLI

• Recommended addons:

– Good text editor + spreadsheet editor

– “Linux” tools like grep, cat, uniq, sort etc.

5
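As an added example (not part of the slides), the CLI half of the DNS analysis described above: the block constructs a few lines in the shape that `tshark -r capture.pcap -Y 'dns.flags.response==1' -T fields -e ip.dst -e dns.qry.name -e dns.flags.rcode` would print, then uses awk/sort/uniq to baseline which clients resolve which names, list names seen from a single client only, count NXDOMAIN answers per client, and flag unusually long first labels. The sample values, the function names and the 20-character label threshold are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the format produced by:
#   tshark -r capture.pcap -Y 'dns.flags.response==1' -T fields \
#          -e ip.dst -e dns.qry.name -e dns.flags.rcode
# Columns: client IP (destination of the response), queried name,
# response code (0 = NOERROR, 3 = NXDOMAIN). All values are made up.
SAMPLE=$(printf '%s\t%s\t%s\n' \
  10.0.0.5 www.example.com 0 \
  10.0.0.5 mail.example.com 0 \
  10.0.0.7 www.example.com 0 \
  10.0.0.9 www.example.com 0 \
  10.0.0.9 xk3q9vz1p0lm2nb7c4r8t6w5y.example.net 3 \
  10.0.0.9 a7d9f1k3m5p7r9t1v3x5z7b9d1f3h5j7.example.net 3 \
  10.0.0.9 q2w4e6r8t0y1u3i5o7p9a1s3d5f7g9h1.example.net 3 \
  10.0.0.7 update.vendor-cdn.example 0)

# Baselining: names that only a single client ever resolved.
# Reduce to distinct (client, name) pairs, then count clients per name.
rare_names() {
  cut -f1,2 | sort -u | cut -f2 | sort | uniq -c | awk '$1 == 1 { print $2 }'
}

# NXDOMAIN answers per client, busiest client first.
nxdomain_by_client() {
  awk -F'\t' '$3 == 3 { c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Names whose first label is longer than $1 characters (anomaly hint).
long_labels() {
  awk -F'\t' -v n="$1" '{ split($2, l, "."); if (length(l[1]) > n) print $2 }' | sort -u
}

report() {
  echo "== names resolved by a single client =="
  printf '%s\n' "$SAMPLE" | rare_names
  echo "== NXDOMAIN answers per client =="
  printf '%s\n' "$SAMPLE" | nxdomain_by_client
  echo "== first label longer than 20 characters =="
  printf '%s\n' "$SAMPLE" | long_labels 20
}

report
```

On a real capture, replace the constructed SAMPLE with the tshark output of the filter shown in the comment; the same pipelines then apply to the full trace.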


Callback Analysis

• Dependent on protocols used by malware

• TCP quite standard / UDP hard to tell

• How can you tell? Always depends on application knowledge

• Learn your standard protocols

• Look for anomalies, be creative

6


A few words on exploits

• Main focus of IDS / IPS

• Harder to spot compared to the later actions

• Usually hard to interpret

– Obfuscated

– Packed

– Encrypted

• Not necessarily needed

7


Worst case

• Malware already inside your networks

• AV does not trigger

• IPS didn’t throw events

• Unknown threat

• Unknown damage

Forensics to the max.

8


In-depth analysis

• Baselining every connection

• Explaining every data transfer

• Fighting through lots of false positives

• At worst: evaluate every single packet

9


Commercial products vs. Wireshark

• Not a versus

– Have both, use both

– Have only one of them… ;)

• Best practice:

– SecTools / SecAppliances for automated monitoring and pre-analysis

– Wireshark for detailed analysis and correlation

10


Thanks for your attention!

??? Questions ???

11
