Threat Hunting with Network Flow - sans.org · Network Flow Austin Whisnant. Title: Presentation Title Author: Austin B. Whisnant Created Date: 4/19/2017 3:30:33 PM

1Threat Hunting with Network Flow

April 19, 2017

© 2017 Carnegie Mellon University

This material has been approved for public release and unlimited distribution. 1

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213

Threat Hunting with Network Flow© 2017 Carnegie Mellon University

This material has been approved for public release and unlimited distribution.

Threat Hunting with Network Flow

Austin Whisnant


April 19, 2017



Copyright 2017 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie

Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily

reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON

AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS

TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,

EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY

WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-

US Government use and distribution.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at

[email protected].

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

http://creativecommons.org/licenses/by-nc-nd/4.0/


April 19, 2017





me@linux:~$ echo “Where’s my cursor?”


April 19, 2017




April 19, 2017





Pros Cons

Small

Automatable

Privacy

No validation

Summary

Yet another tool


April 19, 2017






April 19, 2017





Adversary

Victim

Capabilities

Infrastructure


April 19, 2017





IP Address

Network

Flow

IP Address

Network

Flow

Timestamp

Pcap


April 19, 2017





APT IP

Addresses

Network

Flow

/24

Network

Flow


April 19, 2017





Internal IP Logs

New Malicious

IPs

IDS


April 19, 2017





Pros

Small (Quick)


April 19, 2017





Pros

Critical thinking


April 19, 2017





Pros

Small (Quick)

Automatable

Privacy

Critical thinking

Cons

No validation

Summary

Yet another tool


April 19, 2017





Profile

DNS: xxxxxx

NAT: xxxxxxxxxx

VPN: xxx

Web: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…


April 19, 2017





me@linux:~$ echo “Just Linux command line skills”


April 19, 2017



Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213



Threat Hunting with Network Flow

Austin Whisnant

Documents

Threat Hunting with Network Flow - sans.org · Network Flow Austin Whisnant. Title: Presentation Title Author: Austin B. Whisnant Created Date: 4/19/2017 3:30:33 PM