SM
Uploaded bySylvain Martinez
313 views

OFFENSIVE IDS

The document provides an overview of Offensive Intrusion Detection Systems (IDS) including their introduction, benefits, and methods for analyzing and capturing network traffic. It emphasizes the capabilities of IDS in identifying vulnerabilities, alerting on cyber security attacks, and extracting sensitive information from large datasets. Additionally, it discusses practical components and configurations for implementing IDS effectively within a network security context.

Embed presentation

Downloaded 21 times
OFFENSIVE IDS OVERVIEW VERSION: 1.4a DATE: 27/02/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC14-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
2 CONTENTS PUBLIC {elysiumsecurity} cyber protection & response • IDS Introduction; • Topology Example; • IDS Benefits; • Offensive IDS Overview; • Topology Revisited; • Benefits Revisited; • Capturing traffic; • Core Components; • Tweaking; • Finding the needle; • Free credentials; • IDS Dashboard example; BEYONDUSE CASESSETUPCONCEPTCONTEXT • Not just defence; • Resources.
3PUBLIC {elysiumsecurity} cyber protection & response IDS INTRODUCTION ANALYSIS OPTIONS SIGNATURES PATTERNS & BEHAVIOURS ACTIVE PASSIVE CONFIGURATION OPTIONS NIDS HIDS IDS IPS IDS HIGH LEVEL CONCEPT TRAFFIC & EVENTS ANALYSIS ALERTS & ACTIONS Icons from the Noun Project unless specified otherwise BEYONDUSE CASESSETUPCONCEPTCONTEXT
4PUBLIC {elysiumsecurity} cyber protection & response TOPOLOGY EXAMPLE GUEST WIFI USERS SERVERS DMZ DUPLICATED TRAFFIC EXTERNAL DUPLICATED TRAFFIC INTERNAL INTERNET TRAFFIC ANALYSIS SIGNATURES PATTERNS / BEHAVIOURS SECURITY ALERTS Icons from VMWARE IDS BEYONDUSE CASESSETUPCONCEPTCONTEXT
5PUBLIC {elysiumsecurity} cyber protection & response IDS MAIN BENEFITS CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC) CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC) VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.) VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.) NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS) NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS) NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME) NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.) ALERTS INVESTIGATION BEYONDUSE CASESSETUPCONCEPTCONTEXT
6PUBLIC {elysiumsecurity} cyber protection & response OFFENSIVE IDS OVERVIEW TO USE THE POWER OF IDS TO HELP FIND INTERESTING TIMELINE, VULNERABILITIES AND SENSITIVE DATA GOAL TO HELP GOING THROUGH LARGE VOLUME OF CAPTURED DATA AND RE-PURPOSE THE BENEFITS OF IDS WHY CAPTURING TRAFFIC AND EVENTS IN A PCAP FILE AND REPLAY IT INTO A STANDALONE IDS IN A VM HOW BEYONDUSE CASESSETUPCONCEPTCONTEXT
7PUBLIC {elysiumsecurity} cyber protection & response NETWORK TOPOLOGY - REVISITED GUEST WIFI USERS SERVERS DMZ INTERNET DUPLICATED TRAFFIC PCAP FILES DUPLICATED TRAFFIC PCAP FILES TRAFFIC ANALYSIS SIGNATURES PATTERNS / BEHAVIOURS SECURITY ALERTS, FILES, PASSWORDS, ETC. FILES EXTRACTION PCAP FILES IDS BEYONDUSE CASESSETUPCONCEPTCONTEXT
8PUBLIC {elysiumsecurity} cyber protection & response IDS MAIN BENEFITS - REVISITED CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC) CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC) VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.) VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.) NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS) NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS) NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME) NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.) SPEED UP NETWORK TRAFFIC ANALYSIS IDENTIFY INTERESTING TIMELINES IDENTIFY VULNERABILITIES TO EXPLOIT IDENTIFY TARGETS OF INTEREST EXTRACT SENSITIVE INFORMATION PROFILE USERS AND APPLICATIONS BEYONDUSE CASESSETUPCONCEPTCONTEXT
9PUBLIC {elysiumsecurity} cyber protection & response CAPTURING TRAFFIC NO OPERATIONAL IMPACT PHYSICAL ACCESS REQUIRED IN MOST CASES TAP TRAFFIC AGAINST KEY TARGETS POWERED/UNPOWERED SOLUTIONS DUMMY CAPTURE DEVICES: - SMALL ROUTER; - THROWING STAR LAN; INTELLIGENT CAPTURE DEVICES: - RASPBERRY PI; - HAK5 PACKET SQUIRREL. BEYONDUSE CASESSETUPCONCEPTCONTEXT
10PUBLIC {elysiumsecurity} cyber protection & response CORE COMPONENTS BEYONDUSE CASESSETUPCONCEPTCONTEXT USE TCPREPLAY YOU CAN ACCELERATE IF YOU DON’T MIND ABOUT TIMELINE. REPLAY TRAFFIC DECIDE WHICH ENGINE TO USE: SURICATA OR SNORT IDS ENGINE USE A FREE IDS DISTRIBUTION SUCH AS SECURITY ONION OR SELKS SET IT UP AS A STANDALONE VM VIRTUAL MACHINE
11PUBLIC {elysiumsecurity} cyber protection & response TWEAKING BEYONDUSE CASESSETUPCONCEPTCONTEXT LOOPBACK NIC DOES NOT WORK WITH TCPREPLAY ON A VM USE A DUMMY NIC INSTEAD CONFIGURE YOUR IDS TO MONITOR THAT NIC
12PUBLIC {elysiumsecurity} cyber protection & response FINDING THE NEEDLE BEYONDUSE CASESSETUPCONCEPTCONTEXT • FIND THE SECRET CONTRACT XYZ • YOU ARE ONLY GIVEN 3 EMPLOYEES NAME SCENARIO • 50GB OF INTERCEPTED TRAFFIC OVER A WEEK PERIOD • YOU DON’T KNOW WHERE TO LOOK • WIRESHARK DOESN’T LIKE THAT FILE SIZE SO MUCH…CHALLENGES • REPLAYED THE 50GB OF DATA TO A STANDALONE IDS • ABLE TO PINPOINT DAYS AND TIME OF PEAK ACTIVITY AND TYPE OF ACTIVITY (FILE TRANSFER) • GO BACK TO WIRESHARK WITHIN A MUCH SMALLER TIMEFRAME AND FIND THE DOCUMENT! IDS TO THE RESCUE
13PUBLIC {elysiumsecurity} cyber protection & response FREE CREDENTIALS BEYONDUSE CASESSETUPCONCEPTCONTEXT • ACCESS THE ACCOUNT OF A TOP EXECUTIVE SCENARIO • THE EXECUTIVE IS PARANOID AND DID NOT FALL FOR PHISHING • THE EXECUTIVE IS VERY CAREFUL WITH HER SOCIAL MEDIA PRESENCE • HER LAPTOP IS FULLY PATCHED • NETWORK TRAFFIC INTERCEPTED IS TOO BIG TO BE USEFULCHALLENGES • REPLAYED NETWORK TRAFFIC TO A STANDALONE IDS • ALERT FOR A PASSWORD SENT IN CLEAR TEXT • THE EXECUTIVE IS UPDATING A CHARITY BLOG USING AN ALIAS • SHE USES THE SAME PASSWORD ON HER CORPORATE ACCOUNTIDS TO THE RESCUE
14PUBLIC {elysiumsecurity} cyber protection & response IDS DASHBOARD EXAMPLE BEYONDUSE CASESSETUPCONCEPTCONTEXT
15PUBLIC {elysiumsecurity} cyber protection & response NOT JUST DEFENSE BEYONDUSE CASESSETUPCONCEPTCONTEXT DETECT ATTACKINVESTIGATE ALERT IDS ENVIRONMENT, LIKE MOST SECURITY DEFENSE TOOLS ENVIRONMENT, CONTAINS SENSITIVE DATA AND MUST BE PROTECTED SO THEIR INFORMATION IS NOT USED AGAINST YOU!
16PUBLIC {elysiumsecurity} cyber protection & response RESOURCES BEYONDUSE CASESSETUPCONCEPTCONTEXT SNORT BASED ENGINE: HTTPS://WWW.SNORT.ORG/ SURICATA BASED ENGINE: HTTPS://SURICATA-IDS.ORG/ IDS VIRTUAL MACHINE DISTRIBUTION - SECURITY ONION (SO): HTTPS://SECURITYONION.NET/ - SELKS: HTTPS://WWW.STAMUS-NETWORKS.COM/OPEN-SOURCE/ GREAT COMMUNITY IS HERE TO HELP; SO AND SELKS AUTHORS ARE VERY ACTIVE; PROFESSIONAL SUPPORT AVAILABLE FROM THEM TOO; VARIOUS INSTALL GUIDE AVAILABLE: HTTPS://WWW.ELYSIUMSECURITY.COM/BLOG/GUIDES/POST7.HTML
{elysiumsecurity} cyber protection & response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

More Related Content

PDF
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
PDF
Mobile Security Assessment
bySylvain Martinez
 
PDF
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
PDF
INCIDENT RESPONSE OVERVIEW
bySylvain Martinez
 
PDF
The Art of CTF
bySylvain Martinez
 
PDF
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
PDF
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
PDF
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
Mobile Security Assessment
bySylvain Martinez
 
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
INCIDENT RESPONSE OVERVIEW
bySylvain Martinez
 
The Art of CTF
bySylvain Martinez
 
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 

What's hot

PDF
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
PDF
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
PDF
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
bySylvain Martinez
 
PDF
OFFICE 365 SECURITY
bySylvain Martinez
 
PDF
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
PPTX
Ict conf td-evs_pcidss-final
byDejan Jeremic
 
PPTX
2015 ISA Calgary Show: IACS Cyber Incident Preparation
byCimation
 
PPTX
Ict 2015 saga - cisco cybersecurity rešenja- Viktor Varga
byDejan Jeremic
 
PDF
Critical Infrastructure Protection from Terrorist Attacks
byBGA Cyber Security
 
PPTX
Ivan dragas get ahead of cybercrime
byDejan Jeremic
 
PPTX
2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...
byInternetwork Engineering (IE)
 
PDF
What Happens Before the Kill Chain
byOpenDNS
 
PDF
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
PDF
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
byBGA Cyber Security
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
PDF
Cyber Security Governance
byPriyanka Aash
 
PDF
How to Replace Your Legacy Antivirus Solution with CrowdStrike
byCrowdStrike
 
PPTX
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
byCristian Garcia G.
 
PDF
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
byKaspersky
 
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
Open Source IDS - How to use them as a powerful fee Defensive and Offensive tool
bySylvain Martinez
 
OFFICE 365 SECURITY
bySylvain Martinez
 
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
Ict conf td-evs_pcidss-final
byDejan Jeremic
 
2015 ISA Calgary Show: IACS Cyber Incident Preparation
byCimation
 
Ict 2015 saga - cisco cybersecurity rešenja- Viktor Varga
byDejan Jeremic
 
Critical Infrastructure Protection from Terrorist Attacks
byBGA Cyber Security
 
Ivan dragas get ahead of cybercrime
byDejan Jeremic
 
2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...
byInternetwork Engineering (IE)
 
What Happens Before the Kill Chain
byOpenDNS
 
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
byBGA Cyber Security
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
Cyber Security Governance
byPriyanka Aash
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
byCrowdStrike
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
byCristian Garcia G.
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
byKaspersky
 

Similar to OFFENSIVE IDS

PDF
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
PDF
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
PDF
2023 NCIT: Introduction to Intrusion Detection
byAPNIC
 
PPT
intrusion detection system (IDS)
byAj Maurya
 
PDF
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
byREVULN
 
PPTX
IDS+Honeypots Making Security Simple
byGregory Hanis
 
PPTX
Security Operation Center Presentat.pptx
byImranKhan441149
 
PDF
Are you ready for the next attack? reviewing the sp security checklist (apnic...
byBarry Greene
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
byAPNIC
 
PDF
Making Threat Intelligence Actionable Final
byPriyanka Aash
 
PPTX
Defend-Against-Next-Gen-Attacks-with-Wire-Data-by-Pete-Anderson.pptx
byadrianitoterremoto
 
PPTX
Cyber Security
byfrcarlson
 
PDF
Information Security Risk Management
byipspat
 
PPTX
Hands-On Security - Disrupting the Kill Chain
bySplunk
 
PDF
Visualizing Threats: Network Visualization for Cyber Security
byCambridge Intelligence
 
PDF
Cisco Security Architecture
byCisco Canada
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
byMyNOG
 
PPTX
Cybersecurity Training for Nonprofits
byCommunity IT Innovators
 
PPTX
Tsc2021 cyber-issues
byErnest Staats
 
PPTX
Scalar Security Roadshow - Vancouver Presentation
byScalar Decisions
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
2023 NCIT: Introduction to Intrusion Detection
byAPNIC
 
intrusion detection system (IDS)
byAj Maurya
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
byREVULN
 
IDS+Honeypots Making Security Simple
byGregory Hanis
 
Security Operation Center Presentat.pptx
byImranKhan441149
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
byBarry Greene
 
Are you ready for the next attack? Reviewing the SP Security Checklist
byAPNIC
 
Making Threat Intelligence Actionable Final
byPriyanka Aash
 
Defend-Against-Next-Gen-Attacks-with-Wire-Data-by-Pete-Anderson.pptx
byadrianitoterremoto
 
Cyber Security
byfrcarlson
 
Information Security Risk Management
byipspat
 
Hands-On Security - Disrupting the Kill Chain
bySplunk
 
Visualizing Threats: Network Visualization for Cyber Security
byCambridge Intelligence
 
Cisco Security Architecture
byCisco Canada
 
Are you ready for the next attack? Reviewing the SP Security Checklist
byMyNOG
 
Cybersecurity Training for Nonprofits
byCommunity IT Innovators
 
Tsc2021 cyber-issues
byErnest Staats
 
Scalar Security Roadshow - Vancouver Presentation
byScalar Decisions
 

More from Sylvain Martinez

PDF
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
PDF
PHISHING PROTECTION
bySylvain Martinez
 
PDF
IOT Security
bySylvain Martinez
 
PDF
ARE YOU RED TEAM READY?
bySylvain Martinez
 
PPTX
GDPR SECURITY ISSUES
bySylvain Martinez
 
PDF
Risk on Crypto Currencies
bySylvain Martinez
 
PDF
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
PPTX
Ethical Hacking
bySylvain Martinez
 
PDF
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
PDF
Talk2 esc2 muscl-wifi_v1_2b
bySylvain Martinez
 
PDF
Talk1 muscl club_v1_2
bySylvain Martinez
 
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
PHISHING PROTECTION
bySylvain Martinez
 
IOT Security
bySylvain Martinez
 
ARE YOU RED TEAM READY?
bySylvain Martinez
 
GDPR SECURITY ISSUES
bySylvain Martinez
 
Risk on Crypto Currencies
bySylvain Martinez
 
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
Ethical Hacking
bySylvain Martinez
 
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
Talk2 esc2 muscl-wifi_v1_2b
bySylvain Martinez
 
Talk1 muscl club_v1_2
bySylvain Martinez
 

Recently uploaded

PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
PDF
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
WebXR in Android and Linux with OpenXR
byIgalia
 
MathML Core in WebKit
byIgalia
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 

OFFENSIVE IDS

  • 1.
    OFFENSIVE IDS OVERVIEW VERSION: 1.4a DATE:27/02/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC14-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
  • 2.
    2 CONTENTS PUBLIC {elysiumsecurity} cyber protection &response • IDS Introduction; • Topology Example; • IDS Benefits; • Offensive IDS Overview; • Topology Revisited; • Benefits Revisited; • Capturing traffic; • Core Components; • Tweaking; • Finding the needle; • Free credentials; • IDS Dashboard example; BEYONDUSE CASESSETUPCONCEPTCONTEXT • Not just defence; • Resources.
  • 3.
    3PUBLIC {elysiumsecurity} cyber protection &response IDS INTRODUCTION ANALYSIS OPTIONS SIGNATURES PATTERNS & BEHAVIOURS ACTIVE PASSIVE CONFIGURATION OPTIONS NIDS HIDS IDS IPS IDS HIGH LEVEL CONCEPT TRAFFIC & EVENTS ANALYSIS ALERTS & ACTIONS Icons from the Noun Project unless specified otherwise BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 4.
    4PUBLIC {elysiumsecurity} cyber protection &response TOPOLOGY EXAMPLE GUEST WIFI USERS SERVERS DMZ DUPLICATED TRAFFIC EXTERNAL DUPLICATED TRAFFIC INTERNAL INTERNET TRAFFIC ANALYSIS SIGNATURES PATTERNS / BEHAVIOURS SECURITY ALERTS Icons from VMWARE IDS BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 5.
    5PUBLIC {elysiumsecurity} cyber protection &response IDS MAIN BENEFITS CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC) CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC) VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.) VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.) NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS) NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS) NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME) NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.) ALERTS INVESTIGATION BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 6.
    6PUBLIC {elysiumsecurity} cyber protection &response OFFENSIVE IDS OVERVIEW TO USE THE POWER OF IDS TO HELP FIND INTERESTING TIMELINE, VULNERABILITIES AND SENSITIVE DATA GOAL TO HELP GOING THROUGH LARGE VOLUME OF CAPTURED DATA AND RE-PURPOSE THE BENEFITS OF IDS WHY CAPTURING TRAFFIC AND EVENTS IN A PCAP FILE AND REPLAY IT INTO A STANDALONE IDS IN A VM HOW BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 7.
    7PUBLIC {elysiumsecurity} cyber protection &response NETWORK TOPOLOGY - REVISITED GUEST WIFI USERS SERVERS DMZ INTERNET DUPLICATED TRAFFIC PCAP FILES DUPLICATED TRAFFIC PCAP FILES TRAFFIC ANALYSIS SIGNATURES PATTERNS / BEHAVIOURS SECURITY ALERTS, FILES, PASSWORDS, ETC. FILES EXTRACTION PCAP FILES IDS BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 8.
    8PUBLIC {elysiumsecurity} cyber protection &response IDS MAIN BENEFITS - REVISITED CYBER SECURITY ATTACKS ALERTS (PORT SCANS, C2C, BRUTE FORCE, ETC) CYBER SECURITY ISSUES ALERTS (CLEAR TEXT PASSWORD, OUTDATED APP, ETC) VULNERABLE HOSTS ALERTS (CVE, EXPLOITS, ETC.) VULNERABLE APPLICATIONS ALERTS (CVE, EXPLOITS, ETC.) NETWORK ACTIVITY VIEW (IP SOURCE & DESTINATION, PORTS, PROTOCOLS) NETWORK DATA FLOW VIEW (NETWORK ENTITY RELATIONSHIPS) NETWORK ANOMALIES VIEW (SUSPICIOUS TIMELINE, ACTIVITY SPIKES & VOLUME) NETWORK CONTENT VIEW (HTTP, FTP, SMB, ETC.) SPEED UP NETWORK TRAFFIC ANALYSIS IDENTIFY INTERESTING TIMELINES IDENTIFY VULNERABILITIES TO EXPLOIT IDENTIFY TARGETS OF INTEREST EXTRACT SENSITIVE INFORMATION PROFILE USERS AND APPLICATIONS BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 9.
    9PUBLIC {elysiumsecurity} cyber protection &response CAPTURING TRAFFIC NO OPERATIONAL IMPACT PHYSICAL ACCESS REQUIRED IN MOST CASES TAP TRAFFIC AGAINST KEY TARGETS POWERED/UNPOWERED SOLUTIONS DUMMY CAPTURE DEVICES: - SMALL ROUTER; - THROWING STAR LAN; INTELLIGENT CAPTURE DEVICES: - RASPBERRY PI; - HAK5 PACKET SQUIRREL. BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 10.
    10PUBLIC {elysiumsecurity} cyber protection &response CORE COMPONENTS BEYONDUSE CASESSETUPCONCEPTCONTEXT USE TCPREPLAY YOU CAN ACCELERATE IF YOU DON’T MIND ABOUT TIMELINE. REPLAY TRAFFIC DECIDE WHICH ENGINE TO USE: SURICATA OR SNORT IDS ENGINE USE A FREE IDS DISTRIBUTION SUCH AS SECURITY ONION OR SELKS SET IT UP AS A STANDALONE VM VIRTUAL MACHINE
  • 11.
    11PUBLIC {elysiumsecurity} cyber protection &response TWEAKING BEYONDUSE CASESSETUPCONCEPTCONTEXT LOOPBACK NIC DOES NOT WORK WITH TCPREPLAY ON A VM USE A DUMMY NIC INSTEAD CONFIGURE YOUR IDS TO MONITOR THAT NIC
  • 12.
    12PUBLIC {elysiumsecurity} cyber protection &response FINDING THE NEEDLE BEYONDUSE CASESSETUPCONCEPTCONTEXT • FIND THE SECRET CONTRACT XYZ • YOU ARE ONLY GIVEN 3 EMPLOYEES NAME SCENARIO • 50GB OF INTERCEPTED TRAFFIC OVER A WEEK PERIOD • YOU DON’T KNOW WHERE TO LOOK • WIRESHARK DOESN’T LIKE THAT FILE SIZE SO MUCH…CHALLENGES • REPLAYED THE 50GB OF DATA TO A STANDALONE IDS • ABLE TO PINPOINT DAYS AND TIME OF PEAK ACTIVITY AND TYPE OF ACTIVITY (FILE TRANSFER) • GO BACK TO WIRESHARK WITHIN A MUCH SMALLER TIMEFRAME AND FIND THE DOCUMENT! IDS TO THE RESCUE
  • 13.
    13PUBLIC {elysiumsecurity} cyber protection &response FREE CREDENTIALS BEYONDUSE CASESSETUPCONCEPTCONTEXT • ACCESS THE ACCOUNT OF A TOP EXECUTIVE SCENARIO • THE EXECUTIVE IS PARANOID AND DID NOT FALL FOR PHISHING • THE EXECUTIVE IS VERY CAREFUL WITH HER SOCIAL MEDIA PRESENCE • HER LAPTOP IS FULLY PATCHED • NETWORK TRAFFIC INTERCEPTED IS TOO BIG TO BE USEFULCHALLENGES • REPLAYED NETWORK TRAFFIC TO A STANDALONE IDS • ALERT FOR A PASSWORD SENT IN CLEAR TEXT • THE EXECUTIVE IS UPDATING A CHARITY BLOG USING AN ALIAS • SHE USES THE SAME PASSWORD ON HER CORPORATE ACCOUNTIDS TO THE RESCUE
  • 14.
    14PUBLIC {elysiumsecurity} cyber protection &response IDS DASHBOARD EXAMPLE BEYONDUSE CASESSETUPCONCEPTCONTEXT
  • 15.
    15PUBLIC {elysiumsecurity} cyber protection &response NOT JUST DEFENSE BEYONDUSE CASESSETUPCONCEPTCONTEXT DETECT ATTACKINVESTIGATE ALERT IDS ENVIRONMENT, LIKE MOST SECURITY DEFENSE TOOLS ENVIRONMENT, CONTAINS SENSITIVE DATA AND MUST BE PROTECTED SO THEIR INFORMATION IS NOT USED AGAINST YOU!
  • 16.
    16PUBLIC {elysiumsecurity} cyber protection &response RESOURCES BEYONDUSE CASESSETUPCONCEPTCONTEXT SNORT BASED ENGINE: HTTPS://WWW.SNORT.ORG/ SURICATA BASED ENGINE: HTTPS://SURICATA-IDS.ORG/ IDS VIRTUAL MACHINE DISTRIBUTION - SECURITY ONION (SO): HTTPS://SECURITYONION.NET/ - SELKS: HTTPS://WWW.STAMUS-NETWORKS.COM/OPEN-SOURCE/ GREAT COMMUNITY IS HERE TO HELP; SO AND SELKS AUTHORS ARE VERY ACTIVE; PROFESSIONAL SUPPORT AVAILABLE FROM THEM TOO; VARIOUS INSTALL GUIDE AVAILABLE: HTTPS://WWW.ELYSIUMSECURITY.COM/BLOG/GUIDES/POST7.HTML
  • 17.
    {elysiumsecurity} cyber protection &response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.