28C3 - Version 2.3.5
28th Chaos Communication Congress
Behind Enemy Lines
Speakers | |
---|---|
Chris Kubecka |
Schedule | |
---|---|
Day | Day 3 - 2011-12-29 |
Room | Saal 2 |
Start time | 13:15 |
Duration | 00:30 |
Info | |
ID | 4767 |
Event type | Lecture |
Track | Hacking |
Language used for presentation | English |
Feedback | |
---|---|
Did you attend this event? Give Feedback |
Security Log Visualization with a Correlation Engine
What's inside your network?
This brief session focuses on the visualization of actual security incidents, network forensics and counter surveillance of covert criminal communications utilizing large data sets from various security logs and a very brief introduction to correlation engine logic. Visually displaying security or network issues can express the risk or urgency in a way a set of dry logs or other methods might not be able to. Additionally, many organizations rely on a more singular approach and react to security events, many times from a high false positive rate source such as isolated intrusion prevention or firewall alerts, or relying only on anti-virus alerts. Utilizing a correlation engine (especially open source) or similar applications could offer a method of discovering or in some cases proactively detecting issues. The research discussed involves analysis and interrogation of firewall, intrusion detection and prevention systems, web proxy logs and available security research. What does a compromised server infected with spam malware look like or cyber warfare?
A 20 minute presentation of data visualization and investigation scenarios of five actual issues discovered using various security logs and a correlation engine. The lecturer will take you on a visual journey from seemingly mundane entries in firewall logs through to detecting covert communications between a corporate web server and a cyber-criminal drop zone. Additional visualizations presented: a United Kingdom based portion of the South Korean DNS Distributed Denial of Service attacks of July/August 2008, what bypassing deep packet inspection using HTTPS/SSL/TLS looks like, detecting a rouge corporate email server, malicious DNS usage and more. Although the presenter used a commercial correlation engine, the presentation will conclude with the discussion of an open source correlation engine.