Bro Befriends Suricata by Michal Purzynski
How do you use Bro and Suricata together to fight malware?
Malware gets more and more sophisticated. Your networks grow larger and become more complex. The development process is nothing like it used to be, with tools that require broad access, and some of the actions they take resemble the early stages of an attack.
Often it is not possible to identify an infection just by looking at your IDS logs, and that is why we have NSM, which gives us tools like full packet capture.
What if I told you that I can detect, investigate and confirm (or rule out) malware without using full packet capture? It is impossible for us to run it 24/7/365, for privacy reasons.
I'd like to go over the process we use for daily malware hunting, starting with Suricata and Bro logs, the Intel Framework and notices. I will share tactics on how we use threat intelligence and add carefully chosen logs from other systems to make sure we only escalate true positives, and why.
This talk is supported by data from real malware infections.
Speaker Bio: Michal Purzynski is a Senior Security Engineer responsible for Threat Management in the Enterprise Information Security group at Mozilla. His responsibilities range from coordinating and writing various kinds of detection mechanisms, both network and system based, through supporting the group during incident response with the right data, to developing new ways of modeling and tracing threat actors in your environment.
He built Network Security Monitoring at Mozilla with Bro, Suricata and netsniff-ng, spanning 3 continents, 8 offices, a datacenter and AWS.
Slides: https://www.bro.org/brocon2016/slides/purzynski_suricata.pdf
Video: Bro Befriends Suricata by Michal Purzynski, from the Zeek channel