
Bro Befriends Suricata by Michal Purzynski

How do you use Bro and Suricata together to fight malware?

Malware keeps getting more sophisticated. Your networks grow larger and more complex. Development processes look nothing like they used to, with tools that require broad access and with some actions that resemble the early stages of an attack.

It is often not possible to tell whether there is an infection just by looking at your IDS logs, and that is why we have NSM, which gives us tools like full packet capture.

What if I told you that I can detect, investigate and confirm (or rule out) malware without using full packet capture? That running it 24/7/365 is impossible for us, for privacy reasons?

I'd like to go over the process we use for daily malware hunting, starting with Suricata and Bro logs, the Intel Framework and notices. I will share tactics on how we use threat intelligence and add carefully chosen logs from other systems to make sure we only escalate true positives, and why.
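The workflow the abstract describes, joining a Suricata alert to the Bro connection it fired on and then checking what Bro actually observed on that connection before escalating, can be sketched as a small triage script. This is an added example, not code from the talk or from the Bro or Suricata projects; the EVE JSON lines, the conn.log and http.log rows and the indicator set are all constructed, and the indicator set stands in for what the Bro Intel Framework would otherwise provide via intel.log. The triage policy (escalate, review, dismiss) is an assumption for illustration.

```python
"""Triage Suricata alerts against Bro conn.log / http.log and an indicator set.

Added example (not code from the talk): joins a Suricata EVE alert with the
Bro connection it fired on by 5-tuple, then uses what Bro saw on that
connection (did it complete, which HTTP host) to decide what to escalate.
"""
import json
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int, str]

# Constructed sample input: two Suricata alerts plus one non-alert event,
# and the matching Bro conn.log / http.log rows in Bro's TSV layout.
SURICATA_EVE = """
{"timestamp":"2016-12-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"signature":"ET TROJAN Example CnC Beacon","severity":1}}
{"timestamp":"2016-12-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP","alert":{"signature_id":2000002,"signature":"ET POLICY Suspicious User-Agent","severity":2}}
{"timestamp":"2016-12-01T10:00:07.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP"}
"""

BRO_CONN = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\torig_bytes\tresp_bytes
1480586401.000000\tCAbc1\t10.0.0.5\t51234\t203.0.113.7\t80\ttcp\thttp\tSF\t512\t2048
1480586405.000000\tCAbc2\t10.0.0.9\t40000\t198.51.100.2\t80\ttcp\thttp\tS0\t0\t0
"""

BRO_HTTP = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi\tuser_agent
1480586401.100000\tCAbc1\t10.0.0.5\t51234\t203.0.113.7\t80\tbad.example\t/gate.php\tMozilla/4.0
"""

# Constructed stand-in for indicators the Bro Intel Framework would match.
INTEL_DOMAINS: Set[str] = {"bad.example"}


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's tab-separated log format using its #fields header line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.strip().splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_eve_alerts(text: str) -> List[dict]:
    """Keep only event_type == "alert" records from a Suricata EVE JSON stream."""
    events = (json.loads(l) for l in text.strip().splitlines() if l.strip())
    return [e for e in events if e.get("event_type") == "alert"]


def flow_key(orig_h, orig_p, resp_h, resp_p, proto) -> FlowKey:
    """Normalise a 5-tuple so Suricata and Bro records can be joined on it."""
    return (orig_h, int(orig_p), resp_h, int(resp_p), str(proto).lower())


def triage(eve_text: str, conn_text: str, http_text: str, intel: Set[str]) -> List[dict]:
    """Return one verdict per Suricata alert: escalate, review or dismiss."""
    conns = {flow_key(r["id.orig_h"], r["id.orig_p"], r["id.resp_h"],
                      r["id.resp_p"], r["proto"]): r
             for r in parse_bro_log(conn_text)}
    http_by_uid: Dict[str, List[Dict[str, str]]] = {}
    for r in parse_bro_log(http_text):
        http_by_uid.setdefault(r["uid"], []).append(r)

    verdicts = []
    for a in parse_eve_alerts(eve_text):
        key = flow_key(a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"])
        v = {"signature": a["alert"]["signature"], "uid": None,
             "intel_hits": set(), "evidence": [], "triage": "review"}
        conn = conns.get(key)
        if conn is None:
            # Suricata saw it but Bro has no matching connection: analyst decides.
            v["evidence"].append("no conn.log entry for this 5-tuple")
            verdicts.append(v)
            continue
        v["uid"] = conn["uid"]
        # A session that never completed (SYN only, no server bytes) cannot
        # have delivered a payload, so the alert alone is not worth escalating.
        completed = conn["conn_state"] == "SF" and int(conn["resp_bytes"]) > 0
        hosts = {h["host"] for h in http_by_uid.get(conn["uid"], [])}
        v["intel_hits"] = hosts & intel
        if not completed:
            v["evidence"].append(f"conn_state {conn['conn_state']}, "
                                 f"{conn['resp_bytes']} bytes from server")
            v["triage"] = "dismiss"
        elif v["intel_hits"]:
            v["evidence"].append(f"completed session to intel-listed host(s) {sorted(v['intel_hits'])}")
            v["triage"] = "escalate"
        else:
            v["evidence"].append("completed session, no intel match")
        verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for verdict in triage(SURICATA_EVE, BRO_CONN, BRO_HTTP, INTEL_DOMAINS):
        print(verdict["triage"].upper(), verdict["signature"], verdict["uid"], verdict["evidence"])
```

The join key is the plain 5-tuple, which is enough for a single-sensor setup where both tools see the same traffic; in a deployment with NAT or asymmetric routing between the sensors, the timestamp window and direction also need to be taken into account before an alert is tied to a Bro uid.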

This talk is supported by data from real malware infections.

Speaker Bio: Michal Purzynski is a Senior Security Engineer responsible for Threat Management in the Enterprise Information Security group at Mozilla. His responsibilities range from coordinating and writing various kinds of detection mechanisms, network and system based, through supporting the group during incident response with the right data, to developing new ways of modeling and tracing threat actors in your environment.

He built Network Security Monitoring at Mozilla with Bro, Suricata and netsniff-ng, spanning 3 continents, 8 offices, a datacenter and AWS.

Slides: https://www.bro.org/brocon2016/slides/purzynski_suricata.pdf

Video: Bro Befriends Suricata by Michal Purzynski, from the Zeek channel.
Posted 23 December 2016, 0:44:47; duration 00:34:27.