up

2020-03-23

Due to extended spring break, DNS has been moved to the last week.

We’re now moving from the Network Security portion of the course to the Forensics part of the course.

Looks like no homework just yet, but there will be a lab on Friday.

Network Forensics

Are we under attack at the current time?

We look at three kinds of data:

• packet captures
  • lots and lots of data
• flow data
  • packet headers and some packet data
  • use a new tool called Silk
• log data
  • Includes events coming from applications and operating systems

We are going to try and take pcaps and run them through an IDS.

Keep data for a while, because what looks innocent today could be interesting later.

Determining what data is malicious is an art form.

Collecting data

• easy wins
  • flow data from switches and such
• find out what you’re missing
  • Find areas with low visibility
  • identify trouble spots
• Increase monitoring in trouble spots

Analyzing Data

SEIM - security event and incident manager

Network coverage

• You may want different detections on different segments
• You may want monitoring outside the firewall to identify blocked attacks

Collection could be at a low level and be increased by some event