
For little or no money.

What is a Security Operations Center (SOC)?
[Diagram: Events flow into the IDS, then to the Management System and the Analyst Systems for Analysis, enriched with Contextual Info, and out to Reporting and Incident Response]
Why do you need a SOC?
- A central location to collect information on threats
  - External threats
  - Internal threats
  - User activity
- Loss of systems and personal or sensitive data
- Provide evidence in investigations
- Keep your organization running
- Health of your network and systems
Isn't a Firewall, IDS or AV enough?
- Firewall
  - Is active and known by attackers
  - Protects your systems, not your users
- Anti-Virus
  - Lag time to catch new threats
  - Matches files, but not traffic patterns
- IDS alerts on events, but doesn't provide context; that has to come from elsewhere:
  - System logs
  - Proxy logs
  - DNS logs
  - Information from other people
Structure of a SOC
[Diagram: a private network connecting the IDS, the Management Systems, the Analyst Systems and the Analysis Lab, surrounded by the people involved: Management, Users and Other Experts]
Private network
- Secure communication between
  - IDS
  - Management System
  - Analyst Systems
- Management and update of IDS and rules
IDS system
- Secured OS
- IDS software: Snort, Barnyard2, Pulled Pork, stunnel
- Packet capture: tcpdump, Daemonlogger
Management system
- Secured OS
- LAMP
- Management software: BASE, Snorby, OSSIM, Splunk, Nagios, etc.
Analyst Systems
- Secured OS
- Management System interface
- Analysis tools: Wireshark, tcpdump, NetWitness

"But I thought you wanted a secure system!"
Lab
- Test system
  - Test rules on the IDS
  - Test configuration changes
  - Can be used as a backup
- A safe environment to:
  - Play with malware
  - Try hacks
These activities can help you discover the criteria to build custom rules for the IDS.
It's probably a good idea to use VMs for your lab.
Analysts (the meat of the operation)
- You need highly skilled people who:
  - Know networking
  - Understand attacks
  - Understand malware
  - Are comfortable with things like source code, hex, etc.
  - Are open to new ideas
  - Are creative thinkers
  - Are good at deductive reasoning and critical thinking
  - Have a passion for this
  - Don't blink
  - Don't ever call in sick
  - Don't need sleep
  - Love to keep learning
Other experts
- System/Network Administrators
  - Keep the whole thing working
  - Tune IDS rules
- Forensics experts
  - For more in-depth analysis
- Incident Response
  - To mitigate incidents after they happen
- External entities
  - Government, law enforcement, etc.
Users (the other white meat)
- Report things
  - Phishing emails
  - Stolen property
  - Loss of data
- Do things
  - Download malware
  - Engage in inappropriate activities
- The most widely deployed IDS you have, if "tuned" properly
Management
- To interface with other entities
- Keep all the pieces from falling apart
- Make it rain (decide who gets the money)
- I guess someone has to make decisions...
The data
[Diagram: network events and log files from firewalls, hosts, proxy servers and DNS servers, plus phone calls, emails and other sources]
Handling all that data
All that data?
- Filtering
- False positives
- Thresholding
- Categorization
Categorization
US-CERT recommends the following categories for events:

Category  Name
CAT 0     Exercise/Network Defense Testing
CAT 1     Successful Unauthorized Access
CAT 2     Denial of Service
CAT 3     Successful installation or post-install beaconing of malicious code
CAT 4     Improper Usage
CAT 5     Scans/Probes/Attempted Access
CAT 6     Investigation
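The four steps on the previous two slides (filtering, false positives, thresholding, categorization) are easy to see in code. The following is an added example, not material from the presentation: it reads Snort "alert_fast" lines, drops alerts from a suppression list (the authorized vulnerability scanner is the classic false positive), applies a Snort-style "threshold type limit" per (SID, source) so one noisy host cannot flood the analysts, and tags each surviving alert with a US-CERT category. The alert lines, the rule SIDs (1000001 to 1000004), the suppression list and the mapping from Snort classification text to CAT number are all constructed for this example; the mapping in particular is an assumption, not a US-CERT rule.

```python
"""Filtering, thresholding and US-CERT categorization of Snort alert_fast lines.

Added example, not code from the original presentation. Alert lines, SIDs,
suppression list and the classification-to-CAT mapping are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Snort alert_fast line looks like:
# 01/15-10:00:01.000100  [**] [1:1000001:1] msg [**] [Classification: X] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
FAST_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

US_CERT_CATEGORIES = {
    0: "Exercise/Network Defense Testing", 1: "Unauthorized Access",
    2: "Denial of Service", 3: "Malicious Code", 4: "Improper Usage",
    5: "Scans/Probes/Attempted Access", 6: "Investigation",
}

# ASSUMPTION: our own choice of CAT per Snort classification description.
# The keys are Snort's standard classification texts; anything unknown or
# unclassified lands in CAT 6 (Investigation) for an analyst to look at.
CLASS_TO_CAT = {
    "Successful Administrator Privilege Gain": 1, "Successful User Privilege Gain": 1,
    "Attempted Denial of Service": 2, "Detection of a Denial of Service Attack": 2,
    "A Network Trojan was detected": 3, "Known malware command and control traffic": 3,
    "Potential Corporate Privacy Violation": 4, "Inappropriate Content was Detected": 4,
    "Attempted Information Leak": 5, "Detection of a Network Scan": 5,
    "Attempted Administrator Privilege Gain": 5, "Attempted User Privilege Gain": 5,
}

# Known false positive: (sid, source IP) of our authorized vulnerability scanner.
SUPPRESS = {(1000001, "10.0.0.99")}


def parse_fast(line):
    """Parse one alert_fast line into a dict, or None if it is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # alert_fast carries no year; a fixed year is assumed so timestamps compare.
    a["time"] = datetime.strptime("2024/" + a["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    a["sid"] = int(a["sid"])
    a["cat"] = CLASS_TO_CAT.get(a["cls"], 6)
    return a


def triage(lines, suppress=SUPPRESS, limit=3, window=timedelta(seconds=60)):
    """Drop suppressed alerts, then keep at most `limit` alerts per (sid, src)
    within `window` (the semantics of Snort's 'threshold type limit').
    Returns (kept_alerts, stats)."""
    kept, stats = [], {"parsed": 0, "suppressed": 0, "thresholded": 0}
    recent = defaultdict(list)  # (sid, src) -> timestamps of alerts we kept
    for line in lines:
        a = parse_fast(line)
        if a is None:
            continue
        stats["parsed"] += 1
        key = (a["sid"], a["src"])
        if key in suppress:
            stats["suppressed"] += 1
            continue
        recent[key] = [t for t in recent[key] if a["time"] - t <= window]
        if len(recent[key]) >= limit:
            stats["thresholded"] += 1
            continue
        recent[key].append(a["time"])
        kept.append(a)
    return kept, stats


def summarize(alerts):
    """Count kept alerts per US-CERT category, e.g. {'CAT 3 Malicious Code': 1}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["cat"]] += 1
    return {"CAT %d %s" % (c, US_CERT_CATEGORIES[c]): n for c, n in sorted(counts.items())}


# Constructed sample input (not real traffic): scanner noise, a brute-force
# burst of five alerts in five seconds, a C2 beacon, and an unclassified event.
SAMPLE_ALERTS = [
    "01/15-10:00:01.000100  [**] [1:1000001:1] CONSTRUCTED SCAN Nmap OS probe [**] "
    "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} 10.0.0.99:40001 -> 10.0.0.20:22",
] + [
    "01/15-10:01:0%d.000000  [**] [1:1000002:2] CONSTRUCTED WEB admin login attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:5%d000 -> 10.0.0.80:80"
    % (i, i) for i in range(5)
] + [
    "01/15-10:02:30.500000  [**] [1:1000003:1] CONSTRUCTED MALWARE beacon to known C2 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.45:49152 -> 198.51.100.9:443",
    "01/15-10:03:00.000000  [**] [1:1000004:1] CONSTRUCTED odd traffic [**] "
    "[Priority: 3] {UDP} 10.0.0.45:5353 -> 224.0.0.251:5353",
]

if __name__ == "__main__":
    kept, stats = triage(SAMPLE_ALERTS)
    print(stats)
    for a in kept:
        print("CAT %d %s %s -> %s %s" % (a["cat"], a["time"].time(), a["src"], a["dst"], a["msg"]))
    print(summarize(kept))
```

On the sample input the scanner alert is suppressed, two of the five login-attempt alerts are thresholded, and the five survivors are tagged CAT 5, CAT 3 and CAT 6. In a real deployment the suppression and threshold settings belong in Snort's own threshold.conf so the sensor never emits the noise; the point of doing it in a script is that the same logic can run over alerts from Barnyard2 or a SIEM export while you are still tuning.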
Analyzing something like malware
Mitigation/Incident Response
- User education
- User access controls
  - Stop giving users administrative access
- Proxy servers and firewalls
  - Deny access to known bad sites
  - Deny certain kinds of downloads
  - Block posting to known bad IPs
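The three proxy/firewall bullets above are a policy decision per request, and the details matter: a domain blocklist has to match parent domains without being fooled by look-alikes, and an IP blocklist should work on the resolved destination, not on the hostname. The following is an added example, not code from the presentation; the blocklists, the blocked extensions and the sample requests are constructed, and the `check_request` function is a standalone illustration of the rules, not a module from any real proxy.

```python
"""Request policy for the three proxy/firewall mitigations: deny known bad
sites, deny certain download types, block posting to known bad IPs.

Added example, not code from the original presentation. Blocklists and
sample requests are constructed for illustration.
"""
import ipaddress
import os
from urllib.parse import urlsplit

# Constructed blocklists (documentation ranges and .example names only).
BAD_DOMAINS = {"evil.example", "malware-cdn.example"}
BAD_NETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.7/32")]
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".jar", ".vbs", ".hta"}
UPLOAD_METHODS = {"POST", "PUT"}


def normalize_host(host):
    """Lower-case and strip a trailing dot so 'EVIL.example.' still matches."""
    return (host or "").lower().rstrip(".")


def is_bad_domain(host):
    """True if host equals a blocked domain or sits under one.
    'www.evil.example' matches 'evil.example'; 'evil.example.com' does not,
    which is the look-alike trick a naive substring check falls for."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def is_bad_ip(dest_ip):
    """True if the resolved destination falls in a blocked network."""
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    return any(ip in net for net in BAD_NETS)


def check_request(method, url, dest_ip):
    """Return (allowed, reason) for one proxied request.
    dest_ip is the address the proxy actually connects to (post-DNS)."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    if not host:
        return False, "no host in URL"
    if is_bad_domain(host):
        return False, "known bad site"
    # Extension check on the path only; the query string is ignored on purpose.
    ext = os.path.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, "blocked download type %s" % ext
    # The slide blocks *posting* to bad IPs; extend UPLOAD_METHODS to block all
    # methods if your policy is stricter.
    if method.upper() in UPLOAD_METHODS and is_bad_ip(dest_ip):
        return False, "posting to known bad IP"
    return True, "ok"


# Constructed sample requests: (method, URL, resolved destination IP).
SAMPLE_REQUESTS = [
    ("GET", "http://www.EVIL.example./index.html", "192.0.2.10"),   # parent-domain match
    ("GET", "http://evil.example.com/", "192.0.2.11"),              # look-alike, allowed
    ("GET", "http://files.example.net/setup.exe?x=1", "192.0.2.12"),
    ("POST", "http://upload.example.net/submit", "198.51.100.44"),  # bad IP, upload
    ("GET", "http://upload.example.net/submit", "198.51.100.44"),   # bad IP, but a GET
    ("GET", "http://[2001:db8::1]:8080/payload.jar", "2001:db8::1"),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Apply the policy to every sample request; returns a list of reasons."""
    return [check_request(m, u, ip)[1] for m, u, ip in requests]


if __name__ == "__main__":
    for req, reason in zip(SAMPLE_REQUESTS, evaluate_all()):
        print("%-4s %-45s %-15s -> %s" % (req[0], req[1], req[2], reason))
```

The same three checks translate directly into Squid ACLs (dstdomain, url_regex on the extension, dst with the method acl) or into firewall rules for the IP part; keeping them in one function like this is mostly useful in the lab for testing a blocklist change before it goes on the proxy.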
