1
00:00:06,690 --> 00:00:09,350
- Security analysts in the security operations center,

2
00:00:09,350 --> 00:00:12,450
in the SOC, always have to try

3
00:00:12,450 --> 00:00:14,300
to have complete visibility

4
00:00:14,300 --> 00:00:16,180
into what's happening in the network.

5
00:00:16,180 --> 00:00:19,910
However, that task is easier said than done.

6
00:00:19,910 --> 00:00:22,010
There are a lot of different challenges

7
00:00:22,010 --> 00:00:24,390
that can lead to false negatives.

8
00:00:24,390 --> 00:00:25,710
So, in other words,

9
00:00:25,710 --> 00:00:27,610
where you cannot detect malicious

10
00:00:27,610 --> 00:00:29,830
or abnormal activity in the network.

11
00:00:29,830 --> 00:00:32,510
And here I'm actually, I'm gonna go over

12
00:00:32,510 --> 00:00:34,890
and highlight some of these challenges

13
00:00:34,890 --> 00:00:38,980
that you will indeed face in the security operations center.

14
00:00:38,980 --> 00:00:42,470
The first one, by far, is encryption.

15
00:00:42,470 --> 00:00:45,040
Encryption has a lot of benefits for security,

16
00:00:45,040 --> 00:00:47,010
a lot of benefits for privacy.

17
00:00:47,010 --> 00:00:49,500
But in the world of incident response and forensics

18
00:00:49,500 --> 00:00:52,410
it can present a lot of different challenges.

19
00:00:52,410 --> 00:00:55,870
Even law enforcement agencies have been fascinated

20
00:00:55,870 --> 00:00:59,360
with the dual-use nature of encryption.

21
00:00:59,360 --> 00:01:01,180
Whenever you protect information

22
00:01:01,180 --> 00:01:03,500
and communications, definitely encryption

23
00:01:03,500 --> 00:01:05,150
has numerous benefits.

24
00:01:05,150 --> 00:01:08,490
However, the same mechanisms can be used

25
00:01:08,490 --> 00:01:13,083
by threat actors as a method of evasion and obfuscation.
26
00:01:15,490 --> 00:01:19,330
Now, many security products, including next-generation IPS

27
00:01:19,330 --> 00:01:23,730
and next-generation firewalls, can intercept, decrypt

28
00:01:23,730 --> 00:01:27,120
and inspect, and then re-encrypt the traffic,

29
00:01:27,120 --> 00:01:29,020
or even ignore the encrypted traffic payloads

30
00:01:29,020 --> 00:01:30,350
in some cases, right?

31
00:01:30,350 --> 00:01:32,710
However, some people may consider this

32
00:01:32,710 --> 00:01:34,360
a man-in-the-middle attack

33
00:01:34,360 --> 00:01:37,900
and specifically nowadays, with a lot of privacy concerns,

34
00:01:37,900 --> 00:01:40,310
a lot of companies are actually trying to divorce

35
00:01:40,310 --> 00:01:42,690
from that, especially because of regulation, right?

36
00:01:42,690 --> 00:01:45,020
Think about GDPR, for example.

37
00:01:45,020 --> 00:01:49,530
Now, you can still use metadata from network traffic

38
00:01:49,530 --> 00:01:51,960
and other different security event sources

39
00:01:51,960 --> 00:01:55,330
to investigate and solve security issues.

40
00:01:55,330 --> 00:01:57,330
Now, you can obtain a lot of good information

41
00:01:57,330 --> 00:01:59,980
by leveraging things like NetFlow, firewall logs,

42
00:01:59,980 --> 00:02:03,410
web proxy logs, user authentication information

43
00:02:03,410 --> 00:02:06,560
and even passive DNS data.
44
00:02:06,560 --> 00:02:09,180
Now, Cisco has a technology

45
00:02:09,180 --> 00:02:11,660
called Encrypted Traffic Analytics

46
00:02:11,660 --> 00:02:15,170
which basically, is integrated into Stealthwatch

47
00:02:15,170 --> 00:02:19,800
and cognitive security, which will help you determine

48
00:02:19,800 --> 00:02:23,120
if some type of communication may be malicious

49
00:02:23,120 --> 00:02:26,020
by examining that network metadata, you know,

50
00:02:26,020 --> 00:02:29,080
including NetFlow and logs from servers,

51
00:02:29,080 --> 00:02:31,490
logs from firewalls and so on,

52
00:02:31,490 --> 00:02:32,880
to be able to determine that, right?

53
00:02:32,880 --> 00:02:35,690
And it also uses, behind the scenes,

54
00:02:35,690 --> 00:02:37,833
something that we call cognitive security.

55
00:02:39,070 --> 00:02:41,670
Another challenge that you may encounter

56
00:02:41,670 --> 00:02:44,020
in the security operations world, right,

57
00:02:44,020 --> 00:02:47,170
is whenever you are inspecting traffic

58
00:02:47,170 --> 00:02:51,370
that may be, you know, coming after a device

59
00:02:51,370 --> 00:02:54,550
is actually performing network address translation, or NAT.

60
00:02:54,550 --> 00:02:56,780
And specifically, also whenever

61
00:02:56,780 --> 00:02:59,270
you're doing port address translation,

62
00:02:59,270 --> 00:03:01,630
in other words, PAT, right?

63
00:03:01,630 --> 00:03:03,240
That can present a challenge whenever

64
00:03:03,240 --> 00:03:04,960
you're performing security monitoring

65
00:03:04,960 --> 00:03:07,430
and analyzing logs and, you know,

66
00:03:07,430 --> 00:03:09,340
many other things, like even NetFlow

67
00:03:09,340 --> 00:03:12,820
that we just mentioned, because what you're seeing

68
00:03:12,820 --> 00:03:16,460
in the log is the translated IP address versus

69
00:03:16,460 --> 00:03:19,740
the real IP address that each of the systems has, right?
70
00:03:19,740 --> 00:03:22,160
So, in the case of port address translation

71
00:03:22,160 --> 00:03:26,500
or PAT, this could become even more problematic

72
00:03:26,500 --> 00:03:30,450
because many different hosts behind that device,

73
00:03:30,450 --> 00:03:32,120
behind that network infrastructure device,

74
00:03:32,120 --> 00:03:35,290
whether it's a firewall or a router, you know,

75
00:03:35,290 --> 00:03:38,270
a switch and so on, can be translated

76
00:03:38,270 --> 00:03:41,540
to a single address, making the correlation

77
00:03:42,810 --> 00:03:45,240
basically impossible to achieve, right?

78
00:03:45,240 --> 00:03:47,050
Now, some security products,

79
00:03:47,050 --> 00:03:50,210
like the Cisco Stealthwatch system,

80
00:03:50,210 --> 00:03:52,910
provide features that can be used

81
00:03:52,910 --> 00:03:56,090
to correlate or, quote unquote, map

82
00:03:56,090 --> 00:03:59,650
that translated IP address with things like NetFlow.

83
00:03:59,650 --> 00:04:02,700
This feature in the Stealthwatch system

84
00:04:02,700 --> 00:04:04,880
is called NAT stitching.

85
00:04:04,880 --> 00:04:07,830
And basically this accelerates the incident response task

86
00:04:07,830 --> 00:04:11,030
and uses the continuous security, you know,

87
00:04:11,030 --> 00:04:14,400
monitoring operations within your environment.

88
00:04:14,400 --> 00:04:18,630
Another big challenge in a security operations center,

89
00:04:18,630 --> 00:04:21,550
and basically, in your security operations as a whole,

90
00:04:21,550 --> 00:04:23,840
is whenever different systems

91
00:04:23,840 --> 00:04:26,330
are not using the correct time.
92
00:04:26,330 --> 00:04:30,210
And that's why it's extremely important for you

93
00:04:30,210 --> 00:04:33,660
to use the Network Time Protocol, to ensure

94
00:04:33,660 --> 00:04:35,340
that the correct time is actually set

95
00:04:35,340 --> 00:04:37,570
in all the devices within the network

96
00:04:37,570 --> 00:04:39,450
and they're synchronized.

97
00:04:39,450 --> 00:04:42,520
That's because it actually will help you,

98
00:04:42,520 --> 00:04:44,620
I mean, of course, correlate the information.

99
00:04:44,620 --> 00:04:47,390
Imagine if you have a log saying

100
00:04:47,390 --> 00:04:48,730
that it's two o'clock in the morning

101
00:04:48,730 --> 00:04:51,130
and, you know, something malicious was happening,

102
00:04:51,130 --> 00:04:53,220
and the next device that you're trying

103
00:04:53,220 --> 00:04:54,640
to correlate the information from,

104
00:04:54,640 --> 00:04:56,850
it says that no, it's three o'clock in the morning.

105
00:04:56,850 --> 00:04:58,610
So, it makes it extremely hard,

106
00:04:58,610 --> 00:05:01,070
if not impossible, for you to be able

107
00:05:01,070 --> 00:05:04,060
to correlate and protect your network.

108
00:05:04,060 --> 00:05:06,360
Now, another best practice, kind of related, right,

109
00:05:06,360 --> 00:05:09,930
is to try to reduce the number of duplicate logs.

110
00:05:09,930 --> 00:05:11,660
That's why you have to think

111
00:05:11,660 --> 00:05:14,580
and plan ahead as to where exactly you want

112
00:05:14,580 --> 00:05:16,730
to deploy things like NetFlow

113
00:05:16,730 --> 00:05:19,750
and how you will correlate it with other events

114
00:05:19,750 --> 00:05:23,223
like syslog from other devices, and so on.

115
00:05:24,680 --> 00:05:27,510
Now, for many years, threat actors have been using

116
00:05:27,510 --> 00:05:29,930
many different non-traditional techniques

117
00:05:29,930 --> 00:05:32,890
to steal data from corporate networks.
118
00:05:32,890 --> 00:05:35,680
That includes things like DNS tunneling, right?

119
00:05:35,680 --> 00:05:38,430
As you probably know, you know, DNS is a protocol

120
00:05:38,430 --> 00:05:42,170
that enables systems to resolve domain names.

121
00:05:42,170 --> 00:05:45,750
For example, if you want to resolve hacker.org,

122
00:05:45,750 --> 00:05:49,390
cisco.com, et cetera, that's how you translate it

123
00:05:49,390 --> 00:05:52,500
or you resolve it to an IP address.

124
00:05:52,500 --> 00:05:55,840
Now, DNS is not intended for a command channel

125
00:05:55,840 --> 00:05:58,160
or even tunneling, for that matter.

126
00:05:58,160 --> 00:06:00,990
However, attackers have developed software

127
00:06:00,990 --> 00:06:03,840
that enables tunneling over DNS.

128
00:06:03,840 --> 00:06:07,200
And as a matter of fact, you can also tunnel, you know,

129
00:06:07,200 --> 00:06:10,570
data and tunnel traffic over other protocols.

130
00:06:10,570 --> 00:06:12,940
For example, NTP, the protocol

131
00:06:12,940 --> 00:06:15,410
that we were just talking about as a best practice,

132
00:06:15,410 --> 00:06:18,550
the Network Time Protocol, has also been used

133
00:06:18,550 --> 00:06:19,810
for exfiltration.
134
00:06:19,810 --> 00:06:21,630
And there are many different other ones

135
00:06:21,630 --> 00:06:22,710
that also have been used,

136
00:06:22,710 --> 00:06:26,670
and specifically, since attackers know that probably

137
00:06:26,670 --> 00:06:29,020
these protocols are not gonna be blocked

138
00:06:29,020 --> 00:06:32,030
within the organization, it allows them

139
00:06:32,030 --> 00:06:36,180
to either encode sensitive data, like, for example,

140
00:06:36,180 --> 00:06:39,420
put Base64 encoding, and then putting

141
00:06:39,420 --> 00:06:42,820
that type of data, whether it's a stolen credit card,

142
00:06:42,820 --> 00:06:45,090
personally identifiable information,

143
00:06:45,090 --> 00:06:47,250
many different types of data,

144
00:06:47,250 --> 00:06:50,700
in the payload of the DNS packet, right?

145
00:06:50,700 --> 00:06:53,390
And that, then subsequently,

146
00:06:53,390 --> 00:06:55,720
it's actually traded outside of the organization.

147
00:06:55,720 --> 00:06:58,440
And nowadays, just like we were mentioning

148
00:06:58,440 --> 00:07:00,170
in the beginning of this lesson,

149
00:07:00,170 --> 00:07:03,150
encryption is being used very, very heavily.

150
00:07:03,150 --> 00:07:06,350
So, if you actually have an encrypted payload

151
00:07:06,350 --> 00:07:10,270
inside of a DNS packet that you cannot inspect,

152
00:07:10,270 --> 00:07:12,240
then of course, it's a recipe for disaster,

153
00:07:12,240 --> 00:07:14,940
because an attacker can then, of course,

154
00:07:14,940 --> 00:07:17,160
embed any type of sensitive data

155
00:07:17,160 --> 00:07:19,260
that is actually able to, you know,

156
00:07:19,260 --> 00:07:22,930
trying to steal and successfully exfiltrate

157
00:07:22,930 --> 00:07:24,990
from the corporation.

158
00:07:24,990 --> 00:07:27,140
So, these are some of the most common,

159
00:07:27,140 --> 00:07:28,990
different types of evasion techniques

160
00:07:28,990 --> 00:07:31,773
and challenges of the security operations center.