[00:00:06] [Instructor] Encryption has great benefits for security and privacy. But in the world of incident response and forensics, encryption introduces several challenges. Even law enforcement agencies actually have been fascinated by the use of encryption and the dual nature of encryption. When protecting information and communications, encryption actually has numerous benefits for everyone, from governments and the military to corporations and individuals. On the other hand, some of the same mechanisms can be used by threat actors as a method of evasion and (muffled speaking) right? So to avoid being detected. Now historically even governments have tried to regulate the use of and exportation of encryption technologies, right? A good example is the Wassenaar Arrangement, which is a multinational arrangement with the goal to regulate the export of technologies like encryption. Another example is the allegedly US National Security Agency, or NSA, backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator, or the Dual EC DRBG.
[00:01:23] And this, you know, is actually done to allow for clear text extraction of many algorithms seeded by the pseudo-random number generator, right, by that Dual EC DRBG. Now some folks have shared the idea of encrypting everything. In that case, encrypting everything will actually have very serious consequences, not only for law enforcement agencies, but for incident response professionals, right? Something to remember about the concept of encrypting everything is that the deployment of end-to-end encryption is difficult and can leave unencrypted data at risk to an attack. Now, there are many security products, including the next generation IPS and next generation firewalls, that can intercept, decrypt, inspect and also re-encrypt or even ignore encrypted traffic payloads, right? Several people consider this a man-in-the-middle attack, right? And have many, you know, privacy concerns.
[00:02:24] On the other hand, you can actually use metadata from network traffic and other security event sources to still be able to investigate and solve security issues. You can attain a lot of good information leveraging things like NetFlow, firewall logs, web proxy logs, user authentication information, and even passive DNS data. Now, in some cases, the combination of these logs can make encrypted contents of malware payloads and other traffic fairly relevant, right? So of course, this is as long as you can detect its traffic patterns, to be able to actually remediate the incident. It is important to recognize that from a security monitoring perspective, it is technically possible to monitor some encrypted communications, like we mentioned before, in the case of next generation IPS and next generation firewalls; however, from a policy perspective, it is a different story, right? Especially depending on your geographical location and also your local laws around privacy. Now, another technology that introduces some challenges to security monitoring is network address translation, or NAT.
[00:03:33] By using NAT, a firewall or a router hides the internal private address from the unprotected network or the internet, and exposes only its own address, or a public range of addresses, or a predetermined IP address. Now this enables a network professional to actually use any IP address space as the internal network. Now, NAT, or network address translation, can present a challenge when performing security monitoring and analyzing logs, right? And also when analyzing NetFlow and/or other data, since device IP addresses can be seen in the logs as the translated IP address versus the actual real IP address, right? In the case of port address translation, or PAT, this could be even more problematic, since many different hosts can be translated to a single address, making the correlation almost impossible to achieve.
[00:04:28] Now there's some good news: a few security products, such as the Cisco Lancope StealthWatch system, provide features such as NAT stitching that can be used with NetFlow and other data in the network to actually be able to correlate and map translated IP addresses in a NAT environment, right. Now this accelerates the incident response task, and also eases the continuous security monitoring operations. Another technology that introduces some challenges to security monitoring is DNS tunneling, right? Attackers actually have developed software that enables tunneling over DNS for years, right? They actually have been using this to exfiltrate data from their victims for years. These threat actors like to use protocols that traditionally are not designed for data transfer, since they're less inspected in terms of security monitoring, right? So undetected DNS tunneling, otherwise known as DNS exfiltration, represents a significant risk to any organization.
[00:05:34] Now, in many cases, malware can use Base64 encoding and other types of encoding to put sensitive data, things like credit cards, personally identifiable information, and other types of sensitive information, in the payload of DNS packets, to actually, you know, exfiltrate that data from their victims. These are some examples of encoding methods that actually can be used by attackers, right? So including Base64, binary encoding, NetBIOS encoding, and also hex encoding. There are several utilities that actually have been created to perform DNS tunneling, right. For the good, and also for the bad. Here I'm actually including a few examples for your reference, right? So one thing to highlight is that some of these tools were not created with the intent to steal data, but cyber criminals actually have used them for years, you know, for their own purposes, right, to exfiltrate data from the network. Another tool that presents some challenges to security monitoring is Tor, otherwise known as The Onion Router, right? Many people nowadays use tools like Tor for privacy.
[00:06:48] Tor is actually a free tool that enables its users to actually surf the web anonymously. However, you know, Tor actually works by routing IP traffic through a free worldwide network consisting of thousands of Tor relays, right? That's what we call Tor relays. Then Tor actually constantly changes the way it routes traffic in order to obscure a user's location from anyone monitoring the network. The usage of Tor also makes it more difficult for security monitoring and incident response, right? Since it can be hard to attribute and trace back the traffic to a specific user, or of a specific user, right? So different types of malware are also known to use Tor to actually cover their tracks, and actually to communicate between the malware and the attacker, right? So this onion routing is actually accomplished by encrypting the application layer of a communication protocol stack in layers that are nested just like the layers of an onion, thus the name, The Onion Router. The Tor client encrypts the data multiple times and sends it through a network, or a circuit.
[00:08:06] And that includes randomly selected Tor relays, right? Each of the relays actually decrypts a layer of the onion, and then reveals only the information needed to reach the next relay, so it can then route the remaining encrypted data, and then so on, you know, and reach the destination. Here I'm actually showing the Tor browser, right. There you can see the Tor circuit, where the user actually accesses cisco.com from the Tor browser, right? So first one to a host in the Netherlands, then a host in Sweden, a host in France, and finally to cisco.com. Tor exit nodes are basically the last Tor node, or the gateways, where the Tor encrypted traffic exits to the internet, right? So a Tor exit node can be targeted to monitor Tor traffic, right? Many organizations block Tor exit nodes in their environment, to actually protect, you know, their communications, and to actually make sure that no internal devices are actually using Tor. Now, the Tor project actually has a dynamic list of Tor exit nodes that makes, you know, this task a little bit easier.
[00:09:19] You know, this is actually the Tor exit node list that actually can be downloaded from the link that I'm actually sharing in here, from the torproject.org website. Now, security products like the Cisco Next-Generation Firepower, you know, appliances and Firepower Threat Defense, provide the ability to dynamically learn and block Tor exit nodes, right? That's actually a beauty of these next generation platforms. Peer-to-peer communication also presents some security challenges, right? So peer-to-peer is actually referred to as the distributed architecture that divides tasks between participants, competing peers, right? In a peer-to-peer network, the peers are equally privileged, right? This is why they're called a peer-to-peer network of nodes. Now peer-to-peer participant computers, or nodes, reserve a chunk of their resources, like you know, CPU, memory, disk, and network bandwidth, so that the other peers or participants can actually access those resources, right? This is all done without the need of a centralized server.
[00:10:27] In peer-to-peer networks, each peer can be both a supplier as well as a consumer of resources or data. A good example was the music sharing application, you know, that was actually very popular in the '90s, called Napster. Now peer-to-peer networks not only have been used to share music, videos, stolen books and other data, but even legitimate multimedia applications, like, you know, an example is Spotify, right? It actually uses a peer-to-peer network, along with the streaming servers, to stream audio and video to their clients, right? There's even an application called Peercoin, also known as PPCoin, which is a peer-to-peer cryptocurrency platform that actually utilizes both proof of stake and also proof of work systems to actually do, you know, Bitcoin mining, and you know, cryptocurrency transactions, right. Now universities like MIT and Penn State actually have created a project called LionShare. And that is actually designed to share files among educational institutions globally.
[00:11:39] So again, not only for the bad, but also peer-to-peer actually has been used for the good as well, right. Now, from a security perspective, peer-to-peer systems introduce a unique challenge, right? Malware has actually used peer-to-peer networks to communicate and also to spread, you know, other instances of the same malware to victims, right? So many free or stolen music and movie files usually come with a surprise of malware as well. So that's one thing to actually keep in mind. Additionally, like any other form of software, peer-to-peer applications are not immune to security vulnerabilities, right? This of course introduces risk for peer-to-peer software to be more susceptible to remote exploits, due to the nature of the peer-to-peer network architecture. Another challenge is actually to keep network telemetry and logs from all sources in sync. Now, server logs, endpoint logs, NetFlow, syslog data, and any other security monitoring data will be useless if it is actually showing the wrong date and the wrong time.
[00:12:46] This is why it is a best practice that you should configure all network devices and your servers, and you know, everything, to actually use network time protocol, or NTP. So by using NTP, we ensure that the correct time is set and is also synchronized between all the devices within the network and all the sources of telemetry, you know. Another best practice is to try to reduce the amount of duplicate logs, right? Now these best practices will save you time, and will also increase your operational efficiency whenever you're monitoring your network.