DeepSec 2019 Training: Analysing Intrusions with Suricata – Peter Manev & Eric Leblond
Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond to and protect against threats in their network day to day, as well as to identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce the course’s concepts while utilizing the latest Suricata features. Come and see what you’ve been missing in your network and unlock the full potential of network security, detection, and response with Threat Hunting with Suricata at the DeepSec 2019 training.
In this course, students will learn through a combination of lecture and approximately 15 hands-on labs (depending on workshop duration):
- Identify key strategies for network security architecture and visibility
- Learn the fundamentals of rule writing and rule comprehension
- Understand how to manage rule sources and create effective rulesets
- Develop methods for establishing network baselines
- Recognize traffic anomalies
- Use Suricata to capture network traffic and replay PCAPS
- Utilize log aggregation and shipping services to build a complete picture
- Perform traffic analysis and create visualizations with Kibana
- Develop a custom network sensor with Suricata and ELK
- Analyze suspicious traffic to determine maliciousness
- Learn how to pivot off of key attack indicators using threat intelligence
- Analyze true positive and false positive alerts
- Leverage rules specifically for threat hunting
- Deploy honey tokens
We asked Peter and Eric a few more questions about their training.
Please tell us the top 5 facts about your talk.
- Attendees will analyze the major phases of malware operations, perform deep technical analysis and come away with experience in detecting and hunting for threat actors. This will form the basis of an effective threat hunting program, or provide ideas to help increase the efficiency of existing programs.
- Attendees will learn how much more Suricata can do outside of generating alerts. Protocol specific logs, file extraction, full packet capture and TLS fingerprinting are some of the primary features the latest version of Suricata offers. In addition, they will see how to build an extensive monitoring and analysis solution with open-source software for a comprehensive security solution.
- Students will learn how to formulate proactive threat hunting strategies to help reduce the time from compromise to detection. They will also be able to utilize these strategies to develop effective approaches for proactive threat hunting activities. Network monitoring creates a large amount of data; this course will help attendees pick out key information from all of the noise.
- This class offers extensive hands-on experiences that will take Suricata users and developers, and those familiar with similar IDS systems, from the efficient and fast set-up of correct operations to successful threat hunting examples in massive traffic jams with Suricata.
- This class also offers a unique opportunity to bring in-depth use cases, questions, challenges, and new ideas directly to the Suricata team.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Protecting an enterprise network requires constant vigilance, deep technical understanding and effective security programs. With the number of breaches on the rise and the impact they have on not only the business, but also its customers, we felt that we could help the community by training them on how to perform threat hunting and develop effective strategies around it. This, in turn, can help increase an organization’s ability to detect and respond to threats, minimizing the time between initial compromise and detection. This course was designed to cover the fundamental aspects of Suricata such as rule comprehension, managing rule sets, validating alerts, working through false positives/negatives and customizing rules to provide more visibility into your traffic. In-depth analysis of network traffic and the development of threat hunting strategies to detect anomalous or malicious activity will be accomplished with tools such as Moloch, Kibana and CyberChef. Hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the course. Threat intelligence feeds and other online resources will also be explored to learn how to pivot between data sources while performing proactive threat hunting activities. This is an ideal course for security analysts, blue teams and malware researchers to get hands-on, diving deep into malicious traffic.
Why do you think this is an important topic?
Closing the gap between when an infection occurs and when it is detected is a key goal of an effective threat hunting program. While many security solutions focus on detecting adversarial activity in real time, skilled threat actors have demonstrated the ability to bypass these security tools. This can leave an organization vulnerable to further compromise and data breaches. Having the right data available during an incident or when performing proactive threat hunting activities is crucial for success. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond to and protect against threats in their network day to day, as well as to identify new threats through structured data aggregation and analysis.
Is there something you want everybody to know – some good advice for our readers maybe?
Effective threat hunting programs can help provide greater visibility into what is going on in your networks and increase your ability to detect threat actors. This course will focus on utilizing open-source tools such as Suricata, Moloch and Kibana to generate data, perform exhaustive traffic analysis and develop comprehensive threat hunting strategies. The goal is to come away with ideas, strategies and tools to develop, implement and possibly refine a threat hunting program at your organization.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
While adversary tactics change, the use of the network for such activities as command-and-control, lateral movement and data exfiltration remains. This makes monitoring a network a crucial piece of any organization’s security, and it will remain a valuable source for detecting malicious activity. Therefore, network traffic analysis will remain a pillar on which effective security programs are built, and learning how to properly defend networks remains critical.
Peter Manev (aka pevma, in some countries also DonPedro / pevman)
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead and is currently a Suricata Executive Council member. Peter has 15 years of experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software, he is also one of the creators of SELKS – an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.
Eric Leblond (aka regit) is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS, since 2009 and is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.