This brief session focuses on the visualization of actual security incidents, network forensics and counter-surveillance of covert criminal communications, using large data sets drawn from various security logs, together with a very brief introduction to correlation engine logic. Visually displaying security or network issues can convey risk or urgency in a way that a set of dry logs or other methods might not. Additionally, many organizations rely on a more singular approach and react to security events, often from a source with a high false-positive rate such as isolated intrusion prevention or firewall alerts, or rely only on anti-virus alerts. Utilizing a correlation engine (especially an open source one) or a similar application offers a method of discovering, and in some cases proactively detecting, such issues. The research discussed involves the analysis and interrogation of firewall, intrusion detection and prevention system and web proxy logs, and of available security research. What does a compromised server infected with spam malware look like? What does cyber warfare look like? This is a 20 minute presentation of data visualization and investigation scenarios covering five actual issues discovered using various security logs and a correlation engine. The lecturer will take you on a visual journey from seemingly mundane entries in firewall logs through to detecting covert communications between a corporate web server and a cyber-criminal drop zone. Additional visualizations presented: a United Kingdom based portion of the South Korean DNS Distributed Denial of Service attacks of July/August 2008, what bypassing deep packet inspection using HTTPS/SSL/TLS looks like, detecting a rogue corporate email server, malicious DNS usage and more. Although the presenter used a commercial correlation engine, the presentation will conclude with a discussion of an open source correlation engine.
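As an added illustration of the kind of correlation logic the abstract refers to (this is example code written for this page, not the presenter's rules or any correlation engine's own), the script below runs two simple rules over constructed firewall log lines: outbound SMTP from any host other than the approved mail relay (the rogue email server scenario) and repeated outbound sessions initiated by a DMZ web server (the web server to drop zone scenario). The log format, the relay and web server addresses, and the repeat threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (syslog-like); not taken from the talk.
SAMPLE_LOGS = """\
2008-07-14T10:00:01 ACCEPT src=10.0.1.20 dst=203.0.113.5 dport=443 proto=tcp
2008-07-14T10:00:02 ACCEPT src=10.0.2.10 dst=198.51.100.9 dport=25 proto=tcp
2008-07-14T10:00:03 ACCEPT src=10.0.2.77 dst=198.51.100.40 dport=25 proto=tcp
2008-07-14T10:00:04 ACCEPT src=10.0.2.77 dst=198.51.100.41 dport=25 proto=tcp
2008-07-14T10:00:05 ACCEPT src=10.0.1.50 dst=192.0.2.200 dport=8080 proto=tcp
2008-07-14T10:00:06 ACCEPT src=10.0.1.50 dst=192.0.2.200 dport=8080 proto=tcp
2008-07-14T10:00:07 ACCEPT src=10.0.1.50 dst=192.0.2.200 dport=8080 proto=tcp
2008-07-14T10:00:08 DROP src=10.0.1.50 dst=192.0.2.201 dport=8080 proto=tcp
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Assumptions about the environment: the only host allowed to send SMTP outbound,
# and the DMZ web servers that should only answer inbound requests, never call out.
APPROVED_MAIL_RELAYS = {"10.0.2.10"}
WEB_SERVERS = {"10.0.1.50"}
OUTBOUND_REPEAT_THRESHOLD = 3  # repeated sessions to one destination look like beaconing


def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(lines):
    """Apply both rules to accepted (permitted) traffic and return findings by rule name."""
    findings = {"rogue_mail_server": set(), "web_server_outbound": []}
    outbound = defaultdict(int)
    for ev in parse(lines):
        if ev["action"] != "ACCEPT":
            continue  # blocked traffic was already stopped; only permitted flows matter here
        if ev["dport"] == "25" and ev["src"] not in APPROVED_MAIL_RELAYS:
            findings["rogue_mail_server"].add(ev["src"])
        if ev["src"] in WEB_SERVERS:
            outbound[(ev["src"], ev["dst"], ev["dport"])] += 1
    for (src, dst, dport), count in outbound.items():
        if count >= OUTBOUND_REPEAT_THRESHOLD:
            findings["web_server_outbound"].append((src, dst, dport, count))
    findings["rogue_mail_server"] = sorted(findings["rogue_mail_server"])
    return findings
```

Each finding carries the source, destination and port so it can be plotted or pivoted into proxy and IDS logs for the same hosts, which is where the visual investigation the abstract describes would start.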