RSA Admin

Finding deceptive bad guys with NetWitness - training exercise

Discussion created by RSA Admin Employee on Oct 31, 2012
Latest reply on Nov 5, 2012 by RSA Admin

One of the presentations at TechFest this year was designed to show the perspective of a bad guy performing a hack on a ficticious company network.  The attack incorporated a few elements of deception designed to make the life of anyone investigating the incident (good guys like us!) just a little harder. 

As part of this exercise a PCAP was captured on the border of the fake corporate network so that security guys and girls can load it up in NetWitness Investigator and take a look at what can be seen.  The PCAP is only about 2MB, so it is very easy to play with.  Open it up using the NetWitness Investigator freeware if that is all you have... it still works well for training purposes.


Before looking at the PCAP it is useful to watch the videos accompanying the "hack".  Videos are attached and show the perspective of our hacker and target user.  Now that you have seen what actually happened in the attack open up the PCAP and see just how hard this activity is to find.  Imagine if this data was hidden among terrabyts of other network data, could you isolate and understand what actually took place?


To be fair, in the majority of financially motivated cyber crime incidents the bad guys don't bother with all of the deception techniques used in this exercise.  However, if they did you can appreciate it can be nearly impossible to spot the evidence or understand all the actions undertaken in a network compromise. 


Things to look for in the pcap include:

Can you see evidence of the reconnaissance in any of the traffic?

What is the first evidence of malicious behaviour on the network? How easy is this to spot or differentiate from normal network traffic?

If you were investigating this incident without full knowledge of the attack could you piece together what had happened?


If you were the bad guy what could you have done different to make life for a SA even harder?


Being a good SA means thinking from the perspective of offense as much as defence.  This exercise was aimed at getting people to think about the perspecitve of a bad guy in order to better understand network evidence left behind in modern attacks.