
Enterprise Information Services

Remote DFIR Investigations – Distributed Moloch

Scott Sattler
Rich Baker
Optum Technology
November 16, 2017

© 2017 UnitedHealth Group. Any use, copying or distribution without written permission from UnitedHealth Group is prohibited.

Business in the Front, Party in the Back


Mergers and Acquisitions (Acquired Entities)


• Big companies are purchasing smaller, high-margin companies to sustain growth
• The smaller companies are usually in the process of purchasing even smaller companies to sustain growth…

DFIR Investigation Issues with Acquired Entities


• Network visibility (DPI, Netflow)
• Lack of endpoint investigation resources
• Inconsistent or non-existent DNS logs
• Logging of critical infrastructure devices (firewalls, proxies, domain controllers, DHCP, etc.)
• Inexperienced personnel
• Centrally managed information security systems
• Old technology

Addressing the DFIR Investigation Issues


• Rapidly deployed bastion host
• Minimal impact on AE staff and network
• Low-cost toolset that maps to core commercial tool functionality
• Reduce the amount of time DFIR resources are deployed onsite
• Augment AE information security personnel
• Utilize commercial intelligence services (if available)

The Open Advanced Forensic Examiner

O.A.F.E.


What is the OAFE?


• Function – Assists with network and endpoint forensic analysis at remote locations.

• Design – Initially designed for centrally managed networks (hub and spoke), but can be utilized for small branches or entities.

• Hardware – Designed to operate on a modest platform. Previous-generation servers work well.

• Deployment – Rapidly deployable on average hardware in a matter of hours.

• Technologies – Deep packet inspection, netflow, big data analytics and visualization, log aggregation, network malware detection, malware analysis, incident response ticketing, endpoint forensic analysis, endpoint detection and response, and many others…

Enterprise System to OAFE Technology Mapping


Technology | Enterprise System | OAFE Tools | Notes
Deep Packet Inspection | Symantec/BlueCoat/Solera | Moloch, Bro |
Network Malware Inspection | Cisco AMP, McAfee Advanced Threat Defense, FireEye | Maltrail |
Endpoint Forensics | FTK, X-Ways, F-Response, EnCase | Google Rapid Response |
Incident Response Ticketing | ServiceNow, Remedy, Resilient | Fast Incident Response |
Data Analytics and Visualization | Cybereason, IBM, Fortscale | Elasticsearch, Logstash, Kibana |
Log Management | QRadar, Splunk | Filebeat ingest to ELK |
Endpoint Detection & Response | Tanium, CarbonBlack, RSA eCat, FireEye HX | Lima Charlie | Integration in early July. Currently in dev branch.
Malware Static Analysis | | Viper, FAME | FAME is currently in testing.
Netflow | Cisco, ManageEngine | Ntopng |
DNS Logging | InfoBlox, BIND, AD DNS | Bro w/ Logstash ingest to Elastic |
Malware Dynamic Analysis | Cisco ThreatGrid, Joe Sandbox | Cuckoo (modified) | FAME may necessitate the addition of Cuckoo.
Intrusion Detection/Prevention | IBM, TippingPoint, Radware, Cisco | Suricata, Bro |


Here’s the “good stuff”, presented by Scott Sattler


Rich Toolset – All tools want a TAP/SPAN


• IPS/IDS
• SIEM
• Netflow
• Event correlation systems (SQRRL, Firemon, JASK)
• User-based analytics
• NTOP


Cost and Complexity


• Arista, NetOptics support many monitor ports
– Costly to deploy and ship worldwide
• Installing a hardware TAP disrupts production traffic
• Not cost-effective for smaller sites
• Must deploy tools to many remote sites
• Potential cost savings on licenses
• Remote sites sometimes have a limited skillset


Remote Moloch Capture Engine


• Installed in a VMware image
• Uploaded to the remote site easily
– No import taxes (benefits international businesses)
– No shipping costs
• ERSPAN or port SPAN on existing equipment
• Metadata returned to the central Moloch instance


Moloch Central Hub


• Elasticsearch cluster
• Moloch Viewer, with integrated intelligence tagging via WISE, provides an interface for the analyst
• Moloch Capture is not running
• WISE runs on 1-2 small VMware instances
– Clustered through a VIP


Moloch Remote Nodes – What’s Running


• Not Elasticsearch
• Moloch Capture
– Approximately 2 weeks of locally stored PCAPs
• Moloch Viewer
– Central console pulls PCAP views from the remote node


Aren’t you killing the bandwidth?


What can you do?


• Reuse the metadata
– Feed other tools
• Monitor all sites centrally
• Threat intelligence view across the enterprise


SPI metadata feed to other systems


SPI data ingested to Firemon Immediate Insight


Monitoring
• Processes
– Scripts to restart processes
• CPU utilization
• Disk space
– Run scripts to reallocate disk space
• Services
– Scripts to start/stop/restart services
• Memory
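One way to script the process and disk checks from this list for a remote Moloch node, as an added example that is not the presenters' own monitoring scripts: it confirms that capture and the viewer are up, that Elasticsearch is not running on the node (remote nodes hold PCAP only), and that the PCAP volume has headroom. The process names, the /data/moloch paths and the sample ps/df lines are assumptions or constructed input.

```shell
#!/bin/sh
# Health check for a remote Moloch node (added example, not the talk's scripts).
# Assumptions: capture runs as "moloch-capture", the viewer as "viewer.js",
# and PCAP lives under /data/moloch/raw. Adjust for your site.
PCAP_DIR="${PCAP_DIR:-/data/moloch/raw}"
DISK_MAX_PCT="${DISK_MAX_PCT:-90}"

# process_running NAME PS_OUTPUT: 0 if NAME appears in a `ps -eo args` listing
process_running() {
  printf '%s\n' "$2" | grep -q -- "$1"
}

# disk_used_pct DF_LINE: print the Use% column of a `df -P` data line as a number
disk_used_pct() {
  printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# node_status PS_OUTPUT DF_LINE: print one line per check, return 0 only if all pass
node_status() {
  ps_out="$1"; df_line="$2"; rc=0
  if process_running moloch-capture "$ps_out"; then echo "capture: ok"
  else echo "capture: DOWN (remote node must keep capturing)"; rc=1; fi
  if process_running viewer.js "$ps_out"; then echo "viewer: ok"
  else echo "viewer: DOWN (central console cannot pull PCAP)"; rc=1; fi
  # Remote nodes hold PCAP only; SPI metadata goes to the central cluster.
  if process_running elasticsearch "$ps_out"; then
    echo "elasticsearch: running on a remote node, not expected"; rc=1
  fi
  used=$(disk_used_pct "$df_line")
  if [ "$used" -ge "$DISK_MAX_PCT" ]; then
    # Moloch's freeSpaceG setting prunes old PCAP itself; alert if it is not keeping up.
    echo "pcap disk: ${used}% used on $PCAP_DIR, check freeSpaceG / retention"; rc=1
  else echo "pcap disk: ${used}% used"; fi
  return $rc
}

# Constructed sample inputs so the script runs without touching a live node.
SAMPLE_PS_OK='/data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini
node /data/moloch/viewer/viewer.js -c /data/moloch/etc/config.ini'
SAMPLE_DF_OK='/dev/sdb1 1000000000 600000000 400000000 60% /data/moloch/raw'
SAMPLE_PS_BAD='node /data/moloch/viewer/viewer.js -c /data/moloch/etc/config.ini
/usr/share/elasticsearch/bin/elasticsearch'
SAMPLE_DF_FULL='/dev/sdb1 1000000000 950000000 50000000 95% /data/moloch/raw'

# Live use: node_status "$(ps -eo args)" "$(df -P "$PCAP_DIR" | tail -n 1)"
node_status "$SAMPLE_PS_OK" "$SAMPLE_DF_OK" || echo "node needs attention"
```

Run it from cron on each remote node and forward the non-zero exits to the central hub, which is where the deck's "monitor all sites centrally" point applies.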

Questions/Discussion
