--[ A Network Analysis Workshop

Instructor

Jamin Becker is the Chief Technology Officer at Dynamite Analytics and has worn many hats during his career, ranging from security operations to software engineering. Jamin is the maintainer of several open-source projects related to network analysis and began developing PacketTotal in 2015 when he noticed there was no easy way for security researchers to quickly analyze and share malicious network traffic. Since then, he has continued to maintain and extend the capabilities of PacketTotal for the benefit of the security community.

Adam Pumphrey is the Chief Operations Officer at Dynamite Analytics. He has worked in cybersecurity for over 20 years specializing in network traffic analysis, threat detection, forensics, and incident response. Adam spent his early career creating and leading security operations teams for the federal government before transitioning to the private sector where he now focuses on technology integration, solution engineering and customer success.

Abstract

In Part 1 of this workshop, we'll dive into some of the differences between on-premises and cloud environments. We'll look closely at how organizations can address one of the largest risks faced when moving to the cloud: a lack of visibility. Traffic acquisition in the cloud has traditionally required complex network architectures or third-party software agents running on individual endpoints. However, cloud service providers now offer capabilities that give direct access to network communications by using the software-defined network itself for packet acquisition. We'll describe this capability and how it's configured, deployed, and operationalized, and we'll examine best practices and lessons learned to keep in mind when planning a cloud network defense strategy that includes network traffic analysis.

In Part 2 of this workshop, we'll pivot to analyzing PCAP samples using PacketTotal.com (PacketTotal). PacketTotal is a free cloud service based on Zeek and Suricata for static packet-capture (PCAP) analysis. The service equips cybersecurity researchers and analysts with a database of over 100,000 indexed PCAP samples uploaded by the security community for contextualizing malicious network behaviors and cybersecurity alerts.

The service facilitates community sharing of traffic samples and allows researchers to search for indicators of compromise, download the corresponding network traffic, and see examples of how malware communicates across a variety of environments. PacketTotal's emerging search API also allows researchers to find PCAPs containing a given domain name, IP address, malware strain, or protocol, and to discover relationships between PCAPs, including common malicious traffic characteristics.

During Part 2 of this workshop, we will demonstrate how PacketTotal uses Zeek and Suricata to extract evidence relevant to security investigations, and how it can be integrated into security processes through the open-source SDK.
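As an added illustration of the kind of evidence Zeek and Suricata produce and how an indicator-of-compromise search runs over it: the code below is example code written for this page, not PacketTotal's own code or its SDK. It assumes Zeek's default tab-separated log layout (a `#fields` header line naming the columns) and Suricata's EVE JSON output (one object per line). Every log line is a constructed sample, and the Suricata signature name and sid are made up.

```python
"""Parse Zeek TSV logs and Suricata EVE JSON, then search them for watch-listed indicators.

Example code for this page (not PacketTotal's code). Assumes Zeek's default TSV
layout with a '#fields' header and Suricata EVE JSON (one object per line).
All log content below is constructed; the Suricata signature/sid are invented.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed Zeek dns.log excerpt. Real files also carry #separator/#types
# header lines; only the #fields line is needed to name the columns.
ZEEK_DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers
1600000000.1\tCjKx1a\t10.0.0.5\t51000\t10.0.0.2\t53\tupdate.example-cdn.test\t203.0.113.10
1600000001.2\tCjKx2b\t10.0.0.5\t51001\t10.0.0.2\t53\tmail.example.test\t198.51.100.7,198.51.100.8
"""

# Constructed Zeek conn.log excerpt.
ZEEK_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1600000002.0\tCjKx3c\t10.0.0.5\t52000\t203.0.113.10\t443\ttcp\tssl
1600000003.0\tCjKx4d\t10.0.0.7\t52001\t198.51.100.7\t25\ttcp\tsmtp
"""

# Constructed Suricata eve.json excerpt (signature and signature_id are made up).
SURICATA_EVE = """\
{"timestamp":"2020-09-13T12:26:42.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":52000,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE Beacon to watched host","signature_id":9000001,"severity":1}}
{"timestamp":"2020-09-13T12:26:43.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"update.example-cdn.test","rrtype":"A"}}
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV log format, using the '#fields' header for column names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def parse_eve(text: str) -> List[dict]:
    """Parse Suricata EVE JSON: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_iocs(dns_records, conn_records, eve_records) -> Dict[str, Set[str]]:
    """Collect every domain and IP the logs observed, keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set()}
    for r in dns_records:
        iocs["domain"].add(r["query"].lower())
        for ans in r["answers"].split(","):
            if ans and ans != "-":  # Zeek writes '-' for an unset field
                iocs["ip"].add(ans)
    for r in conn_records:
        iocs["ip"].add(r["id.resp_h"])
    for e in eve_records:
        if e.get("event_type") == "dns":
            iocs["domain"].add(e["dns"]["rrname"].lower())
        elif e.get("event_type") == "alert":
            iocs["ip"].add(e["dest_ip"])
    return iocs


def search_watchlist(watchlist: Iterable[str], dns_records, conn_records, eve_records) -> List[dict]:
    """Return each record in which a watch-listed domain or IP appears, with a reference
    (Zeek uid, Suricata flow_id/sid) that lets an analyst pivot back to the packets."""
    watch = {w.lower() for w in watchlist}
    hits: List[dict] = []
    for r in dns_records:
        seen = {r["query"].lower()} | set(r["answers"].split(","))
        for ind in sorted(seen & watch):
            hits.append({"source": "zeek:dns", "ref": r["uid"], "indicator": ind})
    for r in conn_records:
        for ind in sorted({r["id.orig_h"], r["id.resp_h"]} & watch):
            hits.append({"source": "zeek:conn", "ref": r["uid"], "indicator": ind})
    for e in eve_records:
        if e.get("event_type") == "alert":
            for ind in sorted({e["src_ip"], e["dest_ip"]} & watch):
                hits.append({"source": "suricata:alert", "ref": e["alert"]["signature_id"],
                             "indicator": ind, "signature": e["alert"]["signature"]})
        elif e.get("event_type") == "dns" and e["dns"]["rrname"].lower() in watch:
            hits.append({"source": "suricata:dns", "ref": e["flow_id"],
                         "indicator": e["dns"]["rrname"].lower()})
    return hits


if __name__ == "__main__":
    dns, conn, eve = parse_zeek_tsv(ZEEK_DNS_LOG), parse_zeek_tsv(ZEEK_CONN_LOG), parse_eve(SURICATA_EVE)
    print("observed indicators:", extract_iocs(dns, conn, eve))
    for hit in search_watchlist(["203.0.113.10", "update.example-cdn.test"], dns, conn, eve):
        print(hit)
```

The `uid` returned for Zeek hits is the key that ties dns.log, conn.log and the other Zeek logs for one connection together, so a watchlist hit can be followed to the corresponding flow and, from there, to the packets in the PCAP; the Suricata `signature_id` serves the same role for alerts.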