The internet has enabled the perpetration of crimes at huge distances with impunity. But defenders can inspect network traffic for signs of malicious activity and where it originates.
This session examines how we can use the MITRE ATT&CK framework to codify and share intelligence on attacker behaviors derived from network traffic analysis. We will look at how traffic is collected, stored and analyzed. We provide an overview of tools for analysis of network packets and flows, and explain how these tools can help us identify the malicious use of non-standard protocols, protocol abuse, tunneling, port scanning, lateral movement, command and control, and data ex-filtration. We will also discuss automated detection of suspicious traffic using signature-based, behavior-based, rule-based, and anomaly-based algorithms. Finally, we will introduce Security Onion, a Linux distro similar to Kali Linux, but for defenders.