Knowing the unknown - Discover your organization’s attack surface using Suricata data

Building a vision of an information system is critical in a lot of situations like a MSSP working with a new customer or an incident response case. It is important to know the unknown. Without a clear understanding, decisions about priority and responses will be wrong. This training will introduce a methodology using passive network data monitoring to fix that situation using data that is commonly captured but often disregarded.

Network Security Monitoring data generated by Suricata can be used to build a representation of the internal attack surface within a company network. Inventory tools are often used to determine things such as the list of services on the network but this is a declarative approach and it can not be considered as the ultimate truth. In the case of a large organization, the difference between what is declared in the inventory and the actual reality can differ significantly.

Traditional approaches to complement inventory rely on scanning the network to find services. Although useful, this scan will not provide information about the usage of these systems and services. And it will not instantly detect updates to the information systems such as a new service being set up and used.

In this training, we will show how you can use data collected passively from Suricata sensors to build the attack surface of an organization and track its changes.

The training will consist of hands-on exercises where the trainee will analyze PCAP files with Suricata and build searches and dashboards using Kibana and Splunk as well as JQ for fast command line based results and Jupyter notebook for an algorithmic approach.

About the Speakers