Networks and Incident Response: how to leverage tools and patterns for network-based incident detection

Abstract

During incident response or threat hunting, steps must be taken at a very fast pace. Network-based incident detection plays a fundamental role in speeding up the scoping and detection of incidents.

Which simple tools and detection patterns can be used to speed up the detection of incidents and malicious activities? This presentation provides practical answers that help incident response teams set up a baseline for network-based incident detection. It presents a simple yet extensible analysis environment for network-based incident detection, covering the basics from traffic capture and conversion, through detection patterns, to analysis and visualisation. It makes use of open source tools from the network forensics realm, such as tcpdump, tshark and Elasticsearch.
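As an added illustration of the capture-conversion-detection-indexing chain the abstract outlines (example code written for this page, not material from the talk or its author): tshark's field export is assumed as the conversion step, the sample rows are constructed, the beaconing thresholds (five connections, 10 % interval jitter) and the `netflow-alerts` index name are arbitrary choices, and the output is the NDJSON that Elasticsearch's `_bulk` endpoint accepts.

```python
"""Beaconing detection over tshark field exports, rendered as Elasticsearch _bulk NDJSON.

Added example. The input format is what this (assumed) conversion command produces
from a tcpdump capture, one TCP SYN per line, tab separated:

  tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
      -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
import json
import statistics
from collections import defaultdict

# Constructed sample (not real traffic): 10.0.0.5 contacts 203.0.113.7:443 every ~60 s
# (a beacon-like pattern); 10.0.0.6 browses a few hosts at irregular intervals.
SAMPLE = """\
1700000000.10\t10.0.0.5\t203.0.113.7\t443
1700000003.40\t10.0.0.6\t198.51.100.20\t443
1700000060.12\t10.0.0.5\t203.0.113.7\t443
1700000071.90\t10.0.0.6\t198.51.100.21\t80
1700000120.09\t10.0.0.5\t203.0.113.7\t443
1700000125.00\t10.0.0.6\t198.51.100.20\t443
1700000180.11\t10.0.0.5\t203.0.113.7\t443
1700000240.13\t10.0.0.5\t203.0.113.7\t443
1700000300.10\t10.0.0.5\t203.0.113.7\t443
1700000310.00\t10.0.0.6\t198.51.100.22\t443
"""


def parse_fields(text):
    """Parse tshark -T fields output into dicts; rows with missing or non-numeric
    fields (e.g. non-IP frames, which tshark emits with empty columns) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all(parts):
            continue
        try:
            rows.append({"ts": float(parts[0]), "src": parts[1],
                         "dst": parts[2], "dport": int(parts[3])})
        except ValueError:
            continue
    return rows


def find_beacons(rows, min_connections=5, max_jitter=0.1):
    """Flag (src, dst, dport) flows whose inter-connection intervals are nearly constant.

    jitter = population stdev of the gaps / mean gap. Periodic C2 check-ins keep this
    low; interactive browsing does not. Thresholds are arbitrary starting points."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "period_s": round(mean, 2), "jitter": round(jitter, 4),
                         "first_seen": times[0], "last_seen": times[-1]})
    return hits


def to_bulk(docs, index="netflow-alerts"):
    """Render detections as _bulk NDJSON: an action line followed by the document,
    ready to POST to http://<es-host>:9200/_bulk with Content-Type application/x-ndjson."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    print(to_bulk(find_beacons(parse_fields(SAMPLE))), end="")
```

In practice the conversion step is run over the whole capture once and its output is streamed through detectors like `find_beacons`; only the hits, not every packet, need to be bulk-indexed, which keeps the Elasticsearch side small enough to stand up during an engagement.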

Keywords: traffic analysis, network forensics, incident response, visualisation

Talk

João Collier de Mendonça

João (~John//Johannes) is a senior Incident Responder at the Cyber Defense Center of Deutsche Telekom Group, where he investigates security breaches for companies of various sizes. His work is focused on network-based incident detection and on the setup and improvement of Incident Detection and Response Capabilities across the Deutsche Telekom Group.