Michał Sołtysik - Deep Packet Inspection Analysis - Examining One Packet Killers (ENG)

Описание: Other content:    • Michał Sołtysik - Cybersecurity content  

Official website: https://michalsoltysik.com/

Michał Sołtysik is a Cybersecurity Consultant and Blue Team, Purple Team, and Red Team Analyst, bringing a broad and in-depth range of expertise to his cybersecurity practice.

He is also a Digital and Network Forensics Examiner, Cyber Warfare Organizer, and SOC Trainer, specializing in SOC operational capability and maturity development, network edge traffic profiling, and adversary emulation in EDR testing.

0:00 Start

1:51 Title of the lecture: Deep Packet Inspection Analysis: Examining One Packet Killers.

2:30 Description of the lecture: Security Operations Center (SOC) teams monitor network traffic using SIEM and IPS solutions, along with other security tools. However, these tools can sometimes fall short in their capability, particularly when faced with complex attacks that exploit legitimate network protocols, such as a single, crafted packet. To combat these threats, SOC teams must adopt advanced techniques such as Deep Packet Inspection (DPI). The webinar explores DPI analysis techniques to detect and mitigate "One Packet Killers", using real-world examples from DHCP, H.225.0, Modbus over TCP, WTP, and BAT_GW protocols. Furthermore, it examines the intricacies of each protocol and highlights how specific message manipulations within these protocols can activate Denial-of-Service (DoS) attacks or disrupt communication flows. By mastering DPI techniques and addressing these protocol security weaknesses, SOC teams can enhance their ability to maintain a robust network security posture.

Content:

1:37 Opening words
3:58 Why IPS, WAF, and SIEM solutions are not enough.
7:07 Summary of the need for deep packet inspection analysis.
10:14 The four main categories of weaknesses/vulnerabilities.
10:53 DoS Attack Categories.
12:39 One Packet Killer via a vulnerability (CVE-2021-45105).
13:45 One Packet Killer via a weak protocol design in DHCP.
16:03 One Packet Killer via a weak protocol design in Modbus over TCP.
21:52 One Packet Killer via a weak protocol design in WTP.
22:53 One Packet Killer via a weak protocol design in BAT_GW.
26:13 One Packet Killer via a weak protocol design in H.225.0.
31:40 Findings (a breakdown of the possibilities and limitations behind functionalities within protocols which can be misused for DoS attacks under specific circumstances).
32:45 Protocol-based DoS Attacks.
33:48 DoS Attacks: Classification and Protocol Weakness Examples.
35:00 Some possible reasons why an attacker might send a single such packet ('One Packet Killer').
36:46 Conclusions of the webinar.
39:42 Recommendations on protocol weaknesses.
41:16 An example of a 'Silent Killer' using a ubiquitous protocol DNS.
47:35 Q&A.
58:47 Closing words.

Contact:
Mail: [email protected]
LinkedIn:   / michal-soltysik-ssh-soc  
GitHub: https://github.com/MichalSoltysikSOC
Accredible: https://www.credential.net/profile/mi...
Credly: https://www.credly.com/users/michal-s...

Link to download the presentation in .pdf format: https://files.fm/f/5gh6bawv36