Bro, I Can See You Moving Laterally

BSidesNOVA 2017

Presented by: Richie Cyrus
Date: Saturday February 25, 2017
Time: 14:30 - 15:00
Location: Cafeteria
Track: Track 2

Post-compromise, threat actors use the Server Message Block (SMB) protocol to move laterally and carry out their objectives. How does an organization go about detecting activity that is designed to blend in with normal traffic? Enabling Windows event logs to audit access to file shares may assist in detection. However, sifting through the sheer volume of logs created during normal day-to-day operations is not ideal. Actors may also move malware from share to share, undetected by an organization's particular anti-virus solution. The Bro Network Security Monitor provides the functionality and flexibility needed to detect some of these techniques on the wire. This session is designed to show defenders the capability of Bro to detect malicious SMB activity, specifically during lateral movement. The scripts and examples introduced can be used right away in environments where Bro is deployed.

Richie Cyrus

Richie Cyrus is an Incident Responder at CME Group with five years of security experience, primarily focused in the areas of digital forensics, incident response, and intrusion detection. He holds a number of security certifications, including GREM, GCFE, GCIH, GWAPT, CISSP and GCIA. He is also pursuing a master's degree in Information Security Engineering at SANS Technology Institute.


KhanFu - Mobile schedules for INFOSEC conferences.