Where Networking and Security Collide

Category: Misc

True Crime – 1st 48 hours in your network….

What a fun day! Thanks to all who attended my session at the Northern Ohio Security Summit “TRUE CRIME – the first 48 hours in your network” it was a packed house!

As promised, here are some resources to enable you to LIGHT up your network.

Feel free to hit me up on Linkedin with any questions.

Link to presentation – TimRoth_ClevelandSecuritySummit10_26  




->Interrogating the Network (means to pull data from the network)

Means to enable packet capture – just an example

 Packet Capture in Cisco Router and Switches


Application visibility with Netflow (NO FIREROUTER required)

Available IPIX/NETFLOW records

Cisco Netflow support Matrix

->Collecting the Artifacts (means to collect the data) 

1.Flow Collection

ELK Stack  – collection of Netflow with ELK Stack + ElasticFlow


Setup Elastiflow (Netflow visual tool for ELK Stack)




2.Packet Collection


SNORT Detection Strategies

Run snort on your Cisco Router


 An Introduction to Threat Hunting With Zeek (Bro)


ETA/JOY – encrypted traffic analytics 


Presentation on Cisco ETA/Project Joy

Slide Deck – Cisco ETA/Project Joy


Resources Referenced 



https://talosintelligence.com/software (Open Source Projects – Snort, Immunet)

Books Referenced




Stegano exploit kit…hacking through browser ads

Check out the following articles on the Stegano exploit kit.



My take:

Hackers can go after our systems with advertisements on popular news sites we all visit. To the naked eye, these advertisements look legit, they may even look like security solutions that will protect us online. In reality, if you click on these advertisements they leverage your web browser to run scans against your machine. If the scans detect vulnerable software that can be exploited, your system is fair game.

“In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to further compromise by various malicious payloads including backdoors, spyware and banking Trojans.” (welivesecurity.com)

Reading this quote makes me think of my friends and family who are non-technical. Every day they read something in the news about Cyber Security. When an ad appears on the side of a popular news page they visit, claiming to provide security, they assume this product is safe and will truly protect them. This product is doing the exact opposite; it could be potentially owning your system.

This is a good reminder to me.  I need to educate those around me and help them understand basic security best practices. Selfishly, this saves me time too, because then I won’t have compromised systems to troubleshoot.

“The best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputed antivirus software that can detect such threats before they infect your system.” (hacknews.com)

OpenDNS…more than just a home internet filter

When Cisco first acquired OpenDNS I was indifferent.  I perceived their service to be free content filtering for home and SMB.  After hearing all the buzz, from co-workers, security market, customers etc. I knew there had to be more to OpenDNS.

I learned that it provides an advanced cloud security platform called Umbrella.  Umbrella can be used to protect any user or any device, from anywhere,  it doesn’t matter if I am sitting in Starbucks or on the corporate network.  If you give me a little room here…I like to classify OpenDNS Umbrella as a cloud firewall/gateway that can be used to prevent attacks before it hit your users or network.

The Umbrella Data Sheet states that with Umbrella you can:

  • “Reduce malware infections up to 98%”
  • “Cut the number of alerts from your IPS, AV, and SIEM by as much as 50%”
  • “Decrease remediation time by 20%”

Umbrella in action:

Take for example, I open my email and receive a message from USPSS (which looks like USPS), the title states “check the status of your package.” Knowing that Christmas is coming, I get excited thinking one of my friends sent me a gift.  Little do I know the link within my email takes me to a false page, USPSS look alike page, and in the background my computer is reaching out to a known malicious ransomware domain.

If I was using a traditional DNS service, like Google,  it wouldn’t block the lookup to the ransomware domain, instead it would provide the ip address for the ransomware domain.


OpenDNS umbrella will block the DNS request for the  malicious domain, stopping the attack before it hits my client or network.


OpenDNS has over 65 million users and roughly 80 billion internet request daily.  OpenDNS builds security intelligence from internet data, big data analytics, machine learning, and super smart security engineers.  With this threat intel, OpenDNS can understand which domains are malicious and block the attack via DNS before it hits your network.




Umbrella components

1.Cloud Management – Umbrella provides a cloud dashboard…much like Meraki.  In this dashboard you can control and manage your security policies and gain visibility into your network traffic. “Umbrella provides visibility into internet activity across all devices, over all ports, even when users are off your corporate network. You can even retain the logs forever.” https://umbrella.cisco.com/products/features

2.Umbrella network protection- To protect your devices on your corporate network simply redirect your external DNS request to OpenDNS.  “To switch to Umbrella, you need to explicitly change the DNS settings in your operating system or hardware firewall/router to use IP addresses of the Umbrella name servers and turn off the automatic DNS servers provided by your ISP.”

3.Umbrella Client- To protect your clients off net, you can leverage a lightweight umbrella roaming client.  There is even a plugin for AnyConnect VPN, if you are disconnected from VPN your traffic will be protected by OpenDNS.

With Umbrella roaming client, you can also protect IP based traffic.  “Alternatively, OpenDNS’s IP layer enforcement provides protection over any port, and from any location through the use of the OpenDNS Roaming Client, an endpoint client that acts as a DNS request forwarder.”https://blog.opendns.com/2015/11/03/opendns-adds-ip-layer-enforcement-umbrella/

More Details AnyConnect Umbrella  client 

More Detail Umbrella Roaming client

OpenDNS Umbrella is very different from traditional proxy type services.  It  provides protection across all ports (not just 80/443) without proxying all your traffic to an on-prem device or somewhere in the cloud. “Instead of proxying all requests, Umbrella selectively routes suspicious URLs for deeper inspection. Effectively protect without delay or performance impact.” https://umbrella.cisco.com/products/features/intelligent-proxy

OpenDNS is not a silver bullet but it dramatically can increase security.  To me, that is very powerful.  The increased security helps to take the load off my firewall,  it adds an extra layer of  protection to any device anywhere and  gain visibility into network traffic.

Stay tuned for my future posts on security and OpenDNS.