Network Forensic Analysis in an Encrypted World

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, Network Security Courses, Encryption Courses

Course Description

Overview

Explore network forensic analysis techniques in an encrypted world through this BSidesLV conference talk. Delve into the impact of encryption on network security monitoring, learn how to leverage encrypted traffic metadata, and discover strategies for shifting the balance of power to defenders. Examine hunting techniques, including analyzing asset and request distributions, and send/receive ratios by server name. Investigate the implications of free SSL certificates and their potential for abuse. Gain insights into basic detection and forensics processes, and understand how encryption affects the network security monitoring model. Equip yourself with knowledge to adapt and thrive in an increasingly encrypted digital landscape.

Syllabus

Intro
Justin Warner (@sixdub)
NSM Quadrant
Encryption's Impact on the Quadrant
What this Means for Network Defenders
Encrypted Traffic Metadata
Leverage Encryption as an Advantage to Shift Balance of Power to Defenders
Hunting Primer
What is Normal?
Commonality - Asset / Request Distributions
Send/Recv Ratios by Server Name
Let's Encrypt Things!
Different Levels of Certificates
Changing The Mindset
Who would abuse free certificates?
Basic Detection → Forensics Process
So... Encryption Isn't the End of the World
Encrypted NSM Security Model (ECNSMM)
Taught by

BSidesLV

Related Courses

Early Detection through Deception (YouTube)
Hack for Show, Report for Dough - Brian King (YouTube)
Blue Teamin on a Budget of Zero - Kyle Bubp (YouTube)
Windows Event Logs - Zero to Hero (YouTube)
Weaponizing Splunk - Using Blue Team Tools for Evil (YouTube)