Fumble Around and Find Out: Decrypting Packet Captures at Small to Medium Scale

Presented by
  • Josh Baugh

    Josh Baugh

    Founder of the Center for Kids Who Can't Ops Good and Who Wanna Learn to Ops Good

    Fumble Around and Find Out: Decrypting Packet Captures at Small to Medium Scale

    Many small to medium-sized businesses have network security appliances, such as firewalls, that provide IDS/IPS (Intrusion Detection/Prevention System) functionality. These appliances often capture the network traffic associated with an alert. However, the majority of the data in these packet captures is usually encrypted network traffic, which is frustrating for incident responders who are trying to determine whether an alert is actionable or a false positive. The goal of this talk is to walk the audience through a few example scenarios that require insight into encrypted traffic captured by a security device. In one scenario, a security device has fired an alert and provided a packet capture of the traffic that caused it, but the traffic is encrypted and of little value to responders. We will see how a little work up front can go a long way toward helping responders in this situation. The audience will see how to use Wireshark in conjunction with other data to manually decrypt a single packet capture file. We will then extrapolate from that to show how the technique can be modified to automatically decrypt any encrypted packet capture that is collected. Finally, we will see how this process can be further enhanced with open source tools to automatically analyze the decrypted packet capture data and index the observables from the packet captures in a centralized log platform.
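    One way the "scale it up" step can look in practice, as an added example that is not from the talk: a script that pairs each IDS alert pcap with a TLS key log (NSS SSLKEYLOGFILE format) collected from the endpoint, embeds the secrets into the capture with Wireshark's editcap, and pulls the now-decrypted HTTP request fields out with tshark as JSON for a log platform. The directory names, the stem-based pairing rule and the field list are assumptions; editcap and tshark must be on PATH.

```python
"""Batch-decrypt IDS alert pcaps with collected TLS key logs, then dump decrypted fields.
Added example, not the talk's own code. Assumes each alert pcap has a key log with the
same file stem in KEYLOG_DIR (e.g. alerts/a1.pcap <-> keylogs/a1.log)."""
from __future__ import annotations
import json
import subprocess
from pathlib import Path

PCAP_DIR = Path("alerts")      # hypothetical: pcaps exported by the IDS/IPS appliance
KEYLOG_DIR = Path("keylogs")   # hypothetical: SSLKEYLOGFILE-format logs from the hosts
OUT_DIR = Path("decrypted")


def keylog_for(pcap, keylog_dir=KEYLOG_DIR) -> Path | None:
    """Pair an alert pcap with its key log by stem; None means no secrets were collected."""
    candidate = Path(keylog_dir) / (Path(pcap).stem + ".log")
    return candidate if candidate.is_file() else None


def inject_cmd(pcap, keylog, out_dir=OUT_DIR) -> list[str]:
    """editcap stores the secrets in a pcapng Decryption Secrets Block, so any later
    Wireshark/tshark run decrypts the file without per-file configuration."""
    out = Path(out_dir) / (Path(pcap).stem + ".pcapng")
    return ["editcap", "--inject-secrets", f"tls,{keylog}", str(pcap), str(out)]


def extract_cmd(pcapng) -> list[str]:
    """tshark over the decrypted capture: HTTP requests only, JSON, selected fields."""
    return ["tshark", "-r", str(pcapng), "-Y", "http.request", "-T", "json",
            "-e", "frame.time_epoch", "-e", "ip.src", "-e", "ip.dst",
            "-e", "http.host", "-e", "http.request.uri", "-e", "http.user_agent"]


def decrypt_all(pcap_dir=PCAP_DIR, keylog_dir=KEYLOG_DIR, out_dir=OUT_DIR) -> dict:
    """Return {pcap name: decoded requests}; pcaps with no key log are reported, not dropped,
    so responders can see which alerts still have only ciphertext behind them."""
    Path(out_dir).mkdir(exist_ok=True)
    results = {}
    for pcap in sorted(Path(pcap_dir).glob("*.pcap*")):
        keylog = keylog_for(pcap, keylog_dir)
        if keylog is None:
            results[pcap.name] = "no key log collected; traffic still encrypted"
            continue
        subprocess.run(inject_cmd(pcap, keylog, out_dir), check=True)
        decrypted = Path(out_dir) / (pcap.stem + ".pcapng")
        dump = subprocess.run(extract_cmd(decrypted), check=True,
                              capture_output=True, text=True).stdout
        results[pcap.name] = json.loads(dump) if dump.strip() else []
    return results


if __name__ == "__main__":
    print(json.dumps(decrypt_all(), indent=2))
```

    The same pairing idea works with whatever key the capture needs (for example a decrypted RSA private key for pre-TLS-1.3 servers you control); the JSON records are what gets shipped to the central log platform.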

    About Josh Baugh

    Josh Baugh is a tech junkie, learning enthusiast, and fun haver. He loves all things related to security, DevOps, and automation. Josh runs with a gang of infosec hooligans.