
SIEM Based Intrusion Detection

Jim Beechey
March 2010
GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN

SANS Technology Institute - Candidate for Master of Science Degree 1

Objective

• Attackers are more sophisticated and targeted in their attacks.
• Defenders need systems which help provide visibility and alerting across numerous security systems.
• SIEM adoption is driven by compliance
• Gartner says “more than 80%”
• Put the “Security” back into SIEM using real-world examples.
SIEM System Setup



Basics – Outbound Traffic

• Outbound SMTP, DNS and IRC
• Unexpected outbound connections


New Hosts and Services

• Scanner integration for new host and service discovery



Darknets

• Network segments without any live systems, but which are monitored
• Any traffic is considered suspicious
• Qradar defines Darknets at setup
• Qradar Rule: Suspicious Activity: Communication with Known Watched Networks
Brute-force Attacks

• Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day.
• Qradar provides several alerts for brute-force attacks, Login Failures Followed by Success and Repeated Login Failures Single Host being the most helpful.
• Customize alerts for maximum impact
Brute-force Attacks



Windows Accounts
• Report of accounts created by whom
• Alerts for:
– accounts not using the standard naming convention
– accounts created outside of the creation script timeframe
– workstation account created
– group membership adds to key groups
• Understand the account management process and alert accordingly
IDS Context/Correlation
• Reduce noise by reporting based upon high-value systems or asset weights
• Add context of target operating system
• Add knowledge of vulnerabilities
• Rules
– Target Vulnerable to Detected Exploit
– Vulnerable to Detected Exploit on Different Port
– Vulnerable to Different Exploit than Detected on Attacked Port
Web Application Attacks
• Analyze WAF logs if possible, as header data (POST) is not available in server logs
• Create regular expressions to look for signs of attack, for example
– /(\%27)|(\')|(\-\-)|(\%23)|(\#)/ix – Detects ' or -- (literal or URL-encoded; the # must be escaped under the x flag, otherwise it starts a comment)
• Create and alert on web honeytokens
– Fake admin page in robots.txt
– Fake credentials in HTML code
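The two web-application checks above (the SQL-injection indicator regex and a robots.txt honeytoken) run as one SIEM-style rule over constructed access-log lines. This is an added example, not code from the deck or from Qradar; the log lines, the honeytoken path and the alert names are assumptions.

```python
import re

# The slide's signature: literal or URL-encoded single quote, and the SQL
# comment markers "--" and "#" (also as %23). Compiled case-insensitively
# but WITHOUT verbose mode, because under /x an unescaped "#" begins a comment.
SQLI_INDICATOR = re.compile(r"%27|'|--|%23|#", re.I)

# Hypothetical honeytoken: a path listed in robots.txt but linked from nowhere,
# so any request for it is worth an alert on its own.
HONEYTOKEN_PATHS = {"/admin-backup/"}

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2010:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2010:10:00:07 -0500] "GET /login.php?user=admin%27--+ HTTP/1.1" 200 301
10.0.0.9 - - [01/Mar/2010:10:00:09 -0500] "GET /admin-backup/ HTTP/1.1" 404 112
10.0.0.12 - - [01/Mar/2010:10:00:15 -0500] "GET /news.php?id=5 HTTP/1.1" 200 1021
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) ')

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the alert names triggered by one parsed request."""
    alerts = []
    uri = entry["uri"]
    path, _, query = uri.partition("?")
    if path in HONEYTOKEN_PATHS:
        alerts.append("honeytoken_access")
    # Inspect only the query string: matching the whole URI would fire on any
    # path that happens to contain "--", a common false-positive source.
    if query and SQLI_INDICATOR.search(query):
        alerts.append("sqli_indicator")
    return alerts

def scan_log(text):
    """Run both checks over a log and return (source IP, alert, URI) findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for alert in classify(entry):
            findings.append((entry["src"], alert, entry["uri"]))
    return findings
```

The regex does not decode the request, so double-encoded input such as %2527 slips past it; normalise the URI first if the WAF does not already do so.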
Data Exfiltration

• Collection of flows or session data is extremely helpful
• Reports/Alerts based upon
– Size/destination of outbound flows “Large Outbound Data Transfer”
– Application data inside specific protocols
– Frequency of requests/application usage
– Session Duration “Long Duration Flow”
Client Side Attacks

• Information in Windows event logs:
– Process Information
• Start (592/4688) Ends (593/4689)
– New Service Installed (601/4697)
– Scheduled Tasks Created (602/4689)
– Audit Policy Changed and Cleared
• (612/4719) and (517/1102)
• Integration with third-party tools


Sample Attack



Summary
• Defenders need to look for indicators of compromise across many sources
• SIEM solutions centralize data
• Start small with basic methods, test, and move to more advanced techniques
• Goal is to detect compromise and provide as much information as possible before starting incident response