Jim Beechey, March 2010. GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN
SANS Technology Institute - Candidate for Master of Science Degree 1
Objective
• Attackers are more sophisticated and targeted in their attacks.
• Defenders need systems which provide visibility and alerting across numerous security systems.
• SIEM adoption is driven by compliance
• Gartner says “more than 80%”
• Put “Security” back into SIEM using real-world examples.

SIEM System Setup
Basics – Outbound Traffic
• Outbound SMTP, DNS and IRC
• Unexpected outbound connections

New Hosts and Services
• Scanner integration for new host and service discovery
Darknets
• Network segments without any live systems, but which are monitored
• Any traffic to them is considered suspicious
• Qradar defines Darknets at setup
• Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

Brute-force Attacks
• Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day.
• Qradar provides several alerts for brute-force attacks; “Login Failures Followed by Success” and “Repeated Login Failures Single Host” are the most helpful.
• Customize alerts for maximum impact
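The two Qradar rules named above, and the per-day failed-login report, implemented over Windows logon events. This is an added example, not code from the presentation or from Qradar: the event rows are constructed, and the thresholds (five failures inside five minutes; three failures inside ten minutes before a success) are assumptions to tune against your own baseline.

```python
"""Brute-force indicators over Windows logon events (added example).

Implements "Repeated Login Failures Single Host", "Login Failures Followed
by Success" and a per-day failed-login report in plain Python.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILURE, LOGON_SUCCESS, ACCOUNT_LOCKOUT = 4625, 4624, 4740  # Vista+ event IDs

# Constructed sample events: (timestamp, event_id, account, source_ip, device)
SAMPLE_EVENTS = [
    ("2010-03-01 02:00:01", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:04", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:09", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:14", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:20", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:27", 4625, "jsmith", "10.9.8.7", "FILESRV1"),
    ("2010-03-01 02:00:35", 4624, "jsmith", "10.9.8.7", "FILESRV1"),  # guessing paid off
    ("2010-03-01 08:15:00", 4625, "bob", "192.168.1.50", "DC1"),      # one typo, then
    ("2010-03-01 08:15:12", 4624, "bob", "192.168.1.50", "DC1"),      # a normal logon
    ("2010-03-01 23:59:59", 4740, "svc_backup", "10.9.8.7", "DC1"),   # account locked out
    ("2010-03-02 09:00:00", 4625, "alice", "192.168.1.60", "DC1"),
]


def parse_events(rows):
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "id": eid,
             "account": acct, "source": src, "device": dev}
            for t, eid, acct, src, dev in rows]


def repeated_failures_single_host(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with `threshold` or more failures inside any `window` (sliding)."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAILURE:
            by_source[e["source"]].append(e["time"])
    alerts = {}
    for src, times in by_source.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def failures_followed_by_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Successful logons preceded by `min_failures`+ failures for the same account and source."""
    failures = [e for e in events if e["id"] == LOGON_FAILURE]
    alerts = []
    for s in events:
        if s["id"] != LOGON_SUCCESS:
            continue
        n = sum(1 for f in failures
                if f["account"] == s["account"] and f["source"] == s["source"]
                and timedelta(0) <= s["time"] - f["time"] <= window)
        if n >= min_failures:
            alerts.append((s["account"], s["source"], n, s["time"]))
    return alerts


def daily_report(events):
    """Per-day failed logins by device and by source IP, plus accounts locked that day."""
    days = defaultdict(lambda: {"by_device": defaultdict(int),
                                "by_source": defaultdict(int), "locked": set()})
    for e in events:
        day = e["time"].date().isoformat()
        if e["id"] == LOGON_FAILURE:
            days[day]["by_device"][e["device"]] += 1
            days[day]["by_source"][e["source"]] += 1
        elif e["id"] == ACCOUNT_LOCKOUT:
            days[day]["locked"].add(e["account"])
    return {day: {"by_device": dict(v["by_device"]), "by_source": dict(v["by_source"]),
                  "locked": sorted(v["locked"])} for day, v in days.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(repeated_failures_single_host(evts))
    print(failures_followed_by_success(evts))
    print(daily_report(evts))
```

The "followed by success" rule keys on account and source together; keying on the account alone would also fire when a user mistypes a password from one machine and then logs in from another, which is exactly the kind of noise the slide's "customize alerts" point is about.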
Windows Accounts
• Report of accounts created, and by whom
• Alerts for:
– accounts not using the standard naming convention
– accounts created outside of the creation-script timeframe
– workstation account created
– group membership adds to key groups
• Understand the account management process and alert accordingly

IDS Context/Correlation
• Reduce noise by reporting based upon high-value systems or asset weights
• Add context of target operating system
• Add knowledge of vulnerabilities
• Rules:
– Target Vulnerable to Detected Exploit
– Vulnerable to Detected Exploit on Different Port
– Vulnerable to Different Exploit than Detected on Attacked Port

Web Application Attacks
• Analyze WAF logs if possible, as header data (POST) is not available in server logs
• Create regular expressions to look for signs of attack, for example:
– /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – detects ‘ or --
• Create and alert on web honeytokens:
– Fake admin page in robots.txt
– Fake credentials in HTML code

Data Exfiltration
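The IDS Context/Correlation slide in working form: an IDS alert is classified against a scanner-populated asset inventory into the three rule outcomes named above, then scaled by asset weight so that low-value hits drop below the reporting threshold. This is an added example, not Qradar's implementation; the inventory, the vulnerability identifiers (VULN-…), the severity table and the threshold are all constructed.

```python
"""IDS alert enrichment with target OS, vulnerability and asset weight (added example)."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    os: str
    weight: int                                  # 1 (low) .. 10 (crown jewels), Qradar-style
    vulns: dict = field(default_factory=dict)    # vuln_id -> set of ports it is exposed on


@dataclass
class Alert:
    signature: str      # IDS signature name
    exploit_id: str     # vulnerability the signature's exploit targets (constructed IDs)
    target_ip: str
    target_port: int
    target_os: str      # OS family the exploit is written for


# Constructed inventory, as a vulnerability scanner would populate it
INVENTORY = {
    "10.1.1.10": Asset("10.1.1.10", "windows", 9, {"VULN-SMB-1": {445}, "VULN-IIS-2": {80}}),
    "10.1.1.20": Asset("10.1.1.20", "linux", 3, {"VULN-SSH-3": {22}}),
    "10.1.1.30": Asset("10.1.1.30", "linux", 2, {}),
}

SEVERITY = {
    "Target Vulnerable to Detected Exploit": 10,
    "Vulnerable to Detected Exploit on Different Port": 6,
    "Vulnerable to Different Exploit than Detected on Attacked Port": 5,
    "unknown host": 3,
    "not vulnerable": 2,
    "target OS mismatch": 1,
}


def classify(alert, inventory):
    """Map an alert to one of the slide's three rules, or to a low-interest verdict."""
    asset = inventory.get(alert.target_ip)
    if asset is None:
        return "unknown host"
    if asset.os != alert.target_os:
        return "target OS mismatch"                      # e.g. Windows exploit at a Linux box
    ports = asset.vulns.get(alert.exploit_id)
    if ports is not None:
        if alert.target_port in ports:
            return "Target Vulnerable to Detected Exploit"
        return "Vulnerable to Detected Exploit on Different Port"
    if any(alert.target_port in p for p in asset.vulns.values()):
        return "Vulnerable to Different Exploit than Detected on Attacked Port"
    return "not vulnerable"


def score(alert, inventory, report_threshold=20):
    """(verdict, magnitude, report?) where magnitude = severity * asset weight."""
    verdict = classify(alert, inventory)
    weight = inventory[alert.target_ip].weight if alert.target_ip in inventory else 1
    magnitude = SEVERITY[verdict] * weight
    return verdict, magnitude, magnitude >= report_threshold


if __name__ == "__main__":
    for a in (Alert("SMB overflow", "VULN-SMB-1", "10.1.1.10", 445, "windows"),
              Alert("SMB overflow", "VULN-SMB-1", "10.1.1.10", 139, "windows"),
              Alert("SSH auth bypass", "VULN-SSH-3", "10.1.1.20", 22, "windows")):
        print(a.signature, "->", score(a, INVENTORY))
```

Because the magnitude multiplies by asset weight, the same "not vulnerable" verdict is suppressed on a lab box and still reported on a weight-9 server, which is the noise-reduction effect the slide's first bullet describes.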
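The Web Application Attacks slide as detection logic run over sample WAF records: the slide's regular expression is applied to both the request target and the POST body (the reason WAF logs are preferred over server logs), and the two honeytokens it suggests are checked. This is an added example, not code from the presentation; the log format, the honeytoken path, the fake credential pair and the form-field names are constructed assumptions.

```python
"""Web-application attack indicators in WAF logs (added example)."""
import re
from urllib.parse import parse_qs

# The slide's pattern /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix: a quote or a comment
# marker, raw or URL-encoded. The /x flag is dropped on purpose: in verbose mode
# an unescaped # begins a comment and the last alternative would vanish.
SQL_META = re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.IGNORECASE)

HONEYTOKEN_PATHS = ("/admin-backup/",)            # assumed: Disallow'd in robots.txt, never linked
HONEYTOKEN_CREDS = {("dbadmin", "changeme123")}    # assumed: "leaked" in an HTML comment
USER_FIELD, PASS_FIELD = "user", "pass"            # assumed login form field names

# Constructed WAF log lines: client|method|request_target|body
SAMPLE_LOG = """\
10.0.0.5|GET|/search?q=shoes|
10.0.0.5|GET|/search?q=shoes%27%20OR%201%3D1--|
203.0.113.9|POST|/login|user=dbadmin&pass=changeme123
203.0.113.9|GET|/admin-backup/|
10.0.0.7|POST|/login|user=alice&pass=s3cret
10.0.0.8|GET|/item?id=5%23|
"""


def parse_line(line):
    client, method, target, body = line.split("|", 3)
    return {"client": client, "method": method, "target": target, "body": body}


def indicators(req):
    """(indicator, detail) pairs triggered by one request."""
    hits = []
    for part in ("target", "body"):                 # server logs would only give us "target"
        if SQL_META.search(req[part]):
            hits.append(("sqli-meta", req[part]))
            break
    if any(req["target"].startswith(p) for p in HONEYTOKEN_PATHS):
        hits.append(("honeytoken-path", req["target"]))
    if req["method"] == "POST":
        form = parse_qs(req["body"])
        pair = (form.get(USER_FIELD, [None])[0], form.get(PASS_FIELD, [None])[0])
        if pair in HONEYTOKEN_CREDS:
            hits.append(("honeytoken-creds", pair[0]))
    return hits


def analyze(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        findings.extend((req["client"], name, detail) for name, detail in indicators(req))
    return findings


def alerts_by_client(findings):
    counts = {}
    for client, _, _ in findings:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A regex this broad also fires on an apostrophe in a legitimate search term, so it is a candidate for the same treatment as IDS alerts: weight by target asset and by volume per client before paging anyone. The honeytoken hits, by contrast, have no legitimate cause and can alert on a single request.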
• Collection of flows or session data is extremely helpful
• Reports/alerts based upon:
– Size/destination of outbound flows (“Large Outbound Data Transfer”)
– Application data inside specific protocols
– Frequency of requests/application usage
– Session duration (“Long Duration Flow”)

Client Side Attacks
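One pass over flow records that applies the checks from three of the slides above: unexpected outbound SMTP, DNS and IRC (Basics – Outbound Traffic), any contact with a monitored unused segment (Darknets), and the Qradar-style "Large Outbound Data Transfer" and "Long Duration Flow" conditions (Data Exfiltration). This is an added example, not code from the presentation or from Qradar; the address ranges, the sanctioned relay and resolver, the thresholds and the flow records are constructed.

```python
"""Flow-based indicators: outbound basics, darknets, exfiltration (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    duration_s: int
    bytes_out: int          # bytes sent from src to dst


# Constructed site policy
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
DARKNETS = [ipaddress.ip_network("10.99.0.0/16")]   # monitored segment with no live hosts
MAIL_RELAYS = {"10.0.0.25"}                          # only host allowed to send SMTP outbound
RESOLVERS = {"10.0.0.53"}                            # only hosts allowed to send DNS outbound
IRC_PORTS = {6667, 6697}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024
LONG_DURATION_S = 3600

# Constructed flow records
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "203.0.113.10", 25, "tcp", 30, 2_000),          # relay: expected
    Flow("10.0.5.17", "203.0.113.10", 25, "tcp", 5, 1_500),           # workstation SMTP
    Flow("10.0.5.17", "198.51.100.7", 53, "udp", 1, 300),             # workstation DNS
    Flow("10.0.0.53", "198.51.100.7", 53, "udp", 1, 300),             # resolver: expected
    Flow("10.0.5.22", "198.51.100.9", 6667, "tcp", 7200, 40_000),     # IRC, held open 2 h
    Flow("10.0.5.30", "10.99.3.4", 445, "tcp", 1, 200),               # darknet contact
    Flow("10.0.5.40", "203.0.113.50", 443, "tcp", 600, 120_000_000),  # ~114 MiB out over HTTPS
    Flow("10.0.5.41", "203.0.113.50", 443, "tcp", 20, 50_000),        # ordinary browsing
]


def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def check_flow(f):
    """Indicator names a single flow triggers (empty list if none)."""
    hits = []
    if _in(f.dst, DARKNETS):                              # any direction, any port
        hits.append("darknet contact")
    if _in(f.src, INTERNAL) and not _in(f.dst, INTERNAL):  # outbound only
        if f.dport == 25 and f.src not in MAIL_RELAYS:
            hits.append("unexpected outbound SMTP")
        if f.dport == 53 and f.src not in RESOLVERS:
            hits.append("unexpected outbound DNS")
        if f.dport in IRC_PORTS:
            hits.append("outbound IRC")
        if f.bytes_out > LARGE_TRANSFER_BYTES:
            hits.append("large outbound data transfer")
        if f.duration_s > LONG_DURATION_S:
            hits.append("long duration flow")
    return hits


def analyze(flows):
    return [(f.src, f.dst, hit) for f in flows for hit in check_flow(f)]


def summarize(findings):
    """Count of flows per indicator, the shape a daily report would take."""
    return dict(Counter(hit for _, _, hit in findings))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
    print(summarize(analyze(SAMPLE_FLOWS)))
```

The SMTP and DNS checks are allow-lists rather than signatures: the relay and the resolvers are the only hosts that should ever speak those protocols outbound, so every other source is an indicator regardless of payload. The byte and duration thresholds are the ones to baseline per site before turning the rules into alerts.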
• Information in Windows event logs:
– Process Information: Start (592/4688), End (593/4689)
– New Service Installed (601/4697)
– Scheduled Tasks Created (602/4689)
– Audit Policy Changed (612/4719) and Cleared (517/1102)
• Integration with third-party tools
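The Windows Accounts and Client Side Attacks slides together, as rules over sample Windows event records: account creations checked against a naming convention, the provisioning script's time window and the creating host; adds to key groups; the high-interest client-side event IDs (4697, 4719, 1102); and a 4688/4689 process timeline for one host, which is the kind of context the responder wants before an incident is opened. This is an added example, not code from the presentation. The naming convention, provisioning window, workstation prefix, key-group list and sample events are all constructed assumptions.

```python
"""Windows event-log indicators: account management and client-side activity (added example)."""
import re
from datetime import datetime, time

NAMING = re.compile(r"^[a-z]{3,12}$")                # assumed: lowercase initial+surname
PROVISIONING_WINDOW = (time(18, 0), time(19, 0))     # assumed: nightly HR script window
WORKSTATION_PREFIX = "WS-"                           # assumed: computer naming scheme
KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# 4697 new service, 4719 audit policy changed, 1102 audit log cleared (slide's Vista+ IDs)
HIGH_INTEREST = {4697: "new service installed", 4719: "audit policy changed",
                 1102: "audit log cleared"}

# Constructed sample events; dicts stand in for parsed event records.
# 4720 = account created, 4728/4732 = member added to global/local group.
EVENTS = [
    {"id": 4720, "time": "2010-03-01 18:05:00", "host": "DC1", "subject": "svc_hr", "target": "mjones"},
    {"id": 4720, "time": "2010-03-01 03:14:00", "host": "DC1", "subject": "jsmith", "target": "Support$1"},
    {"id": 4720, "time": "2010-03-01 12:00:00", "host": "WS-0417", "subject": "jsmith", "target": "helper"},
    {"id": 4728, "time": "2010-03-01 03:15:00", "host": "DC1", "subject": "jsmith", "target": "Support$1", "group": "Domain Admins"},
    {"id": 4732, "time": "2010-03-01 10:00:00", "host": "DC1", "subject": "svc_hr", "target": "mjones", "group": "Sales"},
    {"id": 4688, "time": "2010-03-01 03:10:00", "host": "WS-0417", "pid": "0x1a4", "process": r"C:\Users\jsmith\AppData\Local\Temp\update.exe"},
    {"id": 4697, "time": "2010-03-01 03:11:00", "host": "WS-0417", "service": "WinHelper"},
    {"id": 4719, "time": "2010-03-01 03:12:00", "host": "WS-0417"},
    {"id": 4689, "time": "2010-03-01 03:13:00", "host": "WS-0417", "pid": "0x1a4", "process": r"C:\Users\jsmith\AppData\Local\Temp\update.exe"},
    {"id": 1102, "time": "2010-03-01 03:16:00", "host": "WS-0417"},
]


def _t(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")


def account_alerts(events):
    """(account, reason) pairs for the slide's four account-management rules."""
    alerts = []
    for e in events:
        if e["id"] == 4720:
            name, when = e["target"], _t(e).time()
            if not NAMING.match(name):
                alerts.append((name, "non-standard account name"))
            if not PROVISIONING_WINDOW[0] <= when <= PROVISIONING_WINDOW[1]:
                alerts.append((name, "created outside provisioning window"))
            if e["host"].startswith(WORKSTATION_PREFIX):
                alerts.append((name, "account created on a workstation"))
        elif e["id"] in (4728, 4732) and e["group"] in KEY_GROUPS:
            alerts.append((e["target"], f"added to key group {e['group']}"))
    return alerts


def accounts_created_report(events):
    """Who created which accounts: subject -> sorted new account names."""
    report = {}
    for e in events:
        if e["id"] == 4720:
            report.setdefault(e["subject"], []).append(e["target"])
    return {who: sorted(names) for who, names in report.items()}


def client_side_alerts(events):
    """(host, time, description) for the high-interest client-side event IDs."""
    return [(e["host"], _t(e), HIGH_INTEREST[e["id"]]) for e in events if e["id"] in HIGH_INTEREST]


def process_timeline(events, host):
    """Pair 4688 starts with 4689 ends by process id on one host; end is None if still running."""
    starts, timeline = {}, []
    for e in sorted((e for e in events if e["host"] == host and e["id"] in (4688, 4689)), key=_t):
        if e["id"] == 4688:
            starts[e["pid"]] = (e["process"], _t(e))
        elif e["pid"] in starts:
            proc, begun = starts.pop(e["pid"])
            timeline.append((proc, begun, _t(e)))
    timeline.extend((proc, begun, None) for proc, begun in starts.values())
    return timeline


if __name__ == "__main__":
    print(account_alerts(EVENTS))
    print(accounts_created_report(EVENTS))
    print(client_side_alerts(EVENTS))
    print(process_timeline(EVENTS, "WS-0417"))
```

In the sample, the same subject creates an off-convention account at 03:14 and adds it to Domain Admins a minute later, on a night when a workstation also got a new service, an audit-policy change and a cleared log; the value of the SIEM is that these arrive as one correlated picture rather than as five unrelated events.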

Sample Attack

Summary
• Defenders need to look for indicators of compromise across many sources
• SIEM solutions centralize that data
• Start small with basic methods, test, and move on to more advanced techniques
• The goal is to detect compromise and provide as much information as possible before starting incident response