Post on 21-Jan-2018
Incident Response on a Shoestring Budget
Detecting Attackers on Your Network Using Open Source Tools
Who, what, when?
• At BHIS we still rarely see effective logging and monitoring for detecting attacker activity
• Effective ingress/egress network traffic logs to determine what went where and when
• Consolidated endpoint logging for determining what ran on what system and when
• Free and open source tools can provide the necessary visibility
Bio
• Security Analyst at Black Hills Information Security
• Previous Blue Team, now mostly Red Team
• CitySec Meetup Organizer – TidewaterSec (Hampton, VA)
• Avid OWA enthusiast
Standard Disclaimer
• Enterprise deployments of monitoring and logging solutions have to be sized appropriately for the amount of traffic, logs, and analysis
• This is true for commercial and open source tools
• The open source and free tools discussed in this presentation will scale to the enterprise
• It still takes planning and resources beyond what can be covered in an hour
• One size does not fit all
• Your mileage may vary
Detection vs. Prevention
• Prevention is ideal but detection is a must
• Preventive measures can be bypassed
• Preventive solutions potentially cost a substantial amount of money
• Many detective solutions can be done for "free"
• Detective solutions are essential in identifying the "full picture" on an incident
Value of Time
• Open source and free software is not cost free if you value your time
• Trade-offs for figuring it out vs. ability to call the vendor
• If you go with completely free and open source solutions, you may be on your own to figure it out and make it work
• But your security Kung Fu will get better because of this
Core Monitoring Components
• Network Monitoring
• Host Based Monitoring (monitoring edge devices)
• Forensics at Scale (one analyst to many systems)
• Centralized Logging
• Log Correlation and alerting (SIEM)
Threat Intelligence?
Cyber Kill Chain® (lockheedmartin.com/cyber)
1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and Control
7) Actions on Objectives
Where are you now?
Network Monitoring
• Bro vs. Snort - Apples and oranges
• Bro is network protocol decoding at scale
• Forensic ground truth of what happens on the network
• Snort matches packets to signatures to detect potentially bad traffic
• They have different use cases – use the right tool for the job
Host Based Monitoring
• With cloud and mobile, increasingly more important to gain edge device visibility
• Sysmon is an easy win to deploy to Windows Endpoints
• Process creation with full command line
• Hash of process (SHA1)
• Network Connections
• File creation time changes
Sysmon Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:\Users\BruceL.Roy\
User: WIN-OK4HSK4QBPH\BruceL.Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
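As an added example (not part of the webcast), a small Python parser for the Process Create message above: it turns the "Key: Value" lines into a dict so the fields the slide calls out (full command line, SHA1 hash, parent process) can be indexed or matched in the SIEM. The sample event is the slide's own, laid out the way Sysmon writes it; the powershell_from_cmd helper is a name chosen here.

```python
import re

# Field names of a Sysmon Event ID 1 (Process Create) message, in the order
# Sysmon writes them; the parser splits the message text on these keys.
PROCESS_CREATE_FIELDS = [
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine",
]
_KEYS = "|".join(PROCESS_CREATE_FIELDS)
# "Key:" followed by a value that runs up to the next known "Key:" (or the end).
_FIELD_RE = re.compile(rf"(?P<key>{_KEYS}):\s*(?P<value>.*?)(?=(?:{_KEYS}):|\Z)", re.S)

# Constructed sample: the event from the slide, as Sysmon writes it (one field per line).
SAMPLE_EVENT = """Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:\\Users\\BruceL.Roy\\
User: WIN-OK4HSK4QBPH\\BruceL.Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\\Windows\\System32\\cmd.exe
ParentCommandLine: "C:\\Windows\\system32\\cmd.exe"
"""

def parse_process_create(message: str) -> dict:
    """Turn the Process Create message text into a dict of its fields."""
    event = {m["key"]: m["value"].strip() for m in _FIELD_RE.finditer(message)}
    # Hashes is "ALG=hex[,ALG=hex...]" (which algorithms depends on the Sysmon
    # config); expose each algorithm under its own key.
    if "Hashes" in event:
        event["Hashes"] = dict(h.split("=", 1) for h in event["Hashes"].split(","))
    return event

def powershell_from_cmd(event: dict) -> bool:
    """The relationship the slide's event shows: PowerShell spawned by cmd.exe."""
    return (event.get("Image", "").lower().endswith("\\powershell.exe")
            and event.get("ParentImage", "").lower().endswith("\\cmd.exe"))
```

The parser only needs the key names, so it also copes with the message when a collector has flattened it onto one line.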
Log Consolidation
• Centralize log collection from all edge devices and boundary devices
• Syslog client on Linux systems
• NXLog supports syslog shipping of Windows Event Logs
• Microsoft Windows Event Collector
• Boundary device syslog (Firewall, proxies, etc.)
SIEM For Free
• Any DIY SIEM solution could be time and labor intensive
• Elastic Logstash Kibana (ELK) / Elastic Stack
• Graylog
• If you have budget and have to choose where to spend, this may be the best place
• If you are not centralizing logs now, start simple
• Consolidate device and endpoint logs into syslog with nxlog
Forensics at Scale
• Ability for IR and forensics staff to quickly and remotely acquire necessary evidence to analyze an attack
• Can be difficult and time consuming to image RAM and disk evidence for every investigation
• F-Response (not free)
• Possible with PowerShell
• Google GRR
• Incident Response Framework
Tool Configuration
End Point Monitoring
nxlog
• Endpoint agent to ship logs to a syslog collector
• Support for Windows Event log shipping to remote collector – we're going to be sending JSON
• Text based conf file
• Application log selecting EVT IDs 1102, 4103, 4104
• Security log selecting EVT IDs 1102, 4624, 4625
• System log selecting EVT IDs 1102, 7009, 7045
• All of Sysmon log (filtering done in Sysmon config)
https://gist.github.com/deruke/20e77eaa14ad193fd6ab85a76c64cb21
Additional EVT Logs
• Windows Logging Cheat Sheet at www.malwarearchaeology.com
• NSA Spot the Adversary List
PowerShell Logging
• Module Logging
• Records pipeline execution details
• Script Block Logging
• Records blocks of code as they are executed
• Also records de-obfuscated code execution
• PowerShell 5.0 automatically logs script blocks considered as "suspicious"
• Transcription
• Unique record of every PowerShell session
• All input and output
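Script Block Logging writes a long block as several Event ID 4104 records ("Creating Scriptblock text (n of m)"), so searching the collector for the de-obfuscated code means putting the pieces back together. Added example, not part of the slides: it assumes the agent ships the 4104 EventData fields (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) as JSON keys, and the events below are constructed, including one block with a missing fragment.

```python
from collections import defaultdict

# Constructed sample of PowerShell Operational events as a collector would index
# them. Block "aaaa-1" arrived in two fragments (out of order), "bbbb-2" in one,
# and "cccc-3" is missing fragments 1 and 2. The 4103 record is module logging,
# not a script block, and must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "aaaa-1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Out-Null"},
    {"EventID": 4104, "ScriptBlockId": "bbbb-2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Select-Object -First 1"},
    {"EventID": 4104, "ScriptBlockId": "aaaa-1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | "},
    {"EventID": 4104, "ScriptBlockId": "cccc-3", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "}"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-Process)"},
]

def reassemble_script_blocks(events):
    """Join the fragments of each 4104 script block in MessageNumber order.

    Returns (complete, incomplete): complete maps ScriptBlockId to the full text
    for blocks whose every fragment was seen; incomplete maps ScriptBlockId to
    the fragment numbers that did arrive, so a dropped event is visible rather
    than silently producing a truncated block.
    """
    fragments = defaultdict(dict)   # block id -> {message number: text}
    totals = {}                     # block id -> expected fragment count
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        block_id = ev["ScriptBlockId"]
        fragments[block_id][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[block_id] = int(ev["MessageTotal"])
    complete, incomplete = {}, {}
    for block_id, parts in fragments.items():
        expected = range(1, totals[block_id] + 1)
        if all(n in parts for n in expected):
            complete[block_id] = "".join(parts[n] for n in expected)
        else:
            incomplete[block_id] = sorted(parts)
    return complete, incomplete
```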
PowerShell Logging
• Administrative Templates > Windows Components > Windows PowerShell
GPO Caveats
• If running Windows 7, obtain Administrative Templates for Windows 10
• Copy both the requisite files into %systemroot%\PolicyDefinitions
• PowerShellExecutionPolicy.admx
• PowerShellExecutionPolicy.adml
• Copy to \\sysvol\Policies\PolicyDefinitions if performing this as domain GPO
Sysmon Config File
• Install with XML based configuration to
• Start with @SwiftOnSecurity's file as a base then customize to fit your environment
• https://github.com/SwiftOnSecurity/sysmon-config
• Filters events based on Sysmon event type
• For every type, sensible exclusions and inclusions to reduce noise or look for specifically suspicious activity
Sysmon Config File
Collector
• Ubuntu 16.04 LTS system running Elastic Stack (ELK)
• Logstash ingests incoming syslog from endpoints and outputs to Elasticsearch
• Kibana web front end to search and visualize the data
• Scales to Enterprise, but you will need to plan accordingly
Logstash config: https://gist.github.com/deruke/093e9fa9b666aa211cfdce81921cb3ce
Deployment via GPO
• Script Block Logging
• Nxlog installation and/or service start on startup
• Sysmon installation and/or service start on startup
https://gist.github.com/deruke/743a80c89740fdedcb7f8871cdf02536
Demo Time
What about Prevention?
• Configuration changes can be effective prevention
• Strong password policy
• 15 characters min for users
• 28 characters for service and administrator accounts
• 2FA on all external facing portals
• Restrict administrative access
• LAPS
• Microsoft Tiered Architecture Approach
• Restrict client-to-client communication
• Private VLANs or Windows Firewall
What about Prevention?
• Application Whitelisting
• Windows 10 Enterprise features
• Device Guard – attempts to prevent malicious code from ever running, only known good code can run
• Credential Guard – hardening of key user and system secrets, attempted mitigation of credential based attacks
• Both use Virtual Secure Mode (VSM)
• Both require planning and deployment
Resources
• Network Monitoring
• www.bro.org
• snort.org
• molo.ch
• Host Based Monitoring
• Sysmon - technet.microsoft.com/en-us/sysinternals/bb545021.aspx
• Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
• Nxlog: nxlog.co
• Blog on setup: https://www.blackhillsinfosec.com/endpoint-monitoring-shoestring-budget-webcast-write/
• Live response at scale
• Google GRR: https://github.com/google/grr
• Log Correlation
• Elastic: https://www.elastic.co/
• Graylog: https://www.graylog.org/
• Microsoft Environment Configuration
• LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
• AD Tiered Model: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Conclusions
• Free and Open Source solutions can effectively be used for monitoring, detection, and live response
• Edge based host monitoring with centralized logging is a powerful combination
• Configuration changes are an important aspect of preventing compromise
Conclusions
• Derek Banks - @0xderuke
• @BHInfoSecurity – http://www.blackhillsinfosec.com
0x3F