SIEM Based Intrusion Detection Slides and Notes v2bl
-
8/9/2019 SIEM Based Intrusion Detection Slides and Notes v2bl
SANS Technology Institute - Candidate for Master of Science Degree
SIEM Based Intrusion Detection
Jim Beechey, March 2010
GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN
-
Objective
Attackers are more sophisticated and targeted in their attacks.
Defenders need systems which help provide visibility and alerting across numerous security systems.
SIEM adoption is driven by compliance (Gartner says more than 80%).
Put security back into SIEM using real-world examples.
-
SIEM System Setup
-
Basics: Outbound Traffic
Outbound SMTP, DNS and IRC
Unexpected outbound connections
-
New Hosts and Services
Scanner integration for new host and service discovery
-
Darknets
Network segments without any live systems, but which are monitored; any traffic to them is considered suspicious.
QRadar defines darknets at setup.
QRadar rule: Suspicious Activity: Communication with Known Watched Networks
-
Brute-force Attacks
Create reports to generate statistical data on failed logins by device, failed logins by source IP, and locked accounts per day.
QRadar provides several alerts for brute-force attacks; Login Failures Followed by Success and Repeated Login Failures Single Host are the most helpful.
Customize alerts for maximum impact.
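The two QRadar rules named above, plus the daily statistics, written out as plain Python over a handful of authentication events. This is an added example, not the slide author's rules or QRadar's implementation; the event records are constructed, and the thresholds (five failures in ten minutes, three failures before a success) are assumed values to tune for your environment.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# (timestamp, device, source IP, account, outcome)
SAMPLE_EVENTS = [
    ("2010-03-01 09:00:01", "vpn01", "203.0.113.5",  "alice",  "fail"),
    ("2010-03-01 09:00:04", "vpn01", "203.0.113.5",  "alice",  "fail"),
    ("2010-03-01 09:00:09", "vpn01", "203.0.113.5",  "alice",  "fail"),
    ("2010-03-01 09:00:15", "vpn01", "203.0.113.5",  "alice",  "fail"),
    ("2010-03-01 09:00:20", "vpn01", "203.0.113.5",  "alice",  "success"),
    ("2010-03-01 09:05:00", "dc01",  "10.0.0.23",    "bob",    "fail"),
    ("2010-03-01 09:05:30", "dc01",  "10.0.0.23",    "bob",    "fail"),
    ("2010-03-01 09:06:00", "dc01",  "10.0.0.23",    "bob",    "locked"),
    ("2010-03-01 11:00:00", "web01", "198.51.100.7", "admin",  "fail"),
    ("2010-03-01 11:00:01", "web01", "198.51.100.7", "root",   "fail"),
    ("2010-03-01 11:00:02", "web01", "198.51.100.7", "test",   "fail"),
    ("2010-03-01 11:00:03", "web01", "198.51.100.7", "guest",  "fail"),
    ("2010-03-01 11:00:04", "web01", "198.51.100.7", "oracle", "fail"),
    ("2010-03-01 11:00:05", "web01", "198.51.100.7", "sa",     "fail"),
    ("2010-03-02 08:30:00", "dc01",  "10.0.0.41",    "carol",  "success"),
]


def parse(events):
    """Turn the raw tuples into (datetime, device, ip, account, outcome), oldest first."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dev, ip, acct, out)
              for ts, dev, ip, acct, out in events]
    return sorted(parsed)


def repeated_failures_single_host(events, threshold=5, window=timedelta(minutes=10)):
    """'Repeated Login Failures Single Host': sources whose failure count inside any
    sliding window of length `window` reaches `threshold`.  Returns {ip: peak_count}."""
    times_by_ip = defaultdict(list)
    for ts, _dev, ip, _acct, out in events:
        if out == "fail":
            times_by_ip[ip].append(ts)
    hits = {}
    for ip, times in times_by_ip.items():
        start, peak = 0, 0
        for end in range(len(times)):          # times are already in order
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def failures_followed_by_success(events, min_failures=3, window=timedelta(minutes=10)):
    """'Login Failures Followed by Success': a success from a source IP that produced
    at least `min_failures` failures in the preceding `window`.  Returns a list of
    (ip, account_that_succeeded, device, failures_before_success)."""
    recent_fails = defaultdict(deque)
    alerts = []
    for ts, dev, ip, acct, out in events:
        q = recent_fails[ip]
        while q and ts - q[0] > window:        # expire failures older than the window
            q.popleft()
        if out == "fail":
            q.append(ts)
        elif out == "success" and len(q) >= min_failures:
            alerts.append((ip, acct, dev, len(q)))
            q.clear()                          # one alert per burst, not one per later success
    return alerts


def daily_report(events):
    """Statistics behind the slide's reports: failed logins by device, failed logins
    by source IP, and locked accounts per day."""
    by_device, by_ip, locked_per_day = Counter(), Counter(), Counter()
    for ts, dev, ip, _acct, out in events:
        if out == "fail":
            by_device[dev] += 1
            by_ip[ip] += 1
        elif out == "locked":
            locked_per_day[ts.strftime("%Y-%m-%d")] += 1
    return dict(by_device), dict(by_ip), dict(locked_per_day)


if __name__ == "__main__":
    evts = parse(SAMPLE_EVENTS)
    print("repeated failures:", repeated_failures_single_host(evts))
    print("failures then success:", failures_followed_by_success(evts))
    print("daily report:", daily_report(evts))
```

Note that the four failures from 203.0.113.5 stay under the repeated-failure threshold but still trigger the followed-by-success rule, which is why the slide calls that rule the more useful of the two: it needs far fewer events and points at an account that is now probably compromised.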
-
Brute-force Attacks
-
Windows Accounts
Report of accounts created, and by whom.
Alerts for:
accounts not using the standard naming convention
accounts created outside of the creation script timeframe
workstation account created
group membership adds to key groups
Understand the account management process and alert accordingly.
-
IDS Context/Correlation
Reduce noise by reporting based upon high-value systems or asset weights.
Add context of the target operating system; add knowledge of vulnerabilities.
Rules:
Target Vulnerable to Detected Exploit
Vulnerable to Detected Exploit on Different Port
Vulnerable to Different Exploit than Detected on Attacked Port
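How the three correlation rules, the OS context and the asset weight combine to rank IDS alerts. This is an added example and not QRadar's implementation or the author's configuration; the asset inventory, the scan findings, the IDS alerts and the rule multipliers are all constructed, and the vulnerability identifiers are hypothetical labels rather than real CVE numbers.

```python
# Assumed asset inventory: OS family and a 1-10 business-value weight.
ASSETS = {
    "10.0.0.5":  {"os": "windows", "weight": 10},   # payroll server, high value
    "10.0.0.9":  {"os": "linux",   "weight": 3},    # intranet wiki
    "10.0.0.12": {"os": "windows", "weight": 5},    # file server
}

# Assumed vulnerability-scanner findings: (host, port, vulnerability id).
# The vulnerability ids are hypothetical labels, not real CVE numbers.
SCAN_FINDINGS = {
    ("10.0.0.5",  445, "vuln-smb-001"),
    ("10.0.0.12", 139, "vuln-smb-001"),
    ("10.0.0.9",  80,  "vuln-php-007"),
}

# Constructed IDS alerts.  Each signature carries the vulnerability it exploits and the
# OS family it can affect; that metadata is what makes the correlation possible.
IDS_ALERTS = [
    {"sig": "SMB overflow attempt",  "dst": "10.0.0.5",  "dport": 445, "vuln": "vuln-smb-001", "os": "windows"},
    {"sig": "SMB overflow attempt",  "dst": "10.0.0.12", "dport": 445, "vuln": "vuln-smb-001", "os": "windows"},
    {"sig": "PHP RCE attempt",       "dst": "10.0.0.9",  "dport": 80,  "vuln": "vuln-php-003", "os": "linux"},
    {"sig": "SMB overflow attempt",  "dst": "10.0.0.9",  "dport": 445, "vuln": "vuln-smb-001", "os": "windows"},
    {"sig": "IIS traversal attempt", "dst": "10.0.0.5",  "dport": 80,  "vuln": "vuln-iis-002", "os": "windows"},
]

# Rule name -> multiplier applied to the asset weight to obtain a priority (assumed values).
RULE_WEIGHTS = {
    "Target Vulnerable to Detected Exploit": 3.0,
    "Vulnerable to Detected Exploit on Different Port": 2.0,
    "Vulnerable to Different Exploit than Detected on Attacked Port": 1.5,
    "Uncorrelated": 1.0,
    "OS mismatch (likely false positive)": 0.0,
}


def correlate(alert, assets=ASSETS, findings=SCAN_FINDINGS):
    """Pick the most specific rule that applies and return (rule, priority)."""
    asset = assets.get(alert["dst"], {"os": "unknown", "weight": 1})
    host_findings = {(port, vuln) for host, port, vuln in findings if host == alert["dst"]}
    if asset["os"] != "unknown" and asset["os"] != alert["os"]:
        rule = "OS mismatch (likely false positive)"          # Windows exploit against a Linux host
    elif (alert["dport"], alert["vuln"]) in host_findings:
        rule = "Target Vulnerable to Detected Exploit"
    elif any(vuln == alert["vuln"] for _port, vuln in host_findings):
        rule = "Vulnerable to Detected Exploit on Different Port"
    elif any(port == alert["dport"] for port, _vuln in host_findings):
        rule = "Vulnerable to Different Exploit than Detected on Attacked Port"
    else:
        rule = "Uncorrelated"
    return rule, asset["weight"] * RULE_WEIGHTS[rule]


def triage(alerts):
    """Return (priority, rule, signature, target) tuples, highest priority first."""
    scored = []
    for a in alerts:
        rule, priority = correlate(a)
        scored.append((priority, rule, a["sig"], a["dst"]))
    return sorted(scored, key=lambda x: x[0], reverse=True)


if __name__ == "__main__":
    for row in triage(IDS_ALERTS):
        print(row)
```

The same SMB signature produces a priority of 30 against the vulnerable payroll server, 10 against the file server that is only vulnerable on another port, and 0 against the Linux box, which is exactly the noise reduction the slide describes. The "different exploit on attacked port" rule is the weakest of the three because it only says the service is known to be weak, not that this attack works against it.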
-
Web Application Attacks
Analyze WAF logs if possible, as POST data (the request body) is not available in web server logs.
Create regular expressions to look for signs of attack, for example:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix detects a single quote (' or %27), the SQL comment sequence --, and # (or %23)
Create and alert on web honeytokens:
fake admin page in robots.txt
fake credentials in HTML code
-
Data Exfiltration
Collection of flows or session data is extremely helpful.
Reports/alerts based upon:
size/destination of outbound flows (Large Outbound Data Transfer)
application data inside specific protocols
frequency of requests/application usage
session duration (Long Duration Flow)
-
Client Side Attacks
Information in Windows event logs (Windows 2003 ID / Vista and later ID):
Process creation (592/4688) and termination (593/4689)
New service installed (601/4697)
Scheduled task created (602/4698)
Audit policy changed (612/4719) and audit log cleared (517/1102)
Integration with third-party tools
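Turning the event IDs on this slide into a detection: a new service, a new scheduled task, an audit policy change or a cleared log is always worth an alert, and the severity is raised when a client application (browser, PDF reader, Office) started on the same host for the same user shortly before. This is an added example, not the author's rule. The event records are constructed, and the list of client applications and the fifteen-minute window are assumptions; the legacy-to-current ID mapping is the one the slide gives.

```python
from datetime import datetime, timedelta

# Windows 2003 -> Vista/2008 security event IDs, as listed on the slide.
LEGACY_TO_CURRENT = {592: 4688, 593: 4689, 601: 4697, 602: 4698, 612: 4719, 517: 1102}
FOLLOW_ON = {
    4697: "new service installed",
    4698: "scheduled task created",
    4719: "audit policy changed",
    1102: "audit log cleared",
}
# Assumed: processes that render untrusted content, i.e. the usual client-side entry points.
CLIENT_APPS = {"iexplore.exe", "firefox.exe", "acrord32.exe", "winword.exe", "excel.exe"}
WINDOW = timedelta(minutes=15)   # assumed

# Constructed sample events (not real logs); note the mix of legacy and current IDs.
SAMPLE_EVENTS = [
    {"time": "2010-03-01 09:00:00", "id": 4688, "host": "WS1",  "user": "alice",
     "process": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"},
    {"time": "2010-03-01 09:03:00", "id": 601,  "host": "WS1",  "user": "alice",
     "detail": r"UpdaterSvc -> C:\Windows\Temp\upd.exe"},
    {"time": "2010-03-01 09:04:00", "id": 4698, "host": "WS1",  "user": "alice", "detail": r"\SysUpdate"},
    {"time": "2010-03-01 10:30:00", "id": 517,  "host": "WS1",  "user": "alice", "detail": ""},
    {"time": "2010-03-01 11:00:00", "id": 4688, "host": "WS2",  "user": "bob",
     "process": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"},
    {"time": "2010-03-01 11:40:00", "id": 4697, "host": "WS2",  "user": "bob",
     "detail": r"RemoteSupport -> C:\Users\bob\AppData\rs.exe"},
    {"time": "2010-03-01 12:00:00", "id": 4688, "host": "DC01", "user": "svc_backup",
     "process": r"C:\Windows\System32\ntbackup.exe"},
]


def normalize(event):
    """Map legacy IDs onto current ones and parse the timestamp, so one rule serves both."""
    e = dict(event)
    e["id"] = LEGACY_TO_CURRENT.get(e["id"], e["id"])
    e["ts"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
    return e


def client_side_alerts(events):
    """Alert on every persistence or anti-forensics event; severity is 'high' when a
    client application started for the same host and user inside WINDOW beforehand."""
    recent_client_starts = {}   # (host, user) -> (start time, process path)
    alerts = []
    for e in sorted((normalize(x) for x in events), key=lambda x: x["ts"]):
        key = (e["host"], e["user"])
        if e["id"] == 4688 and e["process"].rsplit("\\", 1)[-1].lower() in CLIENT_APPS:
            recent_client_starts[key] = (e["ts"], e["process"])
        elif e["id"] in FOLLOW_ON:
            start = recent_client_starts.get(key)
            if start and e["ts"] - start[0] <= WINDOW:
                severity = "high"
                context = f"{start[1]} started {e['ts'] - start[0]} earlier"
            else:
                severity = "medium"
                context = "no recent client application start"
            alerts.append((severity, e["host"], e["user"], FOLLOW_ON[e["id"]], e.get("detail", ""), context))
    return alerts


if __name__ == "__main__":
    for alert in client_side_alerts(SAMPLE_EVENTS):
        print(alert)
```

On WS1 the service and scheduled task appear three and four minutes after Acrobat Reader opened a document, which is the shape of a client-side exploit followed by persistence; the cleared log ninety minutes later is still alerted on, just without that context. Integration with third-party tools, as the slide suggests, is what fills in the rest: which document, which URL, which parent process.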
-
Sample Attack
-
Summary
Defenders need to look for indicators of compromise across many sources.
SIEM solutions centralize that data.
Start small with basic methods, test, and move to more advanced techniques.
The goal is to detect compromise and provide as much information as possible before starting incident response.