ISSA SIEM Fraud: Your Logs or ... Back to the Gold Rush (ISSA-BE Event, January 2011), 64 pages

Upload: xavier-mertens

Post on 25-Dec-2014

5.578 views

Category:

Technology



DESCRIPTION

How to detect fraud or suspicious events using open source tools (OSSEC). This talk was given during the ISSA Belgium chapter meeting in January 2011.

TRANSCRIPT

Page 1: ISSA Siem Fraud

Your Logs or ... Back to the Gold Rush

ISSA-BE Event, January 2011

Page 2: ISSA Siem Fraud

$ whoami

- Xavier Mertens (@xme)
- Senior Security Consultant @ C-CURE
- CISSP, CISA, CEH
- http://blog.rootshell.be
- I’m also on Maltego & Google!
- Some friends:

Page 3: ISSA Siem Fraud

$ cat disclaimer.txt

The opinions expressed in this presentation are
those of the speaker and do not reflect those of
past, present or future employers, partners or
customers...

Page 4: ISSA Siem Fraud

1 - The situation today

Page 5: ISSA Siem Fraud

acme.org

Page 6: ISSA Siem Fraud

acme.org’s CSO

Did you already get this feeling?

Page 7: ISSA Siem Fraud

Today's Issues

- Technical
  - Networks are complex
  - Based on heterogeneous components (firewalls, IDS, proxies, etc.)
  - Millions of daily events
  - Lots of consoles/tools
  - Protocols & applications

Page 8: ISSA Siem Fraud

Today's Issues

- Economical
  - ”Time is Money”
  - Investigations must be performed in real-time
  - Downtime may have a huge business impact
  - Reduced staff & budgets
  - Happy Shareholders

Page 9: ISSA Siem Fraud

Today's Issues

- Legal
  - Compliance requirements
    - PCI-DSS, SOX, HIPAA, etc.
    - Initiated by the group or business
  - Local laws
  - Due diligence & due care
  - Security policies must be enforced!

Page 10: ISSA Siem Fraud

Need for More Visibility

- More integration, more sources → more chances to detect a problem
- Integration of external sources of information could help the detection of incidents
  - Automatic vulnerability scans
  - Import of vulnerabilities database
  - FIM
  - Awareness

Page 11: ISSA Siem Fraud

Need for More Visibility

[**] [1:2050:14] SQL version overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434
UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404
Len: 376
[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310]

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167
***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1475031583 2358505469

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80
TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167
***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2086630937 3122214979

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167
***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2530339421 2353821688

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80
TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167
***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3995062809 1050363790

Page 12: ISSA Siem Fraud

2 - Fraud?

Page 13: ISSA Siem Fraud

What’s ”Fraud”?

”Deliberate deception, trickery, or cheating intended to gain an advantage”

- Fraud represents 39% of crimes in the CERT.us database
- Occurs “below the radar”

Page 14: ISSA Siem Fraud

Fraud Types

- Unauthorized addition or changes in databases
- Data theft or disclosure
- Rogue devices
- Identity theft

Page 15: ISSA Siem Fraud

Find the Intruder

- Keep an eye on the « malicious insider »
- Who is he?
  - Current or past employee (m/f)
  - Contractors / Business partners
  - Non-technical as well as technical position
  - He/she has authorized access to sensitive assets

Page 16: ISSA Siem Fraud

Fraud == Suspicious

- The term “fraud” is closely linked to money
- Let’s use “suspicious”, which means “inclined to suspect, to have doubts about; distrust”
- Detected outside the scope of regular operations
- Need for baselines, thresholds and watchdogs
- And... Procedures!

Page 17: ISSA Siem Fraud

Baselines

- Interval of values
- Trigger an alert if above a threshold or outside an interval

Page 18: ISSA Siem Fraud

Baselines

- Recurrence in time

Page 19: ISSA Siem Fraud

Baselines

- Correlation between multiple sources

Page 20: ISSA Siem Fraud

Impacts of Fraud?

- Quantitative
  - $$$
- Qualitative
  - Brand
  - Reputation
  - Customers / Stakeholders

Page 21: ISSA Siem Fraud

Some Examples

- CC used in country ”A” and used 4 hours later in country ”B”.
- A Belgian CC used to buy a 40” flat TV in Brazil.
- A SIM card connected to a mobile network in Belgium and 2 hours later in Thailand.
- Stolen or shared credentials / access badges.
- SSL VPN access from a foreign country.
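The credit-card and SIM-card cases above are the same check: two sightings of one identity, too far apart for the time elapsed. The following is an added example written for this transcript, not code from the talk or from its author; the sightings, the identity names and the city coordinates are constructed, and the 1000 km/h ceiling (roughly a commercial flight) is this example's threshold, not a figure from the slides.

```python
# Added example (not from the talk): flag "impossible travel" between two
# sightings of the same identity across different sources (POS terminal,
# mobile network, SSL VPN). All events and coordinates below are constructed.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed ceiling: nothing legitimate moves faster than an airliner


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed sightings: (identity, UTC timestamp, lat, lon, source, country)
EVENTS = [
    ("cc-1234", "2011-01-08 10:00:00", 50.85, 4.35, "pos-terminal", "BE"),       # Brussels
    ("cc-1234", "2011-01-08 14:00:00", -23.55, -46.63, "pos-terminal", "BR"),    # Sao Paulo, 4h later
    ("sim-0470", "2011-01-08 08:00:00", 50.85, 4.35, "mobile-network", "BE"),    # Brussels
    ("sim-0470", "2011-01-08 10:00:00", 13.75, 100.50, "mobile-network", "TH"),  # Bangkok, 2h later
    ("vpn-alice", "2011-01-08 09:00:00", 50.85, 4.35, "ssl-vpn", "BE"),          # Brussels
    ("vpn-alice", "2011-01-08 12:00:00", 48.86, 2.35, "ssl-vpn", "FR"),          # Paris, 3h later: plausible
]


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """One alert per consecutive pair of sightings of the same identity that
    would require moving faster than max_kmh. Sources are correlated purely on
    identity and time, which is the 'correlation between multiple sources'
    baseline from the slides."""
    by_identity = {}
    for ident, ts, lat, lon, src, country in events:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_identity.setdefault(ident, []).append((stamp, lat, lon, src, country))

    alerts = []
    for ident, sightings in by_identity.items():
        sightings.sort()  # chronological order (tuples compare on the timestamp first)
        for (t1, la1, lo1, s1, c1), (t2, la2, lo2, s2, c2) in zip(sightings, sightings[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            km = haversine_km(la1, lo1, la2, lo2)
            # Two distant sightings at the same instant: treat the speed as infinite.
            if hours == 0:
                kmh = float("inf") if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append({"identity": ident, "from": c1, "to": c2,
                               "hours": round(hours, 2), "km": round(km),
                               "kmh": round(kmh), "sources": (s1, s2)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print(f"{a['identity']}: {a['from']} -> {a['to']} in {a['hours']} h "
              f"({a['km']} km, ~{a['kmh']} km/h) via {a['sources']}")
```

The same routine covers the "shared credentials" case: two VPN sessions for one account from two countries within minutes produce a huge speed and are flagged; what differs per source is only the threshold you tune against your own baseline.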

Page 22: ISSA Siem Fraud

More Examples

- ”root” session opened on a Sunday 02AM.
- Data copied on removable devices
- Installation of keyloggers
- Rogue FTP servers

Page 23: ISSA Siem Fraud

Security Convergence!

- Logical Security
  - Credentials
  - IP access lists
- Physical Security
  - Access badges
- GeoIP
- Mobile devices
- Time references
- Let’s mix them!

Page 24: ISSA Siem Fraud

Resources!

- Adding plus-value to your logs is resource consuming!
- Temporary tables might be required
- Beware of time lines!

Page 25: ISSA Siem Fraud

How to fight?

- Need for raw material → Your logs
- Know the process flows!
- Talk to the ”business”
- Increase the logs’ value
  - Add visibility
  - Correlate with other information sources
- + Processes and communication!

Page 26: ISSA Siem Fraud

When?

- Real-time → Immediate investigation (source: real-time alerts)
- Before → Proactivity (reporting - trending)
- After → Forensic searches

Page 27: ISSA Siem Fraud

3 - The tools

Page 28: ISSA Siem Fraud

It’s not a product...

”... It’s a process!” (c) Bruce

(Diagram labels: Log Collection, Correlation, Search, Reporting, Incident Handling)

Page 29: ISSA Siem Fraud

The Good, The Bad, The Ugly!

- Big Play€r$ (no names!)
- All of them claim to be the best
- But often when you look inside:

Page 30: ISSA Siem Fraud

Straight to the Point

- SIEM environments are exp€n$ive!
- Best choice?
  - Must address the business requirements (not yours)
  - You must be able to handle them

Page 31: ISSA Siem Fraud

The Ingredients...

- Free software to the rescue!
- Some tools...
  - OSSEC
  - MySQL
  - Iptables / Ulogd
  - Google Maps API
  - Perl
  - The ”Cloud” (don’t be scared!)

Page 32: ISSA Siem Fraud

You said ”OSS.. What?”

- OSSEC is ”an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”.
- More info → @wimremes (ISSA 01/2010)

Page 33: ISSA Siem Fraud

The Recipes

- Good news, you already have the main ingredient: your logs!

(Diagram labels: Logs, External Resources, Resources, Policies, Security Incidents)

Page 34: ISSA Siem Fraud

4 - MySQL Audit

Page 35: ISSA Siem Fraud

Problem

- Authorized users added or modified data in a database.
- Lack of control and separation of duties
- Examples of fraud
  - Rogue access created
  - Price changed
  - Stock modified
  - Data integrity not consistent anymore

Page 36: ISSA Siem Fraud

Solution

- Database changes can be audited
  - High performance impact
  - All transactions are logged
  - Not convenient to process
- Monitor changes on critical data
  - Users’ credentials
  - Financial data
- Audit INSERT, UPDATE & DELETE queries

Page 37: ISSA Siem Fraud

Howto

- Use the MySQL UDF ”lib_mysqludf_log.so”:

mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so';
mysql> create function log_error returns string soname 'lib_mysqludf_log.so';

- Use MySQL triggers:

mysql> create trigger users_insert after insert on users for each row insert into dummy values(log_error("your message here"));

- Triggers will write the message in the MySQL errors.log

Page 38: ISSA Siem Fraud

Howto

- Process the MySQL log via OSSEC:

<!-- MySQL Integrity check -->
<rule id="100025" level="7">
  <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: [...]\.</regex>
  <description>MySQL users table updated</description>
</rule>

Page 39: ISSA Siem Fraud

Howto

- Results:

Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log
Rule: 100025 fired (level 7) -> "MySQL users table updated"
Portion of the log(s):

2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost

--END OF NOTIFICATION
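What rule 100025 does on the OSSEC side, shown as a parser over the trigger's log lines. This is an added example written for this transcript, not the talk's OSSEC configuration: the line format is taken from the notification above, the extra sample lines (a prices table update, a delete, an ordinary MySQL warning) are constructed, and the decision to keep only the row id out of the logged row is this example's choice, since the trigger writes every column of the row, credentials included, into errors.log.

```python
# Added example (not from the talk): parse the lines that the log_error()
# trigger writes to the MySQL error log and apply the "users table updated"
# check of rule 100025 to them. Sample lines are constructed.
import re

# "<date> <time> Table: <db.table>: <op>(<row values>) by <user@host>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Table: (?P<table>[\w.]+): "
    r"(?P<op>insert|update|delete)\((?P<values>.*)\) by (?P<user>\S+)$"
)

SAMPLE_LOG = """\
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
2011-01-08 00:32:10 Table: acme.prices: update(42,19.99,9.99) by webapp@10.0.0.5
2011-01-08 00:33:02 Table: acme.users: delete(3,carol) by admin@localhost
2011-01-08 00:33:05 [Warning] Aborted connection 12 to db: 'acme' user: 'webapp'
"""


def parse_audit_log(text):
    """Return one event dict per trigger line; other error-log lines are skipped.
    Only the first value (the row id) is kept; the rest of the row is reduced to
    a column count so that no credential column is copied into the SIEM."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_values = m.group("values")
        values = [v.strip() for v in raw_values.split(",")] if raw_values else []
        events.append({
            "ts": m.group("ts"),
            "table": m.group("table"),
            "op": m.group("op"),
            "row_id": values[0] if values else None,
            "columns": len(values),
            "user": m.group("user"),
        })
    return events


def users_table_alerts(events, watched=("acme.users",), level=7):
    """Equivalent of rule 100025: any insert/update/delete on a watched table
    becomes a level-7 alert with the rule's description."""
    return [dict(ev, level=level, description="MySQL users table updated")
            for ev in events if ev["table"] in watched]


if __name__ == "__main__":
    for alert in users_table_alerts(parse_audit_log(SAMPLE_LOG)):
        print(f"{alert['ts']} level {alert['level']}: {alert['op']} on {alert['table']} "
              f"row {alert['row_id']} by {alert['user']}")
```

The `watched` tuple is where the "critical data" list from the Solution slide goes: add the financial tables next to the users table and the same parser covers both cases.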

Page 40: ISSA Siem Fraud

5 - USB Stick Detection

Page 41: ISSA Siem Fraud

Problem

- Risks of data leak
- Risks of malware infections

Page 42: ISSA Siem Fraud

Solution

- The Windows registry is a goldmine to audit a system!
- The OSSEC Windows agent can monitor the Windows registry.

Page 43: ISSA Siem Fraud

Howto

- Interesting registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count

or

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Page 44: ISSA Siem Fraud

Howto

- Create a new OSSEC rule:

[USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;

- If “Count” > 0 => USB Storage inserted
- Problem: will be reported by the rootkit detector and not in real time

Page 45: ISSA Siem Fraud

Howto

- The second registry key changes when a USB stick is inserted:

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00

- New rule:

[USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;

Page 46: ISSA Siem Fraud

Howto

- Results

** Alert 1268681344.26683: - ossec,rootcheck,
2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck
Rule: 512 (level 3) -> 'Windows Audit event.'
Src IP: (none)
User: (none)
Windows Audit: USB Storage Inserted.
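How the two rootcheck-style lines above are read: a `[name] [any|all] [reference]` header followed by `r:key -> value -> content;` checks, where a leading `!` negates the content match and a bare `r:key;` only asks whether the key exists. The following is an added example written for this transcript, not OSSEC's own rootcheck code; it models that syntax in a simplified way and runs it against constructed registry snapshots instead of a live Windows registry. The first rule is the one from the slide; for the second, the example checks for the presence of the device key named on the previous slide (the path under `Enum\USBSTOR`), which is this example's choice of target.

```python
# Added example (not from the talk, not OSSEC code): a simplified evaluator for
# rootcheck-style registry checks, run over constructed registry snapshots.
import re

# '[name] [any|all] [reference] <checks>' on one line
RULE_RE = re.compile(r"^\[(?P<name>[^\]]+)\] \[(?P<cond>[^\]]+)\] \[(?P<ref>[^\]]*)\]\s*(?P<checks>.+)$")

RULES = r"""
[USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;
[USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00;
"""

# Constructed snapshots: lower-cased key path -> {value name: data}
REGISTRY_CLEAN = {
    r"hklm\system\currentcontrolset\services\usbstor\enum": {"Count": 0},
}
REGISTRY_USB_INSERTED = {
    r"hklm\system\currentcontrolset\services\usbstor\enum": {"Count": 1},
    r"hklm\system\currentcontrolset\enum\usbstor\disk&ven_usb&prod_flash_disk&rev_0.00": {},
}


def parse_rule(text):
    """Split a rule line into its name, condition and list of registry checks."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule line: {text!r}")
    checks = []
    for raw in m.group("checks").split(";"):
        raw = raw.strip()
        if not raw.startswith("r:"):
            continue  # only registry checks are modelled here
        parts = [p.strip() for p in raw[2:].split("->")]
        checks.append({"key": parts[0],
                       "value": parts[1] if len(parts) > 1 else None,
                       "content": parts[2] if len(parts) > 2 else None})
    return {"name": m.group("name"), "cond": m.group("cond"), "checks": checks}


def check_matches(check, registry):
    """True when the snapshot satisfies one check. Registry paths are compared
    case-insensitively, as Windows does."""
    values = registry.get(check["key"].lower())
    if values is None:
        return False
    if check["value"] is None:
        return True  # bare key: existence is the condition
    data = values.get(check["value"])
    if data is None:
        return False
    want = check["content"]
    negate = want.startswith("!")
    equal = str(data) == want.lstrip("!")
    return equal != negate


def evaluate(rule, registry):
    results = [check_matches(c, registry) for c in rule["checks"]]
    return all(results) if rule["cond"] == "all" else any(results)


def fired_rules(registry, rules_text=RULES):
    """Names of the rules that fire against a snapshot, in file order."""
    rules = [parse_rule(line) for line in rules_text.strip().splitlines() if line.strip()]
    return [r["name"] for r in rules if evaluate(r, registry)]


if __name__ == "__main__":
    print("clean host:", fired_rules(REGISTRY_CLEAN))
    print("after USB insert:", fired_rules(REGISTRY_USB_INSERTED))
```

Both checks are state checks, which is the limitation the slide points out: they fire whenever the rootkit detector runs and sees the state, not at the moment the device is inserted, so the alert's timestamp is the scan time and the `Count` value never goes back down on its own.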

Page 47: ISSA Siem Fraud

6 - Detecting Rogue Access

Page 48: ISSA Siem Fraud

Problem

- Stolen or shared credentials can be used from ”unknown” locations
- If your team members are local, is it normal to have sessions opened on your SSL VPN from Thailand or Brazil?
- An admin session started from the administration VLAN?

Page 49: ISSA Siem Fraud

Solution

- Public IP addresses? They can be mapped to coordinates using open GeoIP databases
- Private IP addresses? Hey, they’re yours, you should know them
- For public services, Google Maps offers a nice API

Page 50: ISSA Siem Fraud

Howto

- Configure OSSEC for your application log file (write a parser if required)
- Create an “Active-Response” action triggered when a specific action is detected
- The “Active-Response” script will perform a GeoIP lookup using the source IP address

Page 51: ISSA Siem Fraud

Howto

- If the IP address belongs to a suspicious country or network zone, inject a new event into OSSEC
- OSSEC generates an alert based on this event.

Page 52: ISSA Siem Fraud

Howto

- Results:

** Alert 1270065106.2956457: mail - local,syslog,
2010 Mar 31 21:51:46 satanas->/var/log/fraud.log
Rule: 50001 (level 10) -> 'Fraud Detection'
Src IP: (none)
User: (none)
[31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany
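The decision the active-response script takes, from the login line to the `fraud.log` entry that rule 50001 picks up. This is an added example written for this transcript, not the talk's Perl script: the GeoIP table is a constructed stand-in using documentation IP ranges, the internal zone table, the application log format and the rule that only Belgian sessions are expected are all this example's assumptions, and the output line follows the format of the alert above.

```python
# Added example (not the talk's script): the logic of an OSSEC active-response
# action for rogue-access detection. Public addresses are mapped to a country,
# private ones to a documented internal zone; anything else is written to
# fraud.log in the format OSSEC then turns into the 'Fraud Detection' alert.
import ipaddress
import re
from datetime import datetime

# Constructed stand-in for an open GeoIP database: network -> (code, country)
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): ("BE", "Belgium"),
    ipaddress.ip_network("198.51.100.0/24"): ("DE", "Germany"),
    ipaddress.ip_network("203.0.113.0/24"): ("TH", "Thailand"),
}
# RFC 1918 space is "yours": look it up in your own zone table, never in GeoIP.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ZONE_TABLE = {  # constructed
    ipaddress.ip_network("10.1.0.0/16"): "admin-vlan",
    ipaddress.ip_network("10.2.0.0/16"): "user-vlan",
}
ALLOWED_COUNTRIES = {"BE"}  # assumption: the team is local, so only Belgian sessions are expected

# Constructed application log format: "<date> <time> login user=<name> src=<ip>"
LOGIN_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login user=(?P<user>\S+) src=(?P<ip>\S+)$")

SAMPLE_LOGINS = [  # constructed
    "2010-03-31 21:51:45 login user=johndoe src=198.51.100.23",  # Germany: not allowed
    "2010-03-31 21:52:10 login user=alice src=192.0.2.17",       # Belgium: allowed
    "2010-03-31 21:53:00 login user=bob src=10.1.4.9",           # admin VLAN: documented zone
    "2010-03-31 21:54:30 login user=carol src=203.0.113.5",      # Thailand: not allowed
    "2010-03-31 21:55:00 login user=dave src=10.9.9.9",          # private but undocumented
]


def locate(ip_text):
    """('zone', name) for a documented internal address, ('country', code, name)
    for a public address found in the GeoIP table, ('unknown',) otherwise."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL_NETS):
        for net, zone in ZONE_TABLE.items():
            if ip in net:
                return ("zone", zone)
        return ("unknown",)
    for net, (code, name) in GEOIP_TABLE.items():
        if ip in net:
            return ("country", code, name)
    return ("unknown",)


def fraud_line(ts, user, ip, where):
    """fraud.log entry in the format of the 'Fraud Detection' alert on the slide."""
    stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%d-%m-%Y %H:%M:%S")
    return f"[{stamp}] Suspicious activity detected for user {user} via IP {ip} in {where}"


def active_response(line, allowed=ALLOWED_COUNTRIES):
    """Return the event to inject into OSSEC, or None when the login comes from
    an allowed country or a documented internal zone."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts, user, ip = m.group("ts", "user", "ip")
    loc = locate(ip)
    if loc[0] == "zone":
        return None
    if loc[0] == "country" and loc[1] in allowed:
        return None
    where = f"{loc[1]}, {loc[2]}" if loc[0] == "country" else "an unknown location"
    return fraud_line(ts, user, ip, where)


if __name__ == "__main__":
    for entry in SAMPLE_LOGINS:
        result = active_response(entry)
        if result:
            print(result)  # in the real setup this line is appended to /var/log/fraud.log
```

An unknown location is reported rather than ignored: an address that is neither in the GeoIP data nor in your own zone table is exactly the gap the "you should know them" slide is about.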

Page 53: ISSA Siem Fraud

7 - Mapping on Google Maps

Page 54: ISSA Siem Fraud

Problem

- What’s the difference between:
  - 195.75.200.200 (Netherlands)
  - 195.76.200.200 (Spain)
- IPs are extracted from firewall logs, botnet analysis, web site logs, ...

Page 55: ISSA Siem Fraud

Howto

- Geo-localization is performed using the MaxMind DB (free version) + Perl API:

use Geo::IP;
my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD);
my $record = $gi->record_by_name("1.2.3.4");
print $record->latitude . "," . $record->longitude;

- Store results to an XML file.

Page 56: ISSA Siem Fraud

Howto

- Submit the file to the Google Maps API from HTML code.

Page 57: ISSA Siem Fraud

8 - Searching the Cloud

Page 58: ISSA Siem Fraud

”LaaS” ?

- ”Logging as a Service” seems to be an emerging trend in 2011.
- Loggly offers beta accounts
  - 200MB/day - 90 days of retention
  - No SSL support
- Supported ”inputs”
  - Syslog (UDP or TCP)
  - HTTP(S)

Page 59: ISSA Siem Fraud

”OSSEC phone Loggly”

- OSSEC can export to Syslog
- Events can be sent to Loggly using HTTP POST requests:

https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46

Page 60: ISSA Siem Fraud

”OSSEC phone Loggly”

- Perl to the rescue:

# ./syslog2loggly.pl -h
syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port]
-D : Run as a daemon
-h : This help
-f keyfile : Configuration file (default: /etc/syslog2loggly.conf)
-p port : Bind to port (default 5140)
-v : Increase verbosity
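The core of what such a relay does: accept the syslog line OSSEC exports, pull the alert fields out of it, and turn it into one HTTP POST to the Loggly input URL. This is an added example written for this transcript, not the talk's syslog2loggly.pl: the sample line is constructed after OSSEC's syslog output, the input key is a placeholder standing in for the value read from the keyfile, the JSON payload layout is this example's choice, and the default port 5140 is the one from the usage text above.

```python
# Added example (not the talk's syslog2loggly.pl): receive OSSEC syslog
# lines over UDP and forward each one to a Loggly HTTP input. Only serve()
# touches the network; the request builder is pure and testable offline.
import json
import re
import socket
import urllib.request

LOGGLY_INPUTS = "https://logs.loggly.com/inputs/"
INPUT_KEY = "INPUT-KEY-PLACEHOLDER"  # placeholder; the real key is the only credential, keep the keyfile root-only
DEFAULT_PORT = 5140

# Constructed line modelled on OSSEC's syslog export of the fraud alert above
SAMPLE_LINE = ("Mar 31 21:51:46 satanas ossec: Alert Level: 10; Rule: 50001 - Fraud Detection; "
               "Location: (satanas) 192.168.1.10->/var/log/fraud.log; "
               "[31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany")

ALERT_RE = re.compile(r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>[^;]+); "
                      r"Location: (?P<location>[^;]+); (?P<message>.*)$")


def parse_ossec_syslog(line):
    """Structured fields for an OSSEC alert line; unknown lines keep only 'raw'."""
    m = ALERT_RE.search(line)
    if not m:
        return {"raw": line}
    return {"level": int(m.group("level")), "rule": int(m.group("rule")),
            "description": m.group("desc").strip(), "location": m.group("location").strip(),
            "message": m.group("message").strip(), "raw": line}


def build_loggly_request(line, input_key=INPUT_KEY):
    """One POST per event; the input key is part of the URL path."""
    payload = json.dumps(parse_ossec_syslog(line)).encode("utf-8")
    return urllib.request.Request(LOGGLY_INPUTS + input_key, data=payload,
                                  headers={"Content-Type": "application/json"}, method="POST")


def serve(port=DEFAULT_PORT, input_key=INPUT_KEY):
    """Daemon loop: one UDP syslog datagram in, one HTTP POST out."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, _peer = sock.recvfrom(65535)
        line = data.decode("utf-8", "replace").rstrip("\r\n")
        with urllib.request.urlopen(build_loggly_request(line, input_key), timeout=10) as resp:
            print(resp.status, line[:60])


if __name__ == "__main__":
    serve()
```

Parsing before forwarding is what makes the cloud side searchable by rule id and level instead of by free text, which is the point of the "Searching the Cloud" section.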

Page 61: ISSA Siem Fraud

Results

Page 62: ISSA Siem Fraud

Conclusions

- The raw material is already yours.
- The amount of data makes it impossible to process without appropriate tools.
- Suspicious activity occurs below the radar.
- Make your logs more valuable by cross-linking them with other sources.
- Be ”imaginative”!

Page 63: ISSA Siem Fraud

References

- The scripts and references are available on my blog: http://blog.rootshell.be/
- Keyword: ”OSSEC”

Page 64: ISSA Siem Fraud

Thank You! Questions?