Logging Alerting and Hunting - Technology Hub 2016
Logging Alerting and Hunting
Getting on the right track to find evil
whoami
• SynerComm Information Assurance Consultant
• Penetration Tester
• Former Blue Team / SOC / Incident Responder
Logging vs Alerting vs Hunting
• What is logging
• What is alerting
• What is hunting
What questions can you ask of your logs?
Let use cases drive your data collection
Types of Logging
• Windows
• Non-Windows
• Network
Uses for Logging - Benefits
• Diagnostics - Uptime
• Security
• eDiscovery Potential
Windows
• Events
• Endpoint controls
• DHCP/DNS
• Other - Sharepoint / MSSQL / Fileshares
Windows - Events of Interest
Source: NSA Detecting the Adversary
Windows - Events of Interest - Endpoint

| General Event Description | Group of IDs |
| --- | --- |
| Network Connection | 5156, 5157 |
| Process Creation | 4688, 4689 |
| File Auditing | 4663, 4660 |
| Share Access | 5140 |
| Registry | 4657 |
| Services | 7045 |
| Scheduled Tasks | 4698, 602 |
| PowerShell | 501, 4104, 4103 |
Windows - Endpoint Controls
• You have a rootkit on every box, use it
• HIPS is critical
• Coverage is critical
• Deeper information than Windows events can provide
Windows - DNS/DHCP
• Many environments use Windows DNS/DHCP
• Logging on these systems is high priority
• These systems are critical to malicious activity as well
Windows - Other
• Sharepoint
• MSSQL - C2 Audit
• Fileshares
• IIS or other Windows systems
Non-Windows Logging
• Mac OS X
• Linux/Unix
• Network Appliances / Other
Non-Windows - Mac OS X
• Similar to Linux/Unix but different (BSD-ish)
• Open source can help - OSSEC - syslog
• Use cases are similar to Windows
Non-Windows - Linux/Unix
• Easiest systems to get logs from
• Possible to over collect
• Protect from critical data outwards
Network Appliances / Other
• SAAS / Cloud (Other people’s computers with your data)
• Netflow / Full Packet Capture / Network Security Monitoring (NSM)
• Security controls - Web proxy logs / Firewall / Intrusion Prevention
Alerting
• Alerts are annoying
• Useful alerts need to be high-fidelity
• Get creative - start from a known problem and work backwards
Alerting
• Alerts should only fire when action is required (otherwise they are just logs)
• Building new alerts without remediating root cause will increase your work indefinitely
• Build defensible positions
• Know your own network
• If staff can’t be dedicated, the organization is probably not ready for many alerts
Hunting (Hurting)
• Proactive defense
• Requires expertise
• Is not a technology driven solution (it’s about your people)
• Requires minimum maturity in order to be valuable
Getting started / Building Maturity
Lost → Reactive → Preventative → Proactive
Stage I - LOST
• Has logs with no staff
• Incidents take an unreasonable amount of time to resolve
• Evil can happen unnoticed and unrecorded and probably is
Stage II - Reactive
• Has logs, maybe not enough staff
• Log data may be limited
• Most organizations are partially in this stage
• Creates feeling of constant “fire fighting” (Burns out security people)
Stage III - Preventative
• Data collection starts to drive remediation of root causes
• Some malicious activity is prevented simply by configuration
• Staff start to feel a modicum of control / Less stress
• Not 100% preventative of malicious activity
Stage IV - Proactive
• Prevention capability is near maximum
• Hunting is routine
• Incidents are found in earlier stages and root causes identified
• Everybody sings Kumbaya
Getting Started (Bare minimum)
• Egress network traffic 5-tuple (source IP, destination IP, source port, destination port, protocol)
• Web Proxy Logs
• Active Directory Logs
• Avoid overlap
• Use tools you already have
Sample Solutions - Logging
• OpenSource (Logging only)
• Graylog, ELSA, ELK, nxlog, snare, syslog-ng, fluentd, Bro IDS
Sample Solutions - Alerting
• Builds on Logging solutions
• Opensource
• Sagan, OSSEC, Snort, Security Onion
Sample Solutions - Hunting
• Building again on logging/alerting
• Opensource
• Security Onion, Sguil, Moloch, Redline, Volatility, osquery, PacketPig
Sample Use Cases
• Find processes running that are outliers
• Egress encrypted non-US traffic
• VPN logs from outside the US
• All outbound user agents that don’t match organization default
• All downloaded executables
• Privileged account added/changed/used/abused
Sample Use Cases
• Machines using non-standard services (DNS, NTP)
• Protocol mismatched traffic (e.g. encrypted traffic over port 80)
• Non-Admins running administrator tools (e.g. net user, PowerShell)
• External network connections from machines that shouldn’t make them (e.g. DC to internet)
• Registry modifications that affect processes running on boot
• Movement of macro-enabled Office documents
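An added example (not the deck's own code) of the "non-standard services (DNS, NTP)" and "DC to internet" use cases above, run over egress 5-tuple records of the kind the bare-minimum slide asks for. The flows, the approved DNS/NTP server addresses, the internal address ranges and the domain-controller role are all constructed assumptions.

```python
# Added example, not from the deck: running the deck's "non-standard services
# (DNS, NTP)" and "DC to internet" use cases over egress 5-tuple flow records.
# Flows, approved servers, internal ranges and host roles are constructed.
import ipaddress

# Constructed egress flow records: (src, dst, dst_port, proto).
FLOWS = [
    ("10.1.1.20", "10.1.0.53", 53, "udp"),      # workstation to corporate resolver
    ("10.1.1.21", "8.8.8.8", 53, "udp"),        # workstation bypassing corporate DNS
    ("10.1.1.22", "10.1.0.123", 123, "udp"),    # workstation to corporate NTP
    ("10.1.1.22", "203.0.113.7", 123, "udp"),   # NTP to an unapproved external server
    ("10.1.0.10", "10.1.0.53", 53, "udp"),      # DC to corporate resolver, expected
    ("10.1.0.10", "198.51.100.9", 443, "tcp"),  # DC talking directly to the internet
    ("10.1.1.20", "198.51.100.9", 443, "tcp"),  # workstation HTTPS egress, expected here
]

# Assumptions: the corporate DNS/NTP servers, your own address space and which
# hosts are DCs all come from your inventory ("know your own network").
APPROVED_SERVERS = {53: {"10.1.0.53"}, 123: {"10.1.0.123"}}
DOMAIN_CONTROLLERS = {"10.1.0.10"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the address falls inside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def non_standard_services(flows, approved=APPROVED_SERVERS):
    """Flows to a DNS or NTP port whose destination is not an approved corporate server."""
    return [f for f in flows if f[2] in approved and f[1] not in approved[f[2]]]


def dc_to_internet(flows, dcs=DOMAIN_CONTROLLERS):
    """Flows from a domain controller to any address outside the internal ranges."""
    return [f for f in flows if f[0] in dcs and not is_internal(f[1])]


if __name__ == "__main__":
    for f in non_standard_services(FLOWS):
        print("non-standard service:", f)
    for f in dc_to_internet(FLOWS):
        print("DC to internet:", f)
```

Both checks are allowlist comparisons, so each hit is either a configuration problem to fix at the root cause or something worth a closer look, which is what keeps them high-fidelity.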
Sample Use Case Template
Source: Anton Chuvakin - Gartner
External Resources & Questions