what you need to know about ngsoc. presented at #csxasia #scavengerhunt about next generation...
TRANSCRIPT
Next Generation Security Operation Centre (NGSOC) – What You Need To Know?
ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF CCSK ITIL — ISACA Malaysia Certification and Professional Development Director 201?–1?; ISACA Malaysia Special Interest Group 1 – Chairperson; ISACA Malaysia Cybersecurity Nexus Liaison Officer; Chief Technical Officer at Sysarmy
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
• Cybersecurity Threat Flow • Cybersecurity Counter Measure • Next Generation Security Operation Center • Use Case – Building NGSOC • Summary • Q&A
NEXT GENERATION SECURITY OPERATIONS CENTER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
TIER 3 PROTECTION
DMZ
Ransomware Flow
INTERNAL EXTERNAL
DMZ
INTERNAL EXTERNAL
1. E-MAIL 2. WEB 3. VPN
4. CLIENT SERVER APP
1. FIREWALL 2. PROXY GATEWAY 3. MAIL GATEWAY
4. ANTIVIRUS GATEWAY 5. IPS / IDS
1. NETWORK DEVICE 2. SECURITY DEVICE
3. SERVER 4. ENDPOINT
1. FIREWALL 2. IPS / IDS 3. ENDPOINT
1. INBOX 2. BROWSER 3. LOCAL FILE
4. REMOVABLE FILE 5. NETWORK FILE
DATABASE
Disable Macro in Microsoft Office
Create & Run Batch File + Script
Tier 1 Tier 2 Tier 3
Protection
Download & Execute Malware
Tier 1 Tier 2 Tier 3
Protection
Data Breach Network Outage Defacement ...
Run Ransomware.exe
Ransomware Negotiate
Encryption Key
Tier 1 Tier 2 Tier 3
Protection
Ransomware Encrypt Data
Ransomware Flow
Ransomware Delete Backup
Files
6. WAF 7. APT 8. DDOS
1. Signature Update 2. Policy Fine Tuning 3. Log Monitoring
Offline Backup
TIER 1 PROTECTION
6. NAC 7. DB FIREWALL 8. PRIVILEGE IDENTITY
9. ADVANCE ENDPOINT
Privilege & App Lockdown
1. User Awareness 1. Signature Update 2. Policy Fine Tuning 3. Log Monitoring
TIER 3 PROTECTION
TIER 2 PROTECTION
Malicious URL Phishing + Mishing CnC BotNet Autorun On Removable
Privilege & App Lockdown Privilege & App Lockdown
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
With so many interconnected devices, how are you going to protect your enterprise?
NEXT GENERATION SECURITY OPERATIONS CENTER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Step 1 – Fundamental Security Measures
Step 2 – Advanced Security Measures
Step 3 – Specific Advance Threat Countermeasures
Step 4 – Best Available Security Practices
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Basic Security Measures • Antivirus Systems
• Intrusion Detection Systems
• Firewalls
• Access Control
Advanced Security Measures • Intrusion Prevention Systems
• Data Leak Prevention
• Vulnerability Scanning
• Penetration Testing
• Database Activity Monitoring (DAM)
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Specific Advance Threat Countermeasures • Advance Endpoint Protection
• Network Packet Inspection
• Advance Threat Detection
• DDOS
• File Integrity Monitoring
• Security Information and Event Management
Best Available Security Practices • Security Development Lifecycle
• Disaster Recovery
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
The threat landscape has evolved. Cybersecurity is now of major concern to both the public and private sectors, and the government sector is working tirelessly to defend its entire enterprise from a breach.
This session will cover the requirements for building or outsourcing your NGSOC, and discuss how it can help organizations prepare to mitigate future cyberattacks.
As CYBERSECURITY covers a broad scope of areas, for this session we will be focusing more on Next Generation Security Incident and Event Monitoring (SIEM) as our area of discussion.
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
Recover: Recovery Planning, Communications, Continuous Improvements
Respond: Mitigation
Respond: Analysis, Communications
Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
Protect: Access Control, Awareness and
Training, Data Security, Information Protection Processes and Procedures
Identify: Asset
Management, Business
Environment
Identify: Governance, Risk Assessment, Risk
Management
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
– Norse Video
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
The Challenge For Log Analysis – Log Management vs SIEM vs NextGen SIEM
Security Analytic + Storage + Actionable Intelligence – Building NextGen Security Operation Center
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
$>N+'$7klA_l%$>m+.(klBel%$>X)/klBVl%$>N*'.$"klAdl%T3kl_^Al%3kl@l%3,klZ+>+'n`Z+>+EEl%Zkl,"-.(*$/l%D,klZNOUWm8%I:[X0:B%I4A#B_IA#TeeGA^ee5%IVI;"(L"(+2%I;"(L"(+2%I%Io-9dL^CV)\d@C"\B)"-\^E9_\9)L"d9-A@VB"p%I\I\ I\ I\ I\ IB^^J^_JBVeJCf%IBAffl%,!kl,"-.(*$/l%U!kl^^CBAel%[Nkl,.--"22E.H !"$<+(b%Z+>+'q%%%%%O2"(%!)F"q%ZNOUWm8%%%%%X+F)*'q%%:[X0:B%%%%%Z+>+'%DXq%%4A#B_IA#TeeGA^ee5%%%%%Z+>+'%:/1"q%V%%%%%Z+>+'%W(+-"22q%;"(L"(+2%%%%%G.$7"'$*-)$*+' W)-b)>"q%;"(L"(+2%%%%%6+(b2$)$*+'%!)F"q%%%%%%Z+>+'%&ODXq%o-9dL^CV)\d@C"\B)"-\^E9_\9)L"d9-A@VB"p%%%%%3)HH"(%O2"(%!)F"q%\ 3)HH"(%X+F)*'q%\ 3)HH"(%Z+>+'%DXq%\ 3)HH"(%W(+-"22%DXq%\ :()'2*$"9%,"(K*-"2q%\ ,+.(-"%!"$<+(b%G99("22q%B^^J^_JBVeJCf%%%%%,+.(-"%W+($q%BAff%%%%l%$>,"-+'9klB@l%Okl:[X0:BnnZNOUWm8l%:klG.9*$%,.--"22l%T:kl^l%$7*2kl"K"'$l%3!klm0O\X3l%TDkl_^Al%$>8")(kl@ABArBB@A%%%AAAAAAAAAAAAAAAAAAA@:,]@ABA\AC\A@\B@J^eJ^VJV^VddCRWGXT]AAA3R,T30MU%%%CAAAfB%%R3NX%%%%%%R,8,%%%%%%s,8,QG,%%%B%%%%%%%%%%%%%AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR,T30MU%%%0N!DG,@%tutututututututututuAAAAAABA_dAB@fB_AAdAee@VA^GOXU3]AAAeR,8,%%%%%%s,8,QG,%%%B%%%%%%B%%%%%%tutututututututQAAAAAAAAAAAAAAA@^VCfA%%VCBVCVVCA;VCBVC@VCd;VC_;VCCVCduuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuD!AfA@BAIT,T3XQGIGWWZGQ,nnXZMX:GWWAeAVIXZMX:GWWAeAVI@ABAn`A^n`@d%BeqAdqV^I@ABAn`A^n`@d%BeqAeq_@I@ABAn`A^n`@d%BeqAeq_@IBABIZ0&0MMIIG.$7"'$*-)$"9%L/q%XG:GQG,Tv%3H*"'$%)99("22q%4GXXUT,,k4WU0:030Zk$-154m0,:kBf@JBCeJBdAJBB54W0U:k@dee55IBABedIBIBIAIIIIVA__VIIIII9HE9$)11@BCAI0()-H"%X)$)L)2"%BA>%T'$"(1(*2"%T9*$*+'%U"H")2"%BAJ@JAJVJA%P 
W(+9olGZTU:lqolNG!X:lqlAABlIlN,&lqlZ+>+'%,.--"22E.H%4:/1"kO5lIlUTW0U:TXQ8lql,"-.(*$/G.9*$lIlN:N3!GNTlql2)12"(K"(wXNAwABlIlGU&:8WT@lql3lIlT[:D!XT[lqlAAAAAAAAB@lIl0QxT3:!GNTlql,"-.(*$/lIlN,&GU&@lqlOSAlIlN:3ZG,,lqlBABlIlN,&GU&BlqlGOBlIlO,TUDXlql,GWx,MlIl,:G:O,lql^AlIlGU&:8WT^lql3lIl,:G:3m&XG:lql:."%N)(%@^%AAqAAqAA%WX:%@AAflIlN:D!XT[lqlAAAAAAABdClIl]GZOTlql@lIlN,&:T[:lql,"-.(*$/%G.9*$q%Z+>+'%TK"'$lIl,T]TUD:8lql@__lIl,:G:3m&Q8lql,"-.(*$/G.9*$lIlGZ,8,DXlqlXNAlIlGU&:8WTVlql3lIlN,T&!GNTlql,GWw33N,w2)12"(K"(wXNAwABlIlN,3&ZDXlqlGOBlIlN:!ONUG!&TlqlAVVlIlGZTU:XG:Tlql:."%N)(%@^%AAqAAqAA%WX:%@AAflIlMDTZX!GNTlqlZ+>+'lIlGZO!DR!ONlqlAAAACf^V_@lIlN:,8,DXlqlXNAlIlGZTU::DNTlql:7.%x)'%AB%AeqBfq@^%W,:%BfdAlIl,:G:3m&:DNlql:7.%x)'%AB%AeqBfq@^%W,:%BfdAlIlU3lqlAlIlN,&DXlqlGOBlIlGZD!XT[lqlAAAAAAdV^AlIlGU&:8WTBlql3lIlN,&3ZG,,lql,GW\8,Z0&lIlN:ODXlqlAAAABAAABAlpIl,8,!UlqlABlIlm0,:lqlBf@JBCeJVJdlp
The Challenge For Log Analysis
Do you manage to analyze every single line of these thousands of lines of log every minute?
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
What is inside the log???
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Customer Type Log Volume (GBs / Day)
Events / Day Events / Sec
Cloud Provider 50,000 166,666,666,667
1,929,012
Social Media Organization
25,000 83,333,333,333 964,506
Telcos 1,000 3,333,333,333 38,580 Enterprise > 1000 employees
300 1,000,000,000 11,574
SME 10 33,333,333 386
How Big Is The Log Size???
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
!
!
!
Who Gets Breached??? Who Has Log Analysis???
!
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
– Who is doing what?
– What access do they have?
– Is that access appropriate?
– Where are they accessing from?
– Is this normal behavior?
– Are there other Indicators of Compromise for the same account/host/service?
Who is doing what?
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Log collection; Centralized aggregation; Long-term log retention; Log rotation; Log search and reporting; Log analysis after storage
LOG MANAGEMENT (LM)
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Same functionality as “LM”; Standard Correlation; Alerting; Dashboards; Retention (Correlated Event); Forensic Analysis
SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Same functionality as “SIEM”; Advanced correlation; Intelligence Feed; Anomalies Detection; Support Customization; Support Cloud Deployment; Integration with Security Solution
NEXT GENERATION SIEM (NGSIEM)
The Challenge – Huge log volumes; Log-format diversity; Proprietary log formats; False-positive log records
The Challenge – Lack of Intelligence Feed; Intensive Human Analytics; Lack of Incident Work Flow; Rigid Deployment Scale
The Challenge – Security Analytic Framework; Storage Architecture; Actionable Intelligence; Implementer Skillset; ID Management Integration
52%%%%%%B9 +)"2%%%%%B9 !&+)"252%%%%%%B9 +)"2%%%%%B9 !&+)"2
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
LOG MANAGEMENT (LM)
52%%%%%%B9 +)"2%%%%%B9 !&+)"2
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
52%%%%%%B9 +)"2%%%%%B9 !&+)"2
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
52%%%%%%B9 +)"2%%%%%B9 !&+)"2
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SIEM (NGSIEM)
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Security Devices
Network Devices
Servers & Endpoint
Virtualization
Application
Configuration & File Integrity
Vulnerability Information
Identities
Cloud
Mobile
IOT
SECURITY ANALYTIC FRAMEWORK
Incident Response
Remediation
Compliance
GOVERNANCE
Visualization
Analysis
Alert
Report
Visualization
Analysis
Alert
Report
ANALYTIC
Actionable Intelligence
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Nature Type Description Online Storage
Primary Storage: Formerly known as local storage.
Optimized for quick writes and fast retrieval. Stores the most recently collected event data and the most frequently searched event data.
Secondary Storage: Formerly known as network storage, for example SAN.
Optimized to reduce space usage on optionally less expensive storage while still supporting fast retrieval. NGSIEM automatically migrates data partitions to the secondary storage.
NOTE: Data retention policies, searches, and reports operate on event data partitions regardless of whether they are residing on primary or secondary storage, or both.
Offline Storage
Archival Storage: Based on retention policies, archived logs will be backed up to offline storage such as tape for safe keeping. When needed, they can be reimported for use in long-term forensic analysis.
NGSIEM storage should be designed using the Three Tier Architecture Storage to resolve the storage challenge. By default, NGSIEM receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately stored in protected partitions to provide a secure evidence chain.
STORAGE ARCHITECTURE
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true “Actionable Intelligence” security professionals need to quickly understand their threat posture and prioritize response.
ACTIONABLE INTELLIGENCE
!"#$%&'&#()
Threats
>
Threats Intelligence
Collect Normalize Process Correlate Report Logging Triggered
Threats Intelligence Tools / Tactics / Techniques Analytics
71(%71(%
NEXTGEN SOC PEOPLE PROCESS TECHNOLOGY
– NGSOC Monitoring – Vulnerability Assessment – Penetration Test – NOC Component Monitoring (Performance and Availability) – Cyber Threat Alert Analysis – Forensic Analysis – Incident Handling And Responses – Global Threat Notification – Onsite, Phone & Email Support
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NGSOC PEOPLE PROCESS TECHNOLOGY
Team Leader
Shift 1 (Day) Shift 2 (Day) Shift 3 (Night) Shift 4 (Night)
Threat Analyst
OperationSOC Manager
Threat Analyst
Threat Analyst
Security Engineer
Threat AnalystThreat Analyst Threat Analyst
Security Engineer
CONSULTANT
Threat Analyst Threat AnalystThreat Analyst
Threat Analyst
Threat Analyst
Security Engineer
Security Analyst Security AnalystSecurity Analyst
THREAT ANALYST
Security Engineer
Security Analyst
Security Analyst Security Analyst Security Analyst Security Analyst
Security Analyst Security Analyst Security Analyst Security Analyst
ENGINEER
Incident Respond
Threat Analyst
Principal Consultant
Principal Consultant
Team Leader Team Leader Team Leader
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NGSOC PEOPLE PROCESS TECHNOLOGY
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Tool 1 – Next Gen SIEM
Tool 2 – Advance Endpoint Detection & Response
Tool 3 – Network Packet Analytic
Tool 4 – Advance Persistent Threat Detection & Respond
Tool 5 – Threat Intelligence Integration
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NGSOC PEOPLE PROCESS TECHNOLOGY
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
32
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
1 – Traditional SOC vs NGSOC
2 – Methodology
3 – Scenario 1 SQL Injection
4 – Scenario 2 Rapid Scanning
5 – ‘MIRAI’ Detection
USE CASE
Next Generation Security Operation Center
(NGSOC) attacking
PROTECTING
Cybersecurity Monitoring
NGFW Firewall
Access / ID Network Proxy
Web Application Firewall
Web Server End User (NGSOC)
NEXT GENERATION SOC
End Point
APT
legitimate
Network
Intelligence
TRADITIONAL SOC
WAF
Scenario 1 – SQL Injection Attack
' OR 1=1 --abcd123456269
(3) Send notification to Security Admin (4) Perform remedy action based on the advisory and intel from NGSOC.
[label illegible] Perform SQL injection to the Web Server
Firewall
Web Server
(4) Perform remedy action based on the advisory and intel from NGSOC. (3) Send notification to Security Admin.
• Condition 1SQL Injection Attack detected at WAF
• Condition 2There are abnormal traffic occur on
Firewall activity
Result: Correlate both Condition 1 & 2
Indicator of Compromise
Scenario 2 – Rapid Scanning Attack
(3) Send notification to Security Admin (4) Perform remedy action based on the advisory and intel from NGSOC.
[label illegible] Perform Rapid Scanning to the Web Server
Firewall
Web Server
(4) Perform remedy action based on the advisory and intel from NGSOC. (3) Send notification to Security Admin.
• Condition 1High inbound traffic from one source IP
towards multiple port
• Condition 2High GET 200,GET 403, GET 404 request
from Web Server
Result: Correlate both Condition 1 & 2
Indicator of Compromise
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Accelerometer
Gyroscope
Magnetometer
Barometer
Proximity
Light Sensor
Touch Screen GPS
WIFI
Bluetooth
GSM/CDMA/LTE
NFC
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Camera / Mic
!&+*,%T%)*$
DDoS attacks are not a new phenomenon, and we often hear of companies getting hit by these attacks. We need to understand that before the Dyn DNS attack, there were two major DDoS attacks: Brian Krebs (665 Gbps) and OVH (1 Tbps).
Apparently, the attack was a response to his blog post in which he exposed the operators of the vDOS DDoS service.
This botnet of 145,607 cameras/DVRs (1–30 Mbps per IP) is able to send >1.5 Tbps of DDoS traffic. Type: tcp/ack, tcp/ack+psh, tcp/syn.
IOT BOTNET ATTACK – CCTV Camera, IP Camera, Smart TV, Printer, Media Player
MIRAI BOTNET DETECTION USING NGSOC
Most SOCs have actually detected the indicators of compromise upon gathering intelligence from news feeds and forums ahead of the attack date. The IOC hunting revealed that MIRAI had been scanning for available IOT or DNS servers within this region between July and October 2016. However, those attempts were mainly dropped by firewalls.
Here is the chronology of detection at our SOC:
21 Oct 2016 7:00 PM – DDOS started using Mirai at US…; 21 Oct 2016 6:24 PM – Threat intelligence about Nyadrop IOT DDOS related; 21 Oct 2016 5:00 PM – All clients have been notified of the IOC results; 21 Oct 2016 – IOC hunting revealed that 191.96.249.29 and 93.158.200.66 had been performing scans (ports UDP 53, 123, 19, 53413) in very small volume between 28 July 2016 and 11 October 2016; 20 Oct 2016 1:19 AM – Threat intelligence about Mirai IOT DDOS related
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
SUMMARY
– Understand CyberSecurity Threat Flow – Enhance Your Cybersecurity Defense – Develop Your NGSOC Road Map – Build Your NGSOC
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER
QUESTION & ANSWER
Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
NEXT GENERATION SECURITY OPERATIONS CENTER