Logs and SIEMs Incident Response

Logs and SIEMs Incident Response

Logs Logs are key to knowing what’s happening on your network Even attackers will leave tracks Reveal critical errors/misconfigurations in systems Show usage of resources Track security related information on computers Most every system (software, operating systems, etc.) have some sort of log capability Windows event logs DNS application logs Web server logs Proxy logs Email mailbox access logs Incident Response Audit logs Track an attacker’s activities 2

Configure logging Default logging levels are not always sufficient Be sure to check with your vendor Probably don’t need debug logging Pay attention to storage space! Lots of heavy logs will fill drives fast Lots of logs might not actually be useful Analyze the usefulness of the log Incident Response Sometimes no logging is default 3

Analyzing Logs Manual log review Easy, no special tools required Impossible to do at scale Filtering logs Show a list of bad, ignore the good Easy to interpret the results Doesn’t catch everything Summary analysis Top 10 users, most connections by IP address Reduces the data, useful for reporting Loss of information to summarization Incident Response 4

Analyzing Logs Visualization Easy to spot patterns Great to show off Not super useful for getting the details of an event Search analysis Easy to understand But what exactly should you search for? Correlation Rule-based algorithms Automated Fine tuning and writing by experts required Log mining Extract meaning from raw data Automated But still early in research Incident Response 5

How logs help an IR Preparation Verify controls, collect a normal baseline, etc. Identification Detect and confirm an incident Containment Scope the incident, find what else was lost Eradication Recovery Confirm restoration Lessons Learned Logs available for training, as well as preventing a future attack Incident Response Preserve logs for the future, confirm backups are safe 6

These can best show when suspicious activity is occurring Authentication and Authorization Reports Change Reports Network Activity Reports Resource Access Reports Malware Activity Reports Critical Errors and Failures Reports Incident Response SANS top 6 log categories 7

Authentication and Authorization Reports What is it? Successful and failed attempts to access a system Specific privileged user activities Why is this important? Main barrier for access Attackers often will try to just log in, rather than bypassing the control Example searches (What might these be indicative of?) Logins after hours Remote access failures (VPN) Privileged account access Multiple login failures Followed by success of that same account Incident Response 8

Example What’s wrong with this? System Account Name Venus administrator Pluto alex Mercury root Source IP Status 10.1.1.2 Failure 10.11.12.13 Success 10.1.2.3 Failure Method Count Local Local SSH 1 1 893765 Incident Response 9

Change Reports What is it? Changes to configuration files Changes to accounts Changes to sensitive components of the system Why is this important? Unauthorized changes may indicate an incident Attackers may modify systems to expand or enable their access Example searches (What might these be indicative of?) New users or groups created New services installed Change in file permissions Incident Response 10

Example What’s wrong with this? Date System 1/10/11 11:11AM PST 1/10/11 11:12AM PST 1/10/11 11:15AM PST Venus Account Name root Jupiter anton Venus root Operation Object Status Account Added Group Added Account Added anton Success sudoers Success root1 Failure Incident Response 11

Network Activity Reports What is it? Network activities that need to be tracked for regulatory compliance Potentially dangerous network activities Who is talking to who, how much bandwidth, what port/protocol, etc. Why is this important? The network is the main avenue into a computer Almost all attacks will traverse the network Example searches (What might these be indicative of?) Outbound connections from DMZ systems Largest file transfers, inbound or outbound File uploads to external sites VPN activity and usage Incident Response 12

Example What’s wrong with this? VPN Access and usage Date 1/11/11 1/12/11 1/13/11 VPN VPN1 VPN1 VPN2 User Name anton anton root System antonlaptop antonlaptop Lapt19847 Action Login Login Login Status Success Failure Failure Count 2 1 77 Incident Response 13

Resource Access Reports What is it? Access of system, application, and database resources Activity audit, incident detection Why is this important? Resource use can be used to track abuse Determine which resources the attacker accessed Example searches (What might these be indicative of?) Access to critical resources during off hours Privileged database user accesses DELETE queries executed on a database Systems sending mail, excluding known mail servers Incident Response 14

What’s wrong with this? File Access Date Server User Name 1/11/11 1/12/11 1/13/11 Win1 Win2 NFS anton anton anton File Name Access Type Expenses.xlsx Read Roadmap.ppt Read Blank.docx Write Status Count Success Success Failure 1 1 37 Incident Response Example 15

Malware Activity Reports What is it? Summarize various activities and events likely related to malicious software Why is this important? Malware is a key threat vector in all sizes of organizations Logs can be leveraged in addition to anti-virus products Example searches (What might these be indicative of?) Malware detection trends Internal connections to known malware IP addresses Anti-virus protection failures Incident Response 16

Example What’s wrong with this? Malware type Status VirusX VirusY Botz Detected Detected Quarantined Infected System Count 1 1 2 Incident Response 17

Critical Errors and Failures What is it? Significant system errors and failure indicators Often are security related events Why is this important? Can provide early indication of security threats Unusual errors could be indicative of a new threat to the network Example searches (What might these be indicative of?) Backup failures Capacity events for system resources like memory, CPU, disk, etc System crashes, shutdowns, restarts Incident Response 18

Example Event Type Disk Full Disk Full CPU Load 100% Date 10/1/11 1/1/11 1/2/11 Incident Response Server Serv1 Sirius VenusX 19

So those are some examples on how logs can be useful. Two major techniques Incident Response How do we go about determining if something in the logs is malicious? 20

Signature Detection Detect known threats Uses prior knowledge of what an attack looks like Signature Examples Malicious File with a specific hash Alerts are high confidence Attacker can change one character in the file, results in a different hash Easy to bypass Hashes Ports IP Addresses Other Artifacts Port 4444 being connected to Commonly used in meterpreter Attacker can use a different port Incident Response 21

Anomaly Detection Detect threats based on nonstandard activities Uses prior knowledge of what normal looks like, and generates alerts based off abnormal Alerts are not always high confidence Slightly more difficult to bypass, but still possible Behaviors Ports Protocol Analysis Other Artifacts Anomaly Examples A login to an Admin account at 2am Typically that user only logs in from 8-5, maybe that is a malicious use of the account? SSL/TLS encrypted traffic on a port other than 443 We expect to see encrypted traffic on ports 443, 22, etc. Seeing that traffic on, for example, port 80, would be anomalous. Malicious? Maybe. Incident Response 22

Logs are extremely useful – essential to a good security monitoring program Need a way to efficiently collect, store, and analyze logs Log aggregation utility, SIEM Needs to be able to handle LOTS of logs quickly and efficiently Keep in mind the quantity of logs you may be dealing with! Tens or hundreds of thousands of events per machine (or more) Imagine a company with 100-1000 computers (not actually that big) Easily in the millions of events each day (or more) Incident Response So many logs 23

SIM, SEM, SIEM All are tools that collect information used to analyze the security of the network SIM – Security Information Management Typically collecting logs The raw information SEM – Security Event Management Holds a collection of events Suspicious authentications, logon to admin account after hours, etc. SIEM – Security Information Event Management Combination of the above two Raw information from logs Security events Incident Response Summarized “event” information from the raw security information 24

They are quite similar All really started with SIM tools Start collecting logs from various systems Often helps meet compliance requirements So you have a bunch of logs, now what? SEM systems help provide analysis and visualization capabilities SIEM combines this – most products today should have the combined capabilities Very few folks draw a distinction between these anymore – basically the same Incident Response Real-time Analyze alerts 25

Capabilities Data Aggregation Produce reports from log data for compliance requirements Consolidates logs from many sources Correlation Uses common attributes to link events together Turns raw data into more useful information Alerting Automated analysis of raw data produces actionable alerts Dashboards Turns data into useful charts Easier to see patterns or anomalies in data Compliance Retention Long-term storage for forensic investigations and possible compliance requirements Forensic Analysis Ability to search across different nodes and time periods. Incident Response 26

Plenty of options Lots of vendors in the market Orgs should evaluate products and make selections based on their needs Which features from the previous slide are 100% necessary? Price Learning curve Quantity of data and server requirements As an incident responder, you may use any number of these – whatever is available to you Some vendors in the market IBM, Splunk, HPE, AlertLogic, Intel, LogRhythm, ManageEngine, MicroFocus, Solar Winds, Trustwave Even some open source options OSSIM, Elastic Stack, Apache Metron, SIEMonster, Prelude, Graylog Incident Response 27

Graylog Open source log management Scalability Alerting capabilities Report generation capabilities Pre-configured appliance for testing Production, more scalable setups on Ubuntu, Debian, CentOS Incident Response Can bring in logs from multiple tools from multiple systems Terabytes of data 28

Lab Graylog VM – just the pre-configured appliance for testing NXLog Open source log forwarder Used for forwarding to various aggregation solutions Windows machine Let’s jump in to get familiar Incident Response Security log Sysmon 29