SEC555 Presentation based on SEC555: SIEM with Tactical Analytics

SEC555 Presentation based on SEC555: SIEM with Tactical Analytics Stuck in the Box: A SIEM’s Tale Justin Henderson (GSE # 108) @SecurityMapper

About Me Author of SEC555: SIEM with Tactical Analytics GIAC GSE # 108, Cyber Guardian Blue and Red 58 industry certifications (need to get a new hobby) Two time NetWars Core tournament winner (offense) And security hobbyist and community supporter Collecting interns/contributors in bulk (research teams) SEC555 SIEM with Tactical Analytics 2

Welcome! A copy of this talk is available at https://www.securitymapper.com Virtual machine used during presentation is available for download at above link More free stuff: https://github.com/SMAPPER Disclaimer: This talk is not about bashing SIEM solutions or promoting one vendor/solution above the others SEC555 SIEM with Tactical Analytics 3

SIEM Detection Gap Working with multiple organizations there are clearly gaps in SIEM deployments Example: One organization spent 14 months in deployment SIEM was/is within top 5 of magic quadrant 2014 - 2017 Two employees during roll out ( 1 FTE of labor for 14 months) Within less than 1 month open source solution exceeded what they SEC555 had SIEM with Tactical Analytics 4

SIEM Deployment Well they must have lacked training and planning, right? Both employees attended week long vendor training POC lasted well over three months Implementation had 30 days of professional services One employee hired as dedicated FTE to SIEM One PTE and other employee(s) available to help SEC555 SIEM with Tactical Analytics 5

What Happened? Ultimately the company discarded commercial solution Open source solution still in place People and processes are more important than the tool! Focus should not be solely on SIEM care and feeding Detection techniques are required and must scale SEC555 SIEM with Tactical Analytics Automation is a must! 6

NXLog AutoConfig Overcomes log agent deficiencies and is a functional proof of concept https://github.com/SMAPPER/NXLog-AutoConfig Checks systems each day looking for components (IIS, etc) If found, automatically configures for consistency Or initial configuration Then sets up agent to start shipping logs Largest deployment maintained 12 K systems SEC555 SIEM with Tactical Analytics 7

Traditional vs Network Extraction Traditional Network Extraction Multiple collection points Single collection point DNS logs SMTP logs HTTP logs DNS logs Log Aggregator agent DNS Server agent SMTP Server SMTP logs HTTP logs Log Aggregator agent or syslog Web Proxy agent or syslog Network Extraction Sensor SEC555 SIEM with Tactical Analytics 8

Service Profiling with SIEM Infrastructure Service Logs DNS HTTP HTTPS SMTP Almost every network uses them Lots of noise lots of logs Yet can be high value Enrichment Techniques Low value logs can morph into highly actionable detects Baby Domains Entropy Test (PH Imbalance) Invalid Fields (wrong state) Fuzzy Phishing SEC555 SIEM with Tactical Analytics 9

freq server.py freq server.py is for large scale entropy tests Created by Mark Baggett, author of SEC573 Manual testing Logstash query SEC555 SIEM with Tactical Analytics 10

domain stats.py Mark Baggett developed domain stats.py Designed for speed and log analysis Provides on mass domain analysis Result Result Provides whois information like creation date And top 1 million lookups (works with Alexa and Cisco) SEC555 SIEM with Tactical Analytics 11

Top1M Filtering Before After - approx 90% logs SEC555 SIEM with Tactical Analytics 12

Ordinary to Extraordinary query: www.google.com En ric hes to t hi s query: www.google.com subdomain: www parent domain: google registered domain: google.com creation date: 1997-09-15 tags: top-1m geo.asn: Google Inc. frequency score: 18.2778256342 parent domain length: 6 SEC555 SIEM with Tactical Analytics 13

Fuzzy Phishing Many SIEM techniques use insider information Such as fuzzy phishing searches Take legitimate company domains and look for variants Extremely effective against phishing domains Best used in combination with email alerts or scripts Great for targeted attacks SEC555 SIEM with Tactical Analytics 14

Endpoint Analytics Endpoint logs are incredibly powerful yet underutilized Too much emphasis on “insert security product here” Not enough visibility on desktops/laptops Endpoint logs can readily be operationalized Internal Pivoting Strategies such as below can be used to detect Brute force logins attacks using Whitelist evasion Long command lines SEC555 SIEM with Tactical Analytics 15

Service Creation Gone Bad (Event ID: 7045) Common attack techniques create services Top example is of Meterpreter compromise through PSExec Bottom event is of privilege escalation SEC555 SIEM with Tactical Analytics 16

PowerShell Attacks (Event ID: 4104 or 4688) PowerShell is now commonly used for modern attacks SEC555 SIEM with Tactical Analytics 17

NirSoft USBDeview1 Simplification is acceptable/preferred Possible to run 3rd party tool once a day and log to file Better late than never SEC555 SIEM with Tactical Analytics 18

File Auditing (Event ID 4663) Automated scripts/malware often used to find patterns Social security #, credit card #, or drivers license Operate by enumerating and reading through files Often ignores hidden folders SEC555 SIEM with Tactical Analytics 19

Group Querying (Event ID 4662 and 4663) By default all users can list group members Attackers enumerate members to find users to target Many alternative methods to list group members Mickey Perre has a blog on detecting this behavior Windows auditing can capture read member requests SEC555 SIEM with Tactical Analytics 20

HALO (Honeytokens Against Leveraging OSINT) Fake users can be created publicly to combat recon Could be just in hidden metadata and/or key public sites Example: Peter Parker([email protected]) On LinkedIn, Facebook, Adobe, PGP, Github, etc. Likely to be picked up during OSINT Eventually may make compromised account lists Takes minimal time to setup can get fairly elaborate SEC555 SIEM with Tactical Analytics 21

Flare Austin Taylor wrote a beacon discovery script called Flare Uses Elasticsearch to crawl historical connections Identifies connections with consistent beaconing Supports analysis of custom time periods SEC555 SIEM with Tactical Analytics 22

ELK Hunter Designed for analysis, research, and proof of concept ELK Hunter is a test bed for configs and concepts Contains Security Onion, ELK, and analysis scripts Designed to plug into network or deploy to hypervisor Verifies legitimacy of techniques and configurations Discover new techniques or abnormal behaviors SEC555 SIEM with Tactical Analytics 23