Slide 1 - CONFidence 2016


From the life of a SOC Analyst...
Case studies
Jacek Grymuza [CISSP, CEH, CIHE, OSCP]
5/19/2016
[email protected]
Agenda
What is SOC?
Log correlation
IOC
Splunk threat detection examples
Incident examples
(ISC)2 Poland Chapter
Quiz
Q&A
What is SOC?
A security operation center (SOC) is a centralized unit that deals
with security issues on an organizational and technical level.
Source: http://solutionsreservoir.com/resources/introduction-to-cybersecurity/part-1-cybersecurity-overview/
Log correlation
Log analysis allows
Detection of anomalies
Tracking of network communications in many systems based on log
information, such as IP address, host name, account name and user ID
Using SIEM in log analysis
Correlates between multiple systems (e.g. AD & VPN, AV & IPS,
AD & Application)
Helps to specify context of security incident
Answers questions: Who, What, When, Where, Why and How…
Regex, pattern functions (e.g. like, startswith, endswith, include,
contains, whitelist/blacklist) are very useful during event
correlations.
IOC (Indicator of compromise)
System
Network
[ACS, FW, Router, Proxy]
OS
DB
Application
AV
IDS/IPS
WAF
File Integrity Monitoring
DLP
SIEM
Security threat
The kill chain
Defensible Actions Matrix
Source: https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/
Splunk threat detection examples (1/3)
Incident name: Identification of temporary permission added to a highly
privileged group
Description: Scenario identifies an account being added to and then removed
from the Domain Admins group within 8 hours
Splunk SIEM incident detection method:
sourcetype="WinEventLog:Security" GroupName="Domain Admins" |
transaction Member_Security_ID startswith="4728" endswith="4729" |
where duration <= 28800
Splunk threat detection examples (2/3)
Incident name: Identification of brute force attacks
Description: Scenario identifies brute force attacks based on multiple failed login
events for the same account
Splunk SIEM incident detection method:
sourcetype="WinEventLog:Security" EventCode="4625" Keywords="Audit Failure"
NOT (Account_Name="*$") | transaction Account_Name maxspan=5s |
stats count by Account_Name | where count > 4
Splunk threat detection examples (3/3)
Incident name: Identification of suspicious processes in Windows
Description: Identification of short-lived processes (a process that starts and
exits within one second, events 592/593) based on OS process-tracking events
Splunk SIEM incident detection method:
Komputer="PC-1" | transaction Użytkownik, Nazwa_pliku_obrazu,
Identyfikator_procesu startswith="(Zdarzenie=592)" endswith="(Zdarzenie=593)" | where duration <=1 |
stats values(Użytkownik) AS "User", values(Nazwa_pliku_obrazu)
AS "Image File Name", values(Identyfikator_procesu) AS "Process Id"
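As an added example (not code from the talk), scenarios 1 and 2 above re-implemented in plain Python over a constructed set of WinEventLog:Security-style events, so the transaction/duration logic can be tried without a Splunk instance. The brute-force function follows the slide's description (more than 4 failures by one non-machine account inside a 5-second window) rather than literally counting Splunk transactions; the SIDs, account names and timestamps are made up.

```python
# Added example, not code from the talk: scenarios 1 and 2 above re-implemented
# in Python over constructed WinEventLog:Security-style events (t = seconds).
from collections import defaultdict
DA = "Domain Admins"
EVENTS = [  # constructed sample data
    {"t": 0, "EventCode": 4728, "GroupName": DA, "Member_Security_ID": "S-1-5-21-0-1001"},
    {"t": 7200, "EventCode": 4729, "GroupName": DA, "Member_Security_ID": "S-1-5-21-0-1001"},    # removed after 2 h
    {"t": 100, "EventCode": 4728, "GroupName": DA, "Member_Security_ID": "S-1-5-21-0-1002"},
    {"t": 90100, "EventCode": 4729, "GroupName": DA, "Member_Security_ID": "S-1-5-21-0-1002"},   # removed after 25 h
    *[{"t": 1000 + i, "EventCode": 4625, "Account_Name": "jdoe"} for i in range(5)],   # 5 failures in 4 s
    {"t": 2000, "EventCode": 4625, "Account_Name": "bob"},
    {"t": 2600, "EventCode": 4625, "Account_Name": "bob"},                               # 2 failures, 10 min apart
    *[{"t": 3000 + i, "EventCode": 4625, "Account_Name": "WS01$"} for i in range(6)],  # machine account, excluded
]

def temporary_domain_admins(events, max_duration=28800):
    """Scenario 1: like `transaction Member_Security_ID startswith=4728 endswith=4729`,
    pair each add (4728) with the next remove (4729) of the same SID; keep pairs <= 8 h."""
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e.get("GroupName") == DA and e["EventCode"] in (4728, 4729):
            by_sid[e["Member_Security_ID"]].append(e)
    hits = []
    for sid, evs in by_sid.items():
        added_at = None
        for e in evs:
            if e["EventCode"] == 4728:
                added_at = e["t"]                        # transaction opens
            elif added_at is not None:                   # 4729 closes it
                if e["t"] - added_at <= max_duration:
                    hits.append((sid, e["t"] - added_at))
                added_at = None
    return hits

def brute_force_accounts(events, maxspan=5, threshold=4):
    """Scenario 2: accounts (machine accounts `*$` excluded) with more than
    `threshold` 4625 failures inside any `maxspan`-second window."""
    times = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625 and not e["Account_Name"].endswith("$"):
            times[e["Account_Name"]].append(e["t"])
    flagged = set()
    for account, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):                   # sliding window over sorted times
            if sum(1 for t in ts[i:] if t - start <= maxspan) > threshold:
                flagged.add(account)
                break
    return flagged
```

With the sample data, only SID ...1001 (removed after 2 h) and the account jdoe are flagged; the 25-hour membership, the two slow failures and the noisy machine account are not.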
If you want to play with Splunk…
Software can be tested for free, e.g.
https://www.splunk.com/page/sign_up/cloudtrial?redirecturl=/getsplunk/onlinesandbox
Many free documents, e.g.
https://docs.splunk.com/Documentation
Incidents - Security systems
Connections to malware domains (C&C)
Identification of tunnel traffic (method CONNECT)
Downloading potentially dangerous files (.exe, .gz, .zip)
Data leakage through suspicious data storage websites
(e.g. https://gist.github.com/, http://codepad.org/)
Malware outbreak
Identification of hosts without enabled/installed AV system
Identification of out-of-date AV signatures
Repeated re-infections
Multiple attacks against same host
Usage of non-standard ports or protocol/port mismatches
Incidents - Network
Monitoring unauthorized scans of network infrastructure
IP spoofing attacks
Reboot of FW
Deviations from standards; abnormal activities
Abuse on remote access
Identification of unauthorized configuration changes
Identification of policy changes (e.g. suddenly unblocked
services)
DNS zone transfers (normal DNS queries and responses use UDP port 53;
zone transfers use TCP port 53)
Incidents - OS, DB, App
Sharing accounts
Multiple passwords changing to bypass password policy
Access to OS/DB/APP using high-privileged accounts
(superuser, root, admin, SYSTEM)
Anonymous activity
Unscheduled Initial Program Loads (aka rebooting)
Large number of 4xx error codes
Using hacker tools (e.g. netcat, wireshark)
Repeated authentication failures
Multiple login attempts from/to different regions within a few minutes
Additional materials
Incident handling
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Blue Team Handbook: Incident Response Edition
GCIH - GIAC Certified Incident Handler
C)IHE - Certified Incident Handling Engineer [Mile2]
Digital forensics
https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
http://digital-forensics.sans.org/media/poster-windows-forensics2016.pdf
Log correlation/analysis
http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
Useful links
Name | URL address | Description
Potentially Malicious Websites | https://zeltser.com/lookup-malicious-websites/ | Free online tools for looking up potentially malicious websites
Internet Storm Center | https://isc.sans.edu/ipinfo.html?ip=<Suspicious_IP> | Tool to check threat level: IP, domain, etc.
urlquery | http://urlquery.net/ | urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.
malwr | https://malwr.com/ | Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back.
Malware Tracker | https://www.malwaretracker.com/ | Home of the free online PDF Examiner, the only web-based PDF malware analysis suite.
IP Void | http://www.ipvoid.com/ | IPVoid is a free service used to scan an IP address through multiple DNS-based blacklists and IP reputation services.
YARA | https://plusvic.github.io/yara/ | The pattern matching swiss knife for malware researchers
Metascan | https://www.metascan-online.com/#!/scan-file | Metascan Online is a free online file scanning service powered by OPSWAT's Metascan technology, a multiple-engine malware scanning solution.
Robtex | https://www.robtex.com/en/advisory/ip/ | One of the most comprehensive DNS lookup tools
(ISC)2 = International Information System Security Certification Consortium
About (ISC)2
Leader in educating and certifying cyber, information, software and
infrastructure security professionals
Vendor-neutral
Added value of certification (for employers)
Years of experience and valuable knowledge
Engage in continuing professional education
Appropriate skill sets
To remain in good standing, members must
Abide by the (ISC)² Code of Ethics
Submit annual maintenance fees
Obtain required Continuing Professional Education (CPE) credits
CISSP member counts
Europe:
Czech Rep 118
Denmark 339
Poland 401
Belgium 430
Spain 547
Switzerland 774
France 804
Germany 1516
Netherlands 1852
UK 5402
Source: https://www.isc2.org/member-counts.aspx
Rest of the world:
China 1183
Australia 1857
Canada 4577
United States 69127
Member counts in Poland (chart): CISSP 401; the other certifications shown have counts of 1, 20, 10, 3 and 16
Source: https://www.isc2.org/member-counts.aspx
(ISC)2 Poland Chapter
Founded in 2013
Regular monthly meetings
Active community (40+ members)
In progress
Establishing the association in accordance with Polish law
Future plans
Safe and Secure Online program
Contact info
www: isc2chapter-poland.com
linkedin: https://www.linkedin.com/groups/4865474
e-mail: [email protected]
Quiz
1. How many CISSP certifications are there in Poland?
a) < 200 [506]
b) > 400 [579]
c) > 600 [728]
2. What does the abbreviation (ISC)2 mean?
a) International Independent System Security Certification Consortium [125]
b) International Information System Security Certification Consortium [260]
c) International Information System Security Cyber Consortium [669]
3. How often are (ISC)2 Poland Chapter meetings?
a) Weekly [875]
b) Monthly [547]
c) Quarterly [590]
Q&A