
A Day in the Life of a Security Analyst

Your Guides: Jer Kong, Tony Townsend
UVa Information Security

Many Differing Perceptions of Our Role

What Our Mothers Think We Do

What Our Wives and Kids Think We Do

What UVa Faculty, Staff & Students Think We Do

What UVa Administration Thinks We Do

What We Really Do

How Security Alerts Are Supposed to Work

• Preparation

• Identification

• Containment

• Remediate

• Eradicate

• Lessons learned

Preparation - Where Do We Get the Alerts?

• Multiple sources, monitoring points
• FlowTraq, FireEye, Splunk, SecureWorks
• Inbound vs. outbound
• User reports
• And then there’s the Batphone

How Is That Data Displayed?

• Log files
  • Verbose, very eye-straining

• Dashboards
  • And lots of them, all different

Splunk Dashboard - Example

FireEye Alerts - Example

SecureWorks Incidents - Example

FlowTraq - Example

Splunk Log - VPN Sessions - Example

VirusTotal File Analysis

VirusTotal report, 10/22/2017
https://www.virustotal.com/#/file/246a1ad83bd25a3f581049a45a5056b27d7a3dd37d3904f83d1683b70e232a91/detection

49 / 67 engines detected this file

SHA-256: 246a1ad83bd25a3f581049a45a5056b27d7a3dd37d3904f83…
File name: flash8.0adobeflash8.0@153_6400.exe
File size: 1.22 MB
Last analysis: 2017-10-22 17:19:07 UTC
Community score: -49

Detection (engine: result)

Ad-Aware: Gen:Variant.Razy.219992
AhnLab-V3: PUP/Win32.Generic.C2150870
ALYac: Gen:Variant.Razy.219992
Antiy-AVL: RiskWare[Downloader]/Win32.AGeneric
Avast: Win32:Adware-gen [Adw]
AVG: Win32:Adware-gen [Adw]
Avira: ADWARE/Qjwmonkey.uirrj
AVware: Trojan.Win32.Generic!BT
BitDefender: Gen:Variant.Razy.219992
CAT-QuickHeal: Downloader.Generic
Comodo: ApplicUnwnt.UnclassifiedMalware
CrowdStrike Falcon: malicious_confidence_60% (D)
Cyren: W32/S-24f27ace!Eldorado
DrWeb: Adware.Qjwmonkey.122
eGambit: malicious_confidence_91%
Emsisoft: Gen:Variant.Razy.219992 (B)
Endgame: malicious (high confidence)
eScan: Gen:Variant.Razy.219992
ESET-NOD32: a variant of Win32/Adware.Qjwmonkey.H
F-Prot: W32/S-24f27ace!Eldorado
F-Secure: Gen:Variant.Razy.219992
Fortinet: W32/Generic_PUA_JK.VE

Identification - Step One

• Three items usually needed
  • An IP address or MAC address
  • Date/time stamp
  • Port number

Identification - Step Two

• Take the info you got in Step One and corroborate it
  • A single IOC usually means a false positive
  • If it’s on the usual suspects list, ignore it
  • Watch out for “red alerts”

Follow the Trail

• Look in Splunk and FireEye for similar
  • external IP address
  • IOCs
  • similar date and time
• Check FlowTraq for traffic anomalies

How Do We Figure Out What’s Important?

• Is the asset being targeted high-value?
• Workstation or server?
• SO MANY alerts
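The identification and triage steps on the slides above (required fields, corroboration across sources, the usual-suspects list, server vs. workstation) written out as one small script. This is an added example, not code from the UVa presentation; every record, the asset inventory and the "usual suspects" allowlist are constructed placeholders, and the source names only mirror the tools the deck mentions.

```python
"""Added example, not from the UVa slides: corroborating one alert against
the other monitoring sources and deciding where it lands in the triage queue.

Everything below is constructed sample data. The source names mirror the
tools the slides mention (FireEye, Splunk, FlowTraq, SecureWorks); the asset
inventory and the "usual suspects" allowlist are hypothetical placeholders.
"""
from datetime import datetime, timedelta

# Constructed alert/log records from several monitoring points. The same
# external IP shows up in three sources within a few minutes for ws-1234.
RECORDS = [
    {"source": "FireEye",     "ip": "198.51.100.7",  "time": "2017-10-22T17:19:07", "port": 443, "host": "ws-1234"},
    {"source": "Splunk",      "ip": "198.51.100.7",  "time": "2017-10-22T17:21:40", "port": 443, "host": "ws-1234"},
    {"source": "FlowTraq",    "ip": "198.51.100.7",  "time": "2017-10-22T17:25:02", "port": 443, "host": "ws-1234"},
    {"source": "SecureWorks", "ip": "203.0.113.9",   "time": "2017-10-22T03:00:00", "port": 22,  "host": "srv-db01"},
    {"source": "FlowTraq",    "ip": "203.0.113.9",   "time": "2017-10-22T03:04:10", "port": 22,  "host": "srv-db01"},
    {"source": "SecureWorks", "ip": "203.0.113.77",  "time": "2017-10-22T05:00:00", "port": 22,  "host": "srv-web02"},
    {"source": "FireEye",     "ip": "192.0.2.55",    "time": "2017-10-21T09:00:00", "port": 80,  "host": "ws-0001"},
]

# Hypothetical "usual suspects": known scanners that only generate noise.
USUAL_SUSPECTS = {"192.0.2.55"}

# Hypothetical asset inventory: workstation vs. server, and whether it is high-value.
ASSETS = {
    "ws-1234":  {"kind": "workstation", "high_value": False},
    "srv-db01": {"kind": "server",      "high_value": True},
    "srv-web02": {"kind": "server",     "high_value": False},
}


def has_required_fields(alert):
    """Step One: an IP (the slides also accept a MAC), a timestamp and a port
    are needed before anything else can be done with the alert."""
    return all(alert.get(k) for k in ("ip", "time", "port"))


def corroborate(alert, records, window=timedelta(hours=1)):
    """Step Two / Follow the Trail: which *other* sources saw the same
    external IP within `window` of the alert's own timestamp?"""
    t0 = datetime.fromisoformat(alert["time"])
    seen = set()
    for r in records:
        if r is alert or r["ip"] != alert["ip"]:
            continue
        if abs(datetime.fromisoformat(r["time"]) - t0) <= window:
            seen.add(r["source"])
    return seen


def triage(alert, records):
    """Return a queue label for the alert.

    incomplete - missing IP/time/port, go back to the source for more data
    ignore     - on the usual-suspects list
    likely-fp  - single IOC from a single source on an ordinary workstation;
                 kept on file in case it recurs
    review     - uncorroborated, but the target is a server or high-value asset
    high       - corroborated by other sources and the target matters
    medium     - corroborated, ordinary workstation
    """
    if not has_required_fields(alert):
        return "incomplete"
    if alert["ip"] in USUAL_SUSPECTS:
        return "ignore"
    asset = ASSETS.get(alert["host"], {"kind": "unknown", "high_value": False})
    important = asset["high_value"] or asset["kind"] == "server"
    if not corroborate(alert, records):
        return "review" if important else "likely-fp"
    return "high" if important else "medium"


if __name__ == "__main__":
    for rec in RECORDS:
        print(f'{rec["source"]:<12} {rec["ip"]:<14} {rec["host"]:<9} -> {triage(rec, RECORDS)}')
```

The one-hour window and the labels are arbitrary choices for the example; the point is that a single uncorroborated IOC on a workstation is filed as a likely false positive, while the same single IOC against a server is still looked at.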

And Then…

• The Batphone goes off
• OR
• SIS starts giving errors
• OR
• Spam flood starts
• Juggling skills required

More Often Than Not…

• The dreaded FALSE POSITIVE
  • Port scans
  • Vulnerability scans
  • Downloaded but not detonated malware
  • Slightly-suspicious files
• Kept on file in case the problem recurs

Let’s Imagine It’s A Real Security Problem

• Ascertain department/LSP/user
• Contact via email, phone
• Remove from network
• Is HSD involved?
• Run Identity Finder scan
• Call a P# incident in ServiceNow

Old Style Example: W-2 Fraud Scenario

• Starts with a phish
• Found employee with high-level access
• Gives bad guys high-level access
• Bad guys log in, change DD (direct deposit) info
• Refunds, etc. go to bogus account

Old Style Example: W-2 Fraud Investigation

• User checks DD info online
• Finds bogus bank info
• Reports same to Abuse
• We pull logs (access, change)
• Look for bad guys’ IP address as common datapoint

Old Style Example: W-2 Fraud Investigation

• Time-consuming manual log review
• Manual check with other sources
• Notification of affected users

And Then…

• The Batphone goes off
• OR
• SIS starts giving errors
• OR
• Spam flood starts
• Juggling skills required

New Style Example: W-2 Fraud Scenario

• Starts with a phish
• Individual users give up credentials
• Bad guys use those credentials, one user at a time, to alter bank info

New Style Example: W-2 Fraud Scenario

• User notifies Help Desk of erroneous deposit
• IT security looks at Splunk
  • Searching for user records
• Then look at Fortimail logs (through Splunk)
  • Match subject lines
  • Suss out bad IP address

New Style Example: W-2 Fraud Scenario

• Generate list of users that have had contact with the bad IP address
• Inform user of possible breach
• Reset user access if necessary
• Repeat. Again.
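The three "New Style" W-2 fraud slides above describe one procedure: search the reporting user's mail records, match the subject line in the Fortimail logs, suss out the sending IP, then generate the list of users who had contact with that IP. Written out as a script, this is an added example and not code from the UVa presentation or from Fortinet; the log lines are constructed sample data in a Fortimail-like key=value layout (not the real Fortimail format), with reserved .test domains and TEST-NET addresses.

```python
"""Added example, not from the UVa slides: the "new style" W-2 fraud
investigation as a log-correlation script. Given the subject line a user
reported to the Help Desk, confirm it in that user's mail, find every sending
IP that delivered the same subject, then build the list of everyone who had
contact with those IPs and needs to be notified (and possibly reset).

The log lines are constructed sample data in a Fortimail-like key=value
layout, not real Fortimail output; addresses use reserved .test domains and
TEST-NET IP ranges.
"""
import re

# Constructed mail-gateway log lines (not real data).
SAMPLE_LOG = """\
2017-10-20 08:12:03 from=payroll@example-phish.test to=alice@uva.test ip=198.51.100.7 subject="Action Required: Verify Your Direct Deposit"
2017-10-20 08:12:05 from=payroll@example-phish.test to=bob@uva.test ip=198.51.100.7 subject="Action Required: Verify Your Direct Deposit"
2017-10-20 08:12:09 from=payroll@example-phish.test to=carol@uva.test ip=198.51.100.7 subject="Action required: verify your direct deposit"
2017-10-20 11:40:31 from=hr-notice@example-phish2.test to=dave@uva.test ip=203.0.113.44 subject="Action Required: Verify Your Direct Deposit"
2017-10-20 09:30:00 from=news@vendor.test to=alice@uva.test ip=203.0.113.20 subject="October Newsletter"
2017-10-21 10:05:44 from=hr@uva.test to=erin@uva.test ip=10.0.0.5 subject="Benefits open enrollment"
"""

LOG_RE = re.compile(
    r'^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'from=(?P<sender>\S+) to=(?P<rcpt>\S+) ip=(?P<ip>\S+) '
    r'subject="(?P<subject>[^"]*)"$'
)


def parse_log(text):
    """Parse the key=value lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def norm(subject):
    """Subject lines in one campaign often differ only in case or spacing."""
    return " ".join(subject.lower().split())


def user_messages(records, user):
    """Slide step: search for the reporting user's records."""
    return [r for r in records if r["rcpt"] == user]


def find_bad_ips(records, user, reported_subject):
    """Slide steps: match the reported subject in the user's own mail first,
    then collect every sending IP that delivered that subject to anyone."""
    want = norm(reported_subject)
    if not any(norm(r["subject"]) == want for r in user_messages(records, user)):
        return set()  # the report does not match this user's mail; nothing to pivot on
    return {r["ip"] for r in records if norm(r["subject"]) == want}


def contacts_for(records, ips):
    """Slide step: every user that had contact with the bad IP address(es)."""
    return sorted({r["rcpt"] for r in records if r["ip"] in ips})


def investigate(text, reporting_user, reported_subject):
    """Run the whole pivot and return the notification list."""
    records = parse_log(text)
    ips = find_bad_ips(records, reporting_user, reported_subject)
    return {"bad_ips": sorted(ips), "notify": contacts_for(records, ips)}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, "alice@uva.test",
                         "Action Required: Verify Your Direct Deposit")
    print("bad IPs:", ", ".join(result["bad_ips"]))
    for user in result["notify"]:
        print("notify, reset access if necessary:", user)
```

Pivoting on the normalised subject before pivoting on the IP is what catches the second sending host (203.0.113.44 in the sample) that a pure IP search from the first report would miss; the "Repeat. Again." slide is the loop of re-running this each time a new user reports.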

Lessons Learned

• Phishing still works DESPITE awareness training
• Implement:
  • Notification to user of ANY info change
  • Two-factor authentication
  • Annual password resets

New Resources

• Security liaison program
• Data loss prevention
• ITAC security committee
• APN

Questions?