SIEM Based Intrusion Detection Slides and Notes v2bl


8/9/2019 SIEM Based Intrusion Detection Slides and Notes v2bl

SANS Technology Institute - Candidate for Master of Science Degree

Slide 1: SIEM Based Intrusion Detection

Jim Beechey, March 2010

GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN

Slide 2: Objective

Attackers are more sophisticated and targeted in their attacks.

Defenders need systems which help provide visibility and alerting across numerous security systems.

SIEM adoption is driven by compliance: Gartner says more than 80%.

Put security back into SIEM using real world examples.

Slide 3: SIEM System Setup

Slide 4: Basics - Outbound Traffic

Outbound SMTP, DNS and IRC

Unexpected outbound connections

Slide 5: New Hosts and Services

Scanner integration for new host and service discovery

Slide 6: Darknets

Network segments without any live systems, but which are monitored. Any traffic to them is considered suspicious.

Qradar defines Darknets at setup.

Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

Slide 7: Brute-force Attacks

Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day.

Qradar provides several alerts for brute force attacks, "Login Failures Followed by Success" and "Repeated Login Failures Single Host" being the most helpful.

Customize alerts for maximum impact.
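The two things this slide asks for, a daily failed-login report and a "failures followed by success" alert, as an added example in Python over constructed, SIEM-normalized login events (not code from the slides or from QRadar). The five-failure threshold and ten-minute window are hypothetical starting points.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the normalized shape a SIEM produces:
# (timestamp, device, source IP, account, outcome). Not real log data.
SAMPLE_EVENTS = [
    ("2010-03-01 09:00:01", "dc01", "10.1.1.5", "jsmith", "failure"),
    ("2010-03-01 09:00:03", "dc01", "10.1.1.5", "jsmith", "failure"),
    ("2010-03-01 09:00:05", "dc01", "10.1.1.5", "jsmith", "failure"),
    ("2010-03-01 09:00:07", "dc01", "10.1.1.5", "jsmith", "failure"),
    ("2010-03-01 09:00:09", "dc01", "10.1.1.5", "jsmith", "failure"),
    ("2010-03-01 09:00:12", "dc01", "10.1.1.5", "jsmith", "success"),
    ("2010-03-01 09:30:00", "dc01", "10.1.1.9", "bjones", "failure"),
    ("2010-03-01 09:31:00", "dc01", "10.1.1.9", "bjones", "success"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when at least `threshold` failed logins from one source IP are
    followed by a successful login from that IP inside `window`.
    Threshold and window are hypothetical starting points to tune."""
    recent = defaultdict(list)  # source IP -> failure times still inside the window
    alerts = []
    for ts, device, src, account, outcome in sorted(events):
        now = _parse(ts)
        fails = [t for t in recent[src] if now - t <= window]
        if outcome == "failure":
            fails.append(now)
        elif outcome == "success" and len(fails) >= threshold:
            alerts.append({"src": src, "account": account, "device": device,
                           "failures": len(fails), "success_at": ts})
            fails = []  # one alert per burst, not one per later success
        recent[src] = fails
    return alerts


def daily_failure_stats(events):
    """Report input: failed logins per (day, device, source IP)."""
    counts = defaultdict(int)
    for ts, device, src, _account, outcome in events:
        if outcome == "failure":
            counts[(ts[:10], device, src)] += 1
    return dict(counts)
```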

Slide 8: Brute-force Attacks

Slide 9: Windows Accounts

Report of accounts created by whom

Alerts for:
  accounts not using std naming convention
  accounts created outside of creation script timeframe
  workstation account created
  group membership adds to key groups

Understand the account management process and alert accordingly.
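The four account alerts and the creation report from this slide, as an added Python example (not from the slides or any SIEM product). The naming convention, the script timeframe, the key groups and the domain controller names are hypothetical policy values, and the events are constructed in an already normalized form.

```python
import re
from datetime import datetime, time

# Hypothetical account-management policy for this example (not from the slides):
NAMING = re.compile(r"^[a-z]{2}\d{5}$")        # standard names look like ab12345
SCRIPT_WINDOW = (time(2, 0), time(3, 0))       # provisioning script runs 02:00-03:00
KEY_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}          # creations elsewhere are on workstations

# Constructed, normalized account-management events (not real logs). A SIEM would
# build these from user-created and group-member-added audit events.
SAMPLE_EVENTS = [
    {"time": "2010-03-02 02:15:00", "host": "DC01", "action": "account_created",
     "by": "svc_provision", "target": "ab12345"},
    {"time": "2010-03-02 14:20:00", "host": "DC01", "action": "account_created",
     "by": "jsmith", "target": "backup_adm"},
    {"time": "2010-03-02 14:21:00", "host": "WKS-042", "action": "account_created",
     "by": "jsmith", "target": "helpdesk"},
    {"time": "2010-03-02 14:22:00", "host": "DC01", "action": "group_member_added",
     "by": "jsmith", "target": "backup_adm", "group": "Domain Admins"},
]


def check_event(ev):
    """Return the alert names one event triggers (empty list if none)."""
    alerts = []
    t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S").time()
    if ev["action"] == "account_created":
        if not NAMING.match(ev["target"]):
            alerts.append("nonstandard_account_name")
        if not (SCRIPT_WINDOW[0] <= t < SCRIPT_WINDOW[1]):
            alerts.append("created_outside_script_window")
        if ev["host"] not in DOMAIN_CONTROLLERS:
            alerts.append("workstation_account_created")
    elif ev["action"] == "group_member_added" and ev.get("group") in KEY_GROUPS:
        alerts.append("key_group_membership_add")
    return alerts


def creation_report(events):
    """Report: which account was created, and by whom."""
    return [(e["target"], e["by"]) for e in events if e["action"] == "account_created"]


def run(events):
    return [(e["target"], check_event(e)) for e in events]
```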

Slide 10: IDS Context/Correlation

Reduce noise by reporting based upon high value systems or asset weights.

Add context of target operating system. Add knowledge of vulnerabilities.

Rules:
  Target Vulnerable to Detected Exploit
  Vulnerable to Detected Exploit on Different Port
  Vulnerable to Different Exploit than Detected on Attacked Port
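How the three correlation rules and the asset-weight noise reduction fit together, as an added Python example (not code from the slides or from QRadar). The scan inventory, IDS alerts, vulnerability ids and severity multipliers are all constructed placeholders; the rule names mirror the slide.

```python
# Constructed vulnerability-scan inventory: host -> asset weight and the set of
# (port, vulnerability id) pairs the scanner reported. Not real scan output.
SCAN = {
    "10.2.0.10": {"weight": 10, "vulns": {(445, "VULN-A"), (80, "VULN-B")}},
    "10.2.0.20": {"weight": 3, "vulns": {(8080, "VULN-C")}},
    "10.2.0.30": {"weight": 1, "vulns": set()},
}

# Constructed IDS alerts: (destination IP, destination port, vulnerability id
# the signature is associated with). The ids are placeholders.
IDS_ALERTS = [
    ("10.2.0.10", 445, "VULN-A"),  # exploit for the vuln present on that port
    ("10.2.0.20", 80, "VULN-C"),   # host has the vuln, but on another port
    ("10.2.0.10", 80, "VULN-D"),   # attacked port is vulnerable, but to something else
    ("10.2.0.30", 22, "VULN-E"),   # nothing known to be vulnerable
]

RULES = {  # rule name -> severity multiplier (hypothetical)
    "target_vulnerable_to_detected_exploit": 3,
    "vulnerable_to_detected_exploit_on_different_port": 2,
    "vulnerable_to_different_exploit_on_attacked_port": 1,
    "no_matching_vulnerability": 0,
}


def classify(alert, scan):
    """Map one IDS alert onto the three correlation rules from the slide."""
    dst, port, vuln = alert
    vulns = scan.get(dst, {}).get("vulns", set())
    if (port, vuln) in vulns:
        return "target_vulnerable_to_detected_exploit"
    if any(v == vuln for _p, v in vulns):
        return "vulnerable_to_detected_exploit_on_different_port"
    if any(p == port for p, _v in vulns):
        return "vulnerable_to_different_exploit_on_attacked_port"
    return "no_matching_vulnerability"


def prioritize(alerts, scan, min_weight=3):
    """Score = rule severity x asset weight; hosts below min_weight are dropped
    to cut noise, as the slide suggests with asset weights."""
    scored = []
    for alert in alerts:
        weight = scan.get(alert[0], {}).get("weight", 1)
        if weight < min_weight:
            continue
        rule = classify(alert, scan)
        scored.append((alert, rule, RULES[rule] * weight))
    return sorted(scored, key=lambda item: -item[2])
```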

Slide 11: Web Application Attacks

Analyze WAF logs if possible, as header data (POST) is not available in server logs.

Create regular expressions to look for signs of attack, for example

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

which detects ' or --.

Create and alert on web honeytokens: a fake admin page in robots.txt, fake credentials in html code.
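The slide's regex and both honeytokens run over constructed WAF log lines, as an added Python example (not code from the slides). The honeytoken path and username, the log format and the log lines are assumptions; one caveat worth knowing is that under the regex's x flag a bare # is a comment, so the final alternative has to be escaped for the pattern to compile.

```python
import re

# The regex from the slide. Under the x (verbose) flag a bare '#' starts a
# comment, so the final alternative is written as '\#' here; without that
# escape the pattern does not compile.
SQLI_META = re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(\#)", re.I | re.X)

# Hypothetical honeytokens: a fake admin path advertised only in robots.txt and
# a fake credential left in HTML source. Legitimate users never touch either.
HONEYTOKEN_PATHS = {"/admin-old/login.php"}
HONEYTOKEN_USERS = {"backupadmin"}

# Constructed WAF log lines, "src method path?params status"; the WAF records
# POST parameters inline, which a plain web server log would not. Not real data.
SAMPLE_LOG = """\
10.9.8.7 GET /products.php?id=42 200
10.9.8.7 GET /products.php?id=42%27%20or%201=1-- 500
203.0.113.5 GET /admin-old/login.php 404
203.0.113.5 POST /login?user=backupadmin&pass=x 401
10.9.8.9 GET /search?q=don't 200
"""


def analyze_line(line):
    """Return (source IP, path, list of detections) for one log line."""
    src, _method, request, _status = line.split()
    path, _, params = request.partition("?")
    hits = []
    if path in HONEYTOKEN_PATHS:
        hits.append("honeytoken_path")
    if SQLI_META.search(params):
        hits.append("sqli_metachar")
    fields = dict(p.split("=", 1) for p in params.split("&") if "=" in p)
    if fields.get("user") in HONEYTOKEN_USERS:
        hits.append("honeytoken_credential")
    return src, path, hits


def analyze(log):
    return [analyze_line(line) for line in log.splitlines() if line.strip()]
```

The last sample line shows the regex also fires on an apostrophe in ordinary input, so review match counts before turning it into a paging alert.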

Slide 12: Data Exfiltration

Collection of flows or session data is extremely helpful.

Reports/Alerts based upon:
  Size/destination of outbound flows: Large Outbound Data Transfer
  Application data inside specific protocols
  Frequency of requests/application usage
  Session duration: Long Duration Flow
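The Large Outbound Data Transfer and Long Duration Flow rules, plus a per-destination size report, applied to constructed flow records as an added Python example (not code from the slides or any flow collector). The internal prefix, the byte and duration thresholds and the DNS size check are hypothetical.

```python
from datetime import datetime

# Constructed flow records (src, dst, dst port, bytes out, start, end); the
# addresses and sizes are made up for the example.
FLOWS = [
    ("10.3.0.5", "198.51.100.7", 443, 2_400_000_000, "2010-03-03 01:10:00", "2010-03-03 01:40:00"),
    ("10.3.0.5", "198.51.100.7", 443, 12_000, "2010-03-03 09:00:00", "2010-03-03 09:00:03"),
    ("10.3.0.8", "192.0.2.44", 53, 800_000, "2010-03-03 10:00:00", "2010-03-03 19:00:00"),
    ("10.3.0.9", "192.0.2.10", 80, 5_000, "2010-03-03 11:00:00", "2010-03-03 11:00:01"),
]
INTERNAL_PREFIX = "10."  # assumption: the internal network is 10.0.0.0/8
FMT = "%Y-%m-%d %H:%M:%S"


def is_outbound(flow):
    return flow[0].startswith(INTERNAL_PREFIX) and not flow[1].startswith(INTERNAL_PREFIX)


def duration_seconds(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds()


def flow_alerts(flows, large_bytes=1_000_000_000, long_seconds=8 * 3600, dns_bytes=100_000):
    """Apply the slide's two flow rules plus a protocol-specific size check.
    All thresholds are hypothetical and need tuning per environment."""
    alerts = []
    for flow in flows:
        if not is_outbound(flow):
            continue
        src, dst, port, nbytes, start, end = flow
        names = []
        if nbytes >= large_bytes:
            names.append("large_outbound_data_transfer")
        if duration_seconds(start, end) >= long_seconds:
            names.append("long_duration_flow")
        if port == 53 and nbytes >= dns_bytes:  # far more data than DNS lookups need
            names.append("oversized_dns_session")
        if names:
            alerts.append((src, dst, port, names))
    return alerts


def bytes_by_destination(flows):
    """Report: outbound bytes per destination, for size/destination review."""
    totals = {}
    for flow in flows:
        if is_outbound(flow):
            totals[flow[1]] = totals.get(flow[1], 0) + flow[3]
    return totals
```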

Slide 13: Client Side Attacks

Information in Windows event logs:
  Process Information: Start (592/4688), End (593/4689)
  New Service Installed (601/4697)
  Scheduled Tasks Created (602/4689)
  Audit Policy Changed (612/4719) and Log Cleared (517/1102)

Integration with third-party tools

Slide 14: Sample Attack

Slide 15: Summary

Defenders need to look for indicators of compromise across many sources.

SIEM solutions centralize data.

Start small with basic methods, test, and move to more advanced techniques.

The goal is to detect compromise and provide as much information as possible before starting incident response.