How Security Alerts Are Supposed to Work
• Preparation
• Identification
• Containment
• Remediate
• Eradicate
• Lessons learned
Preparation - Where Do We Get the Alerts?
• Multiple sources, monitoring points
  • Flowtraq, FireEye, Splunk, Secureworks
  • Inbound vs. outbound
• User reports
• And then there’s the Batphone
How Is That Data Displayed?
• Log files
  • Verbose, very eye-straining
• Dashboards
  • And lots of them, all different
VirusTotal File Analysis
Example dashboard: VirusTotal detection page, captured 10/22/2017
https://www.virustotal.com/#/file/246a1ad83bd25a3f581049a45a5056b27d7a3dd37d3904f83d1683b70e232a91/detection
49 / 67 engines detected this file
SHA-256: 246a1ad83bd25a3f581049a45a5056b27d7a3dd37d3904f83d1683b70e232a91
File name: flash8.0adobeflash8.0@153_6400.exe
File size: 1.22 MB
Last analysis: 2017-10-22 17:19:07 UTC
Community score: -49
Detections (first page of the engine list, as captured):
Engine           Detection
Ad-Aware         Gen:Variant.Razy.219992
AhnLab-V3        PUP/Win32.Generic.C2150870
ALYac            Gen:Variant.Razy.219992
Antiy-AVL        RiskWare[Downloader]/Win32.AGeneric
Avast            Win32:Adware-gen [Adw]
AVG              Win32:Adware-gen [Adw]
Avira            ADWARE/Qjwmonkey.uirrj
AVware           Trojan.Win32.Generic!BT
BitDefender      Gen:Variant.Razy.219992
CAT-QuickHeal    Downloader.Generic
Comodo           ApplicUnwnt.UnclassifiedMalware
CrowdStrike      Falcon malicious_confidence_60% (D)
Cyren            W32/S-24f27ace!Eldorado
DrWeb            Adware.Qjwmonkey.122
eGambit          malicious_confidence_91%
Emsisoft         Gen:Variant.Razy.219992 (B)
Endgame          malicious (high confidence)
eScan            Gen:Variant.Razy.219992
ESET-NOD32       a variant of Win32/Adware.Qjwmonkey.H
F-Prot           W32/S-24f27ace!Eldorado
F-Secure         Gen:Variant.Razy.219992
Fortinet         W32/Generic_PUA_JK.VE
Identification - Step One
• Three items usually needed
  • Need an IP address or MAC address
  • Date/time stamp
  • Port number
Identification - Step Two
• Take the info you got in #1, corroborate it
• Single IOC usually means FP (false positive)
• If it’s on the usual suspects list, ignore it
• Watch out for “red alerts”
Follow the Trail
• Look in Splunk and FireEye for similar
  • external IP address
  • IOCs
  • similar date and time
• Check Flowtraq for traffic anomalies
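The two identification steps and the "follow the trail" step above, reduced to a small triage routine. This is an added example, not part of the deck: the tool names are the deck's, but the alert records, the "usual suspects" entry, the 30-minute window and the two-source threshold are constructed assumptions. The point it shows is the corroboration rule: an IP that only one monitoring point has flagged is treated as a likely false positive, a hit from the usual-suspects list is suppressed, and only an IP seen by several tools within the same time window is queued for investigation.

```python
"""Added example (not from the slide deck): corroborate alerts across
monitoring points before treating them as real.

Each alert carries the three items the deck says are usually needed
(IP address, timestamp, port) plus the tool that raised it.  An IP
flagged by a single source is a likely false positive; an IP on the
"usual suspects" list is suppressed; an IP seen by >= min_sources
distinct tools within `window` is queued for investigation.
All records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    source: str      # which tool raised it (FireEye, Splunk, Flowtraq, ...)
    ip: str          # external IP involved
    port: int        # destination port seen
    when: datetime   # timestamp of the event


# Constructed "usual suspects": hosts expected to generate noise
# (e.g. the campus vulnerability scanner).  Placeholder address.
USUAL_SUSPECTS = {"198.51.100.7"}

# Constructed alerts from several monitoring points on one day
ALERTS = [
    Alert("FireEye",  "203.0.113.45", 443, datetime(2017, 10, 22, 17, 19)),
    Alert("Splunk",   "203.0.113.45", 443, datetime(2017, 10, 22, 17, 21)),
    Alert("Flowtraq", "203.0.113.45", 443, datetime(2017, 10, 22, 17, 30)),
    Alert("FireEye",  "192.0.2.10",    80, datetime(2017, 10, 22, 9, 0)),
    Alert("Splunk",   "198.51.100.7",  22, datetime(2017, 10, 22, 3, 0)),
    Alert("FireEye",  "198.51.100.7",  22, datetime(2017, 10, 22, 3, 2)),
]


def triage(alerts, window=timedelta(minutes=30), min_sources=2):
    """Return {ip: (verdict, sorted list of corroborating sources)}.

    verdict is one of "suppressed", "investigate", "likely_false_positive".
    """
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a.ip, []).append(a)

    verdicts = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda a: a.when)
        if ip in USUAL_SUSPECTS:
            # Known noisy source: record it but do not escalate
            verdicts[ip] = ("suppressed", sorted({h.source for h in hits}))
            continue
        # Sliding window: the largest set of distinct tools that flagged
        # this IP within `window` of each other
        best = set()
        for i, first in enumerate(hits):
            sources = {h.source for h in hits[i:] if h.when - first.when <= window}
            if len(sources) > len(best):
                best = sources
        verdict = "investigate" if len(best) >= min_sources else "likely_false_positive"
        verdicts[ip] = (verdict, sorted(best))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, sources) in triage(ALERTS).items():
        print(f"{ip:15} {verdict:22} {', '.join(sources)}")
```

In practice the corroboration would be a search across the Splunk and FireEye indexes for the same external IP and time range; the routine here only shows the decision rule those searches feed.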
How Do We Figure Out What’s Important?
• Is the asset being targeted high-value?
• Workstation or server?
• SO MANY alerts
And Then…
• The Batphone goes off
• OR
• SIS starts giving errors
• OR
• Spam flood starts
• Juggling skills required
More Often Than Not…
• The dreaded FALSE POSITIVE
  • Port scans
  • Vulnerability scans
  • Downloaded but not detonated malware
  • Slightly-suspicious files
• Kept on file in case problem recurs
Let’s Imagine It’s A Real Security Problem
• Ascertain Department/LSP/User
• Contact via email, phone
• Remove from network
• Is HSD involved?
• Run Identity Finder scan
• Call a P# incident in ServiceNow
Old Style Example: W-2 Fraud Scenario
• Starts with a phish
• Found employee with high-level access
• Gives bad guys high-level access
• Bad guys log in, change DD info
• Refunds, etc. go to bogus account
Old Style Example: W-2 Fraud Investigation
• User checks DD info online
• Finds bogus bank info
• Reports same to Abuse
• We pull logs (access, change)
• Look for bad guys’ IP address as common datapoint
Old Style Example: W-2 Fraud Investigation (cont.)
• Time-consuming manual log review
• Manual check with other sources
• Notification of affected users
New Style Example: W-2 Fraud Scenario
• Starts with a phish
• Individual users give up credentials
• Bad guys use that individually to alter bank info
New Style Example: W-2 Fraud Investigation
• User notifies Help Desk of erroneous deposit
• IT security looks at Splunk
  • Searching for user records
• Then look at Fortimail logs (thru Splunk)
  • Match subject lines
  • Suss out bad IP address
• Generate list of users that have contact with bad IP address
• Inform user of possible breach
• Reset user access if necessary
• Repeat. Again.
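Both W-2 fraud investigations above, old style and new style, come down to correlating log lines around one pivot. This added example (not the deck's own procedure or tooling) runs that correlation over constructed logs: the direct-deposit change log, the Fortimail-style mail-gateway log, the usernames, subject line and addresses are all made up for the example, and the field names are assumptions rather than any product's real format. In the old-style case the pivot is the external IP that changed DD info for many users; in the new-style case the reporting user's phish subject line leads to the sending IP, and every recipient of mail from that IP becomes the notify-and-reset list.

```python
"""Added example (not from the slide deck): the two W-2 fraud investigations
as correlation over constructed log lines.

Old style: one attacker changed direct-deposit (DD) info for many users
from one place, so the common source IP in the change log is the pivot.
New style: each victim gave up credentials to a phish, so the pivot is the
email itself: match the reported subject line in the mail-gateway log to
find the sending IP, then list everyone who received mail from that IP.
Log formats, field names, users and addresses are constructed; in practice
these are Splunk searches over the access/change and Fortimail indexes.
"""
import re

# Constructed DD change log: which user changed DD info, from which IP
DD_CHANGE_LOG = """\
2017-10-20T08:12:03 user=alice action=dd_change src_ip=203.0.113.45
2017-10-20T08:15:41 user=bob action=dd_change src_ip=203.0.113.45
2017-10-20T09:02:10 user=carol action=dd_change src_ip=10.20.30.40
2017-10-20T11:47:22 user=dave action=dd_change src_ip=203.0.113.45
2017-10-21T14:00:00 user=erin action=dd_change src_ip=10.20.31.8
"""

# Constructed mail-gateway log (Fortimail-like, assumed layout)
MAIL_LOG = """\
2017-10-19T07:30:00 from_ip=198.51.100.23 to=alice subject="Payroll update required"
2017-10-19T07:30:02 from_ip=198.51.100.23 to=bob subject="Payroll update required"
2017-10-19T07:30:05 from_ip=198.51.100.23 to=dave subject="Payroll update required"
2017-10-19T07:31:00 from_ip=198.51.100.23 to=frank subject="Payroll update required"
2017-10-19T09:00:00 from_ip=192.0.2.99 to=carol subject="Lunch menu"
"""

DD_RE = re.compile(r"user=(\S+) action=dd_change src_ip=(\S+)")
MAIL_RE = re.compile(r'from_ip=(\S+) to=(\S+) subject="([^"]*)"')


def common_dd_change_ip(log, min_users=2):
    """Old style: IPs that changed DD info for >= min_users distinct users,
    mapped to the sorted list of affected users (the notification list)."""
    users_by_ip = {}
    for m in DD_RE.finditer(log):
        user, ip = m.groups()
        users_by_ip.setdefault(ip, set()).add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def phish_sender_ips(log, reported_user, subject_fragment):
    """New style, step 1: from the reporting user's mail, the IP(s) that sent
    a message whose subject contains the reported fragment (case-insensitive)."""
    ips = set()
    for m in MAIL_RE.finditer(log):
        ip, to, subject = m.groups()
        if to == reported_user and subject_fragment.lower() in subject.lower():
            ips.add(ip)
    return ips


def recipients_from(log, bad_ips):
    """New style, step 2: every user who received mail from the bad IP(s);
    each gets a breach notice and, if necessary, an access reset."""
    return sorted({m.group(2) for m in MAIL_RE.finditer(log) if m.group(1) in bad_ips})


if __name__ == "__main__":
    print("old style, common DD-change IP:", common_dd_change_ip(DD_CHANGE_LOG))
    bad = phish_sender_ips(MAIL_LOG, "bob", "payroll update")
    print("new style, phish sender IP(s):", bad)
    print("new style, users to notify:", recipients_from(MAIL_LOG, bad))
```

The new-style list is wider than the old-style one on purpose: frank received the phish but has not (yet) changed his DD info, and the deck's "Repeat. Again." is exactly the loop of re-running the recipient search as new reports arrive.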
Lessons Learned
• Phishing still works DESPITE awareness training
• Implement:
  • Notification to user of ANY info change
  • Two-factor authentication
  • Annual password resets