From the life of a SOC Analyst... Case studies
Jacek Grymuza [CISSP, CEH, CIHE, OSCP]
5/19/2016
[email protected]

Agenda
- What is SOC?
- Log correlation
- IOC
- Splunk threat detection examples
- Incident examples
- (ISC)2 Poland Chapter
- Quiz
- Q&A

What is SOC?
A security operation center (SOC) is a centralized unit that deals with security issues on an organizational and technical level.
Source: http://solutionsreservoir.com/resources/introduction-to-cybersecurity/part-1-cybersecurity-overview/

Log correlation
Log analysis allows:
- Detection of anomalies
- Tracking of network communications across many systems based on log information, such as IP address, host name, account name and user ID
Using SIEM in log analysis:
- Correlates between multiple systems (e.g. AD & VPN, AV & IPS, AD & Application)
- Helps to specify the context of a security incident
- Answers the questions: Who, What, When, Where, Why and How…
Regex and pattern functions (e.g. like, startswith, endswith, include, contains, whitelist/blacklist) are very useful during event correlation.

IOC (Indicator of compromise)
(Diagram of IOC sources feeding the SIEM: System; Network [ACS, FW, Router, Proxy]; OS; DB; Application; AV; IDS/IPS; WAF; File Integrity Monitoring; DLP; SIEM; Security threat)

The kill chain
Defensible Actions Matrix (figure)
Source: https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/

Splunk threat detection examples (1/3)
Incident name: Identification of temporary permission added to a highly privileged group
Description: Scenario identifies adding and removing an account from the Domain Admins group within 8 hours (Windows Security events 4728 = member added, 4729 = member removed)
Splunk SIEM incident detection method:
  sourcetype="WinEventLog:Security" GroupName="Domain Admins" | transaction Member_Security_ID startswith="EventCode=4728" endswith="EventCode=4729" | where duration <= 28800

Splunk threat detection examples (2/3)
Incident name: Identification of brute force attacks
Description: Scenario identifies brute force attacks based on multiple failed login events for the same account (machine accounts ending in "$" are excluded)
Splunk SIEM incident detection method:
  sourcetype="WinEventLog:Security" EventCode="4625" Keywords="Audit Failure" NOT (Account_Name="*$") | transaction Account_Name maxspan=5s | stats count by Account_Name | where count > 4

Splunk threat detection examples (3/3)
Incident name: Identification of suspicious processes in Windows
Description: Identification of suspicious processes in a short time based on activities in the OS (Polish-localized Windows event fields: Zdarzenie = EventCode, 592 = a new process has been created, 593 = a process has exited)
Splunk SIEM incident detection method:
  Komputer="PC-1" | transaction Uzytkownik, Nazwa_pliku_obrazu, Identyfikator_procesu startswith="(Zdarzenie=592)" endswith="(Zdarzenie=593)" | where duration <= 1 | stats values(Uzytkownik) AS "User", values(Nazwa_pliku_obrazu) AS "Image File Name", values(Identyfikator_procesu) AS "Process Id"

If you want to play with Splunk…
- Software can be tested for free, e.g. https://www.splunk.com/page/sign_up/cloudtrial?redirecturl=/getsplunk/onlinesandbox
- Many free documents, e.g.
https://docs.splunk.com/Documentation

Incidents - Security systems
- Connections to malware domains (C&C)
- Identification of tunnel traffic (method CONNECT)
- Downloading potentially dangerous files (.exe, .gz, .zip)
- Data leakage through suspicious data storage websites (e.g. https://gist.github.com/, http://codepad.org/)
- Malware outbreak
- Identification of hosts without an enabled/installed AV system
- Identification of out-of-date AV signatures
- Repeated re-infections
- Multiple attacks against the same host
- Usage of non-standard ports or protocol/port mismatches

Incidents - Network
- Monitoring unauthorized scans of network infrastructure
- IP spoofing attacks
- Reboot of FW
- Deviations from standards; abnormal activities
- Abuse of remote access
- Identification of unauthorized configuration changes
- Identification of policy changes (e.g. suddenly unblocked services)
- DNS zone transfers (normal DNS queries and responses use UDP port 53; zone transfers use TCP port 53)

Incidents - OS, DB, App
- Sharing accounts
- Multiple password changes to bypass the password policy
- Access to OS/DB/APP using high-privileged accounts (superuser, root, admin, SYSTEM)
- Anonymous activity
- Unscheduled Initial Program Loads (aka rebooting)
- Large number of 4xx error codes
- Using hacker tools (e.g. netcat, wireshark)
- Repeated authentication failures
- Multiple login attempts from/to different regions within a few minutes

Additional materials
Incident handling:
- http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Blue Team Handbook: Incident Response Edition
- GCIH - GIAC Certified Incident Handler
- C)IHE - Certified Incident Handling Engineer [Mile2]
Digital forensics:
- https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
- http://digital-forensics.sans.org/media/poster-windows-forensics2016.pdf
Log correlation/analysis:
- http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

Useful links
Name | URL address | Description
Potentially Malicious Websites | https://zeltser.com/lookup-malicious-websites/ | Free online tools for looking up potentially malicious websites
Internet Storm Center | https://isc.sans.edu/ipinfo.html?ip=<Suspicious_IP> | Tool to check threat level: IP, Domain, etc.
urlquery | http://urlquery.net/ | urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.
malwr | https://malwr.com/ | Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back.
Malware Tracker | https://www.malwaretracker.com/ | Home of the free online PDF Examiner - the only web-based PDF malware analysis suite.
IP Void | http://www.ipvoid.com/ | IPVoid is a free service used to scan an IP address through multiple DNS-based blacklists and IP reputation services
YARA | https://plusvic.github.io/yara/ | The pattern matching swiss knife for malware researchers
Metascan | https://www.metascan-online.com/#!/scan-file | Metascan Online is a free online file scanning service powered by OPSWAT's Metascan technology, a multiple engine malware scanning solution
Robtex | https://www.robtex.com/en/advisory/ip/ | One of the most comprehensive DNS lookup tools

(ISC)2 = International Information System Security Certification Consortium

About (ISC)2
- Leader in educating and certifying cyber, information, software and infrastructure security professionals
- Vendor-neutral
Added value of certification (for employers):
- Years of experience and valuable knowledge
- Engagement in continuing professional education
- Appropriate skill sets
To remain in good standing, members must:
- Abide by the (ISC)² Code of Ethics
- Submit annual maintenance fees
- Obtain the required Continuing Professional Education (CPE) credits

CISSP member counts
Europe: Czech Rep 118, Denmark 339, Poland 401, Belgium 430, Spain 547, Switzerland 774, France 804, Germany 1516, Netherlands 1852, UK 5402
Rest of the world: China 1183, Australia 1857, Canada 4577, United States 69127
Source: https://www.isc2.org/member-counts.aspx
Member counts in Poland (per-certification chart; only the values survive: 401, 1, 20, 10, 3, 16)
Source: https://www.isc2.org/member-counts.aspx

(ISC)2 Poland Chapter
- Founded in 2013
- Regular monthly meetings
- Active community (40+ members)
In progress:
- Establishing the association in accordance with Polish law
Future plans:
- Safe and Secure Online program
Contact info:
- www: isc2chapter-poland.com
- linkedin: https://www.linkedin.com/groups/4865474
- e-mail: [email protected]

Quiz
1. How many CISSP certifications are there in Poland?
   a) < 200 [506]
   b) > 400 [579]
   c) > 600 [728]
2. What does the abbreviation (ISC)2 mean?
   a) International Independent System Security Certification Consortium [125]
   b) International Information System Security Certification Consortium [260]
   c) International Information System Security Cyber Consortium [669]
3. How often are (ISC)2 Poland Chapter meetings?
   a) Weekly [875]
   b) Monthly [547]
   c) Quarterly [590]

Q&A
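The Splunk detections on the earlier slides all rely on the transaction command pairing a start event with an end event per key and then filtering on the duration. As an added example that is not part of the original slides, the check from example 1/3 (event 4728 followed by 4729 for the same Member_Security_ID within 8 hours) re-implemented in Python over constructed WinEventLog-style lines; the same pair_transactions helper covers example 3/3 (592/593 process pairs with max_duration=1). The key=value line format, the SIDs and all field values are constructed assumptions, not real log data.

```python
import re
from datetime import datetime

# Constructed sample lines in WinEventLog-like key=value form (not from a real domain).
SAMPLE_EVENTS = [
    "2016-05-19 08:00:00 EventCode=4728 GroupName=Domain Admins Member_Security_ID=S-1-5-21-1-1001",
    "2016-05-19 08:00:05 EventCode=4728 GroupName=Domain Admins Member_Security_ID=S-1-5-21-1-1002",
    "2016-05-19 09:30:00 EventCode=4729 GroupName=Domain Admins Member_Security_ID=S-1-5-21-1-1001",
    "2016-05-20 10:00:00 EventCode=4729 GroupName=Domain Admins Member_Security_ID=S-1-5-21-1-1002",
]

# key=value pairs; a value may contain spaces (e.g. "Domain Admins") and ends before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime under '_time'."""
    fields = dict(FIELD_RE.findall(line[20:]))
    fields["_time"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return fields


def pair_transactions(events, key, start_code, end_code, max_duration):
    """Pair each start_code event with the next end_code event carrying the same `key` value
    (Splunk: transaction <key> startswith=... endswith=...) and keep only the pairs whose
    duration is at most max_duration seconds (Splunk: where duration <= N)."""
    open_tx = {}  # key value -> start event still waiting for its matching end event
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev.get(key)
        if ev.get("EventCode") == start_code:
            open_tx[k] = ev
        elif ev.get("EventCode") == end_code and k in open_tx:
            start = open_tx.pop(k)
            duration = (ev["_time"] - start["_time"]).total_seconds()
            if duration <= max_duration:
                hits.append({key: k, "duration": duration, "start": start["_time"], "end": ev["_time"]})
    return hits


def detect_temporary_domain_admins(lines, max_duration=8 * 3600):
    """Slide 1/3: member added to Domain Admins (4728) and removed again (4729) within 8 hours."""
    events = [parse_event(line) for line in lines]
    events = [e for e in events if e.get("GroupName") == "Domain Admins"]
    return pair_transactions(events, "Member_Security_ID", "4728", "4729", max_duration)


if __name__ == "__main__":
    for hit in detect_temporary_domain_admins(SAMPLE_EVENTS):
        print(f"temporary Domain Admins membership: {hit}")
```

Only the first SID is reported: it was removed after 1.5 hours, while the second stayed in the group for more than a day and so falls outside the 8-hour window.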