Internet had lots of examples and tutorials for specific or advanced dashboards Top 10 lists of other things were easy to find But no dashboard Top

Transcription

1

2

3 Internet had lots of examples and tutorials for specific or advanced dashboards Top 0 lists of other things were easy to find But no dashboard Top 0 list Which led to...

4 Quick Win, Industry Agnostic, SIEM Dashboards Craig Bowser

5 Introduction + years in InfoSec Worked mainly in DoD with some DOJ and now DOE experience GSEC GCED CISSP, yeah! Christian, Father, Husband, Geek, Scout Leader who also does some woodworking To Do List > To Do Open Slots

6 Criteria for Dashboards 00. Must use data types that are easy to ingest. Must use data from types of 00 devices typically first 'connected' to SIEM 00. Must be simple to create 00. Must be relevant in any SOC. Must be able to visually convey information in 00 a way that directs further investigation Garion CeNedra Belgarath Polgera Durkin

7 Dashboard What does this dashboard tell you? : What are the important things you should know when you view this dashboard?

8 Dashboard What you can cross reference the data with to determine more about the events? What other events can you use to make a better decision regarding events seen? :

9 Column A Column B Username IP Hostname Filename/Hash

10 Dashboard : What issues are there that make this dashboard hard to use? What problems cause the important events in this dashboard to be missed?

11 Dashboard : What are examples, from real life if possible, of how this dashboard was used to resolve actual issues?

12 Cyber Kill Chain Determine who, what and how of attack Reconnaissance Initiate the attack Delivery Solidify presence, create recurrence Installation Spread laterally, search for additional targets, go after goals Action on Objectives Weaponization Craft methodology and capability to attack using what you learned during recon phase Exploitation Execute the attack, establish a foothold Command & Control Establish communication links, ensure open channels

13 Traffic World Map 0

14 Traffic World Map : Management Eye Candy. Alert when node is down : : : 0

15 Traffic World Map : Nagios/OpenView. Traffic Spikes. High bandwidth : usage. : : 0

16 Traffic World Map : Getting GPS coordinates of sites properly into : SIEM : : 0

17 Traffic World Map : DDOS attacks, Detect new devices/connections : : : 0

18 Alerts for New Devices/Software 0

19 : Discover and investigate unapproved software and devices Alerts for New Devices/Software : : : 0 Exploitation Installation

20 Alerts for New Devices/Software : Suspicious connections, large data transfers, CM approvals 0 Exploitation Installation

21 : Alerts for New Devices/Software Controlling large and decentralized networks. Keeping approved list updated : : : 0 Exploitation Installation

22 : Alerts for New Devices/Software Discovered contractor PCs, unauthorized web servers : : : 0 Exploitation Installation

23 Vulnerability Statistics Microsoft Windows Journal Remote Code Execution Vulnerability (MS-0) Microsoft Windows Shell Remote Code Execution Vulnerabilities (MS-00) Adobe Flash Player Multiple Remote Code Execution Vulnerabilities (APSB-0) EOL/Obsolete Software: Oracle Java SE/JRE/JDK /. Detected Microsoft Graphics Component Remote Code Execution Vulnerability (MS-0) Microsoft Windows HTTP.sys Remote Code Execution Vulnerability (MS-0) Microsoft Internet Explorer Cumulative Security Update (MS-0) EOL/Obsolete Software SNMP Version Detected EOL/Obsolete Software: Microsoft XML Parser and Microsoft XML Core Services (MSXML).0 Detected Oracle Java SE Critical Patch Update - January

24 Vulnerability Statistics : See the areas of most risk by class of vulnerability : : : 0

25 Vulnerability Statistics : IDS and AV to see what machines are most vulnerable to attack 0

26 Vulnerability Statistics : Eliminating false positives, determining vulnerability mitigations : : : 0

27 Vulnerability Statistics : Using trends, determined effectiveness of patching tool : : 0 : :

28 Top AV/HIPS Alerts Today week 0

29 : ID Compromises, Outbreaks Top AV/HIPS Alerts : : : 0 Exploitation

30 Top AV/HIPS Alerts : Netflow, proxy, IDS and logs to determine infection vectors 0 Exploitation

31 : False positives, updating signatures, ineffectiveness of AV Exploitation Top AV/HIPS Alerts : : : 0

32 : Detect unauthorized tools, unauthorized users researching Top AV/HIPS Alerts : : : 0 Exploitation

33 Top Firewall Denies Ext Int

34 Top Firewall Denies Ext Int : ID top scanners, Recognize changes in automated attacks, Brute force attacks : : : 0 Reconnaissance

35 Top Firewall Denies Ext Int : IDS, Newly announced app vulns, Threat Intel 0 Reconnaissance

36 Top Firewall Denies Ext Int : Sorting through noise, Verifying legit exceptions : : : 0 Reconnaissance

37 Top Firewall Denies Ext Int : Detect port scans, port knockers, C&C bot : controllers : 0 Reconnaissance :

38 Top Firewall Denies Int Ext : Detect policy evaders, Suspicious traffic : : : 0 C AOO

39 Top Firewall Denies Int Ext : AV, IDS, DLP, CM approvals 0 C AOO

40 Top Firewall Denies Int Ext : Verifying legit exceptions, ID'ing crazy stuff : : : 0 C AOO

41 Top Firewall Denies Int Ext : Vendors who don t allow their call home to be disabled : : 0 : C AOO

42 Top IDS Alerts Ext Int 0

43 Top IDS Alerts Ext Int : See suspicious traffic entering network, determine efficiency of F/W : : : 0 Reconnaissance

44 Top IDS Alerts Ext Int : AV, Firewall, Threat Intel, Vulnerability Scan Results 0 Reconnaissance

45 Top IDS Alerts Ext Int : Tuning IDS, filtering false positives : : : 0 Reconnaissance

46 Top IDS Alerts Ext Int : Discovered vuln vendor had not stopped scan after contract ended : : : 0 Reconnaissance

47 Top IDS Alerts Int Ext : See suspicious traffic leaving network : : : 0 C AOO

48 Top IDS Alerts Int Ext : AV, DLP, Sensitive Data 0 C AOO

49 Top IDS Alerts Int Ext : Tuning IDS, filtering false positives : : : 0 C AOO

50 Top IDS Alerts Int Ext : Unauthorized protocols (ie IRC, PP), Infected systems : : : 0 C AOO

51 Mouse Apoc Tank Cypher Switch Trinity Morpheus Neo Logon Successes

52 Logon Successes : ID hard coded passwords, misused accounts : : : 0 Installation

53 Logon Successes : Logon failures, New accounts created, New devices/ apps 0 Installation

54 Logon Successes : IDing service account ownership, how to handle machine accounts : : : 0 Installation

55 Logon Successes : ID'd misued admin accounts and those coded in scripts : : : 0 Installation

56 Mouse Apoc Tank Cypher Switch Trinity Morpheus Neo Logon Failures

57 Logon Failures : Identify suspicious account activity, misconfigurations : : : 0 Delivery

58 Logon Failures : Account/Device type Timeline/locations of failures 0 Delivery

59 : Clearing out false positives, getting OPS to fix 'unimportant' accounts Logon Failures : : : 0 Delivery

60 Logon Failures : Batch script with username/password unauthorized machines : : : 0 Delivery

61 Dashboards left off list IDS Alerts Int Int Netflow by Total MB Unique or Rare Ports used Unique or Rare IDS hits Firewall accepts Ext Int Perform passive asset detection

62 Summary Dashboards designed for quick setup, ease of use, but may be replaced long term. Must use these dashboards in correlation with other information to obtain actionable data Will discover many configuration and operational issues at first - need to clear out or ignore this noise to see important events Able to provide simple initial overview of security posture of Enterprise

63 Next Steps Tie FISMA into each dashboard? 0 Critical Controls Solicit more input, discussions FEEDBACK Welcome reswob0@gmail.com is for twitter

64

65 BACKUP SLIDES

66 Top IDS Alerts Int Int : See suspicious lateral movement inside network, Insider Threat : : : Correlation s Installation Challen ge Example s

67 Top IDS Alerts Int Int : Logon successes/failure, machines types traffic types Correlation s Installation Challen ge Example s

68 Top IDS Alerts Int Int : Investigating misconfigurations & allowed protocols/ports : Installation : Correlation s Challeng e: Challen ge Example s

69 Top IDS Alerts Int Int : Unauthorized protocols and connections, PP, suspicious lateral movement : Installation : Correlation s : Challen ge Example s

70 URL hits against blacklist BONUS # : See suspicious connections Correlate with: firewall, IDS, netflow activity to determine full extent of activity : Keeping blacklist current (remove outdated entries, update new ones) : Discovering hijacked web sites with redirects CKC C

71 Activity against inactive accounts BONUS # : See suspicious user activity Correlate with: authentication failures, access to sensitive network locations, suspicious traffic : Keeping list current, coordinating with HD when accounts are reactivated Example: Found several accounts that were used to configure a service that runs rarely. CKC Exploitation