8/11/2016 Operationalizing a cyber Security Operations Center (SOC) using a Security Information and Event Management (SIEM) solution. Final Project T411 Wireless networking: George Brown College, Toronto, ON, Canada. August, 2016 Rangan Grama-Yoga 101017090 Ankit Divyesh Pandya 100984504 Lakshay Chamoli 101026076 Zhou Lu 101015405

Final Project Report-SIEM


TABLE OF CONTENTS

Agenda
Introduction
  In the project
  Itinerary
Splunk
  Introduction to Splunk
Problem/Opportunity Assessment
Our Project
  Implementation Phase
  Searching Data
  Creating Traps
  Data Analysis
  Log data File
Use Case 1
  Detection of Possible Brute Force Attack
Use Case 2
  Detection of Insider Threat
  Acceptable Use Monitoring (AUP)
Use Case 3
  Application Defense Check
Use Case 4
  Suspicious Behavior of Log Source
  Expected Host/Log Source Not Reporting
Use Case 5
Use Case 6
  Detection of Anomalous Ports, Services and Unpatched Hosts/Network Devices
Conclusion
Credits

AGENDA

This particular project report, Embracing the Practice of Network Security: An analysis of the merging context, was born out of a series of processes undertaken in securing multiple systems to maintain a secure network environment in the field of networking.

INTRODUCTION

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. SIEM software can be implemented in any network to detect, control and resolve the various attacks and threats faced in cyber security. In this simulation we will be showing how various cyber activities are monitored, and how events regarding the activities of various objects in the network are monitored, accounted for and flagged as they occur in an enterprise environment.

IN THE PROJECT

• Simple SNMP experiment with AD DC server
• Multiple machines added in the same domain
• Events Raised
• Communication stopped
• Events addressed
• Communication stopped until resolved
• Splunk can be completely unattended
• Event raised and email sent

ITINERARY

• Cisco ASA (Adaptive Security Appliance) Firewall 5520 without VLAN support
• Windows Server 2008 R2 | Operating System
• Ubuntu 12.3 | Operating System
• Splunk | SIEM (Security Information and Event Management Software)
• Passware | Brute force Attack Software
• Active Directory Service | Microsoft Windows Server 2008 R2
• Oracle VMBOX | Virtualization

SPLUNK

• Data Management Engine
• Data time does not matter
• Multiple source support
• Doesn't require a switching component for data translation
• Multiple platform integration

FIGURE 1: SOURCED FROM SPLUNK WEBSITE

INTRODUCTION TO SPLUNK

To achieve operational intelligence, the first thing CIOs and CTOs must do is find technologies to help them. Splunk is a platform for machine data. It collects, indexes and harnesses machine data generated by any IT system and infrastructure—whether it's physical, virtual or in the cloud. Splunk laid its foundation helping IT find and fix problems faster, but its applications are far broader, as we will see. Splunk makes sense of machine data to support business goals.

It handles both the form and the semantics of machine data.

It accomplishes this through a unique approach of universally indexing any machine data across the infrastructure. It consumes network traffic and app server logs and tracks hypervisors and GPS, as well as social media activity. It even absorbs PBX and IP telephony data. Splunk does this without requiring costly connectors or agents. It does not need to filter or parse the data to load it into a database. By providing users an index of all the machine data generated by all systems and infrastructure, Splunk enables users to ask any question and find answers quickly to the most simple or strategic propositions.

Splunk was born to help IT manage and monitor the datacenter. System administrators were sniffing out security threats, server inefficiencies, network outages, and bandwidth bottlenecks, not looking for business insights. But along the way, that's exactly what they discovered in the wealth of machine-generated data that is driving operational intelligence.

Analysts can have a conversation with the data and gradually uncover the structure and relationships between elements. They can create custom applications, dashboards, and reports that don't just present information, but allow for deep drill-downs into the data to answer questions. Splunk also offers prebuilt integrations to common data stores, such as Hadoop and traditional relational databases.

PROBLEM/OPPORTUNITY ASSESSMENT

Various attacks (Brute Force, DDOS, Multiple access, etc.): we would show various attacks that can occur and how these attacks would be spotted and raised as events.

A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

False Alarm: User interaction with the server versus an external threat; this would raise a lot of false alarms and segregation of events.

DDOS - A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations. The scale of DDoS attacks has continued to rise over recent years, even reaching over 400 Gbit/s.

Event Logging: All events that occur on a server are logged and the data flow is presented.

Authentication tracking and account compromise detection; admin and user tracking.

Compromised- and infected-system tracking: malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc.

Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts: By using vulnerability data and other context data about the assets collected in the SIEM.

Monitoring for suspicious outbound connectivity and data transfers: By using firewall logs, Web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity.

Tracking system changes and other administrative actions: Across internal systems and matching them to allowed policy; detecting violations of various internal policies, etc.

Tracking of Web application attacks and their consequences: By using Web server, WAF and application server logs; detecting attempts to compromise and abuse web applications by combining logs from different components.

Key Deliverables to be produced by students:

Log management: Various events flagged by SIEM software to be mapped and logged.

Windows Events: Windows application, security and system event logs. Detect problems with business critical applications, security information and usage patterns.

Wire Data: DNS lookups and records, protocol level information including headers, content and flow records. Proactively monitor the performance and availability of applications, end-user experiences, incident investigations, networks, threat detection, monitoring and compliance.

OUR PROJECT

We created a test environment and implemented Splunk on the DMZ where the servers were located. The following schematic is the network design of our implementation.

FIGURE 2: NETWORK DESIGN

As the above schematic shows, we dedicated a server on the DMZ (De-Militarised Zone), where the other servers would be placed as well, making the Splunk server as secure as your other servers. But for test purposes, we implemented the design on Virtual Machines.

We also made sure that all the data flow was monitored on the particular port that Splunk had access to, giving Splunk the power to access all machine data remotely and locally.

IMPLEMENTATION PHASE

After implementing Splunk on a simple network we gathered the following data. We installed Splunk and added various data sources for monitoring. As shown in the picture, we have added Active Directory as one of the sources for data, along with various other services that were monitored.

The various sources of data were added with ease. All we had to do was:

Settings > Data Inputs > Event Log Collections > 'select the local data source that you would like to add'

FIGURE 3: ADDING DATA SOURCES

SEARCHING DATA

As soon as the sources were added to monitor, events from every source were gathered immediately. This data was collected and analysed for event management purposes. For testing purposes, we only implemented Multiple login using Active Directory services. Finding the data was extremely easy with the search service.

FIGURE 4: LOCAL EVENT SOURCE

Once we got on to the sources that were being gathered by the local host, we noticed that all 3 sources of data were recognised and indexed.

FIGURE 5: REMOTE DATA SOURCES

CREATING TRAPS

We created a trap with just a simple search, highlighting the search result to be the source of the trap, and set the refresh rate at 30 seconds. This could also be changed to live monitoring, which would allow you to look at live trap monitoring.

FIGURE 6: DATA SEARCH

DATA ANALYSIS

Instead of just collection of data, the false Login information was collected and searched with the native machine language. This also holds true for any script or coding errors that might occur.

FIGURE 7: MACHINE DATA

The created search query can be further saved as a dashboard wherein every related query is monitored and activity is saved as a dashboard.

FIGURE 8: ALERT DASHBOARD

We saved the dashboard as 'Brute force', as we used Passware to break into network authentication on the Active Directory server using a brute force attack. These events were monitored and accounted for. The above image shows various VLANs created on the network and login attempts using the same login credentials. The failed logins show how many times the Active Directory service was blocked.

LOG DATA FILE

The log Data File has been attached in this for your reference:

Event_Log _for_multile_Access.csv

USE CASE 1

DETECTION OF POSSIBLE BRUTE FORCE ATTACK

With the evolution of faster and more efficient password cracking tools, brute force attacks are on a high against the services of an organization. As a best practice, every organization should configure logging practices for security events such as invalid number of login attempts, any modification to system files, etc., so that any possible attack underway will get noticed and treated before the attack succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the hosts in their network.

To check for a brute force pattern, we have enabled auditing on logon events in the Local Security Policy and we will be feeding my System Win:Security logs to Splunk to check for a brute force pattern against local login attempts.

Below is the correlation search (SPL) that is created in Splunk against Win:Security logs to monitor real time login attempts. In this search, brute force criteria get matched with two failure attempts.

sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2

Note: EventCode 4625 is used in new versions of the Windows family like Win 7. In older versions, the event code for invalid login attempts is 675, 529.

After this, I logged off my machine and entered the password incorrectly three times in an attempt to impersonate a brute force attack.

Since these activities get logged in Win:Security, which in turn is feeding Splunk in real time, an alert will be created in Splunk, giving analysts an incident to investigate and take responsive actions, like changing the firewall policy to blacklist that IP.
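The same filter-and-count logic as the correlation search above, written as an added Python example (not part of the original report) so it can be tested against constructed events outside Splunk. It goes one step beyond the search by counting inside a sliding time window; the five-minute default, the helper names and all sample records are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records using the field names from the search above.
# They are illustrative only and do not come from the project's log file.
def _ev(hhmmss, code, account, failure_code=""):
    return {"time": f"2016-08-01T{hhmmss}", "EventCode": code,
            "Account_Name": account, "Failure_Code": failure_code}

SAMPLE_EVENTS = [
    _ev("09:00:05", 4625, "jsmith"), _ev("09:00:11", 4625, "JSmith"),
    _ev("09:00:19", 4625, "jsmith"),           # 3 failures in 14 seconds
    _ev("09:00:40", 4624, "jsmith"),           # successful logon, ignored
    _ev("09:01:00", 4625, "WKS07$"), _ev("09:01:02", 4625, "WKS07$"),
    _ev("09:01:04", 4625, "WKS07$"),           # machine account, excluded
    _ev("09:02:00", 4625, "adavis"), _ev("09:02:30", 4625, "adavis"),
    _ev("08:00:00", 4625, "bwong"), _ev("11:00:00", 4625, "bwong"),
    _ev("15:00:00", 4625, "bwong"),            # 3 failures spread over 7 hours
    _ev("09:03:00", 4625, "svc_app", "0x19"),
    _ev("09:03:01", 4625, "svc_app", "0x19"),
    _ev("09:03:02", 4625, "svc_app", "0x19"),  # Failure_Code 0x19, excluded
]

def is_counted(ev):
    """Mirror the search filters: 4625 only, no '$' accounts, no 0x19."""
    if str(ev.get("EventCode")) != "4625":
        return False
    name = ev.get("Account_Name", "")
    if not name or name.endswith("$"):
        return False
    return ev.get("Failure_Code", "").lower() != "0x19"

def brute_force_candidates(events, threshold=2, window=timedelta(minutes=5)):
    """Return {account: peak failures inside one window} where peak > threshold.

    'threshold' plays the role of 'where count > 2'. The window is an added
    assumption: the search itself counts over whatever time range it runs on.
    """
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_counted(ev):
            continue
        account = ev["Account_Name"].lower()   # Windows names are case-insensitive
        ts = datetime.fromisoformat(ev["time"])
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks

if __name__ == "__main__":
    for account, count in brute_force_candidates(SAMPLE_EVENTS).items():
        print(f"possible brute force: {account} ({count} failures in window)")
```

Without a window, an account that mistypes a password three times across a working day is indistinguishable from a burst of three failures in seconds, which is one source of the false alarms discussed earlier.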

USE CASE 2

DETECTION OF INSIDER THREAT

Reportedly, more than 30 percent of attacks are from malicious insiders in any organization. Therefore, every organization must keep the same level of security policies for insiders also.

ACCEPTABLE USE MONITORING (AUP)

Acceptable Use Monitoring covers a basic question, i.e. what resource is being accessed by whom and when. Organizations generally publish policies for users to understand how they can use the organization's resources in the best way. Organizations should develop a baseline document to set up threshold limits, critical resources information, user roles, and policies, and use that baseline document to monitor user activity, even after business hours, with the help of the SIEM solution.

For example, the below illustration is of logging a user activity on an object. For demonstrative purposes, we have created a file named "Test_Access" on my system. Auditing on object access is enabled in my system, like below in the Local Security Policy.

Enabling auditing on security policies is not enough; we now have to enable the auditing on the respective file as well, named "Test_Access" in this case. We have enabled auditing for Group Name "Everyone" on this file. Organizations should fingerprint all the sensitive files and the corresponding privileges and user group access on them.

For demonstrative purposes, we have selected all the object properties to be audited.

After this, we accessed the "Test_Access" file, which generates an event in the Security logs with Event ID 4663, giving user name, action performed, time it was accessed, etc. This useful information can be fed into the SIEM solution through security logs to detect any unauthorized or suspicious object access.

Organizations should develop fingerprints on all the sensitive documents, files and folders, and feed all this information from respective security solutions such as data leakage prevention solutions, application logs, WAF, etc. into the SIEM solution to detect a potential insider threat. Organizations can develop the below use cases in the SIEM solution under AUP:

• Top malicious DNS requests from user
• Incidents from users reported at DLP, spam filtering, web proxy, etc.
• Transmission of sensitive data in plain text
• 3rd party users network resource access
• Resource access outside business hours
• Sensitive resource access failure by user
• Privileged user access by resource criticality, access failure, etc.
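An added example (not from the original report) of how Event ID 4663 records can be checked against the kind of baseline document described above, covering the "resource access outside business hours" use case and access by users the baseline does not list. The file path, user names, business hours and event records are all constructed assumptions.

```python
from datetime import datetime

# Assumed baseline (hypothetical values): fingerprinted objects mapped to the
# users allowed to touch them, plus the organization's business hours.
BASELINE = {
    "business_hours": (9, 17),   # 09:00 inclusive to 17:00 exclusive, Mon-Fri
    "sensitive": {r"c:\finance\test_access": {"alice"}},
}

def _acc(time, code, user, obj):
    return {"time": time, "EventCode": code,
            "Account_Name": user, "Object_Name": obj}

# Constructed object-access records; the path for "Test_Access" is invented.
SAMPLE_4663 = [
    _acc("2016-08-02T10:15:00", 4663, "alice", r"C:\Finance\Test_Access"),
    _acc("2016-08-02T11:00:00", 4663, "bob", r"C:\Finance\Test_Access"),
    _acc("2016-08-02T23:40:00", 4663, "Alice", r"C:\Finance\Test_Access"),
    _acc("2016-08-06T14:00:00", 4663, "bob", r"C:\Finance\Test_Access"),  # Saturday
    _acc("2016-08-02T23:00:00", 4663, "bob", r"C:\Temp\notes.txt"),      # not sensitive
    _acc("2016-08-02T23:05:00", 4656, "bob", r"C:\Finance\Test_Access"), # other event ID
]

def review_object_access(events, baseline):
    """Return (time, user, object, reasons) for accesses that break the baseline."""
    start, end = baseline["business_hours"]
    findings = []
    for ev in events:
        if str(ev.get("EventCode")) != "4663":
            continue
        obj = ev["Object_Name"].lower()          # Windows paths are case-insensitive
        allowed = baseline["sensitive"].get(obj)
        if allowed is None:
            continue                             # object is not fingerprinted
        user = ev["Account_Name"].lower()
        ts = datetime.fromisoformat(ev["time"])
        reasons = []
        if user not in allowed:
            reasons.append("user not in baseline")
        if ts.weekday() >= 5 or not (start <= ts.hour < end):
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev["time"], user, obj, reasons))
    return findings

if __name__ == "__main__":
    for when, user, obj, reasons in review_object_access(SAMPLE_4663, BASELINE):
        print(f"{when} {user} -> {obj}: {', '.join(reasons)}")
```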

USE CASE 3

APPLICATION DEFENSE CHECK

Besides network, perimeter, and end point security, organizations must develop security measures to protect applications. With attacks like SQL injection, Cross site scripting (XSS), Buffer overflow, and insecure direct object references, organizations have adopted security measures like secure coding practices and the use of a Web Application Firewall (WAF), which can inspect traffic at layer 7 (Application layer) against signature and pattern based rules, etc. Along with the logs of applications, organizations must also feed the SIEM with logs of technologies such as WAF, so that it can correlate among various security incidents to detect a potential web application attack. One of the very important points to check for in a sensitive application is that the application should encrypt sensitive information like PII in the logs as well, as these logs will be fed into SIEM, and if unencrypted, sensitive information could be exposed in SIEM.

Organizations must also develop a strategy to secure the operating system (OS) platform onto which the application is hosted. OS as well as application performance logging features must also be enabled. Below are some of the use cases that can be implemented in SIEM to check Application defense.

• Top Web application Attacks per server
• Malicious SQL commands issued by administrator
• Applications suspicious performance indicator, resource utilization vector
• Application Platform (OS) patch-related status
• Web attacks post configuration changes on applications

USE CASE 4

SUSPICIOUS BEHAVIOR OF LOG SOURCE

EXPECTED HOST/LOG SOURCE NOT REPORTING

Log sources are the feeds for any SIEM solution. Most SIEM solutions these days come with an agent-manager deployment model, which means that on all the log sources, lightweight SIEM agent software is installed to collect logs and pass them to a manager for analysis. An attacker, after gaining control over a compromised machine/account, tends to stop all such agent services, so that their unauthorized and illegitimate behavior goes unnoticed.

To counter such actions, the SIEM should be configured to raise an alert if a host stops forwarding logs after a threshold limit. For example, the below search query (SPL) in Splunk will raise an alert if a host has not forwarded logs for more than one hour.

| metadata type=hosts | where recentTime < now() - 3600 | convert ctime(recentTime) as "Last time the log source reported" | rename host as "Log Sources" | table "Log Sources" "Last time the log source reported"

As soon as an alert is received with the IP address of the machine under attack, the Incident Response Team (IRT) can start mitigating this issue.

Unexpected Events Per Second (EPS) from Log Sources

Another common pattern found among compromised log sources is that attackers tend to change the configuration files of the endpoint agents installed and forward a lot of irrelevant files to the SIEM manager, causing a bandwidth choke between the endpoint agent and manager. This affects the performance of the real time searches configured, the storage capacity of the underlying index for storing logs, etc. Organizations must develop a use case to handle this suspicious behavior of log sources. For example, below is the search (SPL) created in Splunk which can detect unusual forwarding of events from log sources in one day.

index=_internal earliest="-1d@d" latest="-0d@d" source=*license_usage.log type=Usage h!="*ip*" | eval Mb=b/1024/1024 | bucket span=1h _time | search Mb>5 | stats sum(Mb) as MB by _time, h | sort -MB, h | dedup h | rename h as "Workload" MB as "Total events"

An alert will be configured with it to get triggered whenever the amount of EPS from a log source exceeds a threshold value, for the IRT team to investigate.
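Both log-source health checks above, as an added Python example (not part of the original report) run over constructed data. It also compares against an inventory of expected hosts, because a host list built only from received events cannot show a source that never reported; the host names, timestamps and byte counts are assumptions, and the `h!="*ip*"` exclusion from the search is left out.

```python
from collections import defaultdict

HOUR = 3600
MIB = 1024 * 1024
NOW = 1470916800   # constructed reference time (epoch seconds, on an hour boundary)

# Constructed inputs: last event time per host, and the hosts we expect to see.
LAST_SEEN = {"dc01": NOW - 120, "web01": NOW - 2 * HOUR, "ubuntu01": NOW - HOUR}
EXPECTED = {"dc01", "web01", "ubuntu01", "fw-asa"}

# Constructed rows shaped like license_usage.log entries: h=host, b=bytes.
USAGE = [
    {"h": "web01", "b": 6 * MIB, "_time": NOW - 5 * HOUR + 10},
    {"h": "web01", "b": 7 * MIB, "_time": NOW - 5 * HOUR + 1800},
    {"h": "web01", "b": 8 * MIB, "_time": NOW - 2 * HOUR + 5},
    {"h": "dc01", "b": 1 * MIB, "_time": NOW - 3 * HOUR},
    {"h": "ubuntu01", "b": 5 * MIB, "_time": NOW - 3 * HOUR},
]

def silent_sources(last_seen, expected_hosts, now, max_silence=HOUR):
    """Return {host: seconds silent, or None if the host never reported}.

    Same condition as 'where recentTime < now() - 3600', applied to every
    host in the inventory instead of only to hosts that have sent events.
    """
    findings = {}
    for host in sorted(expected_hosts):
        seen = last_seen.get(host)
        if seen is None:
            findings[host] = None
        elif now - seen > max_silence:
            findings[host] = now - seen
    return findings

def noisy_sources(usage_rows, row_threshold_mb=5):
    """Return {host: (hour_start, MB)} for each host's busiest hour.

    Follows the search step by step: convert bytes to MB, keep rows above
    the threshold, sum per host per hour, then keep the largest hour.
    """
    per_hour = defaultdict(float)
    for row in usage_rows:
        mb = row["b"] / MIB
        if mb > row_threshold_mb:
            hour_start = row["_time"] - row["_time"] % HOUR
            per_hour[(row["h"], hour_start)] += mb
    peak = {}
    for (host, hour_start), mb in per_hour.items():
        if mb > peak.get(host, (0, 0.0))[1]:
            peak[host] = (hour_start, mb)
    return peak

if __name__ == "__main__":
    print("silent:", silent_sources(LAST_SEEN, EXPECTED, NOW))
    print("noisy:", noisy_sources(USAGE))
```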

USE CASE 5

MALWARE CHECK

These days, organizations believe in protecting their network end to end, i.e. right from their network perimeter with devices like firewall and Network Intrusion Prevention System (NIPS), to the endpoint hosts with security features like antivirus and Host Intrusion Prevention System (HIPS), but most organizations collect reports of security incidents from these security products in a standalone mode, which brings problems like false positives, etc.

Correlation logic is the backbone of every SIEM solution, and correlation is more effective when it is built over the output from disparate log sources. For example, an organization can correlate various security events like unusual port activities in the firewall, suspicious DNS requests, warnings from the Web Application Firewall and IDS/IPS, threats recognized from antivirus, HIPS, etc. to detect a potential threat. Organizations can make the following sub-use cases under this category.

• Unusual network traffic spikes to and from sources
• Endpoints with maximum number of malware threats
• Top trends of malware observed; detected, prevented, mitigated
• Brute force pattern check on Bastion host

USE CASE 6

DETECTION OF ANOMALOUS PORTS, SERVICES AND UNPATCHED HOSTS/NETWORK DEVICES

Hosts or network devices usually get exploited because they are often left unhardened and unpatched. Organizations first must develop a baseline hardening guideline that includes rules for all required ports and services as per business needs, in addition to best practices like "default deny-all".

For example, to check for the services being started, system logs from event-viewer must be fed into the SIEM solution, and a corresponding correlation search must be created against the source name of "Service Control Manager" to detect what anomalous services got started or stopped.

Organizations can also check for vulnerable ports. Services can be exposed by deploying a vulnerability manager and running a regular scan on the network. The report can be fed into the SIEM solution to get a more comprehensive report encompassing the risk rate of the machines in the network. Some use cases that an organization can build from reports are:

• Top vulnerabilities detected in network
• Most vulnerable hosts in the network with highest vulnerabilities

Another important aspect that an organization should constantly monitor as part of the SIEM process is that all clients or endpoints are properly patched with software updates, feeding the client patch status information into the SIEM solution. There are various ways an organization can plan out for this check.

• Organizations can plan out to check the patch-related status by deploying a Vulnerability Manager and running a regular scan to check for unpatched endpoints
• Organizations can deploy a "centralized update manager" like WSUS and feed the results of the updated status of endpoints into the SIEM solution, or can feed the logs of the manager endpoint deployed on endpoints directly into SIEM to detect all unpatched endpoints in the network

CONCLUSION

The above use cases are not a comprehensive SIEM security checklist, but in order to have success with SIEM, the above listed use cases must be implemented at the minimum on every organization's checklist.

An SOC (Cyber-Security Operations Centre) can function much more easily with the help of a SIEM such as Splunk, which doesn't require a lot of monitoring and can handle machine data without altering its source format.

With the help of the SIEM solution, we were able to analyse, detect and also prevent multiple attacks on the network. We also saw how SIEM can be used as an IDS on an enterprise network. Detection of various threats is much easier with the help of Splunk on a large scale network.

CREDITS

Role | Individual | Profile | LinkedIn
Course Instructor | Shaukat Mulla | Course Instructor, George Brown College | https://ca.linkedin.com/in/smulla
Project Designer | Wayne Ward | Network Security Implementation Lecturer, George Brown College | https://ca.linkedin.com/in/wayneward1
Mentor and project execution vision | Ali Khan | Senior Manager, Cyber Risk Advisory, Deloitte LLP. | https://ca.linkedin.com/in/khanuali
Project Lead | Rangan Grama-Yoga | Student, George Brown College | https://ca.linkedin.com/in/ranganiyengar
Project Team Member | Ankit Pandya | Student, George Brown College | https://ca.linkedin.com/in/ankit-pandya-98316a4b
Project Team Member | Lakshay Chamoli | Student, George Brown College | https://ca.linkedin.com/in/lakshay-chamoli-48b319118
Project Team Member | Zhou Lu | Student, George Brown College | https://ca.linkedin.com/in/zhou-lu-28512a122

A total of 300 man hours was put into the execution of this project.

All the Use cases and the data were sourced from various sources using the internet.