
SIEM Malware Detection

AleBroff
July 10, 2020


Transcript

  1. Elastic Technology: Powered by the Elastic Stack
     • Deployed anywhere: SaaS (Elastic Cloud); Orchestration / Automation (Elastic Cloud on Kubernetes, Elastic Cloud Enterprise)
     • 3 solutions: Elastic Enterprise Search, Elastic Security, Elastic Observability
     • The Elastic Stack: Kibana, Elasticsearch, Beats, Logstash
  2. Beats: Lightweight data shippers
     • Ship data from the source
     • Ship and centralize in Elasticsearch
     • Ship to Logstash for transformation and parsing
     • Ship to Elastic Cloud
     • Libbeat: API framework to build custom Beats
     • 70+ community Beats
  3. Logstash: ETL for Elasticsearch
     • Ingest data of all shapes, sizes, and sources
     • Parse and dynamically transform data
     • Transport data to any output
     • Secure and encrypt data inputs
     • Build your own pipelines
     • Lots of plugins
  4. Elastic Security: Prevention, Detection, and Response for unified Protection
     • Security: out-of-the-box solution for security analysts everywhere, with security content from Elastic and the community
     • Kibana: visualize your Elasticsearch data and navigate the Elastic Stack
     • Elasticsearch: a distributed, RESTful search and analytics engine
     • Data sources: Logstash, Beats, Endpoint
  5. Unified protection from the creators of the Elastic Stack
     Elastic Security integrates SIEM and endpoint security to prevent, collect, detect, and respond across your infrastructure.
  6. Elastic Security: Stop threats at scale, eliminate blind spots, arm every analyst
     ➔ New Filebeat modules for Office 365 and Okta
     ➔ Filebeat CEF module supports Check Point
     ➔ Elastic Endpoint Security streams to Logstash
     ➔ ECS “Mapper” tool made public
     ➔ SIEM queries support ECS fields
     ➔ Notifications: Email, Slack, PagerDuty, Webhook
     ➔ Direct ML integration in detection engine
     ➔ Expanded prebuilt rules
     ➔ Prebuilt MITRE-based protections
     ➔ Import and export timelines
     ➔ SIEM rule execution monitoring
     ➔ New case management workflows
     ➔ New simple case management workflow integration with ServiceNow®
     ➔ New Investigation Guide playbooks
  7. Elastic Common Schema (ECS): Normalize data to streamline analysis
     • Defines a common set of fields and objects to ingest data into Elasticsearch
     • Enables cross-source analysis of diverse data
     • Designed to be extensible
     • ECS is GA and is being adopted throughout the Elastic Stack
     • Contributions and feedback welcome at https://github.com/elastic/ecs
  8. Curated Host and Network Data Sources
     Host data sources
     • Auditbeat
       ◦ System module — Linux, macOS, Win: packages, processes, logins, sockets, users and groups
       ◦ Auditd module (Linux kernel audit info)
       ◦ File integrity monitoring (FIM) — Linux, macOS, Win
     • Filebeat
       ◦ System logs (auth logs) — Linux
       ◦ Santa — macOS
       ◦ OSquery
     • Winlogbeat
       ◦ Windows event logs
       ◦ Sysmon
     Network data sources
     • Packetbeat
       ◦ Flows
       ◦ DNS
       ◦ Other protocols
     • Filebeat
       ◦ IDS/IPS/NMS: Zeek NMS, Suricata IDS
       ◦ Firewall: iptables/Ubiquiti, Palo Alto PAN-OS, Cisco ASA, Firepower, IOS
       ◦ Kubernetes: CoreDNS module, Envoy proxy module
       ◦ Cloud: GCP VPC logs*, AWS, Azure
       ◦ Threat Intel: MISP
  9. UI Overview: Curated workflows for the SOC team
     Manage security events
     • Visualize and analyze security events
     Perform initial triage
     • Investigate security events, alerts, and alarms
     • Annotate investigations and create incidents
     • Hand off incidents to a third-party case/incident/orchestration (SOAR) system
     View SOC security posture
     • Visualize overall event, alarm, investigation, and incident status and history
  10. Elastic SIEM Timeline Event Explorer: Analyst-friendly qualification and investigation workflows
     • Time-ordered events
     • Drag-and-drop filtering
     • Multi-index search
     • Annotations, comments
     • Formatted event views
     • Persistent storage
  11. Integrated ML Detection: Trigger jobs and view results in the SIEM app
     • Enable and control pre-built and custom ML jobs
     • View results in Hosts and Network views
     • Links to the ML app within Kibana
  12. Detection Engine: Create and manage rules and signals
     • OOTB and custom rules aligned with MITRE ATT&CK
     • Scheduled rules run periodically and generate signals
     • Signals are investigated in the SIEM app Timeline
     • Signals can also be used as detection building blocks for more complex detections
  13. Integrating SIEM Signals with Other Systems
     Elastic SIEM signals feed: Robotic Process Automation, Security Applications, SDN Switches, Messaging Services, Issue Tracking Services
  14. Sysmon Enrichments
     Sysmon provides greater visibility of system activity on a Windows host than standard Windows logging, allowing for easier detection of threats:
     • File modification events
     • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names
     • Records the hash of process image files
     • Logs process creation with the full command line for both current and parent processes
     • And many more…
     Enriched configuration file mapped to the MITRE ATT&CK matrix: https://github.com/olafhartong/sysmon-modular
  15. MITRE ATT&CK Framework: The common language and de facto standard
     • Stands for “Adversarial Tactics, Techniques, and Common Knowledge”
     • A globally accessible knowledge base of adversary tactics and techniques, categorized into an easily consumable model
     • Based on real-world, in-the-wild observations of actual adversary behavior
     • Focus on the adversary: the behaviors they exhibit, the tools they use, and the actions they perform
     • Community driven, updated by MITRE quarterly based on new things being seen and reported in the wild
  16. The Malware Sample
     • Sample malware from the known APT34 or Helix Group (https://attack.mitre.org/groups/G0049/)
     • In the real campaign, the payload was delivered to victims via a phishing e-mail with a Word document attached. The document contained several macros that performed a number of adversarial behaviours.
     • In our lab, a PowerShell script replicates the document macro execution
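The Sysmon enrichments on slide 14 (process creation with the parent's command line and the image hash) are what make the macro-to-PowerShell chain of slide 16 detectable. The following is an added example, not code from the deck or from Elastic: a scheduled-rule style check over constructed Sysmon Event ID 1 records that already carry ECS field names; the hosts, command lines and placeholder hashes are invented.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records using the ECS field
# names Winlogbeat emits for them. Sample data, not real telemetry; hashes are placeholders.
EVENTS = [
    {"host.name": "ws01", "process.name": "WINWORD.EXE",
     "process.parent.name": "explorer.exe",
     "process.command_line": "WINWORD.EXE /n invoice.docm",
     "process.hash.sha256": "PLACEHOLDER_SHA256_1"},
    {"host.name": "ws01", "process.name": "powershell.exe",
     "process.parent.name": "WINWORD.EXE",
     "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "process.hash.sha256": "PLACEHOLDER_SHA256_2"},
    {"host.name": "ws02", "process.name": "powershell.exe",
     "process.parent.name": "explorer.exe",
     "process.command_line": "powershell.exe Get-ChildItem C:\\Users",
     "process.hash.sha256": "PLACEHOLDER_SHA256_3"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches commonly used to hide the window or pass an encoded script.
EVASION_FLAGS = re.compile(
    r"-(?:nop|noprofile|enc|encodedcommand|w(?:indowstyle)?\s+hidden)\b", re.I)


def score_event(event):
    """Return the rule names an event matches (empty list means no signal)."""
    parent = event.get("process.parent.name", "").lower()
    child = event.get("process.name", "").lower()
    cmd = event.get("process.command_line", "")
    reasons = []
    # Office document macro launching a script host (ATT&CK T1566.001 -> T1059.001).
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if child in {"powershell.exe", "pwsh.exe"} and EVASION_FLAGS.search(cmd):
        reasons.append("powershell-evasion-flags")
    return reasons


def generate_signals(events):
    """Run every rule over a batch of events, as a scheduled SIEM rule would."""
    signals = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:  # keep the image hash so the signal can be pivoted to threat intel
            signals.append({"host": ev["host.name"], "process": ev["process.name"],
                            "parent": ev["process.parent.name"],
                            "sha256": ev["process.hash.sha256"], "rules": reasons})
    return signals
```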
  17. DNS Tunnel
     DNS is a great covert channel: data is obfuscated, encoded and attached to the DNS queries sent to the catch domain.
     Diagram (DNS exfiltration): Compromised machine ➔ DNS query for 0468d000b7d1679ED1C50T.baddomain.com ➔ baddomain.com
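Queries like the one in the diagram leave a measurable trace in Packetbeat DNS data: a single client asking for many distinct, long, high-entropy subdomains of one parent domain. The following is an added example, not code from the deck or from Elastic: a detection over constructed query records (source IP, record type, queried name), where the private IPs, the hex-like labels and the example.com names are invented.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query records: source IP, record type, queried name.
# Sample data built for this example, not captured traffic.
DNS_LOG = """\
10.0.0.12 A 0468d000b7d1679ED1C50T.baddomain.com
10.0.0.12 A 1a9f33c0e27b4d5e88c1a2.baddomain.com
10.0.0.12 A 7c0de1ab9f45e6230b9d14.baddomain.com
10.0.0.12 A 9e2b5fc8d1470aa3e6f2c7.baddomain.com
10.0.0.12 A 5d8c0a7e21f39b4d6e7a10.baddomain.com
10.0.0.12 A 3b6f9d2c8e17a40d5c2e91.baddomain.com
10.0.0.12 A www.example.com
10.0.0.15 A mail.example.com
10.0.0.15 A static.cdn.example.com
"""
LINE = re.compile(r"^(?P<src>\S+)\s+(?P<type>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits per character; encoded payload scores well above readable hostnames."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def split_name(qname):
    """Naive (subdomain, registered domain) split on the last two labels; production code should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnels(log, min_queries=5, min_len=20, min_entropy=3.0):
    """Flag (source, domain) pairs whose distinct subdomains look like encoded payload chunks."""
    groups = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            sub, dom = split_name(m["qname"])
            groups[(m["src"], dom)].add(sub)
    signals = []
    for (src, dom), subs in groups.items():
        if len(subs) < min_queries:  # too few distinct labels to be a channel
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            signals.append({"source": src, "domain": dom, "queries": len(subs),
                            "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return signals
```

The thresholds are starting points; tune them against a baseline of the environment's own DNS traffic, since CDNs and some security products also produce long machine-generated labels.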