Threat Hunting - How to Use Your Logs for Good

Transcript

1. Threat Hunting How to use your logs for good RMISC

   2017

2. me: Mike Benjamin @mikebdotorg Security guy at Level 3 Colorado

   resident I love data This is my personal work

3. What is Threat Hunting? Proactively searching for threats Looking at

   your logs for malice Understanding root cause of anomalies NOT your SIEM or security controls A buzzword

4. Why Hunt for Threats? Minimize impacts to active attacks Informs

   priority of security control work Drives factual monitoring requirements Gain a better understanding of the environment It's fun

5. Where Do You Start? Build a list of goals for

   what you will hunt Look at your environment for risk Current vulnerabilities and exploits Past attacks against you, including pen tests Each step of attack scenarios Build a system for collection and indexing Get the data required for your goals But you really want everything

6. Platforms for Hunting ELK Stack Splunk Graylog Sumo Logic Loggly

   logentries Sqrrl

7. An Effective Hunting System Must support flexible ingestion of data

   Must allow easy and quick extraction of data Must provide an API for more complex work Should scale to reasonably large data sets Should provide a UI for searching and reporting Doesn't need to be highly available or complex This may already exist in your environment!

8. The Demo Platform

9. How the Stack Works Bro generates individual TSV files by

   event type that occurred on the network The local Filesystem stores the logs and all rotated historical versions Logstash tails the log files, adds field names, adds GeoIP data for IPs, and exports it in GELF to a local UDP port Graylog listens on the port, processes the GELF payload, and sends it to Elasticsearch using its transport protocol Elasticsearch dynamically maps the unmapped field types and stores the data

10. Graylog

11. Example Use

12. Example Detail

13. What to Look For Rare things Odd protocol uses Anomalous

    things Packets sent to a wide range of ports Loud things Massive file transfers in or out IOC related things Domains and IPs known to be malicious

14. Demo Dashboard

15. Demo Dashboard

16. Demo Dashboard

17. Demo Dashboard

18. Demo Dashboard

19. Demo Dashboard

20. Example Use

21. OPTIONS Method Sites

22. Finding the Root Cause

23. Understanding the Referrers

24. Confirming Cross-Origin Resource Sharing

25. Programmatic Access to Data Scrolling is needed to retrieve >10,000

    documents

26. Executing Malware with Malboxes

27. Locky DGA Callbacks Found in NXDOMAIN Generated from Locky sample

    b06d9dd17c69ed2ae75d9e40b2631b42

28. Large Volume Queries from GameOver ZeuS Generated from GOZ sample

    7fe11cfcd7c66f7727cfc4613e755389

29. More Advanced Analytics Statistics and machine learning can help advance

    your work

30. Just Get Started

31. Tools Used graylog - https://www.graylog.org/ bro - https://www.bro.org/ logstash -

    https://github.com/elastic/logstash malboxes - https://github.com/GoSecure/malboxes NumPy - http://www.numpy.org/ reveal.js - http://lab.hakim.se/reveal-js/#/ Questions? Comments? @mikebdotorg