SIEM Based Intrusion Detection
Jim Beechey
March 2010
GSEC Gold, GCIA Gold, GCIH, GCFA, GCWN
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Attackers are more sophisticated and targeted in their attacks.
• Defenders need systems which help provide visibility and alerting across numerous security systems.
• SIEM adoption driven by compliance (Gartner says “more than 80%”)
• Put “Security” back into SIEM using real world examples.

SIEM System Setup

Basics – Outbound Traffic
• Outbound SMTP, DNS and IRC
• Unexpected outbound connections

New Hosts and Services
• Scanner integration for new host and service discovery

Darknets
• Network segments without any live systems, but which are monitored
• Any traffic is considered suspicious
• Qradar defines Darknets at setup
• Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

Brute-force Attacks
• Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day.
• Qradar provides several alerts for brute force attacks, Login Failures Followed by Success and Repeated Login Failures Single Host being the most helpful
• Customize alerts for maximum impact

Windows Accounts
• Report of accounts created and by whom
• Alerts for:
– accounts not using the standard naming convention
– accounts created outside of the creation script timeframe
– workstation account created
– group membership adds to key groups
• Understand the account management process and alert accordingly

IDS Context/Correlation
• Reduce noise by reporting based upon high value systems or asset weights
• Add context of target operating system
• Add knowledge of vulnerabilities
• Rules:
– Target Vulnerable to Detected Exploit
– Vulnerable to Detected Exploit on Different Port
– Vulnerable to Different Exploit than Detected on Attacked Port

Web Application Attacks
• Analyze WAF logs if possible, as header data (POST) is not available in server logs
• Create regular expressions to look for signs of attack, for example:
– /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – detects ‘ or --
• Create and alert on web honeytokens
– Fake admin page in robots.txt
– Fake credentials in HTML code

Data Exfiltration
• Collection of flows or session data is extremely helpful
• Reports/Alerts based upon:
– Size/destination of outbound flows (“Large Outbound Data Transfer”)
– Application data inside specific protocols
– Frequency of requests/application usage
– Session duration (“Long Duration Flow”)

Client Side Attacks
• Information in Windows event logs:
– Process Information: Start (592/4688), End (593/4689)
– New Service Installed (601/4697)
– Scheduled Task Created (602/4689)
– Audit Policy Changed (612/4719) and Audit Log Cleared (517/1102)
• Integration with third-party tools

Sample Attack

Summary
• Defenders need to look for indicators of compromise across many sources
• SIEM solutions centralize data
• Start small with basic methods, test, and move to more advanced techniques
• Goal is to detect compromise and provide as much information as possible before starting incident response
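The two Qradar brute-force rules named on the Brute-force Attacks slide, Repeated Login Failures Single Host and Login Failures Followed by Success, re-implemented as a sliding-window correlation over authentication events. This is an added example, not Qradar's rule logic or the author's code; the key=value log format, the sample events, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): a fast attacker source, a legitimate
# user who mistypes once, and a slow source whose failures fall outside the window.
SAMPLE_LOG = """\
2010-03-01T09:00:01 host=dc01 src=10.1.1.50 user=administrator result=FAIL
2010-03-01T09:00:02 host=dc01 src=10.1.1.50 user=backup result=FAIL
2010-03-01T09:00:03 host=dc01 src=10.1.1.50 user=jsmith result=FAIL
2010-03-01T09:00:09 host=dc01 src=10.1.1.50 user=jsmith result=SUCCESS
2010-03-01T09:10:00 host=dc01 src=10.1.1.20 user=mjones result=FAIL
2010-03-01T09:10:11 host=dc01 src=10.1.1.20 user=mjones result=SUCCESS
2010-03-01T08:00:00 host=fs01 src=10.1.1.99 user=rwong result=FAIL
2010-03-01T08:10:00 host=fs01 src=10.1.1.99 user=rwong result=FAIL
2010-03-01T08:20:00 host=fs01 src=10.1.1.99 user=rwong result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$")

def parse_events(log):
    """One event per line; lines that do not match the format are skipped, not guessed at."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on (source IP, target host)."""
    recent = defaultdict(deque)  # (src, host) -> failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent[ev["src"], ev["host"]]
        while fails and ev["ts"] - fails[0] > window:  # expire failures older than the window
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) == threshold:  # fires once per burst, not on every further failure
                alerts.append(dict(rule="Repeated Login Failures Single Host", src=ev["src"],
                                   host=ev["host"], user=None, ts=ev["ts"]))
        elif len(fails) >= threshold:  # success right after a burst is the high-value signal
            alerts.append(dict(rule="Login Failures Followed by Success", src=ev["src"],
                               host=ev["host"], user=ev["user"], ts=ev["ts"]))
            fails.clear()
    return alerts

def run_sample():
    return correlate(parse_events(SAMPLE_LOG))
```

Only the 10.1.1.50 burst produces alerts: the legitimate user never reaches the threshold and the slow source's failures age out of the window before they accumulate.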