SIEM Based Intrusion Detection
Jim Beechey
May 2010
GSEC, GCIA, GCIH, GCFA, GCWN
beechey@northwood.edu
twitter: jim_beechey

Slide 2: Objective
• Attackers are more sophisticated and targeted in their attacks.
• Defenders need systems which help provide visibility and alerting across numerous security systems.
• SIEM adoption driven by compliance
• Gartner says “more than 80%”
• Put “Security” back into SIEM using real world examples.

Slide 3: SIEM System Setup

Slide 4: Basics – Outbound Traffic
• Outbound SMTP, DNS and IRC
• Unexpected outbound connections

Slide 5: New Hosts and Services
• Scanner integration for new host and service discovery

Slide 6: Darknets
• Network segments without any live systems, but are monitored
• Any traffic considered suspicious
• Qradar defines Darknets at setup
• Qradar Rule: Suspicious Activity: Communication with Known Watched Networks

Slide 7: Brute-force Attacks
• Create reports to generate statistical data on failed logins by device, source IP and locked accounts per day.
• Qradar provides several alerts for brute force attacks, with “Login Failures Followed by Success” and “Repeated Login Failures Single Host” being the most helpful
• Customize alerts for maximum impact

Slide 8: Brute-force Attacks

Slide 9: Windows Accounts
• Report of accounts created by whom
• Alerts for:
  – accounts not using std naming convention
  – outside of creation script timeframe
  – workstation account created
  – group membership adds to key groups
• Understand the account management process and alert accordingly

Slide 10: IDS Context/Correlation
• Reduce noise by reporting based upon high value systems or asset weights
• Add context of target operating system
• Add knowledge of vulnerabilities
• Rules
  – Target Vulnerable to Detected Exploit
  – Vulnerable to Detected Exploit on Different Port
  – Vulnerable to Different Exploit than Detected on Attacked Port

Slide 11: Web Application Attacks
• Analyze WAF logs if possible, as header data (POST) is not available in server logs
• Create regular expressions to look for signs of attack, for example
  – /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix – Detects ‘ or --
• Create and alert on web honeytokens
  – Fake admin page in robots.txt
  – Fake credentials in html code

Slide 12: Data Exfiltration
• Collection of flows or session data is extremely helpful
• Reports/Alerts based upon
  – Size/destination of outbound flows “Large Outbound Data Transfer”
  – Application data inside specific protocols
  – Frequency of requests/application usage
  – Session Duration “Long Duration Flow”

Slide 13: Client Side Attacks
• Information in Windows event logs:
  – Process Information: Start (592/4688), End (593/4689)
  – New Service Installed (601/4697)
  – Scheduled Tasks Created (602/4689)
  – Audit Policy Changed and Cleared (612/4719) and (517/1102)
• Integration with third-party tools

Slide 14: Sample Attack

Slide 15: Summary
• Defenders need to look for indicators of compromise across many sources
• SIEM solutions centralize data
• Start small with basic methods, test, and move to more advanced techniques
• Goal is to detect compromise and provide as much information as possible before starting incident response

Slide 16: System Options
• Commercial SIEM Solutions
  – ArcSight (www.arcsight.com)
  – Q1Labs Qradar (www.q1labs.com)
  – RSA Envision (www.rsa.com)
• Lower Cost/Free Log Search
  – Q1Labs FE (www.q1labs.com)
  – OSSEC (www.ossec.net)
  – Splunk (www.splunk.com)
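The regular expression and the robots.txt honeytoken idea from the Web Application Attacks slide, run over a few constructed web-server log lines, as an added example that is not part of the original presentation. The log format, the honeytoken path /admin-backup/ and the client addresses are assumptions made for the example.

```python
import re
from collections import namedtuple

# Pattern from the slide. The x (verbose) flag is deliberately dropped here: in
# verbose mode an unescaped '#' starts a comment, which would swallow the '(#)'
# alternative and leave the pattern unbalanced.
SQLI_RE = re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(#)", re.IGNORECASE)

# Hypothetical honeytoken: a path listed in robots.txt that no real page links to.
HONEYTOKEN_PATHS = {"/admin-backup/"}

# Combined-log style line (constructed format): client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

Alert = namedtuple("Alert", "src rule detail")

def analyze(lines):
    """Return one Alert per suspicious request (a line can raise more than one)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop the collector
        src, path = m.group("src"), m.group("path")
        # Honeytoken check ignores the query string so /admin-backup/?x=1 still hits.
        if path.split("?", 1)[0] in HONEYTOKEN_PATHS:
            alerts.append(Alert(src, "honeytoken", path))
        # The character heuristic runs on the full request target, query included.
        if SQLI_RE.search(path):
            alerts.append(Alert(src, "sqli-chars", path))
    return alerts

def count_by_source(alerts):
    """Per-source alert counts, the statistic a daily SIEM report would carry."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts

# Constructed sample log: an injection attempt, a honeytoken hit, a benign
# apostrophe (the false positive this pattern always produces) and a bad line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2010:13:55:36 -0400] "GET /products.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2010:13:55:41 -0400] "GET /products.php?id=1%27%20or%201=1-- HTTP/1.1" 500 301',
    '198.51.100.9 - - [10/May/2010:14:02:10 -0400] "GET /admin-backup/ HTTP/1.1" 404 162',
    '192.0.2.5 - - [10/May/2010:14:03:00 -0400] "GET /search?q=o%27reilly HTTP/1.1" 200 873',
    'not a log line',
]
```

The benign apostrophe in the last request shows why such a pattern belongs in a report or low-priority alert that is tuned against real traffic before it pages anyone.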