This document discusses establishing a maturity model for security disciplines including monitoring, assessments, and threat intelligence management. It highlights that security monitoring paradigms should assume compromise and focus on detection over prevention. Log sources like Windows, Sysmon, proxies, and DNS can provide valuable information for indicators of compromise matching and threat hunting if proper audit policies and Sigma rules are applied. Compromise assessments complement endpoint detection and response tools by allowing forensic analysis of past events. Threat intelligence from a variety of providers can be structured and curated for effective management.
2. Contents
§ Concept of Maturity Model of Security Disciplines
§ Some highlights and low hanging fruits
§ Security Monitoring
§ Low hanging fruits
§ Compromise Assessments
§ Threat Intel Management
3. Maturity Model of Security Disciplines
[Chart: security disciplines plotted by Degree of Implementation (0% to 100% on the horizontal axis) against Setup Costs (Cheap to Expensive on the vertical axis), each marked as Implemented, Planned or Missed. Disciplines shown: Email Filter, Antivirus, Backup/Restore, Security Monitoring, Vulnerability Management, MFA, Advanced Malware Detection, NIDS, EDR, Compromise Assessment, Computer Forensics, Red Teaming, Threat Intel Management, Zero Trust, SOAR. One region of the chart is labelled „Black Hole“.]
4. Security Monitoring: Wrong Paradigms
§ „Security devices hold the most important logs“
- Firewall, WAF and VPN logs are less important than you might think
§ „Antivirus events with status ‚successfully removed‘ don’t matter“
- Better method: Antivirus Event Analysis Cheat Sheet
§ „Only the perimeter matters“
- SSL/TLS connections
- Stage 1 is often an MS Office document with a low AV detection rate
§ „If you invest enough in protection you don’t need a sound detection“
5. Security Monitoring: New Paradigms
§ „Assume Compromise“
- Answer the questions:
- „What if an attacker gained domain admin privileges 6 months ago?“
- „Do we detect someone running ‚whoami‘ on one of our servers?“
§ „Githubification of InfoSec“ [1]
- New standards empower community sharing (YARA, Sigma, ATT&CK)
§ „Software is broken“ (not so new but often overlooked ;)
- Always expect vulnerabilities
- Detection is as important as protection and often cheaper to implement
[1] https://medium.com/@johnlatwc/the-githubification-of-infosec-afbdbfaad1d1
7. Log Sources
Log Source        Volume (11)  IOC Matching  Threat Hunting  Audit Trail (9)  APT Detection (10)
Antivirus         Low          -             ++ (3)          +                +++
Windows & Sysmon  Medium (8)   ++ (1)        +++ (4)         ++               ++
Proxy             Medium       ++ (2)        + (5)           ++               +
NIDS/NSM (7)      Medium       + (2)         +               +                +
DNS               High         ++ (2)        + (5)           +                +
Mail (6)          Medium       +             -               +                -
Firewall          High         + (2)         -               ++               -
Linux (auditd)    Medium       -             +               +                -
Priority: High (top rows) to Low (bottom rows)
(1) File hash values (MD5, SHA1, SHA256)
(2) C2 IPs or domain names
(3) See „Antivirus Event Analysis Cheat Sheet“
(4) Sigma can help a lot
(5) Patterns (URL, hostname), suspicious TLDs
(6) No personal experience with this log source, but highly recommended by others
(7) Suricata, Zeek or alike
(8) Depends mainly on audit policy (use the Microsoft Baseline) and Sysmon config
(9) Usefulness in the reconstruction of events
(10) How useful these logs are in the detection of persistent threats (reconnaissance, backdoors, lateral movement)
(11) Depends on audit policy and filters (rule of thumb)
8. Low Hanging Fruit 1: AntiVirus
§ Antivirus Event Analysis Cheat Sheet
§ Threat Type
§ Location
§ Available as Sigma rules: https://github.com/Neo23x0/sigma/tree/master/rules/windows/malware
9. Low Hanging Fruit 2: Sigma
§ Answers the question: „What should I look for in my logs?“
§ Generic rules
§ No vendor lock-in
§ Sharing communities
§ Easy to write and read
§ Expression language covers 95% of use cases (use explicit queries for the rest)
https://github.com/Neo23x0/sigma/tree/master/rules
11. Audit Policies 1/2
§ Antivirus > get everything
§ Windows
§ Microsoft Baseline
§ Sysmon
§ Olaf Hartong’s „Sysmon Modular“: https://github.com/olafhartong/sysmon-modular
§ SwiftOnSecurity’s „Sysmon Config“: https://github.com/SwiftOnSecurity/sysmon-config
§ Proxy > get everything
12. Audit Policies 2/2
§ NIDS > depends on product
§ DNS
§ Exclude AD / Windows service related queries
§ Mail > unknown
§ Firewall
§ High Volume
§ Filter on Priority (see table)
§ Storage: often collected in cheaper systems
Direction  Action   Priority
Out        Blocked  High
Out        Allowed  Medium
In         Allowed  Medium
In         Blocked  Low
13. Advantages of Sysmon/Sigma over EDR
§ Transparency
§ You know exactly what you’re able to detect
§ No hidden signatures and no Machine Learning magic
§ Customizability
§ Independent Response to Threats
§ Community provides detection rules/ideas fast
§ Don’t have to ask a vendor if they have already pushed corresponding rules
14. Security Monitoring: Quality Control
§ MITRE ATT&CK Coverage
§ Don’t forget the depths: Webshell Detection isn’t Webshell Detection
§ Red Teaming
§ It’s not rocket science - ask:
§ „Do we detect LOCAL_SYSTEM running ‚whoami‘ on one of our servers?“
§ „Do we detect RDP logins with service accounts?“
§ „Do we detect local admin creations on Sundays?“
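The following is an added example, not code from the slides or the Sigma project: a minimal Sigma-style matcher that turns two of the quality-control questions above (slide 14) into rules in Sigma's detection shape (slide 9) and runs them over constructed Sysmon/Security events. The event records, host names, the „svc_“/„svc-“ service-account prefixes and the parent process excluded by the filter are all assumptions.

```python
"""Minimal Sigma-style matcher over constructed Windows/Sysmon events. Added example, not from the
slides or the Sigma project; supports |endswith, |startswith, |contains, list values (OR) and the
conditions "selection" and "selection and not filter"."""
# Constructed sample events (Sysmon Event ID 1, Security Event ID 4624); host names are made up.
EVENTS = [
    {"EventID": 1, "Computer": "SRV01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS17", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "SRV03", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Agent\inventory_agent.exe"},
    {"EventID": 4624, "Computer": "SRV02", "LogonType": 10, "TargetUserName": "svc-backup"},
    {"EventID": 4624, "Computer": "SRV02", "LogonType": 10, "TargetUserName": "bob"},
]

# Rules in Sigma's detection shape; the "svc_"/"svc-" prefixes and the filtered parent process are assumptions.
RULES = {
    "SYSTEM runs whoami": {
        "selection": {"EventID": 1, "Image|endswith": r"\whoami.exe", "User|endswith": r"\SYSTEM"},
        "filter": {"ParentImage|endswith": r"\inventory_agent.exe"},
        "condition": "selection and not filter",
    },
    "RDP logon with service account": {
        "selection": {"EventID": 4624, "LogonType": 10, "TargetUserName|startswith": ["svc_", "svc-"]},
        "condition": "selection",
    },
}

# Field modifiers; a list of expected values is OR-ed and comparison is case-insensitive, as most backends generate it.
OPS = {"": str.__eq__, "endswith": str.endswith, "startswith": str.startswith,
       "contains": lambda v, o: o in v}

def _value_matches(value, modifier, expected) -> bool:
    options = expected if isinstance(expected, list) else [expected]
    return any(OPS[modifier](str(value).lower(), str(o).lower()) for o in options)

def selection_matches(selection: dict, event: dict) -> bool:
    # Field/value pairs inside one selection are AND-ed; a missing field never matches.
    return all(field in event and _value_matches(event[field], mod, exp)
               for (field, _, mod), exp in ((k.partition("|"), x) for k, x in selection.items()))

def rule_matches(rule: dict, event: dict) -> bool:
    hit = selection_matches(rule["selection"], event)
    if rule["condition"] == "selection and not filter":
        hit = hit and not selection_matches(rule["filter"], event)
    return hit

def run_rules(events=EVENTS, rules=RULES) -> dict:
    # Rule name -> hosts that produced a hit: the answer to "do we detect ...?".
    return {n: [e["Computer"] for e in events if rule_matches(r, e)] for n, r in rules.items()}
```

Feeding the same rules real Sysmon (Event ID 1) and Security (Event ID 4624) records instead of the constructed ones is the practical version of the slide's questions; a rule with no hits on known test activity is a coverage gap, not a clean environment.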
15. Compromise Assessment
§ Addressing the „Assume Compromise“ paradigm
§ Typically: Consulting + Scripts / Tools [1]
§ EDR <> Compromise Assessment
§ EDR: Live view of processes, connections, activity
§ CA: Forensic analysis of past events - caches, logs, error reports, dumps, etc.
§ See it as complementary and not competing
[1] e.g. THOR by Nextron Systems
16. Threat Intel Management
§ Providers: OTX, MISP, Local Authorities, EclecticIQ, CrowdStrike, BEA, Kaspersky, FireEye ...
§ Structured and curated Threat Intelligence (TI) is a thing
Source: EclecticIQ