2. WHY ARE WE DOING IR?
Halo effects of a good incident response process:
- Fight FUD with truth
- IT ops love truth, so ops love security, so security gets access to data and resources
- When security = visibility and security != NO, good things happen
4. CONTEXT IS THE GOAL
- IR isn't done until you've answered "why"
- Answering "why" is hard
- You need to fully understand the threat's motives from the events and artifacts
- That requires quickly answering tough questions, which means searching, summarizing, and drilling down
5. ELSA PROVIDES CONTEXT
- Search, summarize, and drill down on events and artifacts
- Leverages both local and global data
- Parallax of heterogeneous data sources describing the same action
  (Parallax: derive depth from different points of view)
7. CONTEXT VIA TIMELINE
Time         Event                              IP          Phase
9/12 23:00   GET company.com/directory.html     81.x.x.x    Recon
9/13 08:00   Email from admin@throwaway.com                 Phish
9/13 09:05   Firewall connection                82.x.x.x    Exploit
9/13 09:05   GET request to evil.com            82.x.x.x    Exploit
9/13 09:05   Bro file MD5 from evil.com         82.x.x.x    Exploit
9/13 09:05   IDS: Packed Executable             82.x.x.x    Exploit
9/14 07:00   IDS: outbound RAR                  83.x.x.x    Exfil
8. BUILDING THE TIMELINE
ELSA searches to construct the timeline:
1. Find exploit:
   sig_msg:packed groupby:dstip | subsearch(class:url groupby:site,dstip) | subsearch(category:uncategorized groupby:srcip,dstip)
9. BUILDING THE TIMELINE
This gives us the attacker IP 82.x.x.x and the victim IP 1.1.1.1. Continue with victim-centric searches:
2. Find exfil:
   1.1.1.1 groupby:sig_msg
3. Find bait:
   1.1.1.1 groupby:email | subsearch(class:bro_smtp groupby:subject)
4. Find recon:
   site:company.com uri:directory.html
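The four searches above all pivot on values handed from one stage to the next. The following is an added example, not ELSA's code or a slide from the deck: a toy model of the pipeline (field terms, groupby, subsearch) run over a constructed set of events shaped like the timeline on slide 7. The events, the Snort/Bro/proxy field names used in them, and the matching rules (substring matching for terms, exact-value matching for subsearch pivots) are assumptions made for the illustration; the real engine runs on Sphinx full-text search with token matching and many more operators.

```python
"""Toy model of the ELSA search pipeline used on the slides: field terms,
groupby, and subsearch() pivots.  Added illustration, not ELSA's code.
Simplified rules:
  - `field:value` matches when value is a case-insensitive substring of that field,
  - a bare term matches when it is a substring of any field,
  - `groupby:a,b` returns the distinct (a, b) tuples of the matching events,
  - subsearch(...) takes every value from the previous stage's groups and
    requires a matching event to carry one of them (exactly) in some field,
    AND'ed with the subsearch's own terms.
"""

# Constructed events standing in for the IDS, proxy/URL, firewall and Bro
# logs behind the timeline on slide 7 (IPs abbreviated as on the slide);
# the last two are noise, to show the pivots narrowing the result.
EVENTS = [
    {"ts": "9/12 23:00", "class": "url", "site": "company.com", "uri": "/directory.html",
     "category": "business", "srcip": "81.x.x.x", "dstip": "10.0.0.5"},
    {"ts": "9/13 08:00", "class": "bro_smtp", "email": "admin@throwaway.com",
     "subject": "Updated staff directory", "dstip": "1.1.1.1"},
    {"ts": "9/13 09:05", "class": "firewall", "srcip": "1.1.1.1", "dstip": "82.x.x.x"},
    {"ts": "9/13 09:05", "class": "url", "site": "evil.com", "uri": "/update.exe",
     "category": "uncategorized", "srcip": "1.1.1.1", "dstip": "82.x.x.x"},
    {"ts": "9/13 09:05", "class": "bro_file", "site": "evil.com",
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "srcip": "1.1.1.1", "dstip": "82.x.x.x"},
    {"ts": "9/13 09:05", "class": "snort", "sig_msg": "Packed Executable",
     "srcip": "1.1.1.1", "dstip": "82.x.x.x"},
    {"ts": "9/14 07:00", "class": "snort", "sig_msg": "Outbound RAR archive",
     "srcip": "1.1.1.1", "dstip": "83.x.x.x"},
    {"ts": "9/13 10:00", "class": "snort", "sig_msg": "Packed Executable",
     "srcip": "1.1.1.7", "dstip": "93.x.x.x"},
    {"ts": "9/13 10:00", "class": "url", "site": "download.example", "uri": "/tool.exe",
     "category": "software", "srcip": "1.1.1.7", "dstip": "93.x.x.x"},
]


def parse_query(query):
    """Split 'field:value ... groupby:a,b' into (terms, groupby fields)."""
    terms, groupby = [], []
    for tok in query.split():
        if tok.startswith("groupby:"):
            groupby = tok[len("groupby:"):].split(",")
        elif ":" in tok:
            terms.append(tuple(tok.split(":", 1)))
        else:
            terms.append((None, tok))  # any-field term
    return terms, groupby


def term_matches(event, field, value):
    needle = value.lower()
    if field is None:  # substring of any field (so "1.1.1.1" would also hit "11.1.1.1")
        return any(needle in str(v).lower() for v in event.values())
    return field in event and needle in str(event[field]).lower()


def search(events, query, pivots=None):
    """Run one pipeline stage; pivots (a set of values) come from subsearch()."""
    terms, groupby = parse_query(query)
    hits = [e for e in events
            if all(term_matches(e, f, v) for f, v in terms)
            and (pivots is None or any(v in pivots for v in e.values()))]
    if not groupby:
        return hits
    groups = []
    for e in hits:
        if all(g in e for g in groupby):
            key = tuple(e[g] for g in groupby)
            if key not in groups:
                groups.append(key)  # distinct tuples, first-seen order
    return groups


def pipeline(events, query):
    """Evaluate 'stage | subsearch(stage) | subsearch(stage) ...'.  Every
    stage but the last needs a groupby, since subsearch pivots on the groups."""
    stages = [s.strip() for s in query.split("|")]
    result = search(events, stages[0])
    for stage in stages[1:]:
        if not (stage.startswith("subsearch(") and stage.endswith(")")):
            raise ValueError(f"unsupported stage: {stage}")
        if result and isinstance(result[0], dict):
            raise ValueError("subsearch needs a groupby in the previous stage")
        pivots = {v for tup in result for v in tup}
        result = search(events, stage[len("subsearch("):-1], pivots)
    return result


FIND_EXPLOIT = ("sig_msg:packed groupby:dstip"
                " | subsearch(class:url groupby:site,dstip)"
                " | subsearch(category:uncategorized groupby:srcip,dstip)")


def build_timeline(events=EVENTS):
    """Slides 8 and 9: exploit search first, then victim-centric searches."""
    (victim, attacker), = pipeline(events, FIND_EXPLOIT)  # exactly one pair expected
    return {
        "attacker": attacker,
        "victim": victim,
        "exfil": pipeline(events, f"{victim} groupby:sig_msg"),
        "bait": pipeline(events, f"{victim} groupby:email"
                                 " | subsearch(class:bro_smtp groupby:subject)"),
        "recon": pipeline(events, "site:company.com uri:directory.html"),
    }


if __name__ == "__main__":
    for step, value in build_timeline().items():
        print(f"{step:9} {value}")
```

The noise events (1.1.1.7 and 93.x.x.x) survive the first two stages and are only dropped by the category:uncategorized term in the third, which is the point of chaining: each subsearch narrows on a different data source describing the same action.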
15. WRITING PARSERS
- Parsers are XML files that go in /etc/elsa/patterns.d/
- ELSA's install.sh merges all files there into merged.xml, which is what syslog-ng loads
- Documentation is online at ELSA's Google Code project page
18. WRITING PARSERS
Parser types:
- ESTRING: slurp until a given char or string of chars
- QSTRING: slurp between quote chars
- NUMBER: slurp digits
- The rest are rarely needed
20. PARSER STRATEGIES
Always try to use ESTRING. Example message:
   http://example.com/
What if the scheme is "https" or "ftp"? Use:
   @ESTRING:://@@ESTRING:site_name:/@
The first ESTRING moves the pointer to just past the first "://" it finds; it has no field name, so it extracts nothing. The second ESTRING captures everything up to the next "/" as site_name.
21. ESTRING GOTCHAS
If the pattern doesn't start with a literal character to anchor the parsing evaluation, you may get unexpected results, e.g.:
   my firewall log URL: http://example.com/
This matches the pattern above as well, because the leading ESTRING swallows everything up to the first "://", which may not be the desired behavior.
You can work around this with a <pattern>program</pattern> element in the <ruleset> element, so the ruleset is only applied to messages from that program.
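To make the parser types on slide 18, the URL pattern on slide 20 and the gotcha on slide 21 concrete, here is an added example that is not part of the deck and not syslog-ng's matcher: a small Python model of ESTRING, QSTRING and NUMBER, run against the slide's messages, plus a constructed patterndb ruleset in the layout ELSA's patterns.d files use, showing the ruleset-level program <pattern> doing the filtering. The model assumes (as a simplification of patterndb) that matching starts at the first byte and must consume the whole message, that NUMBER is a plain run of digits, and that the ruleset XML shown (ids, provider, program name "proxy") is illustrative.

```python
"""Simplified model of the syslog-ng patterndb parsers ELSA rules use
(ESTRING, QSTRING, NUMBER).  Added illustration, not syslog-ng's matcher:
real patterndb compiles rules into a radix tree and has more parser types
and options.  Modelled rules: matching starts at the first byte of the
message and must consume it entirely; literal text between parsers must
match exactly; NUMBER is a run of digits.
"""
import re
import xml.etree.ElementTree as ET

# @TYPE:name:arg@ ; name and arg are optional (@ESTRING:://@ has no name)
PARSER_RE = re.compile(r"@(ESTRING|QSTRING|NUMBER)(?::([^:@]*)(?::([^@]*))?)?@")


def compile_pattern(pattern):
    """Split a pattern into ('LITERAL', text) and (type, name, arg) parts."""
    parts, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            parts.append(("LITERAL", pattern[pos:m.start()]))
        parts.append((m.group(1), m.group(2) or "", m.group(3) or ""))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("LITERAL", pattern[pos:]))
    return parts


def match_pattern(parts, message):
    """Return the extracted fields if the whole message matches, else None."""
    fields, pos = {}, 0
    for part in parts:
        if part[0] == "LITERAL":
            if not message.startswith(part[1], pos):
                return None
            pos += len(part[1])
            continue
        kind, name, arg = part
        if not arg and kind != "NUMBER":
            raise ValueError(f"{kind} needs a delimiter or quote chars")
        if kind == "ESTRING":
            # slurp up to the delimiter string; the delimiter is consumed, not captured
            end = message.find(arg, pos)
            if end < 0:
                return None
            value, pos = message[pos:end], end + len(arg)
        elif kind == "QSTRING":
            # arg holds the quote chars: one char opens and closes, two are open/close
            open_q, close_q = arg[0], arg[-1]
            if not message.startswith(open_q, pos):
                return None
            end = message.find(close_q, pos + 1)
            if end < 0:
                return None
            value, pos = message[pos + 1:end], end + 1
        else:  # NUMBER
            m = re.match(r"\d+", message[pos:])
            if not m:
                return None
            value, pos = m.group(0), pos + m.end()
        if name:  # an unnamed parser only moves the pointer
            fields[name] = value
    return fields if pos == len(message) else None


URL_PATTERN = "@ESTRING:://@@ESTRING:site_name:/@"  # the pattern from slide 20


def extract_site(message, pattern=URL_PATTERN):
    return match_pattern(compile_pattern(pattern), message)


# Constructed ruleset in the patterndb layout ELSA's patterns.d files use;
# the <pattern> directly under <ruleset> is the program-name filter from slide 21.
RULESET_XML = """<patterndb version="4" pub_date="2012-09-14">
  <ruleset name="example_proxy" id="example-proxy-ruleset">
    <pattern>proxy</pattern>
    <rules>
      <rule provider="example" id="example-proxy-url" class="url">
        <patterns>
          <pattern>@ESTRING:://@@ESTRING:site_name:/@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""


def classify(program, message, xml_text=RULESET_XML):
    """Return (class, fields) from the first rule whose pattern matches,
    skipping rulesets whose program filter does not name `program`."""
    root = ET.fromstring(xml_text)
    for ruleset in root.iter("ruleset"):
        programs = [p.text for p in ruleset.findall("pattern")]
        if programs and program not in programs:
            continue
        for rule in ruleset.iter("rule"):
            for pat in rule.iter("pattern"):
                fields = match_pattern(compile_pattern(pat.text), message)
                if fields is not None:
                    return rule.get("class"), fields
    return None


if __name__ == "__main__":
    for msg in ("http://example.com/", "ftp://files.example.net/",
                "my firewall log URL: http://example.com/"):
        print(f"{msg!r:45} -> {extract_site(msg)}")
    print(classify("firewall", "my firewall log URL: http://example.com/"))
```

The third message shows the gotcha: the unnamed ESTRING happily swallows "my firewall log URL: http" as the scheme. With the program filter in place, classify() never evaluates that message against the proxy ruleset, which is the workaround the slide describes.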
22. INTEGRATING PARSERS WITH ELSA
Field names are stored in an abstracted format: names map to field_order in the SQL schema, and the mapping depends on class_id.

Integer fields   i0  i1  i2  i3  i4  i5
field_order       5   6   7   8   9  10

String fields    s0  s1  s2  s3  s4  s5
field_order      11  12  13  14  15  16
27. EXAMPLE: HR DATABASE PLUGIN
Goal: provide ELSA access to an HR database to augment queries.
Desired ELSA query:
   datasource:hr department:finance groupby:username
This finds all users in finance.
28. EXAMPLE: HR DATABASE PLUGIN
Step 1: Define the SQL query on the HRIS:
   SELECT user, department FROM users
Step 2: Add to elsa_web.conf:
   "datasources": {
     "database": {
       "hr": {
         "dsn": …
         "username": …
         "password": …
30. EXAMPLE: HR DATABASE PLUGIN
The query template is built from the ELSA query parameters, e.g. the ELSA query
   user:bob
becomes the SQL predicate
   WHERE user LIKE '%bob%'
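The slide shows the translation but not how the predicate is assembled. The following is an added example, not ELSA's datasource plugin: it builds the same "user:bob" to "WHERE user LIKE '%bob%'" template with bound parameters, so a search term can only ever be data and never SQL, and escapes the LIKE wildcards so that a term like b_b matches literally. An in-memory SQLite table with constructed rows stands in for the HRIS; the users(user, department) column list is assumed from the SELECT on slide 28, and the allow-list of searchable fields is an assumption of the illustration.

```python
"""Turning ELSA query terms into datasource SQL with bound parameters.
Added illustration, not ELSA's datasource plugin; an in-memory SQLite
table with constructed rows stands in for the HRIS.
"""
import sqlite3

HR_ROWS = [("alice", "finance"), ("bob", "finance"),
           ("bob.smith", "legal"), ("carol", "it")]   # constructed
ALLOWED_FIELDS = ("user", "department")               # columns the datasource exposes


def like_pattern(term):
    """%term% with LIKE metacharacters in the term escaped, so that
    user:b_b or user:100% match those characters literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def build_query(terms):
    """terms: [(field, value), ...] from a query such as
    'datasource:hr department:finance user:bob'.  Field names become SQL
    identifiers, which cannot be bound, so they are checked against an
    allow-list; values are passed as '?' parameters.  Returns (sql, params)."""
    where, params = [], []
    for field, value in terms:
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        where.append(f"{field} LIKE ? ESCAPE '\\'")
        params.append(like_pattern(value))
    sql = "SELECT user, department FROM users"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY user", params


def hr_users(terms, rows=HR_ROWS):
    """Run the built query against the stand-in HR table; return user names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    sql, params = build_query(terms)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print(build_query([("department", "finance"), ("user", "bob")]))
    print(hr_users([("department", "finance"), ("user", "bob")]))
    print(hr_users([("user", "' OR '1'='1")]))   # bound, so it matches nothing
```

The two checks that matter are in build_query(): the identifier side of each predicate comes from an allow-list, and the value side is bound. The LIKE escaping is the part people forget; without it, user:b_b silently matches bob.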
31. EXAMPLE: HR DATABASE PLUGIN
Let's use it!
   datasource:hr department:finance groupby:user     (users in the finance department)
   | subsearch(class:vpn groupby:srcip,user)          (correlate with VPN logins by user)
   | whois                                            (add srcip description)
   | sum(description)                                 (summarize by description)
32. EXAMPLE: HR DATABASE PLUGIN
Yields:
Description             Count
Comcast Corporation     234
Starbucks, Inc.         10
University of Lagos     3      <- What!?!
33. EXAMPLE: QUANTCAST TRANSFORM
Quantcast provides the top one million most visited sites. It would be nice to know when downloads occur from sites not on that list.
Step 1: Grab the data: Top 1 million at https://www.quantcast.com/top-sites
Rank  Site
1     google.com
2     youtube.com
3     facebook.com
4     msn.com
5     twitter.com
6     wordpress.com
7     amazon.com
8     ebay.com
9     yahoo.com
10    yelp.com
34. EXAMPLE: QUANTCAST TRANSFORM
Step 2: Load the data into MySQL:
   CREATE TABLE quantcast (count INT UNSIGNED, site VARCHAR(255));
   LOAD DATA LOCAL INFILE 'Quantcast.txt' INTO TABLE quantcast IGNORE 6 LINES;
36. EXAMPLE: QUANTCAST TRANSFORM
Step 4: Profit! Find downloads from uncommon sites (rank greater than ten thousand):
   md5 class:bro_file groupby:site | quantcast | sum(count) | has(10000)
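As an added example (not ELSA's quantcast transform plugin, which the deck does not show), the following Python reproduces the "rank greater than ten thousand" check from slides 33 to 36 on constructed data and makes two cases explicit that the one-line query leaves implicit: a site missing from the list has no rank at all and should be flagged, and a download host may be a subdomain of a listed site (cdn.yahoo.com versus yahoo.com). The subdomain handling trims leading labels until a listed name is found, which is a heuristic and not public-suffix aware. The sample Quantcast.txt (six header lines, then rank and site), the index on site, and the bro_file records are all assumptions of the illustration.

```python
"""Rank lookups for the Quantcast transform.  Added illustration, not
ELSA's transform plugin; SQLite in memory stands in for the MySQL table."""
import sqlite3

# Constructed stand-in for Quantcast.txt: six header lines, then rank<TAB>site,
# matching the slide's LOAD DATA ... IGNORE 6 LINES.
QUANTCAST_TXT = "\n".join([
    "Quantcast Top Sites (constructed sample, not real Quantcast data)",
    "Rank 1 is the most visited site",
    "Sites are listed as registered domains",
    "Generated 2012-09-14 for illustration",
    "",
    "Rank\tSite",
    "1\tgoogle.com",
    "2\tyoutube.com",
    "3\tfacebook.com",
    "9\tyahoo.com",
    "8500\tdownload.example",
    "25000\tfiles-mirror.example",
])
HEADER_LINES = 6


def load_quantcast(conn, text=QUANTCAST_TXT, skip=HEADER_LINES):
    """Same table as the slide's CREATE TABLE / LOAD DATA, plus an index on
    site: every lookup below is an equality search on that column."""
    conn.execute("CREATE TABLE quantcast (count INTEGER, site TEXT)")
    conn.execute("CREATE INDEX quantcast_site ON quantcast (site)")
    rows = []
    for line in text.splitlines()[skip:]:
        rank, site = line.split("\t")
        rows.append((int(rank), site.strip().lower()))
    conn.executemany("INSERT INTO quantcast VALUES (?, ?)", rows)


def rank_of(conn, host):
    """Rank of host or of its closest listed parent domain; None if unlisted."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never fall back to the bare TLD
        row = conn.execute("SELECT count FROM quantcast WHERE site = ?",
                           (".".join(labels[i:]),)).fetchone()
        if row:
            return row[0]
    return None


def lookup_ranks(hosts):
    conn = sqlite3.connect(":memory:")
    load_quantcast(conn)
    return [rank_of(conn, h) for h in hosts]


# Constructed output of the "md5 class:bro_file groupby:site" stage
BRO_FILES = [
    {"md5": "0cc175b9c0f1b6a831c399e269772661", "site": "youtube.com"},
    {"md5": "92eb5ffee6ae2fec3ad71c777531578f", "site": "cdn.yahoo.com"},
    {"md5": "4a8a08f09d37b73795649038408b5f33", "site": "download.example"},
    {"md5": "8277e0910d750195b448797616e091ad", "site": "files-mirror.example"},
    {"md5": "e1671797c52e15f763380b45e841ec32", "site": "evil.example"},
]


def uncommon_downloads(files=BRO_FILES, threshold=10000):
    """(site, rank, md5) for downloads from sites ranked above the threshold
    number or absent from the list; rank None marks the absent ones."""
    conn = sqlite3.connect(":memory:")
    load_quantcast(conn)
    flagged = []
    for f in files:
        rank = rank_of(conn, f["site"])
        if rank is None or rank > threshold:
            flagged.append((f["site"], rank, f["md5"]))
    return flagged


if __name__ == "__main__":
    for site, rank, md5 in uncommon_downloads():
        print(f"{site:24} rank={rank!s:6} md5={md5}")
```

Treating an unlisted site as "rank None, flagged" rather than silently dropping it matters more than the threshold itself: the sites you care about most are exactly the ones with no rank.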
37. THIS IS JUST A START!
There are many places you can add customization to ELSA. Some plugin ideas:
- Connector for a ticketing system
- LDAP info
- Encrypted export
- Transform to check if a user is logged in
- Transform to launch an AR Drone attack