2. Agenda
1. Know your Enemy: Anatomy of a Hack
2. Know Yourself: Defense Arsenal. Layered Security
3. Practice Example: 30 minutes in the life of a security analyst
4. Workshop: Exercise Part
10. Thousands of daily alerts are misdirecting the response work of analysts.
13. TIME is the most important thing
“Incident Response needs people, because successful Incident Response requires thinking.” - Bruce Schneier
Moving from days and months to minutes
The largest portion of time goes into preparation
Hundreds of hours of preparation for 30 minutes of CHAOS
21. 10 Tips for Building Security Incident Detection and Response
1. Be a bit paranoid. Don’t trust your AV.
2. Train hard. Regularly test your SIEM/SOC against new attack patterns.
3. Create anomalies yourself.
4. Pretend to be the attacker. Check whether your SOC analyst team catches you.
5. Use honeypots (highly interactive ones, and canary tokens).
6. Use your current arsenal.
7. Configure alerts that really matter.
8. Test your Incident Response Plan.
9. Use automation for Incident Response. Automate as much as possible.
23. Improving Security with Endpoint Data
● Endpoint data can help catch hackers as they exploit a system or move laterally around your environment
● Endpoint data can dramatically improve an information security program if its collection is enabled and configured
● Endpoint data can help detect attacks or lateral movement carried out with tools that are “not malware”
24. Logs, Logs, Logs
There are more logs than you think
● There are the standard Windows logs
○ Application, Security, System & Setup
● “Windows PowerShell”
○ Under the “Application and Services Logs” folder
● TaskScheduler/Operational
○ Under the “Application and Services Logs/Microsoft/Windows” folder
● AppLocker
○ Under the “Application and Services Logs/Microsoft/Windows” folder
● Other (plan, research, check, add)
25. Steps You Will Need to Take
● Enable Advanced Audit Policy in Windows
○ See the “Windows Logging Cheat Sheet”
○ Audit Process Creation = Success (4688)
○ Audit Logon = Success & Failure (4624)
○ Audit File Share = Success (5140)
○ Audit File System = Success (4663)
○ Audit Filtering Platform Connection = Success (5156; Any/Any at minimum)
○ Services are already captured by the System log (7045 & 7040)
● Enable and configure capture of the process command line
● Use Sysmon to “pimp” your SIEM
26. The Coolest 6
1. 4688/592 - New process. Look for obvious .EXEs: script.exe, sysprep.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, nmap.exe, ipconfig.exe, or powershell.exe (SET/Metasploit modules). Also any new process that does not exist in the software inventory.
2. 4624/528/540 - Account logged in. Which accounts did what, and at what times, is normal?
3. 5140/560 - A share was accessed. They most likely connected to the C$ share.
4. 5156 - Windows Firewall network connection by process. You can see the process connecting to an IP, which you can resolve with GeoIP to country, region and city.
5. 7045/601 - A new service is installed. Static systems don’t get new services except at patch time and on new installs. 7040 is a change of state of a service, good too.
6. 4663/567 - File auditing must be enabled on the directories you want to monitor. The new files above would show up. 4657 gives more registry details.
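As an added example (not part of the original deck), the Python below runs the checks for four of the six event IDs above over a constructed sample of parsed log records. The software inventory, service baseline, normal-hours table and the sample events are all assumptions made for the example; field names follow the event-log XML (NewProcessName, TargetUserName, ShareName, ServiceName).

```python
"""Detection checks for 4688, 4624, 5140 and 7045 over a constructed sample of
parsed Windows Security/System records (dicts standing in for the fields a
log collector would extract). Not real log data."""

# Obvious executables from the slide, plus an assumed software inventory,
# service baseline and per-account normal logon hours.
SUSPICIOUS_EXES = {
    "script.exe", "sysprep.exe", "nbtstat.exe", "netstat.exe", "ssh.exe",
    "psexec.exe", "nmap.exe", "ipconfig.exe", "powershell.exe",
}
KNOWN_SOFTWARE = {r"c:\windows\system32\svchost.exe", r"c:\windows\explorer.exe"}
KNOWN_SERVICES = {"wuauserv", "spooler"}
NORMAL_HOURS = {"jdoe": (8, 19)}   # account -> (first, last) normal logon hour

# Constructed sample events
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Tools\update_helper.exe"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe",
     "LogonType": 3, "TimeCreated": "2017-05-10T03:12:00"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe",
     "LogonType": 2, "TimeCreated": "2017-05-10T09:05:00"},
    {"EventID": 5140, "Computer": "SRV01", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\C$"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]


def basename(path):
    """Last path component, lower-cased: 'C:\\Tools\\PsExec.exe' -> 'psexec.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def new_process_alerts(events, inventory=KNOWN_SOFTWARE):
    """4688: flag obvious tools and any image that is not in the software inventory."""
    alerts = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        name = basename(e["NewProcessName"])
        if name in SUSPICIOUS_EXES:
            alerts.append((e["Computer"], name, "suspicious executable"))
        elif e["NewProcessName"].lower() not in inventory:
            alerts.append((e["Computer"], name, "not in software inventory"))
    return alerts


def logon_anomalies(events, normal_hours=NORMAL_HOURS):
    """4624: logons outside the hours that are normal for that account."""
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        hour = int(e["TimeCreated"][11:13])
        first, last = normal_hours.get(e["TargetUserName"], (0, 24))
        if not first <= hour < last:
            hits.append((e["TargetUserName"], e["Computer"], e["TimeCreated"]))
    return hits


def admin_share_access(events):
    """5140: access to administrative shares (C$, ADMIN$, ...)."""
    return [(e["Computer"], e["SubjectUserName"], e["ShareName"])
            for e in events
            if e["EventID"] == 5140 and e["ShareName"].rstrip("\\").endswith("$")]


def new_service_alerts(events, baseline=KNOWN_SERVICES):
    """7045: a service was installed that is not in the service baseline."""
    return [(e["Computer"], e["ServiceName"], e["ImagePath"])
            for e in events
            if e["EventID"] == 7045 and e["ServiceName"].lower() not in baseline]


if __name__ == "__main__":
    for check in (new_process_alerts, logon_anomalies, admin_share_access, new_service_alerts):
        for hit in check(SAMPLE_EVENTS):
            print(check.__name__, hit)
```

Each check compares an event against a baseline you own (inventory, service list, working hours), which is what turns a noisy event ID into an alert worth an analyst's time.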
27. The Coolest 6 - Summary
| Win ID | What | Impact to Security | Activity detected |
| --- | --- | --- | --- |
| 4688/592 | New process executed | Malware executed, or malware actor trying to take action | New program installed by attacker |
| 4624/528/540 | Account logged in | Attacker authenticated to the endpoint | Which accounts did what, and at what times, is normal? |
| 5140/560 | A share was accessed | What endpoints were accessed | C$ share or file share accessed |
| 5156 | Windows Firewall network connection by process | Command and control, or origin of attack | What application was used to communicate with an external or internal IP |
| 7045/601 | A service was installed in the system | Persistence to load malware on restart | Service added or modified |
| 4663/567 | An attempt was made to access an object | Modifications to the system that create holes, or payloads used at a later time | Files added and registry keys added to audited locations |
28. Other Valuable Queries
● EventID 4657 - A registry value was modified
● EventID 7040 - Service changes state
● EventID 4698 - A scheduled task was created
● EventID 501 - PowerShell log
● EventID 2004, 2005, 2006 - Windows Firewall rule added, modified or deleted
● Network logs (Cisco, Squid…) by known bad IP
○ Who visited a known bad IP that you discovered in malware analysis or in the triggered logs mentioned in previous slides
29. Do's and Don'ts
Reducing or excluding events (to save on license)
● Event IDs 4688 & 4689 (New Process Start/Stop) and 5156 & 5158 (Windows Firewall) will be the top 4 events in quantity!
○ Storage and license required
○ 4689 and 5158 CAN be excluded as the least valuable
● Do NOT exclude Event IDs that you want; exclude by the message within the Event ID
● I want 4688, but not splunk*.exe or googleupdate.exe, so exclude by New_Process_Name to reduce normal noise
● I want 5156, but not things that are normal to execute, so exclude by Application_Name
30. Windows Logging Weaknesses
● Limited information captured for process creation and DLL loading
● Network connection information is simultaneously too limited and too verbose
● No way to capture common attacker behavior (e.g. thread injection)
31. Sysinternals Sysmon (System Monitor)
● Background system monitoring utility
○ Records system events to the Windows event log
○ Can be used for system anomaly detection
○ Forensics can trace intruder activity across the network
36. Walkthrough of a Query
1. Index name
2. LogName (source)
3. Event ID
4. Exclusions - NOT (“item1” OR “item2”)
5. Inclusions - (“itemA” OR “itemB”)
6. Lookup list - “inputlookup” for a larger list
7. Output - “table” or “stats count by XYZ”
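As an added example (not part of the original deck), the Python below reproduces the seven query steps above in plain code over a constructed, already-indexed sample, so the effect of each step is visible. It also covers the "exclude by New_Process_Name / Application_Name, not by Event ID" rule from slide 29 and the known-bad-IP pivot from slide 28. The sample events, the watchlist CSV and the bad IP are constructed; the field names (EventCode, New_Process_Name, Application_Name, Destination_Address) are assumed to match how the Windows add-on names them in the SIEM.

```python
"""Query steps 1-7 from the slide, as a small in-memory pipeline over a
constructed sample of indexed events (not real data)."""
import csv
import io
from collections import Counter

SEC = {"index": "wineventlog", "source": "WinEventLog:Security"}
SAMPLE_INDEX = [
    {**SEC, "EventCode": 4688, "host": "WS01",
     "New_Process_Name": r"C:\Program Files\Splunk\bin\splunkd.exe"},
    {**SEC, "EventCode": 4688, "host": "WS01",
     "New_Process_Name": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {**SEC, "EventCode": 4688, "host": "WS01",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {**SEC, "EventCode": 4688, "host": "WS02", "New_Process_Name": r"C:\Tools\psexec.exe"},
    {**SEC, "EventCode": 4688, "host": "WS02", "New_Process_Name": r"C:\Windows\System32\ipconfig.exe"},
    {**SEC, "EventCode": 5156, "host": "WS02", "Destination_Address": "203.0.113.9",
     "Application_Name": r"\device\harddiskvolume1\tools\psexec.exe"},
    {**SEC, "EventCode": 5156, "host": "WS01", "Destination_Address": "10.0.0.5",
     "Application_Name": r"\device\harddiskvolume1\program files\splunk\bin\splunkd.exe"},
    {"index": "proxy", "source": "squid", "host": "PROXY1", "user": "jdoe", "dest_ip": "203.0.113.9"},
]

# Step 6: a constructed CSV standing in for an inputlookup file
WATCHLIST_CSV = "process_name\npsexec.exe\nnmap.exe\npowershell.exe\n"


def inputlookup(csv_text, field):
    """Load one column of a CSV lookup into a set (the 'inputlookup' step)."""
    return {row[field].lower() for row in csv.DictReader(io.StringIO(csv_text))}


def run_query(events, index, source, event_code, field,
              exclusions=(), inclusions=(), lookup=None, stats_by=None):
    """Steps 1-7: index, source, event ID, NOT(...), (...), lookup, then table or stats."""
    hits = []
    for e in events:
        if (e["index"], e["source"], e.get("EventCode")) != (index, source, event_code):
            continue                                          # steps 1-3
        value = e.get(field, "").lower()
        if any(x.lower() in value for x in exclusions):       # step 4: NOT("a" OR "b")
            continue
        if inclusions and not any(x.lower() in value for x in inclusions):
            continue                                          # step 5: ("A" OR "B")
        if lookup is not None and value.rsplit("\\", 1)[-1] not in lookup:
            continue                                          # step 6: inputlookup
        hits.append(e)
    if stats_by:                                              # step 7: stats count by
        return Counter(e.get(stats_by) for e in hits)
    return [(e["host"], e[field]) for e in hits]              # step 7: table host, field


def known_bad_ip_hits(events, bad_ips):
    """Slide 28 pivot: who (host, user or process) talked to a known bad IP."""
    hits = []
    for e in events:
        ip = e.get("dest_ip") or e.get("Destination_Address")
        if ip in bad_ips:
            hits.append((e["host"], e.get("user") or e.get("Application_Name"), ip))
    return hits


if __name__ == "__main__":
    # Slide 29: keep 4688 but drop normal noise by New_Process_Name, count per host
    print(run_query(SAMPLE_INDEX, "wineventlog", "WinEventLog:Security", 4688,
                    "New_Process_Name", exclusions=("splunk", "googleupdate.exe"),
                    stats_by="host"))
    # Restrict 4688 to the watchlist via the lookup list
    print(run_query(SAMPLE_INDEX, "wineventlog", "WinEventLog:Security", 4688,
                    "New_Process_Name", lookup=inputlookup(WATCHLIST_CSV, "process_name")))
    # Pivot from a bad IP found in a 5156 hit to every log that saw it
    print(known_bad_ip_hits(SAMPLE_INDEX, {"203.0.113.9"}))
```

The first call in the `__main__` block corresponds to a query of the shape `index=wineventlog source="WinEventLog:Security" EventCode=4688 NOT (New_Process_Name="*splunk*" OR New_Process_Name="*googleupdate.exe") | stats count by host` (an illustrative query written for this example): the noise is removed by matching on the message field, and the Event ID itself is never excluded.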
40. Takeaways for Real Life
1. Start with Windows logging (the 6 collection use cases) and expand from there.
2. Enable command-line and PowerShell logging.
3. Start now. Use your workshop experience.
4. Use the “Windows Logging Cheat Sheet” - it is easy to get started.
5. Prepare and test your IR process.
6. Watch our blog - underdefense.com/blog/