ISSA Siem Fraud

Xavier Mertens
Freelance Cyber Security Consultant, SANS ISC Handler, Blogger at Xavier Mertens Consulting, SANS ISC
Your Logs or ...
Back to the Gold Rush


ISSA-BE Event
 January 2011
$ whoami
  Xavier Mertens (@xme)
  Senior Security Consultant @ C-CURE
  CISSP, CISA, CEH
  http://blog.rootshell.be
  I’m also on Maltego & Google!
  Some friends:
$ cat disclaimer.txt
The opinions expressed in this presentation are
those of the speaker and do not reflect those of
past, present or future employers, partners or
customers...
-1-
The situation today
acme.org
acme.org’s CSO
     Did you already get this feeling?
Today's Issues
   Technical
       Networks are complex
       Based on heterogeneous components (firewalls, IDS, proxies, etc)
       Millions of daily events
       Lot of consoles/tools
       Protocols & applications
Today's Issues
   Economical
       ”Time is Money”
           Investigations must be performed in
           real-time
           Downtime may have a huge
           business impact
       Reduced staff & budgets
       Happy Shareholders
Today's Issues
   Legal
       Compliance requirements
           PCI-DSS, SOX, HIPAA, etc
           Initiated by the group or business
       Local laws
       Due diligence & due care
           Security policies must
           be enforced!
Need for More Visibility
   More integration, more sources
     More chances to detect a problem
   Integration of external sources of information
   could help the detection of incidents
       Automatic vulnerability scans
       Import of vulnerability databases
       FIM
   Awareness
Need for More Visibility
[**] [1:2050:14] SQL version overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434
UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404
Len: 376
[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310]

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167
***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1475031583 2358505469

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80
TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167
***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2086630937 3122214979

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167
***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2530339421 2353821688

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80
TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167
***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3995062809 1050363790
-2-
Fraud?
What’s ”Fraud”?
  "Deliberate deception, trickery, or cheating
   intended to gain an advantage"
  Fraud represents 39% of crimes in the
  CERT.us database
  Occurs “below the radar”
Fraud Types
  Unauthorized addition or changes in
  databases
  Data theft or disclosure
  Rogue devices
  Identity theft
Find the Intruder
   Keep an eye on the « malicious insider »
   Who is he?
     Current or past employee (m/f)
     Contractors / Business partners
     Non-technical as well as technical position
     He/she has authorized access to
     sensitive assets
Fraud == Suspicious
  The term “fraud” is closely linked to money
  Let's use "suspicious", which means
  "inclined to suspect, to have doubts about;
  distrust"
  Detected outside the scope of regular
  operations
  Need for baselines,
  thresholds and
  watchdogs
  And... Procedures!
Baselines
  Interval of values
   Trigger an alert if above a threshold
   or outside an interval
Baselines
  Recurrence in time
Baselines
  Correlation between multiple sources
Impacts of Fraud?
   Quantitative
     $$$
   Qualitative
     Brand
     Reputation
     Customers / Stakeholders
Some Examples
  CC used in country ”A” and used 4 hours
  later in country ”B”.
  A Belgian CC used to buy a 40” flat TV in
  Brazil
  A SIM card connected to a mobile network in
  Belgium and 2 hours later in Thailand
  Stolen or shared credentials / access badges.
  SSL VPN access from a foreign country.
More Examples
  "root" session opened on a Sunday at 02AM.
  Data copied to removable devices
  Installation of keyloggers
  Rogue FTP servers
Security Convergence!
  Logical Security
    Credentials
    IP access lists
  Physical Security
    Access badges
    GeoIP
    Mobile devices
  Time references
  Let’s mix them!
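Mixing the sources the slide lists, as an added example that is not part of the original deck: badge-reader and SSL VPN events for one identity are correlated in time, which catches the "Belgium, then Thailand two hours later" case from the examples above. The events and site coordinates are constructed (the VPN rows carry what a GeoIP lookup would return) and the 900 km/h plausibility limit is an assumption.

```python
import math
from datetime import datetime

# Constructed events from two sources (badge readers and the SSL VPN log);
# VPN rows carry the country and coordinates a GeoIP lookup would return.
# Fields: (timestamp, source, user, country, latitude, longitude)
EVENTS = [
    ("2011-01-10 08:02:11", "badge", "johndoe", "BE", 50.85, 4.35),
    ("2011-01-10 10:15:40", "vpn",   "johndoe", "TH", 13.75, 100.50),
    ("2011-01-10 08:30:00", "badge", "alice",   "BE", 50.85, 4.35),
    ("2011-01-10 19:45:00", "vpn",   "alice",   "NL", 52.37, 4.90),
]

# Assumed plausibility limit: nobody moves faster than an airliner.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive events of one identity whose implied travel speed is
    not plausible (badge in Belgium, VPN session from Thailand two hours later)."""
    by_user = {}
    for ev in sorted(events):            # ISO timestamps sort lexicographically
        by_user.setdefault(ev[2], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.strptime(prev[0], "%Y-%m-%d %H:%M:%S")
            t1 = datetime.strptime(cur[0], "%Y-%m-%d %H:%M:%S")
            hours = (t1 - t0).total_seconds() / 3600.0
            km = haversine_km(prev[4], prev[5], cur[4], cur[5])
            if km < 1.0:                 # same site: nothing to compare
                continue
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                alerts.append({
                    "user": user, "from": prev[3], "to": cur[3],
                    "sources": (prev[1], cur[1]),
                    "hours": round(hours, 2), "km": round(km),
                    "kmh": None if math.isinf(kmh) else round(kmh),
                })
    return alerts
```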
Resources!
  Adding value to your logs is resource-consuming!
  Temporary tables might be required
  Beware of time lines!
How to fight?
   Need for raw material: your logs
   Know the process flows!
   Talk to the ”business”
   Increase the logs value
     Add visibility
     Correlate with other information sources
    + Processes and communication!
When?
  Real-time
    Immediate investigation
    Source: Real-time alerts
  Before
    Proactivity (reporting - trending)
  After
    Forensic searches
-3-
The tools
It’s not a product...
"... It's a process!" (c) Bruce
  (Stack, top to bottom:)
  Incident Handling
  Correlation
  Reporting
  Search
  Log Collection
The Good, The Bad, The Ugly!
   Big Play€r$ (no names!)
   All of them claim to be the best
   But often when you look inside:
Straight to the Point
   SIEM environments are exp€n$ive!
   Best choice?
      Must address the business requirements
      (not yours)
      You must be able to handle them
The Ingredients...
   Free software to the rescue!
   Some tools...
       OSSEC
       MySQL
       Iptables / Ulogd
       Google Maps API
       Perl
       The ”Cloud” (don’t be scared!)
You said ”OSS.. What?”
  OSSEC is "an Open Source Host-based
  Intrusion Detection System. It performs log
  analysis, file integrity checking, policy
  monitoring, rootkit detection, real-time
  alerting and active response".
  More info: @wimremes (ISSA 01/2010)
The Recipes
  Good news, you already have the main
  ingredient: your logs!
  (Diagram: Logs, combined with Resources, Policies and
  External sources, lead to Security Incidents)
-4-
MySQL Audit
Problem
  Authorized users added or modified data in a
  database.
  Lack of control and separation of duties
  Examples of fraud
    Rogue access created
    Price changed
    Stock modified
  Data integrity not consistent anymore
Solution
   Database changes can be audited
   High performance impact
     All transactions are logged
     Not convenient to process
   Monitor changes on critical data
     User credentials
     Financial data
   Audit INSERT, UPDATE & DELETE
   queries
Howto
  Use the MySQL UDF "lib_mysqludf_log.so"
  mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so';
  mysql> create function log_error returns string soname 'lib_mysqludf_log.so';

  Use MySQL triggers
  mysql> create trigger users_insert after insert on users for each row insert into dummy values(log_error('your message here'));

  Triggers will write the message in the
  MySQL errors.log
Howto
  Process the MySQL log via OSSEC
  <!-- MySQL Integrity check -->
  <rule id="100025" level="7">
    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: \.</regex>
    <description>MySQL users table updated</description>
  </rule>
Howto
  Results:
  Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log
  Rule: 100025 fired (level 7) -> "MySQL users table updated"
  Portion of the log(s):
  2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost

  --END OF NOTIFICATION
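An added example, not from the original slides, that runs the slide's detection idea over the errors.log lines the trigger produces: the regex mirrors the OSSEC rule above but also captures table, operation and MySQL account, so a change on a critical table can be checked against who may make it and when. The first sample line is the slide's own; the other lines and the allowed-account/change-window policy are constructed.

```python
import re
from datetime import datetime

# Same shape as the OSSEC rule on the slide (\d = one digit), extended to
# capture the table, the operation and the MySQL account behind the change.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Table: (?P<table>\S+): "
    r"(?P<op>insert|update|delete)\((?P<values>[^)]*)\) by (?P<actor>\S+@\S+)$"
)

# Constructed policy: which accounts may change a critical table, and when.
POLICY = {
    "acme.users": {"allowed": {"hr_app@10.0.0.5"}, "hours": range(8, 19)},
}

# Constructed log excerpt; the first line is the sample shown on the slide.
SAMPLE_LOG = """\
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
2011-01-10 14:02:07 Table: acme.users: update(3,alice,xxxxxxxxxxxxx) by hr_app@10.0.0.5
2011-01-10 14:05:19 Table: acme.prices: update(42,19.99) by shop_app@10.0.0.9
"""


def parse_line(line):
    """Fields of one trigger log line, or None for any other errors.log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def check(ev, policy=POLICY):
    """Reasons a change is suspicious; [] when it is normal or the table is not monitored."""
    rule = policy.get(ev["table"])
    if rule is None:
        return []
    reasons = []
    if ev["actor"] not in rule["allowed"]:
        reasons.append("%s is not allowed to change %s" % (ev["actor"], ev["table"]))
    if ev["ts"].hour not in rule["hours"]:
        reasons.append("change at %s is outside the change window" % ev["ts"].strftime("%H:%M"))
    return reasons


def audit(log_text):
    """Run the policy over an errors.log excerpt; returns (line, reasons) pairs."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            reasons = check(ev)
            if reasons:
                alerts.append((line, reasons))
    return alerts
```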
-5-
USB Stick Detection
Problem
  Risks of data leak
  Risks of malware infections
Solution
   The Windows registry is a goldmine to audit a
   system!
   The OSSEC Windows agent can monitor the
   Windows registry.
Howto
  Interesting registry keys:
  HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count

  Or
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Howto
  Create a new OSSEC rule:
  [USB Storage Inserted] [any] []
  r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;

  If “Count” > 0 => USB Storage inserted
  Problem: will be reported by the rootkit
  detector and not in real time
Howto
  The second registry key changes when a
  USB stick is inserted:
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00

  New rule:
  [USB Storage Detected] [any] []
  r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;
Howto
  Results
  ** Alert 1268681344.26683: - ossec,rootcheck,
  2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck
  Rule: 512 (level 3) -> 'Windows Audit event.'
  Src IP: (none)
  User: (none)
  Windows Audit: USB Storage Inserted.
-6-
Detecting Rogue
     Access
Problem
  Stolen or shared credentials can be used
  from ”unknown” locations
  If your team members are local, is it normal
  to have sessions opened on your SSL VPN
  from Thailand or Brazil?
  An admin session started from the
  administration VLAN?
Solution
   Public IP addresses? They can be mapped to
   coordinates using open GeoIP databases
   Private IP addresses? Hey, they’re yours,
   you should know them
   For public services, Google Maps offers a
   nice API
Howto
  Configure OSSEC for your application log file
  (write a parser if required)
  Create an "Active-Response" action triggered
  when a specific action is detected
  The "Active-Response" script will perform a
  GeoIP lookup using the source IP address
Howto
  If the IP address belongs to a suspicious
  country or network zone, inject a new event
  into OSSEC
  OSSEC generates an alert based on
  this event.
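The active-response logic described above, as an added example that is not taken from the speaker's Perl script: the GeoIP table is a constructed stand-in for the GeoLiteCity database, the set of expected countries is an assumption, and the event line follows the format shown on the results slide. Unknown locations are treated as suspicious rather than silently accepted.

```python
import ipaddress
from datetime import datetime

# Constructed stand-in for the GeoLiteCity lookup: network -> (code, country).
GEO_TABLE = {
    "192.0.2.0/24": ("BE", "Belgium"),
    "198.51.100.0/24": ("DE", "Germany"),
    "203.0.113.0/24": ("TH", "Thailand"),
}
# Assumption: the team is local, so only Belgian sources are expected.
EXPECTED_COUNTRIES = {"BE"}
# Private ranges are yours: you know them, no GeoIP lookup needed.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed timestamp matching the results slide.
SAMPLE_WHEN = datetime(2010, 3, 31, 21, 51, 45)


def lookup_country(ip):
    """(code, name) for a public address, ("--", "private") for RFC1918
    space, None when the database has no answer."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return ("--", "private")
    for net, geo in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return geo
    return None


def fraud_event(user, ip, when=None):
    """Return the line to inject into the log OSSEC watches, or None when the
    login comes from an expected place."""
    when = when or datetime.now()
    geo = lookup_country(ip)
    code, name = geo if geo is not None else ("??", "unknown")
    if code in EXPECTED_COUNTRIES or code == "--":
        return None
    return "[%s] Suspicious activity detected for user %s via IP %s in %s, %s" % (
        when.strftime("%d-%m-%Y %H:%M:%S"), user, ip, code, name)


if __name__ == "__main__":
    import sys
    # OSSEC calls active-response scripts with: <action> <user> <src ip> ...
    if len(sys.argv) >= 4:
        line = fraud_event(sys.argv[2], sys.argv[3])
        if line:
            with open("/var/log/fraud.log", "a") as fh:  # the file from the slide
                fh.write(line + "\n")
```

OSSEC then needs a decoder and a rule (50001 on the slide) that match the injected line in /var/log/fraud.log.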
Howto
  Results:
  ** Alert 1270065106.2956457: mail - local,syslog,
  2010 Mar 31 21:51:46 satanas->/var/log/fraud.log
  Rule: 50001 (level 10) -> 'Fraud Detection'
  Src IP: (none)
  User: (none)
  [31-03-2010 21:51:45] Suspicious activity detected
  for user johndoe via IP x.x.x.x in DE, Germany
-7-
Mapping on Google
      Maps
Problem
  What's the difference between:
    195.75.200.200 (Netherlands)
    195.76.200.200 (Spain)
  IPs are extracted from firewall logs, botnet
  analysis, web site logs, ...
Howto
  Geo-localization is performed using the
  MaxMind DB (free version) + Perl API
  use Geo::IP;
  my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD);
  my $record = $gi->record_by_name("1.2.3.4");
  print $record->latitude . "," . $record->longitude;

  Store results in an XML file.
Howto
  Submit the file to the Google map API from
  HTML code.
-8-
Searching the
   Cloud
”LaaS” ?
  "Logging as a Service" seems to be an
  emerging trend in 2011.
  Loggly offers beta accounts
    200MB/day - 90 days of retention
    No SSL support
  Supported ”inputs”
    Syslog (UDP or TCP)
    HTTP(S)
”OSSEC phone Loggly”

   OSSEC can export to Syslog
   Events can be sent to Loggly using HTTP
   POST requests:
   https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46
”OSSEC phone Loggly”

   Perl to the rescue:
   # ./syslog2loggly.pl -h
   syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port]
   -D          : Run as a daemon
   -h          : This help
   -f keyfile  : Configuration file
                 (default: /etc/syslog2loggly.conf)
   -p port     : Bind to port (default 5140)
   -v          : Increase verbosity
Results
Conclusions
  The raw material is already yours.
  The amount of data to process makes it
  impossible to process it without appropriate
  tools.
  Suspicious activity occurs below the radar.
  Make your logs more valuable by cross-linking
  them with other sources.
  Be ”imaginative”!
References
  The scripts and references are available on
  my blog: http://blog.rootshell.be/
  Keyword: ”OSSEC”
Thank You!
Questions?
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
ShapeBlue123 vues
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... par ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue180 vues
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue par ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlueWhat’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
ShapeBlue263 vues
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... par ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue106 vues
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... par The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
State of the Union - Rohit Yadav - Apache CloudStack par ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue297 vues
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue par ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue203 vues
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue par ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue135 vues
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue par ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue147 vues
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... par ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue198 vues
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... par Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker54 vues

ISSA Siem Fraud

  • 1. Your Logs or ... Back to the Gold Rush ISSA-BE Event January 2011
  • 2. $ whoami Xavier Mertens (@xme) Senior Security Consultant @ C-CURE CISSP, CISA, CEH http://blog.rootshell.be I’m also on Maltego & Google! Some friends:
  • 3. $ cat disclaimer.txt The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers...
  • 6. acme.org’s CSO Did you already get this feeling?
  • 7. Today's Issues Technical: networks are complex, based on heterogeneous components (firewalls, IDS, proxies, etc). Millions of daily events. Lots of consoles/tools. Many protocols & applications.
  • 8. Today's Issues Economical ”Time is Money” Investigations must be performed in real-time Downtime may have a huge business impact Reduced staff & budgets Happy Shareholders
  • 9. Today's Issues Legal: compliance requirements (PCI-DSS, SOX, HIPAA, etc), initiated by the group or business. Local laws. Due diligence & due care: security policies must be enforced!
  • 10. Need for More Visibility More integration, more sources: more chances to detect a problem. Integration of external sources of information could help the detection of incidents: automatic vulnerability scans, import of vulnerability databases, FIM. Awareness.
  • 11. Need for More Visibility
    [**] [1:2050:14] SQL version overflow attempt [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434
    UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404
    Len: 376
    [Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310]

    [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
    [Priority: 3]
    07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80
    TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167
    ***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1475031583 2358505469

    [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
    [Priority: 3]
    07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80
    TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167
    ***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 2086630937 3122214979

    [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
    [Priority: 3]
    07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80
    TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167
    ***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 2530339421 2353821688

    [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
    [Priority: 3]
    07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80
    TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167
    ***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 3995062809 1050363790
  • 13. What’s ”Fraud”? ”Deliberate deception, trickery, or cheating intended to gain an advantage”. Fraud represents 39% of crimes in the CERT.us database. It occurs “below the radar”.
  • 14. Fraud Types Unauthorized additions or changes in databases. Data theft or disclosure. Rogue devices. Identity theft.
  • 15. Find the Intruder Keep an eye on the « malicious insider ». Who is he? A current or past employee (m/f), a contractor or business partner, in a non-technical as well as a technical position. He/she has authorized access to sensitive assets.
  • 16. Fraud == Suspicious The term “fraud” is closely linked to money. Let’s use “suspicious”, which means “inclined to suspect, to have doubts about; distrust”. Suspicious activity is detected outside the scope of regular operations. Need for baselines, thresholds and watchdogs. And... procedures!
  • 17. Baselines An interval of values. Trigger an alert if a value is above a threshold or outside the interval.
  • 19. Baselines Correlation between multiple sources
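Slides 17 and 19 describe a baseline as an interval of values, with an alert when an observation leaves it. The Python below is an added example and not part of the presentation: it builds a per-metric interval (mean plus or minus k standard deviations) from constructed hourly counts, evaluates new observations against it, and reports a metric that has no baseline at all, since an unmonitored source is itself something to look at. Metric names and values are invented for the example.

```python
"""Per-metric baselines from historical counts, then threshold evaluation.

Added example for the ISSA talk, not the author's code. Values are constructed.
"""
import statistics
from collections import defaultdict

# Constructed history: (metric, hourly count) over a "normal" period.
HISTORY = (
    [("vpn.failed_logins", v) for v in [12, 15, 9, 14, 11, 13, 10, 16, 12, 14, 15, 11, 13, 12]]
    + [("proxy.mb_out", v) for v in [310, 295, 330, 305, 290, 320, 315, 300, 325, 310, 295, 305]]
)


def build_baselines(samples, k=3.0):
    """Return {metric: (low, high)} with low/high = mean -/+ k standard deviations.

    The low bound is floored at zero because counts cannot be negative.
    """
    per_metric = defaultdict(list)
    for metric, value in samples:
        per_metric[metric].append(value)
    baselines = {}
    for metric, values in per_metric.items():
        if len(values) < 2:
            raise ValueError(f"{metric}: need at least two samples for a baseline")
        mean = statistics.mean(values)
        sd = statistics.stdev(values)
        baselines[metric] = (max(0.0, mean - k * sd), mean + k * sd)
    return baselines


def evaluate(observations, baselines):
    """Return [(metric, value, status)] for every observation that needs attention.

    status is 'above', 'below' or 'no baseline'; in-range values are not returned.
    """
    alerts = []
    for metric, value in observations:
        if metric not in baselines:
            alerts.append((metric, value, "no baseline"))   # unmonitored source
            continue
        low, high = baselines[metric]
        if value > high:
            alerts.append((metric, value, "above"))
        elif value < low:
            alerts.append((metric, value, "below"))
    return alerts


if __name__ == "__main__":
    # Constructed observations for the current hour.
    current = [("vpn.failed_logins", 40), ("proxy.mb_out", 300),
               ("proxy.mb_out", 2400), ("dns.queries", 5)]
    for metric, value, status in evaluate(current, build_baselines(HISTORY)):
        print(f"{metric}={value}: {status}")
```

With k=3 the failed-login interval is roughly 7 to 19 per hour and the proxy interval roughly 271 to 346 MB, so 40 failed logins or 2400 MB out in one hour trip the rule while 300 MB does not.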
  • 20. Impacts of Fraud? Quantitative $$$ Qualitative Brand Reputation Customers / Stakeholders
  • 21. Some Examples CC used in country ”A” and used 4 hours later in country ”B”. A Belgian CC used to buy a 40” flat TV in Brazil A SIM card connected to a mobile network in Belgium and 2 hours later in Thailand Stolen or shared credentials / access badges. SSL VPN access from a foreign country.
  • 22. More Examples ”root” session opened on a Sunday 02AM. Data copied on removable devices Installation of keyloggers Rogue FTP servers
  • 23. Security Convergence! Logical Security Credentials IP access lists Physical Security Access badges GeoIP Mobile devices Time references Let’s mix them!
  • 24. Resources! Adding value to your logs is resource consuming! Temporary tables might be required. Beware of time lines!
  • 25. How to fight? Need for raw material: your logs. Know the process flows! Talk to the ”business”. Increase the value of the logs: add visibility, correlate with other information sources. Plus processes and communication!
  • 26. When? Real-time: immediate investigation, real-time alerts. Before: proactivity (reporting, trending). After: forensic searches.
  • 28. It’s not a product... ”... It’s a process!” (c) Bruce Schneier. Log collection, correlation, reporting, search, incident handling.
  • 29. The Good, The Bad, The Ugly! Big Play€r$ (no names!) All of them claim to be the best, but often when you look inside:
  • 30. Straight to the Point SIEM environments are exp€n$ive! Best choice? It must address the business requirements (not yours). You must be able to handle it.
  • 31. The Ingredients... Free software to the rescue! Some tools... OSSEC MySQL Iptables / Ulogd Google Maps API Perl The ”Cloud” (don’t be scared!)
  • 32. You said ”OSS.. What?” OSSEC is ”an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”. More info: @wimremes (ISSA 01/2010)
  • 33. The Recipes Good news, you already have the main ingredient: your logs! Resources Policies External Logs Security Incidents
  • 35. Problem Authorized users added or modified data in a database. Lack of control and separation of duties. Examples of fraud: rogue access created, price changed, stock modified. Data integrity is not consistent anymore.
  • 36. Solution Database changes can be audited. Logging all transactions has a high performance impact and produces data that is not convenient to process. Instead, monitor changes on critical data only: user credentials, financial data. Audit INSERT, UPDATE & DELETE queries.
  • 37. Howto Use the MySQL UDF "lib_mysqludf_log.so":
        mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so';
        mysql> create function log_error returns string soname 'lib_mysqludf_log.so';
    Use MySQL triggers:
        mysql> create trigger users_insert after insert on users
               for each row insert into dummy values(log_error("your message here"));
    Triggers will write the message into the MySQL errors.log
  • 38. Howto Process the MySQL log via OSSEC (rules must sit inside a group in local_rules.xml; the regex uses OSSEC's \d digit class):
        <group name="local,mysql,">
          <!-- MySQL Integrity check -->
          <rule id="100025" level="7">
            <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: .</regex>
            <description>MySQL users table updated</description>
          </rule>
        </group>
  • 39. Howto Results:
        Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log
        Rule: 100025 fired (level 7) -> "MySQL users table updated"
        Portion of the log(s):

        2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost

        --END OF NOTIFICATION
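Two things about slides 37 to 39 deserve a closer look. The OSSEC regex matches every "Table:" line the triggers write, whatever the table, so the description "users table updated" is wider than the rule; and the result line shows the trigger dumping the whole row, including the third column of users, which looks like a password hash landing in the error log. The Python below is an added example, not the author's code: it replays the rule over constructed error-log lines shaped like the one on slide 39, parses each audit line into table, operation, detail and user, and keys the alert level on the table instead of firing on everything. The table list and the sample lines are assumptions.

```python
"""Detection logic for MySQL trigger audit lines (added example, not from the slides).

The trigger of slide 37 writes one line per change into the MySQL error log.
This script does in Python what OSSEC rule 100025 of slide 38 does: it matches
the timestamped 'Table:' lines, parses them and alerts on watched tables.
"""
import re
from dataclasses import dataclass

# Constructed sample of /var/lib/mysql/errors.log (hypothetical data).
SAMPLE_LOG = """\
110108  0:31:20 [Note] /usr/sbin/mysqld: ready for connections.
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
2011-01-08 00:32:02 Table: acme.prices: update(sku=4711,old=199.00,new=19.90) by web@10.0.0.5
2011-01-08 00:33:10 Table: acme.audit_tmp: delete(1) by batch@localhost
"""

# Python form of the OSSEC regex ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: .
# plus named groups for the message layout the trigger produces.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Table: (?P<table>[\w.]+): "
    r"(?P<op>insert|update|delete)\((?P<detail>.*)\) by (?P<user>\S+)$"
)

# Tables whose changes must always be reviewed, with the alert level to use
# (assumption for this example; the slide uses a single level 7).
CRITICAL_TABLES = {"acme.users": 7, "acme.prices": 10}


@dataclass
class Alert:
    ts: str
    level: int
    table: str
    op: str
    user: str
    detail: str


def parse_audit_line(line):
    """Return the parsed fields as a dict, or None if the line is not an audit line."""
    m = AUDIT_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return the Alerts for audit lines that touch a critical table."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue            # ordinary mysqld output, no rule match
        level = CRITICAL_TABLES.get(fields["table"])
        if level is None:
            continue            # audited by a trigger, but not a watched table
        alerts.append(Alert(fields["ts"], level, fields["table"],
                            fields["op"], fields["user"], fields["detail"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"Rule fired (level {a.level}) -> {a.table} {a.op} by {a.user}: {a.detail}")
```

When building the trigger message, pass only the columns you need to log_error(); a users table should yield the id and login, not the credential column, or the error log becomes a second copy of the password store.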
  • 41. Problem Risks of data leak Risks of malware infections
  • 42. Solution The Windows registry is a goldmine to audit a system! The OSSEC Windows agent can monitor the Windows registry.
  • 43. Howto Interesting registry keys:
        HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count
    or
        HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • 44. Howto Create a new OSSEC rootcheck rule:
        [USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;
    If “Count” > 0 => USB storage inserted. Problem: it will be reported by the rootkit detector and not in real time.
  • 45. Howto The second registry key changes when a USB stick is inserted:
        HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00
    New rule:
        [USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;
  • 46. Howto Results:
        ** Alert 1268681344.26683: - ossec,rootcheck,
        2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck
        Rule: 512 (level 3) -> 'Windows Audit event.'
        Src IP: (none)
        User: (none)
        Windows Audit: USB Storage Inserted.
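Slides 43 to 46 watch two keys: a counter that only tells you "something was plugged in once", and the Enum\USBSTOR tree whose subkeys name the device (Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00 on slide 45). The Python below is an added example, not the author's rules: it takes two snapshots of that tree as lists of subkey paths (what a registry walk with the standard winreg module would return on Windows), parses each device instance into type, vendor, product, revision and serial, and reports the instances absent from the baseline, which is the data a real-time alert should carry. Both snapshots are constructed.

```python
"""Diff of USBSTOR device instances between two registry snapshots.

Added example for the ISSA talk, not the author's code. The snapshots are lists
of subkey paths as a registry walk would return them; values are constructed.
"""
import re

USBSTOR = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed baseline taken when the workstation was built (hypothetical).
BASELINE = [
    USBSTOR + r"\Disk&Ven_Corp&Prod_Backup_Disk&Rev_1.00\0123456789&0",
]
# Constructed snapshot taken after the alert (hypothetical).
CURRENT = [
    USBSTOR + r"\Disk&Ven_Corp&Prod_Backup_Disk&Rev_1.00\0123456789&0",
    USBSTOR + r"\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00\AA04012700007494&0",
]

# <type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial&instance>
DEVICE_RE = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"(?:\\(?P<serial>[^\\]+))?$"
)


def parse_instance(path):
    """Split a USBSTOR subkey path into device fields; None if not a device under USBSTOR."""
    prefix = USBSTOR + "\\"
    if not path.startswith(prefix):
        return None
    m = DEVICE_RE.match(path[len(prefix):])
    return m.groupdict() if m else None


def new_devices(baseline, current):
    """Return the parsed device instances present in current but not in baseline."""
    known = set(baseline)
    found = []
    for path in current:
        if path in known:
            continue
        dev = parse_instance(path)
        if dev is not None:
            dev["path"] = path
            found.append(dev)
    return found


def format_alert(dev):
    """One line in the style of the 'Windows Audit' alert of slide 46."""
    serial = dev["serial"] or "n/a"
    return (f"Windows Audit: USB Storage Detected: {dev['vendor']} {dev['product']} "
            f"rev {dev['rev']} serial {serial}")


if __name__ == "__main__":
    for dev in new_devices(BASELINE, CURRENT):
        print(format_alert(dev))
```

Keeping the baseline per machine is what turns "a USB device exists" into "an unknown USB device appeared", which is the question the Count-based rule cannot answer.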
  • 48. Problem Stolen or shared credentials can be used from ”unknown” locations. If your team members are local, is it normal to have sessions opened on your SSL VPN from Thailand or Brazil? Is an admin session started from outside the administration VLAN?
  • 49. Solution Public IP addresses? They can be mapped to coordinates using open GeoIP databases. Private IP addresses? Hey, they’re yours, you should know them. For public services, Google Maps offers a nice API.
  • 50. Howto Configure OSSEC for your application log file (write a parser if required). Create an “Active-Response” action triggered when a specific action is detected. The “Active-Response” script will perform a GeoIP lookup using the source IP address.
  • 51. Howto If the IP address belongs to a suspicious country or network zone, inject a new event into OSSEC. OSSEC generates an alert based on this event.
  • 52. Howto Results:
        ** Alert 1270065106.2956457: mail - local,syslog,
        2010 Mar 31 21:51:46 satanas->/var/log/fraud.log
        Rule: 50001 (level 10) -> 'Fraud Detection'
        Src IP: (none)
        User: (none)
        [31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany
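The active-response logic of slides 50 and 51 (GeoIP lookup on the source address, then an injected event when the address is out of policy) and the travel examples of slide 21 (a card or SIM used in country A and a few hours later in country B) fit in one piece of code. The Python below is an added example and not the author's script: the MaxMind lookup is replaced by a small constructed prefix table over documentation address ranges with the same fields (country, latitude, longitude), private addresses are mapped to invented network zones, and the checks flag an admin session outside the admin VLAN, a login from outside the home country, and two logins of one user too far apart to have travelled between them. The last function writes the line in the format OSSEC read from /var/log/fraud.log on slide 52. HOME_COUNTRIES, ZONES, ADMIN_USERS and MAX_SPEED_KMH are assumptions.

```python
"""GeoIP-based login checks: country policy, network zone, travel speed.

Added example for the ISSA talk, not the author's active-response script.
The prefix table stands in for the MaxMind database; all data is constructed.
"""
import ipaddress
import math
from datetime import datetime

# Constructed stand-in for GeoLiteCity, keyed by prefix (documentation ranges).
GEO_TABLE = {
    "192.0.2.0/24":    ("BE", 50.85, 4.35),     # Brussels
    "198.51.100.0/24": ("TH", 13.75, 100.50),   # Bangkok
    "203.0.113.0/24":  ("DE", 50.11, 8.68),     # Frankfurt
}
# Internal address plan (assumption): RFC 1918 prefixes you own, mapped to zones.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ZONES = {"10.0.5.0/24": "users", "10.0.99.0/24": "admin-vlan"}

HOME_COUNTRIES = {"BE"}       # where the team is expected to connect from
ADMIN_USERS = {"root", "admin"}
MAX_SPEED_KMH = 900.0         # faster than an airliner between two logins


def geolocate(ip):
    """Return (country, lat, lon); private addresses give ('LOCAL:<zone>', None, None).

    Returns None when the address is public but absent from the table.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        for prefix, zone in ZONES.items():
            if addr in ipaddress.ip_network(prefix):
                return (f"LOCAL:{zone}", None, None)
        return ("LOCAL:unmapped", None, None)
    for prefix, rec in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return rec
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 6371.0 * 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def check_login(user, ip, when, previous=None):
    """Return the reasons a login is suspicious (empty list means nothing found).

    previous: (ip, datetime) of the same user's last login, if known.
    """
    reasons = []
    loc = geolocate(ip)
    if loc is None:
        reasons.append("unknown location")
        return reasons
    country, lat, lon = loc
    if country.startswith("LOCAL:"):
        zone = country.split(":", 1)[1]
        if user in ADMIN_USERS and zone != "admin-vlan":
            reasons.append(f"admin session from zone {zone}")
    elif country not in HOME_COUNTRIES:
        reasons.append(f"login from {country}")
    if previous is not None and lat is not None:
        prev = geolocate(previous[0])
        if prev is not None and prev[1] is not None:
            km = haversine_km(prev[1], prev[2], lat, lon)
            hours = (when - previous[1]).total_seconds() / 3600.0
            if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return reasons


def fraud_log_line(user, ip, when, reasons):
    """Event line in the format OSSEC picked up from /var/log/fraud.log (slide 52)."""
    return (f"[{when:%d-%m-%Y %H:%M:%S}] Suspicious activity detected for user {user} "
            f"via IP {ip}: " + "; ".join(reasons))


if __name__ == "__main__":
    t0 = datetime(2011, 1, 8, 10, 0, 0)
    t1 = datetime(2011, 1, 8, 12, 0, 0)
    reasons = check_login("johndoe", "198.51.100.7", t1, previous=("192.0.2.10", t0))
    print(fraud_log_line("johndoe", "198.51.100.7", t1, reasons))
```

The private-address test deliberately lists the RFC 1918 prefixes instead of relying on a library's notion of "private": the documentation ranges used in the table are also classified as non-public by ipaddress, and a GeoIP script that silently treats an unexpected address as internal is exactly the blind spot slide 49 warns about.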
  • 54. Problem What's the difference between 195.75.200.200 (Netherlands) and 195.76.200.200 (Spain)? IPs are extracted from firewall logs, botnet analysis, web site logs, ...
  • 55. Howto Geo-localization is performed using the MaxMind DB (free version) + Perl API:
        use Geo::IP;
        my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD);
        my $record = $gi->record_by_name("1.2.3.4");
        print $record->latitude . "," . $record->longitude;
    Store the results in an XML file.
  • 56. Howto Submit the file to the Google map API from HTML code.
  • 58. ”LaaS” ? ”Logging as a Service” seems to be an emerging trend in 2011. Loggly offers beta accounts: 200MB/day, 90 days of retention, no SSL support. Supported ”inputs”: Syslog (UDP or TCP), HTTP(S).
  • 59. ”OSSEC phone Loggly” OSSEC can export to Syslog. Events can be sent to Loggly using HTTP POST requests: https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46
  • 60. ”OSSEC phone Loggly” Perl to the rescue:
        # ./syslog2loggly.pl -h
        syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port]
          -D         : Run as a daemon
          -h         : This help
          -f keyfile : Configuration file (default: /etc/syslog2loggly.conf)
          -p port    : Bind to port (default 5140)
          -v         : Increase verbosity
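Slides 59 and 60 chain OSSEC's syslog output into an HTTP POST to the hosted input. The Python below is an added example and not the author's syslog2loggly.pl: it shows the two halves of that forwarder, a parser for the BSD syslog PRI header that yields facility and severity, and the JSON document shipped over HTTPS, plus a UDP listener on the same default port 5140. The input URL is a placeholder and not a real key; the syslog datagram in the usage is constructed. The UDP leg is neither authenticated nor encrypted, which is why the listener binds to the loopback address only and everything leaving the host goes over HTTPS.

```python
"""Syslog-to-HTTPS forwarder logic (added example, not the author's Perl script).

OSSEC emits alerts over syslog; this forwarder parses the RFC 3164 PRI header,
wraps the message in JSON and POSTs it to the HTTPS input. All data is constructed.
"""
import json
import re
import socket
import urllib.request

# Placeholder, not a real input key: the key in the URL is the credential.
INPUT_URL = "https://logs.example.net/inputs/00000000-0000-0000-0000-000000000000"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def parse_syslog(raw):
    """Decode a BSD syslog datagram into facility, severity and message.

    Raises ValueError on a missing or out-of-range PRI (facility*8 + severity).
    """
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("missing PRI header")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "message": m.group("rest").strip(),
    }


def to_payload(raw, source):
    """Build the JSON body sent to the HTTP input, tagging the sending host."""
    event = parse_syslog(raw)
    event["source"] = source
    return json.dumps(event).encode("utf-8")


def ship(payload, url=INPUT_URL):
    """POST one event over HTTPS and return the status code; never log the URL."""
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def serve(port=5140):
    """Receive UDP syslog on the loopback interface and forward each datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))   # local only: the UDP leg is unauthenticated
    while True:
        data, (host, _) = sock.recvfrom(8192)
        try:
            ship(to_payload(data.decode("utf-8", "replace"), host))
        except ValueError as err:
            print(f"dropped datagram from {host}: {err}")


if __name__ == "__main__":
    import sys
    if "--serve" in sys.argv:
        serve()
    else:
        # Constructed OSSEC-style datagram, parsed locally; nothing is sent.
        sample = "<132>Mar 31 21:51:46 satanas ossec: Alert Level: 10; Rule: 50001 - Fraud Detection"
        print(to_payload(sample, "127.0.0.1").decode())
```

Run it with --serve next to the OSSEC server and point OSSEC's syslog output at 127.0.0.1:5140; without the flag it only prints the JSON for the constructed sample.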
  • 62. Conclusions The raw material is already yours. The amount of data makes it impossible to process without appropriate tools. Suspicious activity occurs below the radar. Make your logs more valuable by cross-linking them with other sources. Be ”imaginative”!
  • 63. References The scripts and references are available on my blog: http://blog.rootshell.be/ Keyword: ”OSSEC”