Are you a "Hunter"?
It sounds like an interesting question, doesn't it? What I'm referring to is whether we, as analysts, go looking for unusual activity, or whether we just wait for a trigger from an IDS/IPS or for a correlation rule to fire in the SIEM.
I watched the opening keynote by Amit Yoran, President of RSA, at the RSA Singapore conference [1]. He referred to large organizations that have cutting-edge security software and hardware and are still failing to catch bad actors, who go undetected for a long time. He shared five points to go by to help catch bad actors in a network: Does it really help (this shiny new device or software)?, Visibility, Identity, Intelligence and Prioritize. The fourth point, Intelligence, is where he talks about "CISO that gives their security team the time to hunt and learn their environment to understand what normal looks like are much more rapidly identifying unusual patterns" (at 23:53) [1].
I do go "hunting", looking for unusual activity and patterns the IDS/IPS or even the SIEM doesn't know about. There is a lot of threat intelligence out there that can be used to detect unusual patterns of activity. Maybe you have a security device that uses some form of feed to detect bad actors (for example, some vendors use the DShield feeds); reviewing what it triggers on might yield interesting data. How about taking the time to review whether the systems communicating with the HR server(s) are on the allowed list? That check could be added to the SIEM as a rule that triggers on the unusual activity, i.e. a connection to the HR server from a host that is not on the list.
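As an added illustration (not part of this diary), the HR-server allow-list check above can be run as a small script over firewall logs before it is turned into a SIEM rule. The log format (one line per connection, key=value fields), the HR server addresses, the allow list and the sample lines are all constructed for the example and do not correspond to any vendor's format or any real network:

```python
import ipaddress
from collections import defaultdict

# Constructed for the example: the HR server(s) and the hosts/subnets that are
# supposed to talk to them. Anything else reaching the HR servers is "unusual".
HR_SERVERS = {"10.10.5.20", "10.10.5.21"}
ALLOWED_CLIENTS = {"10.10.1.15", "10.10.1.16", "10.10.7.0/24"}

# Constructed firewall log lines in a simple key=value layout (not a real vendor format).
SAMPLE_LOG = """\
2015-08-17T08:01:02 action=allow src=10.10.1.15 dst=10.10.5.20 dport=443 proto=tcp
2015-08-17T08:01:05 action=allow src=10.10.7.33 dst=10.10.5.20 dport=443 proto=tcp
2015-08-17T08:02:10 action=allow src=10.10.9.200 dst=10.10.5.21 dport=445 proto=tcp
2015-08-17T08:02:11 action=allow src=10.10.9.200 dst=10.10.5.21 dport=445 proto=tcp
2015-08-17T08:03:00 action=allow src=10.10.1.16 dst=10.10.2.9 dport=80 proto=tcp
2015-08-17T08:04:30 action=deny src=192.0.2.44 dst=10.10.5.20 dport=22 proto=tcp
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def build_allow_list(entries):
    """Turn a mix of single hosts and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(src, allow_nets):
    """True if the source address falls inside any allowed host or subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allow_nets)


def find_unexpected_hr_clients(log_text, hr_servers=HR_SERVERS, allowed=ALLOWED_CLIENTS):
    """Return {src: [(ts, dst, dport), ...]} for hosts that successfully reached an
    HR server without being on the allow list.

    Only action=allow lines count: a denied connection never reached the server,
    and denies are noisy enough to deserve their own rule rather than being mixed
    in here. The point of this check is the conversation that the firewall and
    IDS both considered fine, but that the allow list says should not happen.
    """
    allow_nets = build_allow_list(allowed)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dst") not in hr_servers or rec.get("action") != "allow":
            continue
        if is_allowed(rec["src"], allow_nets):
            continue
        hits[rec["src"]].append((rec["ts"], rec["dst"], rec.get("dport")))
    return dict(hits)


def format_report(hits):
    """One line per offending source, ready to paste into a ticket or an e-mail."""
    lines = []
    for src, conns in sorted(hits.items()):
        targets = sorted({f"{dst}:{dport}" for _, dst, dport in conns})
        lines.append(f"{src} reached HR server(s) {', '.join(targets)} "
                     f"{len(conns)} time(s), first seen {conns[0][0]}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_unexpected_hr_clients(SAMPLE_LOG)):
        print(line)
```

On the sample above only 10.10.9.200 is reported: 10.10.7.33 is covered by the 10.10.7.0/24 entry, 10.10.1.16 talked to a non-HR host, and the 192.0.2.44 line was denied. In a SIEM the same logic is a rule keyed on destination in the HR server group and source not in the allowed group, with the allow list maintained as a lookup table rather than hard-coded.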
If you are a “hunter”, what do you look for?
[1] http://www.rsaconference.com/media/the-game-has-changed?
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
Most of the time, when the IDS does report something, I'll investigate and find something else entirely, either because the rule has found some other kind of malicious behaviour, or it was a false positive, but something else unrelated catches my eye.
Anonymous
Aug 17th 2015
9 years ago
I believe that part of making SIEM better is allowing the analysts time to fully understand the environment, to know its norms and nuances. Above and beyond that, the SIEM itself must have an excellent asset and network model that is clearly defined and kept up to date. Also, as has already been said, samples must be regularly taken and tested to ensure that everything is as it should be. Processes must be defined, tested, refined and improved.
Another issue is, if you have too many rules the analysts can be overwhelmed, ddos'ed if you like. The rules need to be well defined and noise and false positives must be eradicated, but above all the analysts must fully understand the environment and the traffic flowing over it.
A framework for reaching operational maturity must also be standardised and worked on openly by a group of experienced and engaged professionals.
Finally SIEM must become part of the standard curricular for Security course in universities and colleges.
Anonymous
Aug 17th 2015
9 years ago
I call this "active defense". As Yinette said, I'm also investigating a lot, keeping an eye on my logs and running honeypots... Paste sites are also a nice source of juicy content.
Anonymous
Aug 17th 2015
9 years ago
Anonymous
Aug 17th 2015
9 years ago
Regards,
ICI2I
Anonymous
Aug 17th 2015
9 years ago
Examples:
pastie.org
codepad.org
nopaste.net
pasteguru.com
postits4tga4cqts.onion
Anonymous
Aug 17th 2015
9 years ago
IMHO, it's important to make a difference between events and incidents.
- An event is "an observable change to the normal behaviour of a system, environment, process, workflow or person".
- A security incident is "a series of events that adversely affects the information assets of an organization".
I'm keeping 3 months of events (to have time to investigate and rollback to them)
Incidents (read: alerts based on correlation rules / filters) are kept forever... (until I've enough storage)
Of course, when you drop the oldest events, you also drop potential evidence or interesting stuff... Keep in mind that, for compliance reasons, you can be forced to keep them x months.
Anonymous
Aug 17th 2015
9 years ago
Anonymous
Aug 17th 2015
9 years ago
Fortunately my SW emails me 2X daily in text, crushing them down is not an issue for size. I try to follow trends posted here and other sites and tag the ones that show up >5X in a week. So far all has been quiet. Fingers X!
Thanks
Anonymous
Aug 17th 2015
9 years ago
I wholeheartedly agree - it's when things are suddenly quiet that we should be paying extra attention to what's going on. Is it quiet because you're being left alone for a change (unlikely), or because the bad actors are using new tools that all those fancy defenses we have in place don't detect?
We recently went on a phish education campaign at my $DAYJOB$ and it's paying off. I'm often getting phish reports and can often use them to not only check if anyone fell for them (DNS query logs, snort/firewall logs, etc.), but can proactively prevent them by updating DNS filters, updating firewalls, etc. Best yet, my employer lets me spend time digging further. For instance, given a piece of malware found in some phish, often a downloader, I'll obtain a copy of what it's trying to download and run, and then run some malware analysis tools on THAT (I really like www.hybrid-analysis.com for instance). Then I'll see what THAT malware does - who it talks to, what DNS queries it makes, etc. That gives me a whole 'nother batch of indicators that I can make snort rules for. That way, when the next round of phish uses some new file-dropper that fetches the same secondary malware, I've already got it either blocked and/or being watched for.
And don't forget the logs! When I go to the trouble of blocking hostnames that resolve to a particular IP or network, I also have a job that tells me every morning what hostnames were blocked because of one of these filters. That has occasionally led to "interesting" (tm) - stuff that nobody is detecting yet.
Anonymous
Aug 17th 2015
9 years ago
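The "morning job" described in the last comment, as an added example that is not the commenter's own script: it reads DNS resolver logs, matches every answered address against the list of networks that were blocked, and reports which hostnames resolved into those networks and which clients asked. Hostnames not seen before are listed separately, since those are the "nobody is detecting yet" cases. The log line layout, the block list, the known-host set and the sample lines are all constructed for the illustration:

```python
import ipaddress
from collections import defaultdict

# Constructed for the example: networks that were blocked after earlier phish
# investigations, and hostnames already known to live in them.
BLOCKED_NETWORKS = ["203.0.113.0/24", "198.51.100.7/32"]
KNOWN_BLOCKED_HOSTS = {"bad-dropper.example"}

# Constructed resolver log lines (client, queried name, answered address);
# the addresses are from the documentation ranges, not real infrastructure.
SAMPLE_DNS_LOG = """\
2015-08-17T06:12:01 client=10.10.1.15 qname=bad-dropper.example answer=203.0.113.45
2015-08-17T06:15:44 client=10.10.1.16 qname=www.example.org answer=192.0.2.10
2015-08-17T06:20:09 client=10.10.7.33 qname=cdn-update.example answer=203.0.113.46
2015-08-17T07:02:51 client=10.10.1.15 qname=cdn-update.example answer=203.0.113.46
2015-08-17T07:30:00 client=10.10.9.200 qname=stage2.example answer=198.51.100.7
"""


def parse_dns_line(line):
    """Split 'TIMESTAMP client=... qname=... answer=...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def blocked_network_for(ip_text, nets):
    """Return the block-list network containing the address, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in nets:
        if ip in net:
            return net
    return None


def morning_report(log_text, blocked=BLOCKED_NETWORKS, known=KNOWN_BLOCKED_HOSTS):
    """Return (report, new_hosts).

    report: {network: {hostname: [clients...]}} for every answer that fell
            inside a blocked network.
    new_hosts: hostnames in the report that were not on the known list, i.e.
               names that resolve into an already-blocked network but that no
               existing indicator names yet.
    """
    nets = [ipaddress.ip_network(n) for n in blocked]
    by_net = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        net = blocked_network_for(rec["answer"], nets)
        if net is None:
            continue
        by_net[str(net)][rec["qname"]].add(rec["client"])

    report = {net: {host: sorted(clients) for host, clients in hosts.items()}
              for net, hosts in by_net.items()}
    new_hosts = sorted({host for hosts in by_net.values() for host in hosts} - set(known))
    return report, new_hosts


def format_report(report, new_hosts):
    """Plain-text lines suitable for the morning e-mail."""
    lines = []
    for net in sorted(report):
        lines.append(f"[{net}]")
        for host, clients in sorted(report[net].items()):
            flag = "  NEW" if host in new_hosts else ""
            lines.append(f"  {host} <- {', '.join(clients)}{flag}")
    return lines


if __name__ == "__main__":
    rep, new = morning_report(SAMPLE_DNS_LOG)
    print("\n".join(format_report(rep, new)))
```

On the sample, cdn-update.example and stage2.example are reported as new: they resolve into networks that were blocked for other reasons, which is exactly the kind of name worth pulling the client's other traffic for before writing a new indicator. Matching on the answered address rather than the name is deliberate, since a fresh dropper usually comes with a fresh hostname but often reuses hosting.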