Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Billions & Billions of Logs
Similar to Billions & Billions of Logs (20)
Recently uploaded
Recently uploaded (20)
Billions & Billions of Logs
- 1. Billions & Billions of Logs; Oh My Jack Crook
- 2. whoami Jack Crook (@jackcr) Principal Incident Responder, GE-CIRT Husband of 23 or 24 years? Father of 4 Grandfather of 1 Finder of Bad Guys
- 3. What this talk is Thoughts based on my experiences
- 4. What this talk is not
- 5. How I think about threat hunting Hypothesis driven approach for identifying malicious behavior within my environment. These hypotheses are derived from: First hand knowledge Internally developed intel Trusted partner sharing Public reporting Utilize kill chain to focus efforts
- 6. The three most important ?’s What am I looking for? Why am I looking for it? How do I find it?
- 7. What we want hunting to be
- 8. Often times the reality
- 9. Reasons Why do we seem to flounder in that “sea of data”? Scope of hunt is not properly defined Scope of hunt is too broad We try and catch all instances of bad for a particular query We focus on a single method of finding the indicator We focus on singular events to attempt to draw conclusions We look for actions instead of behaviors
- 13. High level hypotheses Comprised of multiple actions Actions typically happen over short time spans Will often use legitimate windows utilities Will often use tools brought in with them Will often need to elevate permissions Will need to access various machines Will need to access files on filesystems
- 14. What can I define from these hypotheses Needs
- 15. 5 basic attacker needs Execution Credentials Enumeration Authentication Data Movement
- 16. Attacker Needs Execution Processes Scripts Services Scheduled Tasks Execution cmd.exe powershell.exe wmic.exe Custom tools
- 17. Attacker Needs Credentials Domain Administrative Accounts Local Services Accounts Accounts pertaining to group membership Credentials Registry hives Extract from lsass process Network sniffing Keylogging ntds.dit Clear text on filesystem
- 18. Attacker Needs Enumeration User / Group Enumeration Device Enumeration Filesystem Enumeration Enumeration “net” commands dir find whoami ping Custom tools
- 19. Attacker Needs Autehntication 4624Type 3 4624Type 10 4648 Authentication Domain admins Enterprise admins Local admins Service accounts Users /w GID
- 20. Attacker Needs Data Movement Tools Recon Data Exfil Data Data Movement copy xcopy rdpclip PsExec RemCom
- 21. Now what? We can look at these needs based actions individually and likely swim in our sea of reality, or… Is there possibly another way?
- 22. Behavior Chains
- 23. The thought Can we take interesting data, that doesn’t always point to malicious activity, and cluster it in a way that will surface actions often used by attackers?
- 24. How do we get there Develop queries for specific actions based on attacker needs Accuracy of query is key Volume of output is not Enhance data with queries from detection technologies Store output of queries in central location Each query makes a link The sum of links make up a chain
- 26. Consider the following commands copy bad.exe 192.168.56.10c$tempbad.exe dir 192.168.56.10c$temp wmic /node:192.168.56.10 /user:administrator /password:pass process call create “bad.exe”
- 27. Time How long would it take you to type those commands?
- 28. Source Host Does the source host show up in multiple clusters?
- 29. Destination Host What is the role of the destination machine?
- 30. User What is the number of users and role per cluster?
- 31. Action Does the cluster represent multiple needs?
- 32. Data Movement Source to Dest Windows Security Event ID = 5145 ObjectType = File Share Name = *$ Access Mask = 0x1000180 Access Mask = 0x80 Access Mask = 0x130197 Bucket 3 events within 1 sec by ComputerName
- 33. Enumeration Remote Dir $ Share Windows Security Event ID = 5145 Share Name = *C$ Share Name = *ADMIN$ Access Mask = 0x100080 Source Address != 127.0.0.1
- 34. ExecutionWMIC Remote Host Windows Security Event ID = 4688 Windows Security Event ID = 4624 LogonType = 3 Source Network Address != “” Search Process = wmiprvse.exe List Additional processes spawning within same second
- 35. Authentication Suspicious 4648 Logon Windows Security Event ID = 4648 Process Name = wmic.exe Target Server Name != localhost Target Server Name != *$
- 36. How our chain would look
- 37. Feed the Beast Windows Events Sysmon Powershell AV Whitelisting Flow NIDS/HIDS
- 38. Considerations Normalization of fields across data sources Standardization of time zones across logs Build queries to surface behaviors on both source and dest Identify areas across needs for additional opportunities Experiment with different methods of clustering
- 39. Benefits Huge reduction in high volume events Generates dynamic clusters of “interesting” Surface patterns of behavior that may otherwise be missed Can be used for all phases of the Kill Chain Can cluster behaviors across multiple data sources
- 40. I believe this will get me closer