
Detecting Malicious Activity on a Budget

Abstract: Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This presentation investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.

Bio: Sean is a Senior Consultant in the Wolf & Company, P.C. Information Technology (IT) Assurance Services group, where he is responsible for coordinating and executing cybersecurity and IT audit services at client locations for financial, healthcare, educational and investment planning clients. Sean leads Wolf's security assessment and PCI DSS teams.

Related whitepaper: https://www.sans.org/reading-room/whitepapers/detection/attackers-walls-detecting-malicious-activity-39055


Detecting Malicious Activity on a Budget

  1. Presented to fulfill degree requirements for the SANS Technology Institute’s Master of Science. Detecting Malicious Activity on a Budget. Presented by Sean D. Goodwin, GSEC, GCIH, GCIA, Master’s Degree Candidate at the SANS Technology Institute.
  2. Objectives (slide footer: Master’s Degree Candidate, 7/8/2019, www.sans.edu)
     • Identify a toolset that SMBs can implement to reduce the resources needed to detect malicious activity on hosts
     • Minimize cost and time spent analyzing event logs
     • Minimize time spent vetting alerts for false-positive events
  3. Insufficient Detection Resources
     • Small and Mid-sized Businesses (SMBs) typically lack detection capabilities
       • Tools
       • Training & analyst skills
     • Inability to detect malicious actors
     • Seeking a “plug-and-play” solution for host-based detection
  4. Reliance on Existing Tools
     • Security Onion
       • Syslog
       • Wazuh
     • Microsoft Sysmon
       • SwiftOnSecurity configuration
     • Malware Archaeology Audit Policy
  5. Testing for Known Attacks
     • MITRE Caldera
       • Simulate known attack methods
     • PsExec
     • Pass-the-Hash
     • xCopy (file collection for exfiltration)
  6. TestCorp Network
  7. Adversary One: PsExec
     • Event 5145: AUDIT_SUCCESS
     • Relative Target Name: PSEXESVC-5501-WKSTN1-4020-stdout
  8. Adversary Two: Pass-the-Hash
     • Event 4624: AUDIT_SUCCESS
     • Logon Process: NtLmSsp
     • Logon Type: 3
     • Key Length: 0
  9. Adversary Three: xCopy
     • Event 5142: AUDIT_SUCCESS
     • Account Name: admin02
     • Share Name: \\*\Documents
     • Share Path: C:\Users\admin02\Documents
  10. Results
     • Data is available, but detection is not easy
     • All three attacks could be identified after the fact
     • “Living off the land” makes detection harder
  11. Custom Alerts
  12. Custom Alerts
  13. Custom Alerts
  14. Custom Alerts
  15. Custom Alerts
  16. Custom Alerts
  17. Summary
     • SMBs continue to struggle detecting host-based attacks
     • Not a “plug and play” solution for detecting all attacks
     • Custom rules will aid in automating recurring log investigations
     • Additional data points (network traffic) may help
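The "Custom Alerts" slides are not captured in this transcript, so the following is an added example (not the presenter's rules or Wazuh/Security Onion code) that turns the three Windows Security event patterns quoted on the PsExec, Pass-the-Hash and xCopy slides into simple detection rules and runs them over constructed sample events; the field names and sample values are assumptions modelled on the slide text.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (not taken from the presentation), shaped like the
# Windows Security event fields quoted on slides 7-9.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "5145", "Keywords": "AUDIT_SUCCESS", "Computer": "WKSTN1",
     "RelativeTargetName": "PSEXESVC-5501-WKSTN1-4020-stdout"},
    {"EventID": "4624", "Keywords": "AUDIT_SUCCESS", "Computer": "WKSTN1",
     "LogonProcessName": "NtLmSsp", "LogonType": "3", "KeyLength": "0"},
    {"EventID": "4624", "Keywords": "AUDIT_SUCCESS", "Computer": "WKSTN1",
     "LogonProcessName": "NtLmSsp", "LogonType": "3", "KeyLength": "128"},
    {"EventID": "5142", "Keywords": "AUDIT_SUCCESS", "Computer": "WKSTN1",
     "SubjectUserName": "admin02", "ShareName": r"\\*\Documents",
     "SharePath": r"C:\Users\admin02\Documents"},
    {"EventID": "5145", "Keywords": "AUDIT_SUCCESS", "Computer": "WKSTN1",
     "RelativeTargetName": "srvsvc"},
]

# PsExec's service side uses named pipes PSEXESVC-<host>-<pid>-std{in,out,err}.
PSEXEC_PIPE = re.compile(r"^PSEXESVC-.+-std(in|out|err)$", re.IGNORECASE)
# A new share rooted in a user profile folder is unusual on a workstation.
PROFILE_PATH = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)

def rule_psexec(ev: Event) -> bool:
    return ev.get("EventID") == "5145" and bool(PSEXEC_PIPE.match(ev.get("RelativeTargetName", "")))

def rule_pass_the_hash(ev: Event) -> bool:
    # Network NTLM logon with Key Length 0 is the pattern shown on the Pass-the-Hash
    # slide; legitimate NTLM logons can also match, so baseline it per environment.
    return (ev.get("EventID") == "4624" and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("LogonType") == "3" and ev.get("KeyLength") == "0")

def rule_profile_share(ev: Event) -> bool:
    return ev.get("EventID") == "5142" and bool(PROFILE_PATH.match(ev.get("SharePath", "")))

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("psexec_named_pipe", rule_psexec),
    ("ntlm_network_logon_no_session_key", rule_pass_the_hash),
    ("share_added_under_user_profile", rule_profile_share),
]

def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, EventID) for every event that triggers a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, check in RULES:
            if check(ev):
                hits.append((name, ev["EventID"]))
    return hits

if __name__ == "__main__":
    for name, eid in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name} (Event {eid})")
```

Only three of the five constructed events fire; the NTLM logon with a non-zero key length and the ordinary `srvsvc` pipe access are left alone, which is the false-positive filtering the Objectives slide asks for.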
