SlideShare a Scribd company logo

How to create correlation rule for threat detection in RuSIEM

Download as PPTX, PDF
Olesya Shelestova
Olesya Shelestova

How to create correlation rule for threat detection in RuSIEM. In case - Ransomware Win32/Diskcoder.Petya.C Video for this presentation: https://youtu.be/WK5q26iE09I

Software
1 of 17
HOW TO CREATE CORRELATION RULE FOR THREAT DETECTION IN RUSIEM CEO RuSIEM Olesya Shelestova https://rusiem.com support@rusiem.com In case - detection ransomware Win32/Diskcoder.Petya.C
EXAMPLE THREAT • Consider as an example a real threat: Ransomware Win32/Diskcoder.Petya.C
• You can not rely on patches that cover a vulnerability when creating a correlation rule. • At any time, a host may appear on which the patch is not installed. And you will not know about it at the most inopportune moment
WHAT ARE YOU NEED? • Discover. Even if at the moment you do not have a threat. • Automatic detection • Real time detection • Notifications (email/incident in workflow)
WHAT YOU NEED TO UNDERSTAND FIRST Threat: • Attack vectors (vulnerability, local/network, exploited software versions, …) • Distribution method (email/attachments/network/banners/sites) • Explore news for threat definition/signature How to detect: • Process/network/hash • Event logs/Cyber security systems (IDS/DPI/Network Analyzers/Antivirus/etc)
SCENARIO #1 1. You have an information security tool that detects a threat 2. SIEM receives a ready-made threat decision event 3. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
SCENARIO #2 1. You have a number of different software or hardware tools that provide information about processes, email, network connections, hashes. 2. It can be: windows event logs, firewalls, syslog, IDS, flow, network analyzers and other. 3. SIEM will receive simple events from these sources, check for correlations and detect incidents. 4. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
DIFFERENCE BETWEEN SCENARIO 1. In fact: you are faster than IDS / AV vendors can create a signature yourself. 2. The difference between the #1 and #2 scenarios is that in the case of correlation rules in SIEM, you get a more manageable centralized system. 3. There is no need to write rules for many different systems and monitor their deploy. 4. In practice, SIEM receives much more information for guaranteed threat detection. 5. In SIEM correlation rules it is possible to reduce the number of false positives. 6. In any case, processes of incident management and real-time response are needed. This does not have a classic protection
LOOK GOOGLE FOR THREAT Win32/Diskcoder.Pety a.C Process Remote WMI, “process call create "C:WindowsSystem32rundll32.exe "C:Windowsperfc.dat" #1” Email src/dst Connect to hosts mshta.exe %WINDIR%System32ms hta.exe" "C:myguy.xls.hta" 185.165.29.78 84.200.16.242 111.90.139.247 95.141.115.108 wowsmith123456@posteo.net iva76y3pr@outlook.com carmellar4hegp@outlook.com amanda44i8sq@outlook.com
OUR PATH • We will detect Win32/Diskcoder.Petya in this case by dst.ip (C&C) and sha1/sha256 hashes • Arrays of values put in the lists to be able to quickly change and add new values • When IDSs are updated - we will record incidents and by their warnings • If you have enabled audit on file servers – we also may create common rule. Example, “changes 100 or more files in 60 seconds”
CREATE LIST FOR IP ADDRESSES
CREATE LIST FOR SHA1 AND SHA256 HASHES
CREATE CORRELATION RULE FOR DETECT BY HASH
CREATE RULE FOR DETECTION BY DST.IP
ATTENTION ! • Be sure to test the created rule in a real infrastructure ! • You can always create or emulate the connection, the test process, the other symptom of the threat for verification • If an incident happens - it will be too late.
TEST THE CREATED RULE, CHECK THE INCIDENT
THANK YOU support@rusiem.com https://rusiem.com https://t.me/rusiem https://facebook.com/rvsiem Tags: #rvsiem #rusiem Software: RuSIEM, free RvSIEM

Recommended

RuSIEM IT assets
RuSIEM IT assetsRuSIEM IT assets
RuSIEM IT assets
Olesya Shelestova
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
AlienVault
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMOSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIM
AlienVault
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
AlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
Michael Boelen
 

Recommended

RuSIEM IT assets
RuSIEM IT assetsRuSIEM IT assets
RuSIEM IT assets
Olesya Shelestova
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
AlienVault
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMOSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIM
AlienVault
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
AlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
Michael Boelen
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
Alien vault _policymanagement
Alien vault _policymanagementAlien vault _policymanagement
Alien vault _policymanagement
Marjo'isme Yoyok
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
Ertugrul Akbas
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
Teri Radichel
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
Solving the Open Source Security Puzzle
Solving the Open Source Security PuzzleSolving the Open Source Security Puzzle
Solving the Open Source Security Puzzle
Vic Hargrave
 
Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIM
Eguardian Global Services
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
Frank Avila Zapata
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
Chandrapal Badshah
 
Mod Security
Mod SecurityMod Security
Mod Security
Abhishek Singh
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
Ertugrul Akbas
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
Romansh Yadav
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
Mayank Gaikwad
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
AlienVault
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 

More Related Content

What's hot

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
Alien vault _policymanagement
Alien vault _policymanagementAlien vault _policymanagement
Alien vault _policymanagement
Marjo'isme Yoyok
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
Ertugrul Akbas
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
Teri Radichel
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Jeronimo Zucco
 
Solving the Open Source Security Puzzle
Solving the Open Source Security PuzzleSolving the Open Source Security Puzzle
Solving the Open Source Security Puzzle
Vic Hargrave
 
Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIM
Eguardian Global Services
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
Frank Avila Zapata
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
Chandrapal Badshah
 
Mod Security
Mod SecurityMod Security
Mod Security
Abhishek Singh
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
Ertugrul Akbas
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
Romansh Yadav
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
Mayank Gaikwad
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 

What's hot (20)

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
 
Alien vault _policymanagement
Alien vault _policymanagementAlien vault _policymanagement
Alien vault _policymanagement
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 
Solving the Open Source Security Puzzle
Solving the Open Source Security PuzzleSolving the Open Source Security Puzzle
Solving the Open Source Security Puzzle
 
Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIM
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Mod Security
Mod SecurityMod Security
Mod Security
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
Mod security
Mod securityMod security
Mod security
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 

Similar to How to create correlation rule for threat detection in RuSIEM

Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
AlienVault
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
belsis
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
computer virus full explain ppt.pptx
computer virus full explain ppt.pptxcomputer virus full explain ppt.pptx
computer virus full explain ppt.pptx
TayyabaAbbas4
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
Muhammad FAHAD
 
Ransomware
Ransomware Ransomware
Ransomware
Deepak Kumar (D3)
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
cyber sec.ppt
cyber sec.pptcyber sec.ppt
cyber sec.ppt
C326PrathameshKhade
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
NCCOMMS
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
Demetrio Milea
 
Network security
Network securityNetwork security
Network security
Shyam Kumar Singh
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Katherine Duffy
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An Enterprise
Jim Porell
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
xererenhosdominaram
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
RedZone Technologies
 
Practical Incident Response - Work Guide
Practical Incident Response - Work GuidePractical Incident Response - Work Guide
Practical Incident Response - Work Guide
Eduardo Chavarro
 

Similar to How to create correlation rule for threat detection in RuSIEM (20)

Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
 
computer virus full explain ppt.pptx
computer virus full explain ppt.pptxcomputer virus full explain ppt.pptx
computer virus full explain ppt.pptx
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
 
Ransomware
Ransomware Ransomware
Ransomware
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
cyber sec.ppt
cyber sec.pptcyber sec.ppt
cyber sec.ppt
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Network security
Network securityNetwork security
Network security
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICESRansomware Response Guide IBM INCIDENT RESPONSE SERVICES
Ransomware Response Guide IBM INCIDENT RESPONSE SERVICES
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An Enterprise
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Practical Incident Response - Work Guide
Practical Incident Response - Work GuidePractical Incident Response - Work Guide
Practical Incident Response - Work Guide
 

More from Olesya Shelestova

Руководство по формату событий для разработчиков
Руководство по формату событий для разработчиковРуководство по формату событий для разработчиков
Руководство по формату событий для разработчиков
Olesya Shelestova
 
RuSIEM vs SOC (En)
RuSIEM vs SOC (En)RuSIEM vs SOC (En)
RuSIEM vs SOC (En)
Olesya Shelestova
 
RuSIEM vs SOC (Rus)
RuSIEM vs SOC (Rus)RuSIEM vs SOC (Rus)
RuSIEM vs SOC (Rus)
Olesya Shelestova
 
RuSiem events collection and forwarding
RuSiem events collection and forwardingRuSiem events collection and forwarding
RuSiem events collection and forwarding
Olesya Shelestova
 
From SIEM to Business processes
From SIEM to Business processesFrom SIEM to Business processes
From SIEM to Business processes
Olesya Shelestova
 
Deploy RvSIEM (eng)
Deploy RvSIEM (eng)Deploy RvSIEM (eng)
Deploy RvSIEM (eng)
Olesya Shelestova
 
Free RvSIEM. Intro (Rus)
Free RvSIEM. Intro (Rus)Free RvSIEM. Intro (Rus)
Free RvSIEM. Intro (Rus)
Olesya Shelestova
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)
Olesya Shelestova
 
Rusiem 2017_обзор
Rusiem 2017_обзорRusiem 2017_обзор
Rusiem 2017_обзор
Olesya Shelestova
 
SIEM use cases - как их написать
SIEM use cases - как их написатьSIEM use cases - как их написать
SIEM use cases - как их написать
Olesya Shelestova
 
Корреляция в SIEM системах
Корреляция в SIEM системахКорреляция в SIEM системах
Корреляция в SIEM системах
Olesya Shelestova
 
SIEM для ИТ
SIEM для ИТSIEM для ИТ
SIEM для ИТ
Olesya Shelestova
 
RuSIEM. Потребители. Состав продукта. Отличия. Применение.
RuSIEM. Потребители. Состав продукта. Отличия. Применение.RuSIEM. Потребители. Состав продукта. Отличия. Применение.
RuSIEM. Потребители. Состав продукта. Отличия. Применение.
Olesya Shelestova
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиOlesya Shelestova
 

More from Olesya Shelestova (17)

Руководство по формату событий для разработчиков
Руководство по формату событий для разработчиковРуководство по формату событий для разработчиков
Руководство по формату событий для разработчиков
 
RuSIEM vs SOC (En)
RuSIEM vs SOC (En)RuSIEM vs SOC (En)
RuSIEM vs SOC (En)
 
RuSIEM vs SOC (Rus)
RuSIEM vs SOC (Rus)RuSIEM vs SOC (Rus)
RuSIEM vs SOC (Rus)
 
RuSiem events collection and forwarding
RuSiem events collection and forwardingRuSiem events collection and forwarding
RuSiem events collection and forwarding
 
From SIEM to Business processes
From SIEM to Business processesFrom SIEM to Business processes
From SIEM to Business processes
 
Deploy RvSIEM (eng)
Deploy RvSIEM (eng)Deploy RvSIEM (eng)
Deploy RvSIEM (eng)
 
Free RvSIEM. Intro (Rus)
Free RvSIEM. Intro (Rus)Free RvSIEM. Intro (Rus)
Free RvSIEM. Intro (Rus)
 
RuSIEM overview (english version)
RuSIEM overview (english version)RuSIEM overview (english version)
RuSIEM overview (english version)
 
Rusiem 2017_обзор
Rusiem 2017_обзорRusiem 2017_обзор
Rusiem 2017_обзор
 
SIEM use cases - как их написать
SIEM use cases - как их написатьSIEM use cases - как их написать
SIEM use cases - как их написать
 
Корреляция в SIEM системах
Корреляция в SIEM системахКорреляция в SIEM системах
Корреляция в SIEM системах
 
SIEM для ИТ
SIEM для ИТSIEM для ИТ
SIEM для ИТ
 
RuSIEM. Потребители. Состав продукта. Отличия. Применение.
RuSIEM. Потребители. Состав продукта. Отличия. Применение.RuSIEM. Потребители. Состав продукта. Отличия. Применение.
RuSIEM. Потребители. Состав продукта. Отличия. Применение.
 
RuSIEM 2016
RuSIEM 2016RuSIEM 2016
RuSIEM 2016
 
RuSIEM (15.11.2015)
RuSIEM (15.11.2015)RuSIEM (15.11.2015)
RuSIEM (15.11.2015)
 
RuSIEM
RuSIEMRuSIEM
RuSIEM
 
автоматизируем пентест Wifi сети
автоматизируем пентест Wifi сетиавтоматизируем пентест Wifi сети
автоматизируем пентест Wifi сети
 

Recently uploaded

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
YAML crash COURSE how to write yaml file for adding configuring details
YAML crash COURSE how to write yaml file for adding configuring detailsYAML crash COURSE how to write yaml file for adding configuring details
YAML crash COURSE how to write yaml file for adding configuring details
NishanthaBulumulla1
 
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
mz5nrf0n
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
Marcin Chrost
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging a Tech AgencyPreparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
ISH Technologies
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
AnkitaPandya11
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
Karya Keeper
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 

Recently uploaded (20)

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
YAML crash COURSE how to write yaml file for adding configuring details
YAML crash COURSE how to write yaml file for adding configuring detailsYAML crash COURSE how to write yaml file for adding configuring details
YAML crash COURSE how to write yaml file for adding configuring details
 
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging a Tech AgencyPreparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
 
fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.fiscal year variant fiscal year variant.
fiscal year variant fiscal year variant.
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 

How to create correlation rule for threat detection in RuSIEM

  • 1. HOW TO CREATE CORRELATION RULE FOR THREAT DETECTION IN RUSIEM CEO RuSIEM Olesya Shelestova https://rusiem.com support@rusiem.com In case - detection ransomware Win32/Diskcoder.Petya.C
  • 2. EXAMPLE THREAT • Consider as an example a real threat: Ransomware Win32/Diskcoder.Petya.C
  • 3. • You can not rely on patches that cover a vulnerability when creating a correlation rule. • At any time, a host may appear on which the patch is not installed. And you will not know about it at the most inopportune moment
  • 4. WHAT ARE YOU NEED? • Discover. Even if at the moment you do not have a threat. • Automatic detection • Real time detection • Notifications (email/incident in workflow)
  • 5. WHAT YOU NEED TO UNDERSTAND FIRST Threat: • Attack vectors (vulnerability, local/network, exploited software versions, …) • Distribution method (email/attachments/network/banners/sites) • Explore news for threat definition/signature How to detect: • Process/network/hash • Event logs/Cyber security systems (IDS/DPI/Network Analyzers/Antivirus/etc)
  • 6. SCENARIO #1 1. You have an information security tool that detects a threat 2. SIEM receives a ready-made threat decision event 3. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
  • 7. SCENARIO #2 1. You have a number of different software or hardware tools that provide information about processes, email, network connections, hashes. 2. It can be: windows event logs, firewalls, syslog, IDS, flow, network analyzers and other. 3. SIEM will receive simple events from these sources, check for correlations and detect incidents. 4. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
  • 8. DIFFERENCE BETWEEN SCENARIO 1. In fact: you are faster than IDS / AV vendors can create a signature yourself. 2. The difference between the #1 and #2 scenarios is that in the case of correlation rules in SIEM, you get a more manageable centralized system. 3. There is no need to write rules for many different systems and monitor their deploy. 4. In practice, SIEM receives much more information for guaranteed threat detection. 5. In SIEM correlation rules it is possible to reduce the number of false positives. 6. In any case, processes of incident management and real-time response are needed. This does not have a classic protection
  • 9. LOOK GOOGLE FOR THREAT Win32/Diskcoder.Pety a.C Process Remote WMI, “process call create "C:WindowsSystem32rundll32.exe "C:Windowsperfc.dat" #1” Email src/dst Connect to hosts mshta.exe %WINDIR%System32ms hta.exe" "C:myguy.xls.hta" 185.165.29.78 84.200.16.242 111.90.139.247 95.141.115.108 wowsmith123456@posteo.net iva76y3pr@outlook.com carmellar4hegp@outlook.com amanda44i8sq@outlook.com
  • 10. OUR PATH • We will detect Win32/Diskcoder.Petya in this case by dst.ip (C&C) and sha1/sha256 hashes • Arrays of values put in the lists to be able to quickly change and add new values • When IDSs are updated - we will record incidents and by their warnings • If you have enabled audit on file servers – we also may create common rule. Example, “changes 100 or more files in 60 seconds”
  • 11. CREATE LIST FOR IP ADDRESSES
  • 12. CREATE LIST FOR SHA1 AND SHA256 HASHES
  • 13. CREATE CORRELATION RULE FOR DETECT BY HASH
  • 14. CREATE RULE FOR DETECTION BY DST.IP
  • 15. ATTENTION ! • Be sure to test the created rule in a real infrastructure ! • You can always create or emulate the connection, the test process, the other symptom of the threat for verification • If an incident happens - it will be too late.
  • 16. TEST THE CREATED RULE, CHECK THE INCIDENT