Your Logs or ...
Back to the Gold Rush


ISSA-BE Event
 January 2011
$ whoami
  Xavier Mertens (@xme)
  Senior Security Consultant @ C-CURE
  CISSP, CISA, CEH
  http://blog.rootshell.be
  I’m also on Maltego & Google!
  Some friends:
$ cat disclaimer.txt
The opinions expressed in this presentation are
those of the speaker and do not reflect those of
past, present or future employers, partners or
customers...
-1-
The situation today
acme.org
acme.org’s CSO
     Did you already get this feeling?
Today's Issues
   Technical
       Networks are complex
       Based on non-heterogeneous components (firewalls, IDS, proxies, etc)
       Millions of daily events
       Lot of consoles/tools
       Protocols & applications
Today's Issues
   Economical
       ”Time is Money”
           Investigations must be performed in real-time
           Downtime may have a huge business impact
       Reduced staff & budgets
       Happy Shareholders
Today's Issues
   Legal
       Compliance requirements
           PCI-DSS, SOX, HIPAA, etc
           Initiated by the group or business
       Local laws
       Due diligence & due care
           Security policies must be enforced!
Need for More Visibility
   More integration, more sources
     More chances to detect a problem
   Integration of external sources of information could help the detection of incidents
       Automatic vulnerability scans
       Import of vulnerabilities database
       FIM
   Awareness
Need for More Visibility
[**] [1:2050:14] SQL version overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434
UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404
Len: 376
[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310]

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167
***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1475031583 2358505469

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80
TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167
***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2086630937 3122214979

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167
***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2530339421 2353821688

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80
TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167
***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3995062809 1050363790
-2-
Fraud?
What’s ”Fraud”?
  ”Deliberate deception, trickery, or cheating intended to gain an advantage”
  Fraud represents 39% of crimes in the CERT.us database
  Occurs “below the radar”
Fraud Types
  Unauthorized additions or changes in databases
  Data theft or disclosure
  Rogue devices
  Identity theft
Find the Intruder
   Keep an eye on the « malicious insider »
   Who is he?
     Current or past employee (m/f)
     Contractors / Business partners
     Non-technical as well as technical position
     He/she has authorized access to sensitive assets
Fraud == Suspicious
  The term “fraud” is closely linked to money
  Let’s use “suspicious”, which means
  “inclined to suspect, to have doubts about; distrust”
  Detected outside the scope of regular operations
  Need for baselines, thresholds and watchdogs
  And... Procedures!
Baselines
  Interval of values
  Trigger an alert if above a threshold or outside an interval
Baselines
  Recurrence in time
Baselines
  Correlation between multiple sources
Impacts of Fraud?
   Quantitative
     $$$
   Qualitative
     Brand
     Reputation
     Customers / Stakeholders
Some Examples
  CC used in country ”A” and used 4 hours later in country ”B”.
  A Belgian CC used to buy a 40” flat TV in Brazil
  A SIM card connected to a mobile network in Belgium and 2 hours later in Thailand
  Stolen or shared credentials / access badges.
  SSL VPN access from a foreign country.
More Examples
  ”root” session opened on a Sunday at 02AM.
  Data copied to removable devices
  Installation of keyloggers
  Rogue FTP servers
Security Convergence!
  Logical Security
    Credentials
    IP access lists
  Physical Security
    Access badges
    GeoIP
    Mobile devices
  Time references
  Let’s mix them!
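As an added example (not part of the original slides), the mixing the previous slides call for: events from a badge reader, an SSL VPN with GeoIP and a card-payment feed are keyed on identity and time reference, and a country change faster than a minimum travel time is flagged, which covers both the "CC in country A, then B" and "SIM in Belgium, then Thailand" cases. The sample events and the 6-hour threshold are constructed assumptions to tune with the business.

```python
"""Cross-source correlation: mix logical and physical events by identity and time.

Added example, not from the original slides. Sample events are constructed and
assume each source has already been normalised to (timestamp, identity, source,
country) by your log parsers, with all clocks in UTC (beware of time lines!).
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime      # UTC timestamp taken from the log line
    identity: str     # user, credit card, SIM card, badge id...
    source: str       # "badge", "vpn", "cc", "sim", ...
    country: str      # ISO code, from GeoIP (logical) or the site (physical)


# Constructed sample feed: a badge reader in Belgium, an SSL VPN with GeoIP
# and a card-payment feed.
SAMPLE_EVENTS = [
    Event(datetime(2011, 1, 10, 8, 2), "johndoe", "badge", "BE"),
    Event(datetime(2011, 1, 10, 10, 15), "johndoe", "vpn", "TH"),       # 2h13 later, Thailand
    Event(datetime(2011, 1, 10, 9, 30), "alice", "badge", "BE"),
    Event(datetime(2011, 1, 10, 9, 45), "alice", "vpn", "BE"),
    Event(datetime(2011, 1, 10, 12, 0), "4111-xxxx-1234", "cc", "BE"),
    Event(datetime(2011, 1, 10, 16, 0), "4111-xxxx-1234", "cc", "BR"),  # 4h later, Brazil
    Event(datetime(2011, 1, 11, 9, 0), "alice", "badge", "BE"),
    Event(datetime(2011, 1, 11, 20, 0), "alice", "vpn", "NL"),          # 11h later: plausible trip
]

# Baseline (assumption): below this delay, a change of country is suspicious.
MIN_TRAVEL_TIME = timedelta(hours=6)


class Finding(NamedTuple):
    identity: str
    first: Event
    second: Event
    elapsed: timedelta


def impossible_travel(events, min_travel=MIN_TRAVEL_TIME) -> List[Finding]:
    """Flag consecutive events of one identity seen in two countries too close
    in time, whatever sources (badge, VPN, card...) the two events come from."""
    by_identity: Dict[str, List[Event]] = {}
    for ev in events:
        by_identity.setdefault(ev.identity, []).append(ev)
    findings = []
    for ident, evs in by_identity.items():
        evs.sort(key=lambda e: e.ts)   # the time reference is the correlation key
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country and cur.ts - prev.ts < min_travel:
                findings.append(Finding(ident, prev, cur, cur.ts - prev.ts))
    return findings


def describe(f: Finding) -> str:
    """One-line summary suitable for injection into a watched log file."""
    hours = f.elapsed.total_seconds() / 3600
    return (f"{f.identity}: {f.first.source} in {f.first.country} then "
            f"{f.second.source} in {f.second.country} {hours:.1f}h later")


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print("SUSPICIOUS", describe(f))
```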
Resources!
  Adding value to your logs is resource-consuming!
  Temporary tables might be required
  Beware of time lines!
How to fight?
   Need for raw material -> Your logs
   Know the process flows!
   Talk to the ”business”
   Increase the logs value
     Add visibility
     Correlate with other information sources


    + Processes and communication!
When?
  Real-time
    Immediate investigation
    Source: Real-time alerts
  Before
    Proactivity (reporting - trending)
  After
    Forensic searches
-3-
The tools
It’s not a product...
”... It’s a process!” (c) Bruce

(Pyramid, top to bottom:)
  Incident Handling
  Correlation
  Reporting
  Search
  Log Collection
The Good, The Bad, The Ugly!
   Big Play€r$ (no names!)
   All of them claim to be the best
   But often when you look inside:
Straight to the Point
   SIEM environments are exp€n$ive!
   Best choice?
      Must address the business requirements
      (not yours)
      You must be able to handle them
The Ingredients...
   Free software to the rescue!
   Some tools...
       OSSEC
       MySQL
       Iptables / Ulogd
       Google Maps API
       Perl
       The ”Cloud” (don’t be scared!)
You said ”OSS.. What?”
  OSSEC is ”an Open Source Host-based Intrusion Detection System. It performs log
  analysis, file integrity checking, policy monitoring, rootkit detection, real-time
  alerting and active response”.
  More info: @wimremes (ISSA 01/2010)
The Recipes
  Good news, you already have the main ingredient: your logs!

  (Diagram: Logs + Resources + Policies + External sources -> Security Incidents)
-4-
MySQL Audit
Problem
  Authorized users added or modified data in a database.
  Lack of control and separation of duties
  Examples of fraud
    Rogue access created
    Price changed
    Stock modified
  Data integrity is no longer consistent
Solution
   Database changes can be audited
   High performance impact
     All transactions are logged
     Not convenient to process
   Monitor changes on critical data
     User credentials
     Financial data
   Audit INSERT, UPDATE & DELETE queries
Howto
  Use the MySQL UDF ”lib_mysqludf_log.so”
  mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so';
  mysql> create function log_error returns string soname 'lib_mysqludf_log.so';

  Use MySQL triggers
  mysql> create trigger users_insert after insert on users for each row insert into dummy values(log_error("your message here"));

  Triggers will write the message to the MySQL errors.log
Howto
  Process the MySQL log via OSSEC
  <!-- MySQL Integrity check -->
  <rule id="100025" level="7">
    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: .</regex>
    <description>MySQL users table updated</description>
  </rule>
Howto
  Results:
  Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log
  Rule: 100025 fired (level 7) -> "MySQL users table updated"
  Portion of the log(s):
  2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost

  --END OF NOTIFICATION
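Beyond the plain "table updated" rule, the audit lines the trigger writes can be post-processed. Added example, not from the slides: it parses lines in the format shown in the notification above and checks them against a separation-of-duties policy (which MySQL account may touch acme.users, and during which hours); the policy and the extra log lines are constructed assumptions.

```python
"""Post-process the audit lines the MySQL triggers write to errors.log.

Added example, not from the slides. The line format follows the slide's output;
the policy (which MySQL accounts may touch which table, and when) and the extra
sample lines are constructed assumptions to tune to your own processes.
"""
import re
from datetime import datetime, time
from typing import List, NamedTuple, Optional

# "2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost"
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Table: (?P<table>[\w.]+): "
    r"(?P<op>insert|update|delete)\((?P<values>[^)]*)\) by (?P<account>\S+)$"
)


class AuditEvent(NamedTuple):
    ts: datetime
    table: str
    op: str
    values: List[str]
    account: str   # MySQL account (user@host) that ran the statement


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Structured event, or None for lines not written by the triggers
    (errors.log also carries ordinary mysqld messages)."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(
        datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        m.group("table"),
        m.group("op"),
        m.group("values").split(","),   # empty columns stay as ''
        m.group("account"),
    )


# Constructed policy: only the provisioning account may change the credentials
# table, and only during the provisioning window. Everything else is suspicious.
POLICY = {
    "acme.users": {
        "allowed_accounts": {"provisioning@app01.acme.org"},
        "office_hours": (time(8, 0), time(18, 0)),
    },
}


def check_policy(ev: AuditEvent, policy=POLICY) -> List[str]:
    """Reasons this change is suspicious; an empty list means it fits the baseline."""
    rules = policy.get(ev.table)
    if rules is None:
        return []            # not a critical table: no baseline defined for it
    reasons = []
    if ev.account not in rules["allowed_accounts"]:
        reasons.append(f"{ev.op} on {ev.table} by unexpected account {ev.account}")
    start, end = rules["office_hours"]
    if not (start <= ev.ts.time() <= end):
        reasons.append(f"{ev.op} on {ev.table} outside office hours ({ev.ts:%H:%M})")
    return reasons


def scan(lines) -> List[str]:
    """Run every log line through the parser and the policy; return the alerts."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is not None:
            alerts.extend(check_policy(ev))
    return alerts


# Constructed errors.log sample; the first line is the slide's own example.
SAMPLE_LOG = """\
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
110108  0:31:25 [Note] /usr/sbin/mysqld: ready for connections.
2011-01-10 10:02:11 Table: acme.users: update(9,carol,) by provisioning@app01.acme.org
2011-01-10 10:05:40 Table: acme.prices: update(42,19.99,14.99) by admin@localhost
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
```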
-5-
USB Stick Detection
Problem
  Risks of data leak
  Risks of malware infections
Solution
   The Windows registry is a goldmine to audit a system!
   The OSSEC Windows agent can monitor the Windows registry.
Howto
  Interesting registry keys:
  HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count

  Or
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Howto
  Create a new OSSEC rule:
  [USB Storage Inserted] [any] []
  r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;

  If “Count” > 0 => USB Storage inserted
  Problem: will be reported by the rootkit detector and not in real time
Howto
  The second registry key changes when a USB stick is inserted:
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00

  New rule:
  [USB Storage Detected] [any] []
  r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;
Howto
  Results
  ** Alert 1268681344.26683: - ossec,rootcheck,
  2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck
  Rule: 512 (level 3) -> 'Windows Audit event.'
  Src IP: (none)
  User: (none)
  Windows Audit: USB Storage Inserted.
-6-
Detecting Rogue Access
Problem
  Stolen or shared credentials can be used from ”unknown” locations
  If your team members are local, is it normal to have sessions opened on your SSL VPN from Thailand or Brazil?
  An admin session started from the administration VLAN?
Solution
   Public IP addresses? They can be mapped to coordinates using open GeoIP databases
   Private IP addresses? Hey, they’re yours, you should know them
   For public services, Google Maps offers a nice API
Howto
  Configure OSSEC for your application log file (write a parser if required)
  Create an “Active-Response” action triggered when a specific action is detected
  The “Active-Response” script will perform a geoIP lookup using the source IP address
Howto
  If the IP address belongs to a suspicious country or network zone, inject a new event into OSSEC
  OSSEC generates an alert based on this event.
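The active-response step above, written as an added example in Python rather than the speaker's own Perl script: OSSEC hands the script the action, user and source IP on the command line, a GeoIP lookup resolves the country, and a suspicious result is appended to the fraud log in the line format OSSEC then alerts on. The GeoIP table is a constructed stub (only the two networks quoted on the Google Maps slide) standing in for the MaxMind database, and the allowed countries and administration VLAN are assumptions.

```python
"""Active-response check: GeoIP lookup on the source IP, then inject an event for OSSEC.

Added example, not the speaker's script. OSSEC runs active-response scripts as
"<script> <action> <user> <ip> <alert id> <rule id> <agent> <filename>"; the GeoIP
table below is a constructed stub standing in for the MaxMind database, and the
allowed countries and the administration VLAN are assumptions.
"""
import ipaddress
import sys
from datetime import datetime
from typing import Optional, Tuple

# Constructed stand-in for the GeoIP database: only the two networks from the
# "Mapping on Google Maps" slide, so any other public address has no record.
GEOIP_TABLE = [
    (ipaddress.ip_network("195.75.0.0/16"), "NL", "Netherlands"),
    (ipaddress.ip_network("195.76.0.0/16"), "ES", "Spain"),
]

# Baseline (assumption): the team works from Belgium and the Netherlands, and admin
# sessions must come from the administration VLAN. Private addresses are yours:
# you know their zone, so they get a zone check instead of a GeoIP lookup.
ALLOWED_COUNTRIES = {"BE", "NL"}
ADMIN_VLAN = ipaddress.ip_network("10.10.99.0/24")


def geoip_lookup(ip: str) -> Optional[Tuple[str, str]]:
    """Map a public IP to (country code, country name); None for private or unknown."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return None
    for net, code, name in GEOIP_TABLE:
        if addr in net:
            return code, name
    return None


def is_suspicious(user: str, ip: str, admin: bool = False) -> Optional[str]:
    """Return why the session is suspicious, or None if it fits the baseline."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        if admin and addr not in ADMIN_VLAN:
            return f"Admin session for user {user} via IP {ip} outside the administration VLAN"
        return None
    geo = geoip_lookup(ip)
    if geo is None:
        return f"Suspicious activity detected for user {user} via IP {ip} in unknown location"
    code, name = geo
    if code not in ALLOWED_COUNTRIES:
        return f"Suspicious activity detected for user {user} via IP {ip} in {code}, {name}"
    return None


def fraud_event(reason: str, when: datetime) -> str:
    """Line injected into the fraud log, in the format shown in the slide's alert."""
    return f"[{when:%d-%m-%Y %H:%M:%S}] {reason}"


def handle(argv, write=None, log_path="/var/log/fraud.log") -> Optional[str]:
    """Process one OSSEC active-response call; returns the injected line, if any.
    write(line) may be supplied instead of appending to log_path."""
    action, user, ip = argv[1], argv[2], argv[3]
    if action != "add":      # OSSEC calls the script again with "delete" after the timeout
        return None
    reason = is_suspicious(user, ip)
    if reason is None:
        return None
    line = fraud_event(reason, datetime.now())
    if write is None:
        with open(log_path, "a") as fh:   # OSSEC must be configured to read this file
            fh.write(line + "\n")
    else:
        write(line)
    return line


if __name__ == "__main__":
    handle(sys.argv)
```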
Howto
  Results:
  ** Alert 1270065106.2956457: mail - local,syslog,
  2010 Mar 31 21:51:46 satanas->/var/log/fraud.log
  Rule: 50001 (level 10) -> 'Fraud Detection'
  Src IP: (none)
  User: (none)
  [31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany
-7-
Mapping on Google Maps
Problem
  What’s the difference between:
    195.75.200.200 (Netherlands)
    195.76.200.200 (Spain)
  IPs are extracted from firewall logs, botnet analysis, web site logs, ...
Howto
  Geo-localization is performed using the MaxMind DB (free version) + Perl API
  use strict;
  use warnings;
  use Geo::IP;
  my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD);
  my $record = $gi->record_by_name("1.2.3.4");
  # record_by_name returns undef when the address is not in the database
  die "No GeoIP record\n" unless defined $record;
  print $record->latitude . "," . $record->longitude . "\n";

  Store results to an XML file.
Howto
  Submit the file to the Google Maps API from HTML code.
-8-
Searching the Cloud
”LaaS” ?
  ”Logging as a Service” seems to be an emerging trend in 2011.
  Loggly offers beta accounts
    200MB/day - 90 days of retention
    No SSL support
  Supported ”inputs”
    Syslog (UDP or TCP)
    HTTP(S)
”OSSEC phone Loggly”

   OSSEC can export to Syslog
   Events can be sent to Loggly using HTTP POST requests:
   https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46
”OSSEC phone Loggly”

   Perl to the rescue:
   # ./syslog2loggly.pl -h
   syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port]
   -D          : Run as a daemon
   -h          : This help
   -f keyfile  : Configuration file (default: /etc/syslog2loggly.conf)
   -p port     : Bind to port (default 5140)
   -v          : Increase verbosity
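An added example, not the speaker's syslog2loggly.pl: the same forwarder in Python. It binds the UDP port OSSEC's syslog output sends to, parses each RFC 3164 datagram into fields (the PRI value carries facility and severity) and POSTs the event as JSON to a Loggly HTTP input of the shape shown on the previous slide. The input key and the sample datagram are constructed placeholders.

```python
"""UDP syslog receiver that forwards each OSSEC event to a Loggly HTTP input.

Added example, not the speaker's syslog2loggly.pl. The URL shape is the one on the
slide (https://logs.loggly.com/inputs/<input key>); the key below is a placeholder
and the sample datagram is constructed in the shape of OSSEC's syslog output.
"""
import json
import re
import socket
import urllib.request
from typing import Dict, Optional

LOGGLY_INPUT_KEY = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real key
LOGGLY_URL = f"https://logs.loggly.com/inputs/{LOGGLY_INPUT_KEY}"

# RFC 3164 datagram: "<PRI>Mmm dd HH:MM:SS host message"; PRI = facility * 8 + severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse_syslog(datagram: bytes) -> Optional[Dict[str, str]]:
    """Split the datagram into fields; None when it is not a syslog message."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": str(pri >> 3),
        "severity": str(pri & 7),
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def build_request(event: Dict[str, str]) -> urllib.request.Request:
    """HTTP POST with a JSON body, so each field stays searchable on the Loggly side."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        LOGGLY_URL, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )


def forward(datagram: bytes, send=urllib.request.urlopen):
    """Parse and POST one datagram; returns the request sent, or None if it was dropped."""
    event = parse_syslog(datagram)
    if event is None:            # malformed input is dropped rather than forwarded as noise
        return None
    req = build_request(event)
    send(req)
    return req


def serve(port: int = 5140) -> None:
    """Bind the UDP port OSSEC's <syslog_output> points at and forward forever."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, _ = sock.recvfrom(65535)
        forward(data)


# Constructed datagram: facility local4 (20), severity warning (4) -> PRI 164.
SAMPLE = (b"<164>Mar 31 21:51:46 satanas ossec: Alert Level: 10; Rule: 50001 - Fraud Detection; "
          b"Location: satanas->/var/log/fraud.log; "
          b"[31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany")

if __name__ == "__main__":
    serve()
```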
Results
Conclusions
  The raw material is already yours.
  The amount of data to process makes it impossible to process it without appropriate tools.
  Suspicious activity occurs below the radar.
  Make your logs more valuable by cross-linking them with other sources.
  Be ”imaginative”!
References
  The scripts and references are available on
  my blog: http://blog.rootshell.be/
  Keyword: ”OSSEC”
Thank You!
Questions?

HTTP For the Good or the Bad - FSEC Edition
 
Unity Makes Strength
Unity Makes StrengthUnity Makes Strength
Unity Makes Strength
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free Software
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning Talk
 
Belnet events management
Belnet events managementBelnet events management
Belnet events management
 

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

ISSA Siem Fraud

  • 1. Your Logs or ... Back to the Gold Rush ISSA-BE Event January 2011
  • 2. $ whoami Xavier Mertens (@xme) Senior Security Consultant @ C-CURE CISSP, CISA, CEH http://blog.rootshell.be I’m also on Maltego & Google! Some friends:
  • 3. $ cat disclaimer.txt The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers...
  • 6. acme.org’s CSO Did you already get this feeling?
  • 7. Today's Issues Technical Networks are complex Based on non-heterogeneous components (firewalls, IDS, proxies, etc) Millions of daily events Lots of consoles/tools Protocols & applications
  • 8. Today's Issues Economical ”Time is Money” Investigations must be performed in real-time Downtime may have a huge business impact Reduced staff & budgets Happy Shareholders
  • 9. Today's Issues Legal Compliance requirements PCI-DSS, SOX, HIPAA, etc Initiated by the group or business Local laws Due diligence & due care Security policies must be enforced!
  • 10. Need for More Visibility More integration, more sources More chances to detect a problem Integration of external sources of information could help the detection of incidents Automatic vulnerability scans Import of vulnerability databases FIM Awareness
  • 11. Need for More Visibility [**] [1:2050:14] SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434 UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404 Len: 376 [Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310] [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] 07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80 TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167 ***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1475031583 2358505469 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] 07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80 TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167 ***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32 TCP Options (3) => NOP NOP TS: 2086630937 3122214979 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] 07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80 TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167 ***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32 TCP Options (3) => NOP NOP TS: 2530339421 2353821688 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] 07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80 TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167 ***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32 TCP Options (3) => NOP NOP TS: 3995062809 1050363790
  • 13. What’s ”Fraud”? ”Deliberate deception, trickery, or cheating intended to gain an advantage” Fraud represents 39% of crimes in the CERT.us database Occurs “below the radar”
  • 14. Fraud Types Unauthorized additions or changes in databases Data theft or disclosure Rogue devices Identity theft
  • 15. Find the Intruder Keep an eye on the « malicious insider » Who is he? Current or past employee (m/f) Contractors / Business partners Non-technical as well as technical positions He/she has authorized access to sensitive assets
  • 16. Fraud == Suspicious The term “fraud” is closely linked to money Let’s use “suspicious”, which means “inclined to suspect, to have doubts about; distrust” Detected outside the scope of regular operations Need for baselines, thresholds and watchdogs And... Procedures!
  • 17. Baselines Interval of values Trigger an alert if above a threshold or outside an interval
  • 19. Baselines Correlation between multiple sources
  • 20. Impacts of Fraud? Quantitative $$$ Qualitative Brand Reputation Customers / Stakeholders
  • 21. Some Examples CC used in country ”A” and used 4 hours later in country ”B”. A Belgian CC used to buy a 40” flat TV in Brazil A SIM card connected to a mobile network in Belgium and 2 hours later in Thailand Stolen or shared credentials / access badges. SSL VPN access from a foreign country.
  • 22. More Examples ”root” session opened on a Sunday 02AM. Data copied on removable devices Installation of keyloggers Rogue FTP servers
  • 23. Security Convergence! Logical Security Credentials IP access lists Physical Security Access badges GeoIP Mobile devices Time references Let’s mix them!
  • 24. Resources! Adding value to your logs is resource-consuming! Temporary tables might be required Beware of timelines!
  • 25. How to fight? Need for raw material Your logs Know the process flows! Talk to the ”business” Increase the logs' value Add visibility Correlate with other information sources + Processes and communication!
  • 26. When? Real-time: Immediate investigation Source: Real-time alerts Before: Proactivity (reporting - trending) After: Forensic searches
  • 28. It’s not a product... ”... It’s a process!” (c) Bruce Incident Handling Correlation Reporting Search Log Collection
  • 29. The Good, The Bad, The Ugly! Big Play€r$ (no names!) All of them claim to be the best But often when you look inside:
  • 30. Straight to the Point SIEM environments are exp€n$ive! Best choice? Must address the business requirements (not yours) You must be able to handle them
  • 31. The Ingredients... Free software to the rescue! Some tools... OSSEC MySQL Iptables / Ulogd Google Maps API Perl The ”Cloud” (don’t be scared!)
  • 32. You said ”OSS.. What?” OSSEC is ”an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”. More info: @wimremes (ISSA 01/2010)
  • 33. The Recipes Good news, you already have the main ingredient: your logs! Resources Policies External Logs Security Incidents
  • 35. Problem Authorized users added or modified data in a database. Lack of control and separation of duties Examples of fraud Rogue access created Price changed Stock modified Data integrity not consistent anymore
  • 36. Solution Database changes can be audited High performance impact All transactions are logged Not convenient to process Monitor changes on critical data User credentials Financial data Audit INSERT, UPDATE & DELETE queries
  • 37. Howto Use the MySQL UDF ”lib_mysqludf_log.so”: mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so'; mysql> create function log_error returns string soname 'lib_mysqludf_log.so'; Use MySQL triggers: mysql> create trigger users_insert after insert on users for each row insert into dummy values(log_error(”your message here”)); Triggers will write the message to the MySQL errors.log
  • 38. Howto Process the MySQL log via OSSEC: <!-- MySQL Integrity check --> <rule id="100025" level="7"> <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: .</regex> <description>MySQL users table updated</description> </rule>
  • 39. Howto Results: Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log Rule: 100025 fired (level 7) -> "MySQL users table updated" Portion of the log(s): 2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost --END OF NOTIFICATION
  • 41. Problem Risks of data leak Risks of malware infections
  • 42. Solution The Windows registry is a goldmine to audit a system! The OSSEC Windows agent can monitor the Windows registry.
  • 43. Howto Interesting registry keys: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count Or HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • 44. Howto Create a new OSSEC rule: [USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0; If “Count” > 0 => USB Storage inserted Problem: will be reported by the rootkit detector and not in real time
  • 45. Howto The second registry key changes when a USB stick is inserted: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00 New rule: [USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;
  • 46. Howto Results ** Alert 1268681344.26683: - ossec,rootcheck, 2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck Rule: 512 (level 3) -> 'Windows Audit event.' Src IP: (none) User: (none) Windows Audit: USB Storage Inserted.
  • 48. Problem Stolen or shared credentials can be used from ”unknown” locations If your team members are local, is it normal to have sessions opened on your SSL VPN from Thailand or Brazil? An admin session started from the administration VLAN?
  • 49. Solution Public IP addresses? They can be mapped to coordinates using open GeoIP databases Private IP addresses? Hey, they’re yours, you should know them For public services, Google Maps offers a nice API
  • 50. Howto Configure OSSEC for your application log file (write a parser if required) Create an “Active-Response” action triggered when a specific action is detected The “Active-Response” script will perform a geoIP lookup using the source IP address
  • 51. Howto If the IP address belongs to a suspicious country or network zone, inject a new event into OSSEC OSSEC generates an alert based on this event.
  • 52. Howto Results: ** Alert 1270065106.2956457: mail - local,syslog, 2010 Mar 31 21:51:46 satanas->/var/log/fraud.log Rule: 50001 (level 10) -> 'Fraud Detection' Src IP: (none) User: (none) [31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany
  • 54. Problem What's the difference between: 195.75.200.200 (Netherlands) 195.76.200.200 (Spain) IPs are extracted from firewall logs, botnet analysis, web site logs, ...
  • 55. Howto Geo-localization is performed using the MaxMind DB (free version) + Perl API: use Geo::IP; my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD); my $record = $gi->record_by_name("1.2.3.4"); print $record->latitude . "," . $record->longitude; Store results to an XML file.
  • 56. Howto Submit the file to the Google Maps API from HTML code.
  • 58. ”LaaS” ? ”Logging as a Service” seems to be an emerging trend in 2011. Loggly offers beta accounts 200MB/day - 90 days of retention No SSL support Supported ”inputs” Syslog (UDP or TCP) HTTP(S)
  • 59. ”OSSEC phone Loggly” OSSEC can export to Syslog Events can be sent to Loggly using HTTP POST requests: https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46
  • 60. ”OSSEC phone Loggly” Perl to the rescue: # ./syslog2loggly.pl -h syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port] -D : Run as a daemon -h : This help -f keyfile : Configuration file (default: /etc/syslog2loggly.conf) -p port : Bind to port (default 5140) -v : Increase verbosity
  • 62. Conclusions The raw material is already yours. The amount of data to process makes it impossible to process it without appropriate tools. Suspicious activity occurs below the radar. Make your logs more valuable by cross-linking them with other sources. Be ”imaginative”!
  • 63. References The scripts and references are available on my blog: http://blog.rootshell.be/ Keyword: ”OSSEC”
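As an added example for slides 35-39 (not the presentation's own code, which relies on a MySQL trigger plus an OSSEC rule), this Python script parses the audit lines the trigger writes to the MySQL error log and applies the separation-of-duties and baseline checks the deck describes; the policy table, the business-hours window and the sample log lines are constructed assumptions.

```python
"""Parse the audit lines a logging trigger writes to the MySQL error log
and flag suspicious changes to critical tables.

Added example, not the presentation's code. The line format follows the
"Results" slide (Table: db.table: op(values) by user@host); the policy,
business hours and sample log are constructed assumptions.
"""
import re
from datetime import datetime

# Matches e.g.
# 2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Table: (?P<db>\w+)\.(?P<table>\w+): "
    r"(?P<op>insert|update|delete)\((?P<values>[^)]*)\) by (?P<user>[^@\s]+)@(?P<host>\S+)$"
)

# Constructed policy: critical tables, the accounts allowed to change them,
# and the business-hours window (start inclusive, end exclusive, Mon-Fri).
POLICY = {
    "acme.users":  {"allowed": {"app@localhost"}, "hours": (8, 18)},
    "acme.prices": {"allowed": {"app@localhost", "pricing@localhost"}, "hours": (8, 18)},
}


def parse_audit_line(line):
    """Return a dict for a trigger audit line, or None for any other error-log line."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["account"] = f"{rec['user']}@{rec['host']}"
    rec["qualified"] = f"{rec['db']}.{rec['table']}"
    return rec


def check_record(rec, policy=POLICY):
    """Return the reasons a change is suspicious (an empty list means it passes)."""
    rule = policy.get(rec["qualified"])
    if rule is None:
        return []  # not a critical table: logged, but not alerted on
    reasons = []
    # Separation of duties: only the expected accounts may touch the table.
    if rec["account"] not in rule["allowed"]:
        reasons.append(f"{rec['op']} on {rec['qualified']} by unexpected account {rec['account']}")
    # Baseline: changes outside the business-hours window or at the weekend.
    start, end = rule["hours"]
    if rec["ts"].weekday() >= 5 or not (start <= rec["ts"].hour < end):
        reasons.append(f"{rec['op']} on {rec['qualified']} outside business hours ({rec['ts']:%a %H:%M})")
    return reasons


def audit(lines, policy=POLICY):
    """Scan error-log lines and return (timestamp, reason) alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue  # ordinary mysqld messages share the same file
        for reason in check_record(rec, policy):
            alerts.append((rec["ts"], reason))
    return alerts


# Constructed sample: 2011-01-08 is a Saturday, 2011-01-10 a Monday.
SAMPLE_LOG = """\
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
2011-01-10 10:02:11 Table: acme.users: update(3,alice,x) by app@localhost
2011-01-10 10:05:40 Table: acme.prices: update(42,19.99) by pricing@localhost
2011-01-10 23:45:02 Table: acme.prices: update(42,0.01) by app@localhost
2011-01-10 11:00:00 Table: acme.sessions: delete(77) by app@localhost
110110 11:00:01 [Note] /usr/sbin/mysqld: ready for connections.
"""

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} ALERT {reason}")
```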
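As an added example for slides 21 and 48-52 (not the presentation's own Perl active-response script), this Python script performs the GeoIP-style check on SSL VPN logins, adds the "same user in two countries a few hours apart" case from slide 21, and renders each hit in the fraud.log event format shown on slide 52; the in-memory GeoIP table (standing in for the MaxMind database), the VPN log format, the allowed-country list and the 4-hour window are assumptions.

```python
"""Flag SSL VPN logins from unexpected countries and "impossible travel"
(one user in two countries within a few hours), then render each hit as an
event line for OSSEC to pick up from a fraud log.  Added example, not the
presentation's code; GeoIP table, log format and thresholds are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database (documentation ranges -> country).
GEOIP_NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): "BE",
    ipaddress.ip_network("198.51.100.0/24"): "TH",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}
# Private ranges are yours: you already know where they are (slide 49).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_country(ip):
    """Return a country code, 'INTERNAL' for RFC1918 space, or '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "INTERNAL"
    for net, cc in GEOIP_NETWORKS.items():
        if addr in net:
            return cc
    return "??"


# Constructed VPN log format, e.g.
# 2011-01-10 08:02:10 sslvpn: user=johndoe src=203.0.113.5 action=login
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sslvpn: user=(?P<user>\w+) "
    r"src=(?P<ip>[\d.]+) action=login$"
)


def detect(lines, allowed=frozenset({"BE", "INTERNAL"}), window=timedelta(hours=4)):
    """Return (ts, user, ip, country, reason) alerts; lines must be in time order."""
    alerts = []
    last_seen = {}  # user -> (ts, country) of that user's previous login
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # not a login line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, ip = m["user"], m["ip"]
        cc = lookup_country(ip)
        if cc not in allowed:
            alerts.append((ts, user, ip, cc, "login from unexpected country"))
        prev = last_seen.get(user)
        # Two different real countries inside the window: nobody travels that fast.
        if prev and "INTERNAL" not in (cc, prev[1]) and cc != prev[1] and ts - prev[0] <= window:
            alerts.append((ts, user, ip, cc, f"impossible travel from {prev[1]} within {ts - prev[0]}"))
        last_seen[user] = (ts, cc)
    return alerts


def format_event(alert):
    """Render an alert like the fraud.log line on the Results slide."""
    ts, user, ip, cc, reason = alert
    return (f"[{ts:%d-%m-%Y %H:%M:%S}] Suspicious activity detected for user {user} "
            f"via IP {ip} in {cc}: {reason}")


# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
2011-01-10 08:02:10 sslvpn: user=johndoe src=203.0.113.5 action=login
2011-01-10 09:15:00 sslvpn: user=alice src=10.1.2.3 action=login
2011-01-10 10:30:00 sslvpn: user=johndoe src=198.51.100.7 action=login
2011-01-10 12:00:00 sslvpn: user=alice src=203.0.113.9 action=login
2011-01-10 20:00:00 sslvpn: user=bob src=203.0.113.20 action=login
2011-01-11 02:10:00 sslvpn: user=bob src=192.0.2.44 action=login
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(format_event(alert))  # these are the lines OSSEC would watch for
```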