21. Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
LOG MANAGEMENT (LM)
Log collection
Centralized aggregation
Long-term log retention
Log rotation
Log search and reporting
Log analysis after storage
SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
Same functionality as “LM”
Standard correlation
Alerting
Dashboards
Retention (correlated events)
Forensic analysis
NEXT GENERATION SIEM (NGSIEM)
Same functionality as “SIEM”
Advanced correlation
Intelligence feed
Anomaly detection
Support for customization
Support for cloud deployment
Integration with security solutions
The Challenge
• Huge log volumes
• Log-format diversity
• Proprietary log formats
• False-positive log records
The Challenge
• Lack of an intelligence feed
• Intensive human analytics
• Lack of an incident workflow
• Rigid deployment scale
The Challenge
• Security analytic framework
• Storage architecture
• Actionable intelligence
• Implementer skillset
• ID management integration
38. • Condition 1
High inbound traffic from one source IP towards multiple ports
• Condition 2
High GET 200, GET 403, GET 404 request counts from the web server
Result: Correlate both Condition 1 & 2
Indicator of Compromise
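The two-condition rule on this slide, worked through as an added example (it is not from the original slides and not the NGSOC's own rule logic): it parses constructed firewall flow records and web-server access log lines, evaluates each condition per source IP, and raises only the IPs that satisfy both. The log layouts, the sample addresses, and the thresholds (10 distinct ports, 20 GET hits) are assumptions for the example; a real rule tunes them per environment.

```python
import re
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the slide.
MIN_DISTINCT_PORTS = 10   # condition 1: one source IP touching this many destination ports
MIN_WEB_HITS = 20         # condition 2: this many GET 200/403/404 from one client
WEB_STATUSES = {"200", "403", "404"}

# Assumed record layouts (constructed): key=value flow records, CLF-style access lines
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) [^"]*" (?P<status>\d{3})'
)

def parse_flow(line):
    """Return (src_ip, dst_port) from a firewall/flow record, or None if it does not match."""
    m = FLOW_RE.search(line)
    return (m.group("src"), int(m.group("dport"))) if m else None

def parse_access(line):
    """Return (client_ip, method, status) from an access log line, or None."""
    m = ACCESS_RE.match(line)
    return (m.group("ip"), m.group("method"), m.group("status")) if m else None

def condition1(flow_lines, min_ports=MIN_DISTINCT_PORTS):
    """Condition 1: inbound traffic from one source IP towards many ports."""
    ports = defaultdict(set)
    for line in flow_lines:
        rec = parse_flow(line)
        if rec:
            ports[rec[0]].add(rec[1])
    return {ip: len(p) for ip, p in ports.items() if len(p) >= min_ports}

def condition2(access_lines, min_hits=MIN_WEB_HITS):
    """Condition 2: a high count of GET 200/403/404 from one client on the web server."""
    hits = defaultdict(int)
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec[1] == "GET" and rec[2] in WEB_STATUSES:
            hits[rec[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def correlate(flow_lines, access_lines):
    """Result: a source IP that satisfies both conditions is raised as an IOC, with the evidence."""
    c1 = condition1(flow_lines)
    c2 = condition2(access_lines)
    return {ip: {"distinct_ports": c1[ip], "web_hits": c2[ip]}
            for ip in sorted(c1.keys() & c2.keys())}

def sample_flows():
    """Constructed flow records: one sweeping source, one ordinary client, one unparseable line."""
    lines = [f"2016-10-21T18:00:{i:02d} src=203.0.113.5 dst=198.51.100.10 dport={20 + i} bytes=60"
             for i in range(15)]
    lines += ["2016-10-21T18:05:00 src=198.51.100.77 dst=198.51.100.10 dport=443 bytes=1200",
              "2016-10-21T18:05:02 src=198.51.100.77 dst=198.51.100.10 dport=80 bytes=800",
              "junk line that does not parse"]
    return lines

def sample_access():
    """Constructed access lines: 24 GET hits from the sweeping source, a POST that is not counted."""
    statuses = ["200", "403", "404"]
    lines = [f'203.0.113.5 - - [21/Oct/2016:18:01:{i:02d} +0000] "GET /p{i} HTTP/1.1" {statuses[i % 3]} 512'
             for i in range(24)]
    lines += ['198.51.100.77 - - [21/Oct/2016:18:05:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
              '203.0.113.5 - - [21/Oct/2016:18:02:00 +0000] "POST /login HTTP/1.1" 200 128']
    return lines

if __name__ == "__main__":
    for ip, why in correlate(sample_flows(), sample_access()).items():
        print(f"IOC: {ip} -> {why}")
```

Either condition on its own fires on benign traffic (a port scan from a vulnerability scanner, a busy crawler hitting 404s); requiring both from the same source IP within the same window is what turns two noisy signals into one actionable indicator.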
40. DDoS attacks are not a new phenomenon, and we often hear of companies getting hit by these attacks. We need to
understand that before the Dyn DNS attack there were two major DDoS attacks: Brian Krebs (665 Gbps) and
OVH (1 Tbps).
Apparently, the attack on Krebs was a response to his blog post
in which he exposed the operators of the vDOS DDoS service.
41. This botnet of 145,607 cameras/DVRs (1-30 Mbps per IP) is able to send
>1.5 Tbps of DDoS traffic.
Type: tcp/ack, tcp/ack+psh, tcp/syn.
IOT BOTNET ATTACK
Device types in the botnet diagram: CCTV, IP camera, Smart TV, printer, media player.
42. MIRAI BOTNET DETECTION USING NGSOC
Most SOCs had actually detected the indicators of compromise upon
gathering intelligence from news feeds and forums ahead of the attack date.
The IOC hunting revealed that Mirai had been scanning for available IoT devices and
DNS servers within this region between July and October 2016. However, those
attempts were mainly dropped by the firewall.
Here is the chronology of detection at our SOC:
21 Oct 2016 7:00 PM DDoS started using Mirai at US…..
21 Oct 2016 6:24 PM Threat intelligence about Nyadrop IoT DDoS related
21 Oct 2016 5:00 PM All clients have been notified of the IOC results
21 Oct 2016 IOC hunting revealed that 191.96.249.29 and 93.158.200.66 had been
performing scans (ports UDP 53, 123, 19, 53413) in very small volume between 28 July
2016 and 11 October 2016
20 Oct 2016 1:19 AM Threat intelligence about Mirai IoT DDoS related
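A hunt for the low-volume, long-window scanning described in the chronology, as an added example that is not from the original slides and not the SOC's own tooling: it reads constructed firewall deny records, keeps only UDP denies on the four ports named above, and flags sources that keep recurring across many days at a few hits per day, the pattern a plain per-hour volume threshold never sees. The deny-log layout, the sample addresses and the thresholds (8 active days, 30-day span, at most 5 hits per day) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The ports come from the chronology; the thresholds are assumptions for this example.
WATCHED_UDP_PORTS = {53, 123, 19, 53413}
MIN_ACTIVE_DAYS = 8          # seen on at least this many distinct calendar days
MIN_SPAN_DAYS = 30           # first and last sighting at least this far apart
LOW_VOLUME_MAX_PER_DAY = 5   # never louder than this on any single day

# Assumed (constructed) firewall deny-record layout
DENY_RE = re.compile(
    r"^(?P<ts>\S+) action=deny proto=(?P<proto>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)"
)

def parse_deny(line):
    """Return (timestamp, proto, src_ip, dst_port) for a deny record, or None if it does not parse."""
    m = DENY_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("proto"),
            m.group("src"), int(m.group("dport")))

def summarize_watched_denies(lines):
    """Per source IP: denies per calendar day, and which watched UDP ports it touched."""
    per_src = defaultdict(lambda: {"days": defaultdict(int), "ports": set()})
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        ts, proto, src, dport = rec
        if proto != "udp" or dport not in WATCHED_UDP_PORTS:
            continue
        per_src[src]["days"][ts.date()] += 1
        per_src[src]["ports"].add(dport)
    return per_src

def hunt_low_and_slow(lines, min_active_days=MIN_ACTIVE_DAYS,
                      min_span_days=MIN_SPAN_DAYS, max_per_day=LOW_VOLUME_MAX_PER_DAY):
    """Flag sources that keep coming back over a long window without ever being loud."""
    findings = {}
    for src, info in summarize_watched_denies(lines).items():
        days = info["days"]
        first, last = min(days), max(days)
        if (len(days) >= min_active_days
                and (last - first).days >= min_span_days
                and max(days.values()) <= max_per_day):
            findings[src] = {
                "first_seen": first.isoformat(),
                "last_seen": last.isoformat(),
                "active_days": len(days),
                "total_hits": sum(days.values()),
                "ports": sorted(info["ports"]),
            }
    return findings

def sample_deny_log():
    """Constructed deny records: one slow scanner, one loud scanner, one benign one-off, one TCP deny."""
    lines = []
    start = datetime(2016, 7, 28, 3, 14, 7)
    for k in range(16):  # one probe every five days, 28 Jul to 11 Oct 2016, alternating ports
        ts = start + timedelta(days=5 * k)
        port = 53413 if k % 2 == 0 else 53
        lines.append(f"{ts.isoformat()} action=deny proto=udp src=203.0.113.9 dst=198.51.100.53 dport={port}")
    loud = datetime(2016, 9, 1, 10, 0, 0)
    for k in range(200):  # 200 probes in one morning: a plain volume rule catches this one instead
        ts = loud + timedelta(seconds=k)
        lines.append(f"{ts.isoformat()} action=deny proto=udp src=203.0.113.50 dst=198.51.100.53 dport=19")
    lines.append("2016-08-03T12:00:00 action=deny proto=udp src=198.51.100.20 dst=198.51.100.53 dport=123")
    lines.append("2016-08-03T12:00:01 action=deny proto=udp src=198.51.100.20 dst=198.51.100.53 dport=123")
    lines.append("2016-08-05T08:00:00 action=deny proto=tcp src=203.0.113.9 dst=198.51.100.53 dport=53413")
    return lines

if __name__ == "__main__":
    for src, detail in hunt_low_and_slow(sample_deny_log()).items():
        print(f"low-and-slow scanner: {src} {detail}")
```

The point of the span and active-day conditions is retention: a probe every few days is invisible in a dashboard that rolls up the last hour, and only becomes a signal when months of denied traffic are still searchable, which is exactly the long-term retention the LM and SIEM slides list.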