
9/13/2018

Which User and What Program Sent This Packet, and Should I be Concerned? Correlating Network Security Alerts with Host Logs for Full Traffic Attribution

Sponsored by

© 2018 Monterey Technology Group Inc.

Made possible by

Thanks to


Preview of key points

• Starting with a packet
• Which computer?
• Black box
• Log options
• Security Log
• Sysmon
• Let's do some network monitoring

Starting with a packet

Source IP, Port
Destination IP, Port


Which computer?

Internal IP, assigned by DHCP?
  yes: search DHCP server logs
  no: reverse DNS
Then consult the system logs of that computer to find which user/program.

Black box

Source IP, Port
Destination IP, Port
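The "which computer?" step above, worked as an added example (Python; this is not code from the webinar or from Monterey Technology Group). It assumes the Windows DHCP server audit-log CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, with event 10 = new lease, 11 = renew, 12 = release), constructed sample lines, and a hypothetical DHCP scope prefix; the lease that was active at the packet's timestamp is what matters, because the same address can be handed to a different machine later the same day.

```python
# Added example: attribute a source IP to a computer name by finding the DHCP
# lease active at the packet's time, falling back to reverse DNS for static IPs.
import csv
import io
import socket
from datetime import datetime
from typing import Optional

# Constructed sample in the Windows DHCP audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
DHCP_LOG = """\
10,09/13/18,08:02:11,Assign,10.45.45.103,ws-alice.lab.local,00155D01AA01
11,09/13/18,12:02:11,Renew,10.45.45.103,ws-alice.lab.local,00155D01AA01
12,09/13/18,17:30:00,Release,10.45.45.103,ws-alice.lab.local,00155D01AA01
10,09/13/18,17:45:09,Assign,10.45.45.103,ws-bob.lab.local,00155D01BB02
"""

LEASE_EVENTS = {"10", "11"}    # events that bind the address to a host
RELEASE_EVENTS = {"12"}        # events that free the address again


def lookup_dhcp(log_text: str, ip: str, when: datetime) -> Optional[str]:
    """Return the host name holding `ip` at time `when`, or None if no lease was active."""
    holder = None
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6 or row[4] != ip:
            continue
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        if ts > when:
            break              # the log is chronological; later entries do not apply
        if row[0] in LEASE_EVENTS:
            holder = row[5]
        elif row[0] in RELEASE_EVENTS:
            holder = None      # address returned to the pool; a later lease may reassign it
    return holder


def is_dhcp_range(ip: str, scopes=("10.45.45.",)) -> bool:
    # Assumption (hypothetical): the DHCP scope prefixes are known; static hosts live elsewhere.
    return ip.startswith(scopes)


def which_computer(ip: str, when: datetime, log_text: str = DHCP_LOG) -> str:
    """Resolve an internal IP to a computer name via DHCP history or reverse DNS."""
    if is_dhcp_range(ip):
        return lookup_dhcp(log_text, ip, when) or "unknown (no active lease at that time)"
    try:
        return socket.gethostbyaddr(ip)[0]   # PTR lookup for statically addressed hosts
    except (socket.herror, socket.gaierror, OSError):
        return "unknown (no PTR record)"


if __name__ == "__main__":
    for hhmm in ("13:00:00", "17:35:00", "18:00:00"):
        t = datetime.strptime(f"2018-09-13 {hhmm}", "%Y-%m-%d %H:%M:%S")
        print(hhmm, "->", which_computer("10.45.45.103", t))
```

Reverse DNS is only consulted for addresses outside the DHCP scopes, since a PTR record can lag behind a lease change and would silently name the wrong machine.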


Log options

• Windows Security Log
  • Built into Windows
• Sysmon
  • Requires installation
  • More filtering available
• Further filtering at source available with Windows Event Forwarding XPath queries

Windows Security Log

• Audit policy
• Events


Audit Policy

• Event logged when the Windows Filtering Platform:
  • Allows or blocks a connection
  • Permits or blocks a bind to a local port
  • Permits or blocks an application or service to listen on a port for incoming connections
• Success audits record events generated when connections are allowed; Failure audits record events generated when connections are blocked
• For our use case, disable Failure events


Events

5156: The Windows Filtering Platform has allowed a connection

The Windows Filtering Platform has allowed a connection.
Application Information:
    Process ID: 1752
    Application Name: \device\harddiskvolume1\...\dns.exe
Network Information:
    Direction: Inbound
    Source Address: 10.45.45.103
    Source Port: 53
    Destination Address: 10.45.45.103
    Destination Port: 50146
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 5
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

Sysmon

• Installation
  https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1438
• Configuration
• Events


Sysmon configuration

<Sysmon schemaversion="4.0">
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <Initiated condition="is">true</Initiated>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

Sysmon Event ID 3

Connection detected:
UtcTime: 2017-04-28 22:12:22.557
ProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ProcessId: 13220
Image: C:\Program Files (x86)\Google\Chrome\...\chrome.exe
User: LAB\rsmith
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.1.250
SourceHostname: rfsH.lab.local
SourcePort: 3328
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 104.130.229.150
DestinationHostname:
DestinationPort: 443
DestinationPortName: https


Tracing up the process lineage

• Which process started this process?
• Security Log Event ID 5156
  • Take the Process ID and search back in time for the most recent Event ID 4688 with the same Process ID
  • Look at parent process info
• Sysmon Event ID 3
  • Take the Process GUID and search for Event ID 1 with the same GUID
  • Look at parent process info

Agenda
• Tracing up the process lineage
• Gather more facts about the logon
• Network monitoring

Gathering more facts about the logon

• What type of logon?
• From where?
• How to do it
  • Take the logon ID from 5156 or 3
  • Search back in time through events from that computer for the most recent 4624 with the same Logon ID
  • Check out logon type and client info
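The two walks above (5156 back to its 4688 and on to the 4624, and Sysmon event 3 back to event 1) as one added example in Python; this is not code from the webinar. All records are constructed sample data shaped after the event fields shown on the slides. In this data the Logon ID used for the 4624 search is taken from the Subject fields of the 4688 record we land on, which is where 4688 reports it. The example also handles the edge case the "search back in time" wording guards against: a process ID reused after the connection must not be attributed to the packet.

```python
# Added example: Security Log 5156 -> most recent earlier 4688 (same PID) ->
# parent process and Subject Logon ID -> most recent earlier 4624 (same Logon ID);
# then the Sysmon walk from Event ID 3 to Event ID 1 by ProcessGuid.
from datetime import datetime
from typing import Dict, List, Optional

Event = Dict[str, object]

# Constructed Security Log records from one host, oldest first. 4688 reports the
# new process ID in hex; 5156 reports it in decimal, so normalise before comparing.
SECURITY_EVENTS: List[Event] = [
    {"id": 4624, "time": "2018-09-13 06:00:00", "LogonId": "0x3E7", "LogonType": 0,
     "TargetUserName": "SYSTEM", "IpAddress": "-", "WorkstationName": "-"},
    {"id": 4624, "time": "2018-09-13 07:58:00", "LogonId": "0x3E7C1", "LogonType": 10,
     "TargetUserName": "rsmith", "IpAddress": "10.45.45.50", "WorkstationName": "RS-LAPTOP"},
    {"id": 4688, "time": "2018-09-13 08:01:00", "NewProcessId": "0x6d8",
     "NewProcessName": "C:\\Tools\\old.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "SubjectLogonId": "0x3E7C1"},
    {"id": 4688, "time": "2018-09-13 08:10:00", "NewProcessId": "0x6d8",
     "NewProcessName": "C:\\Windows\\System32\\dns.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe", "SubjectLogonId": "0x3E7"},
    # PID 0x6d8 (1752) handed out again after the connection: a search that ignores
    # time would attribute the packet to the wrong program.
    {"id": 4688, "time": "2018-09-13 08:15:00", "NewProcessId": "0x6d8",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "SubjectLogonId": "0x3E7C1"},
]

# The 5156 we start from (process fields as on the slide; the time is constructed).
NET_EVENT: Event = {"id": 5156, "time": "2018-09-13 08:12:00", "ProcessID": "1752",
                    "ApplicationName": "\\device\\harddiskvolume1\\...\\dns.exe",
                    "Direction": "Inbound"}


def _t(ev: Event) -> datetime:
    return datetime.strptime(str(ev["time"]), "%Y-%m-%d %H:%M:%S")


def find_process_start(events: List[Event], net_event: Event) -> Optional[Event]:
    """Most recent 4688 for the same PID that happened at or before the 5156."""
    pid = int(str(net_event["ProcessID"]))
    when = _t(net_event)
    starts = [e for e in events
              if e["id"] == 4688 and int(str(e["NewProcessId"]), 16) == pid and _t(e) <= when]
    return max(starts, key=_t, default=None)


def find_logon(events: List[Event], logon_id: str, before: datetime) -> Optional[Event]:
    """Most recent 4624 with the same Logon ID at or before the process start."""
    logons = [e for e in events
              if e["id"] == 4624 and str(e["LogonId"]).lower() == logon_id.lower()
              and _t(e) <= before]
    return max(logons, key=_t, default=None)


def attribute_5156(events: List[Event], net_event: Event) -> Dict[str, object]:
    """Program, parent, account, logon type and client address behind a 5156."""
    start = find_process_start(events, net_event)
    if start is None:
        return {"process": None}
    logon = find_logon(events, str(start["SubjectLogonId"]), _t(start))
    return {
        "process": start["NewProcessName"],
        "parent": start["ParentProcessName"],
        "user": logon["TargetUserName"] if logon else None,
        "logon_type": logon["LogonType"] if logon else None,
        "from": logon["IpAddress"] if logon else None,
    }


# Sysmon side (constructed records): ProcessGuid identifies one process instance,
# so no time window is needed; find the Event ID 1 with the same GUID.
SYSMON_EVENTS: List[Event] = [
    {"id": 1, "ProcessGuid": "{a23eae89-bd28-5903-0000-00102f345d00}",
     "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "LAB\\rsmith", "LogonId": "0x3E7C1"},
    {"id": 3, "ProcessGuid": "{a23eae89-bd28-5903-0000-00102f345d00}",
     "DestinationIp": "104.130.229.150", "DestinationPort": 443, "User": "LAB\\rsmith"},
]


def attribute_sysmon(events: List[Event], net_event: Event) -> Optional[Event]:
    """Event ID 1 (process create) for the ProcessGuid carried by an Event ID 3."""
    return next((e for e in events
                 if e["id"] == 1 and e["ProcessGuid"] == net_event["ProcessGuid"]), None)


if __name__ == "__main__":
    print(attribute_5156(SECURITY_EVENTS, NET_EVENT))
    print(attribute_sysmon(SYSMON_EVENTS, SYSMON_EVENTS[1]))
```

The time bound in `find_process_start` is what makes the Security Log path reliable: PIDs are recycled, so "the most recent 4688 with that PID" must mean the most recent one before the connection, not the most recent one in the log. Sysmon's GUID removes that ambiguity, which is one of the reasons it is compared favourably later in the deck.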


Log options compared

Windows Security Log
• Configured with Group Policy
• Minimal granularity in which events logged
• Can be further filtered with WEC
• Doesn't log user name or DNS

Sysmon
• Must install and maintain configuration file
• Greater control over which events logged
• Can be further filtered with WEC
• Logs username and sometimes DNS

Let's do some network monitoring

• It all starts with network monitoring
• Liam Mayron from LogRhythm will discuss network monitoring and analysis, particularly alarms based on network traffic that can provide starting points for host attribution.
• Network traffic analysis can be the first sign of misuse or even compromised systems.
• We'll have a look at how a network monitoring tool can be configured to alert on relevant events, particularly those that can correlate to host information for an investigation.


Network Monitoring with LogRhythm

Liam Mayron
Senior Technical Product Manager, Network Monitoring

September 2018

Network Monitoring

Internet Egress Point
• Riskiest traffic is on the Internet
• Monitor applications in use by the enterprise
• Inside interface of the firewall

Network Segments
• Monitor all ingress/egress traffic on a segment
• Lateral movement
• Uplinks between distribution switches

[Diagram: mirror port on the firewall's inside interface / core switch; mirror port on the uplink between two distribution switches]

©LogRhythm 2018. All rights reserved. Company Confidential 20


Threat Hunting

[Screenshots: application bandwidth over time; application tag; detailed metadata]

Alerting on P2P traffic

[Screenshots: alarm rule configuration for P2P traffic]

What type of metadata?

Field              Value
Application        twitch
ApplicationFamily  Web
ApplicationPath    /ip/tcp/ssl/https/twitch
ApplicationTags    im_mc, social_network, web, mm_streaming
SrcIP
DestIP
SrcMAC
DestMAC
SrcPort            57,103
DestPort           443
TimeStart          September 8th 2018, 08:29:39.000
Duration           6:57:23
#TotalBytes        305.518KB
FieldCount         48
#TotalPackets      4,651
FlowClassified     true
MessageSize        172,404
PacketsDelta       70
Session
SrcBytes           305.518KB

Port misuse

• Port 88
  • 96.5% of traffic is Kerberos
  • What is the other 3.5%?
• Known usage of port 88
  • Kerberos
  • Infostealer.Likmet.A (trojan)
  • BackDoor-AXC (trojan)
  • Xbox games
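The port-misuse check above, as an added example in Python over constructed flow metadata (this is not LogRhythm code and does not use its API). It assumes classified flow records with the `Application`, `DestIP`, `DestPort` and `TotalBytes` fields seen on the metadata slide, a hypothetical per-port list of expected applications, and RFC 1918 space as the internal network. It builds the per-port application breakdown the slide shows for port 88 and then surfaces the flows whose application does not match the port, Internet-bound ones first.

```python
# Added example: application share per destination port, then flows whose
# classified application is not what that port is expected to carry.
import ipaddress
from collections import Counter
from typing import Dict, List

Flow = Dict[str, object]

# Constructed sample flows: 38 Kerberos flows to the domain controller on 88,
# two non-Kerberos flows to Internet hosts on 88, one HTTPS flow on 443.
FLOWS: List[Flow] = [
    {"SrcIP": f"10.45.45.{100 + i}", "DestIP": "10.45.45.10", "DestPort": 88,
     "Application": "kerberos", "TotalBytes": 1800}
    for i in range(38)
] + [
    {"SrcIP": "10.45.45.77", "DestIP": "203.0.113.9", "DestPort": 88,
     "Application": "unknown", "TotalBytes": 420000},
    {"SrcIP": "10.45.45.80", "DestIP": "198.51.100.4", "DestPort": 88,
     "Application": "xbox_live", "TotalBytes": 96000},
    {"SrcIP": "10.45.45.103", "DestIP": "104.130.229.150", "DestPort": 443,
     "Application": "https", "TotalBytes": 305518},
]

# Hypothetical expectation table: which classified applications belong on a port.
EXPECTED_ON_PORT: Dict[int, set] = {88: {"kerberos"}, 443: {"https", "ssl"}}

# Assumption: internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def port_profile(flows: List[Flow], port: int) -> Dict[str, float]:
    """Fraction of flows to `port` per classified application (the 96.5% / 3.5% view)."""
    counts = Counter(str(f["Application"]) for f in flows if f["DestPort"] == port)
    total = sum(counts.values())
    return {app: n / total for app, n in counts.items()} if total else {}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def port_misuse(flows: List[Flow], expected: Dict[int, set] = EXPECTED_ON_PORT) -> List[Flow]:
    """Flows on a watched port whose application is not expected there."""
    findings = []
    for f in flows:
        allowed = expected.get(int(str(f["DestPort"])))
        if allowed is None or f["Application"] in allowed:
            continue
        findings.append({**f, "external_destination": not is_internal(str(f["DestIP"]))})
    # Internet-bound misuse first, then by volume, so the analyst sees the worst first.
    findings.sort(key=lambda x: (not x["external_destination"], -int(str(x["TotalBytes"]))))
    return findings


if __name__ == "__main__":
    for app, share in sorted(port_profile(FLOWS, 88).items(), key=lambda kv: -kv[1]):
        print(f"port 88  {app:<10} {share:6.1%}")
    for f in port_misuse(FLOWS):
        print("misuse:", f["SrcIP"], "->", f["DestIP"], f["DestPort"], f["Application"])
```

The breakdown answers "what is the other 3.5%?"; the misuse list answers the follow-up question of which hosts produced it, and that source IP is the starting point for the DHCP and host-log attribution in the first half of the deck.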

Going deeper – automated detection

[Screenshots: automated detection rules]

Demo Time
