Intelligence Driven Intrusion Detection

Similar documents

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Network Security Monitoring

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Lesson 5: Network perimeter security

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

EZ Snort Rules Find the Truffles, Leave the Dirt. David J. Bianco Vorant Network Security, Inc. 2006, Vorant Network Security, Inc.

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Intrusion Detection in AlienVault

APPLICATION PROGRAMMING INTERFACE

Introduction of Intrusion Detection Systems

Network Security Monitoring

SHARING THREAT INTELLIGENCE ANALYTICS FOR COLLABORATIVE ATTACK ANALYSIS

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Dynamic Rule Based Traffic Analysis in NIDS

Network Security Monitoring: Looking Beyond the Network

Attackers are reusing attacks (because they work)

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Introduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network

Intro to Firewalls. Summary

Overview. Firewall Security. Perimeter Security Devices. Routers

Flow Analysis Versus Packet Analysis. What Should You Choose?

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Suricata IDS. What is it and how to enable it

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Analysis of Network Beaconing Activity for Incident Response

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

S N O R T I D S B L A S T C O U R S E

F-SECURE MESSAGING SECURITY GATEWAY

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

The MANTIS Framework Cyber-Threat Intelligence Mgmt. for CERTs Siemens AG All rights reserved

Bridging the gap between COTS tool alerting and raw data analysis

WHEN THE HUNTER BECOMES THE HUNTED HUNTING DOWN BOTNETS USING NETWORK TRAFFIC ANALYSIS

Who am I? BlackHat RSA

IBM SECURITY QRADAR INCIDENT FORENSICS

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

ΕΠΛ 674: Εργαστήριο 5 Firewalls

How To Protect A Network From Attack From A Hacker (Hbss)

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Network Intrusion Analysis (Hands-on)

_Firewall. Palo Alto. How Logtrust works with Palo Alto Networks

Cesario Di Sarno. Security Information and Event Management in Critical Infrastructures

Internet Security Firewalls

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Performing Advanced Incident Response Interactive Exercise

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Intrusion Detections Systems

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

All Information is derived from Mandiant consulting in a non-classified environment.

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Cisco Application Networking for IBM WebSphere

JOOMLA REFLECTION DDOS-FOR-HIRE

Network Layers. CSC358 - Introduction to Computer Networks

Unified Security, ATP and more

SECURITY ADVISORY FROM PATTON ELECTRONICS

On-Premises DDoS Mitigation for the Enterprise

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Scalable Extraction, Aggregation, and Response to Network Intelligence

Network Security Management

Technical Note. ForeScout CounterACT: Virtual Firewall

Security Onion. Peel Back the Layers of Your Network in Minutes. Doug Burks

Using Jquery with Snort to Visualize Intrusion

First Line of Defense

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Network Metrics Content Pack for VMware vrealize Log Insight

IDS / IPS. James E. Thiel S.W.A.T.

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Palo Alto Networks. October 6

Securing Local Area Network with OpenFlow

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Missing the Obvious: Network Security Monitoring for ICS

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

Network Monitoring for Cyber Security

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

Snort ids. Alert (file) Fig. 1 Working of Snort

Memory Forensics & Security Analytics: Detecting Unknown Malware

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Concierge SIEM Reporting Overview

Basics of Internet Security

Firewalls. Chapter 3

Transcription:

Intelligence Driven Intrusion Detection Matthias Wübbeling: matthias.wuebbeling@cs.uni-bonn.de Arnold Sykosch: sykosch@cs.uni-bonn.de Friedrich-Wilhelms-Universität Bonn: Working Group IT Security Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE: Cyber Security Department

OVERVIEW Threat Intelligence in a Nutshell Exchange of TI Utilization of TI STIX2Suricata STIX2GRR 2

Threat Intelligence in a Nutshell What do you need TI for? Identify emerging threats before being targeted by an attacker. Share intelligence information of ongoing or finished attacks. Common sense: To survive, a gazelle must run faster than the slowest gazelle. 3 (image from http://quoteinvestigator.com) Common sense is not so common (unknown source). How about this quote in the field of Internet attacks / APT?

Threat Intelligence in a Nutshell How about the hunters and the hunted in the Internet age? To survive: You have to be faster than the fastest attacker! 4

Threat Intelligence in a Nutshell How about the hunters and the hunted in the Internet age? To survive: You have to be faster than the fastest attacker! Common goal: Being faster than 85%-99% of the attackers. 5

Exchange of Threat Intelligence Common data exchange format: XML Existing standards for TI data: OpenIOC STIX/CybOX OpenIOC OpenIOC is an extensible XML schema for the description of technical characteristics that identify a known threat, an attacker s methodology, or other evidence of compromise. OpenIOC was created by MANDIANT (www.openioc.org) STIX/CybOX Developed by MITRE. At least as expressively as OpenIOC. Therefore: => we use STIX/CybOX. How to get Threat Intelligence? Become part of a TI sharing community Buy TI feeds or get the free ones (e.g. from hailataxii.com) 6

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? 7

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! 8

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? 9

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. 10

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. Beg the vendor or your appliance to implement STIX/CybOX? 11

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. Beg the vendor or your appliance to implement STIX/CybOX? Sure you do! Will take a while. 12

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. Beg the vendor or your appliance to implement STIX/CybOX? Sure you do! Will take a while. Map STIX/CybOX information to the applications /appliances configuration! 13

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. Beg the vendor or your appliance to implement STIX/CybOX? Sure you do! Will take a while. Map STIX/CybOX information to the applications /appliances configuration! Might be a good chance to get it now! 14

Utilization of Threat Intelligence How to use Threat Intelligence to protect your infrastructure? Have an employee consuming TI the whole day extracting the relevant information? Better not! Enable your security equipment to understand STIX/CybOX? Not possible if you use security appliances. Beg the vendor or your appliance to implement STIX/CybOX? Sure you do! Will take a while. Map STIX/CybOX information to the applications /appliances configuration! Might be a good chance to get it now! We just started to map STIX to a Host and a Network IDS: Suricata (NIDS; same rule syntax as SNORT) GRR Rapid Response (HIDS; hunting for artifacts ) 15

STIX2Suricata Goal: Generate Suricata rules based on STIX/CybOX TI. 1 st Step: Identify relevant data fields in STIX/CybOX. 2 nd Step: Mapping identified fields to Suricata rule elements. 3 rd Step: Implement tool for automated rule generation. STIX/CybOX elements relevant for network intrustion detection systems: Address, NetworkConnection, Packet, Port, Socket ArchiveFile, DNSQuery, DNSRecord, DomainName, EmailMessage, File, Hostname, HTTPSession, Link, NetFlow, URI, X509Certificate 16

STIX2Suricata Suricata rule syntax: <Action> <Header> <Options> 17

STIX2Suricata Suricata rule syntax: <Action> <Header> <Options> <Action> Pass Drop Reject Alert 18

STIX2Suricata Suricata rule syntax: <Action> <Header> <Options> <Action> Pass Drop Reject Alert <Header> Protocol: (IP/UDP/TCP + some application layer protocols) Source IP-Address Source TCP/UDP-Port Direction of traffic Destination IP-Address Destination TCP/UDP-Port STIX2Suricata mapping for <Header> elements: Address, NetworkConnection, Packet, Port, Socket 19

STIX2Suricata <Header> mapping example: STIX/Cybox data: <indicator:observable id="example:observable-1c798262-a4cd-434d-a958-884d6980c459"> <cybox:object id="example:object-1980ce43-8e03-490b-863a-ea404d12242e"> <cybox:properties xsi:type="addressobject:addressobjecttype" category="ipv4-addr"> <AddressObject:Address_Value condition="equals" apply_condition="any"> 10.1.0.1##comma##10.2.0.2##comma##10.3.0.3 </AddressObject:Address_Value> </cybox:properties> </cybox:object> </indicator:observable> 20 Resulting Suricata rule: alert ip [10.1.0.1, 10.2.0.2, 10.3.0.3] any <> any any (<Options>)

STIX2Suricata Suricata rule syntax: <Action> <Header> <Options> <Options> msg sid rev gid classtype reference priority metadata content STIX2Suricata mapping for <Options> elements: ArchiveFile, DNSQuery, DNSRecord, DomainName, EmailMessage, File, Hostname, HTTPSession, Link, NetFlow, URI, X509Certificate 21

STIX2Suricata <Options> mapping example: STIX/Cybox data: <EmailMessageObj:Header> <EmailMessageObj:From category="e-mail"> <AddressObj:Address_Value condition="startswith"> match@state.gov </AddressObj:Address_Value> </EmailMessageObj:From> </EmailMessageObj:Header> <cybox:related_objects> <cybox:related_object> <cybox:properties xsi:type="fileobj:fileobjecttype"> <FileObj:File_Extension>pdf</FileObj:File_Extension> <FileObj:Size_In_Bytes>87022</FileObj:Size_In_Bytes> </cybox:properties> </cybox:related_object> </cybox:related_objects> 22 Resulting Suricata rule: alert tcp any any <> any any (msg:"stix2suricata: Malicious Email"; flow:established; content:from: match@state.gov; nocase; fileext:"pdf"; sid:513000; )

STIX2Suricata Current development status: Python prototype maps data relevant for NIDS to Suricata rules. Integration into [large company name here] Threat Intelligence tool. 23

STIX2GRR GRR Rapid Response (GRR) GRR is forensic framework focused on scalability enabling powerful analysis. (https://github.com/google/grr) A forensic framework is not a Host IDS!!!11? But: It is possible to use GRR to remotely get the state of host systems. Why GRR and not OSSEC or similar? GRR is state based as STIX/CybOX data is 24 GRR is hunt based Define artifact to look for. Select target hosts. Start hunt. Wait for rapid responses.

STIX2GRR GRR Rapid Response (GRR) GRR is highly extensible and written in python. 25 Image from: https://github.com/google/grr

STIX2GRR Mapable STIX/CybOX data fields: WindowsDriver, ArchiveFile, File, ImageFile, PDFFile, UnixFile, WindowsExecutableFile, WindowsFile, Mutex, Address, DomainName, DNSQuery, EmailMessage, HTTPSession, NetworkConnection, SocketAddress, URI, Process, UnixProcess, WindowsProcess, WindowsRegistryKey Goal: Generate hunts for given STIX/CybOX TI data: 1 st Step: Identify relevant data fields in STIX/CybOX. 2 nd Step: Mapping identified fields to artifacts. 3 rd Step: Implement tool for automated hunt generation (+ artifact support). 26

STIX2GRR Current development status: Python prototype maps data relevant for HIDS and creates hunts directly in GRR server system. Integration into [large company name here] Threat Intelligence tool. 27

Conclusion Identified relevant Objects in STIX/CybOX. Created mapping for STIX/CybOX => (N H)IDS. Implemented prototype as proof-of-concept. Integrated it into a TI management framework. 28

Questions? Thank you very much for your attention 29 Credits: Image Lion and Gazelle from quoteinvestigator.com. Image GRR hunt from github.com/google/grr Other images from pixabay.com (CC License)