Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

Similar documents
Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

SANS Top 20 Critical Controls for Effective Cyber Defense

Common Event Expression

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Subject: Request for Information (RFI) Franchise Tax Board (FTB) Security Information and Event Management (SIEM) Project.

The Ontological Approach for SIEM Data Repository

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Concierge SIEM Reporting Overview

Solicitation RFI-FTB-1415-SIEM Project. SIEM Project. Bid designation: Public. State of California

UNDERSTANDING EVENT CORRELATION AND THE NEED FOR SECURITY INFORMATION MANAGEMENT

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Audit Logging. Overall Goals

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

How To Use A Policy Auditor (Macafee) To Check For Security Issues

The Comprehensive Guide to PCI Security Standards Compliance

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

High End Information Security Services

Network Security Monitoring: Looking Beyond the Network

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

How To Protect A Network From Attack From A Hacker (Hbss)

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Cyber Security Metrics Dashboards & Analytics

Tivoli Security Information and Event Manager V1.0

Campus. Impact. UC Riversidee Security Tools. Security Tools. of systems

Guideline on Auditing and Log Management

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

The SIEM Evaluator s Guide

CorreLog Alignment to PCI Security Standards Compliance

Secunia Vulnerability Intelligence Manager (VIM) 4.0

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

Fast Innovation requires Fast IT

Powerful Management of Financial Big Data

Monitoring Microsoft SQL Server Audit Logs with EventTracker The Importance of Consolidation, Correlation, and Detection Enterprise Security Series

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

Cloud Customer Architecture for Web Application Hosting, Version 2.0

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Corporate Security Intelligence Services

Architecture Overview

THE TOP 4 CONTROLS.

Mark S. Orndorff Director, Mission Assurance and NetOps

Where can I install GFI EventsManager on my network?

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

LogRhythm and PCI Compliance

Mitra Innovation Leverages WSO2's Open Source Middleware to Build BIM Exchange Platform

Information Technology Policy

Log Management, Compliance and Auditing

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

How To Monitor Your Entire It Environment

End-user Security Analytics Strengthens Protection with ArcSight

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium

Developing Microsoft SharePoint Server 2013 Advanced Solutions

GFI White Paper PCI-DSS compliance and GFI Software products

Everything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Common Event Format. Imperva SecureSphere July 27, 2009

Managing your Red Hat Enterprise Linux guests with RHN Satellite

How To Protect A Web Application From Attack From A Trusted Environment

Firewall Builder Architecture Overview

Critical Controls for Cyber Security.

ARF, ARCAT, and Summary Results. Lt Col Joseph L. Wolfkiel

How to Secure Your SharePoint Deployment

Where can I install GFI EventsManager on my network?

CERTIFIED MULESOFT DEVELOPER EXAM. Preparation Guide

Developing Microsoft SharePoint Server 2013 Advanced Solutions MOC 20489

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

GFI Product Manual. Administrator Guide

GFI Product Manual. Administrator Guide

IMPLEMENTING FORENSIC READINESS USING PERFORMANCE MONITORING TOOLS

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

MD Link Integration MDI Solutions Limited

IONA Security Platform

Towards security management in the cloud utilizing SECaaS

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Simple Network Management Protocol

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Log Audit Ensuring Behavior Compliance Secoway elog System

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Avaya TM G700 Media Gateway Security. White Paper

Intrusion Detection in AlienVault

Introduction to Network Discovery and Identity

Avaya G700 Media Gateway Security - Issue 1.0

OWASP Logging Project - Roadmap

ILM et Archivage Les solutions IBM

QRadar SIEM 6.3 Datasheet

Raytheon Oakley Systems

Cesario Di Sarno. Security Information and Event Management in Critical Infrastructures

CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP. Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

SHARING THREAT INTELLIGENCE ANALYTICS FOR COLLABORATIVE ATTACK ANALYSIS

Continuous Monitoring

Course 20489B: Developing Microsoft SharePoint Server 2013 Advanced Solutions OVERVIEW

PCI Requirements Coverage Summary Table

Injazat s Managed Services Portfolio

Capacity Plan. Template. Version X.x October 11, 2012

Transcription:

Automating Attack Analysis Using Audit Data Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

2 Introduction Audit logs are cumbersome and traditionally used after the fact for forensics analysis. Computer Network Defense (CND) situational awareness would be greatly improved if there was a way to automate audit log analysis in near real time. This presentation describes a task currently underway at NSA to address this perceived situational awareness gap through efficient analysis of audit log data.

3 Nonstandard Audit Log Formats are a Problem Log Repository Log Repository Log Repository No Standard Syntax No Common Normalization No Standard Transport

Objectives The overall objective of this task is to architect and execute a reference implementation system that will allow the analyst to extract, aggregate, normalize, and pre-screen audit data for attack signatures. A Proof-of-Concept showed that we can deploy a generic tap on network platforms and that specific log data elements can be extracted, normalized to a draft Common Event Expression (CEE) format, and then be matched against pre-determined attack patterns in near real time. Future signatures will enable further audit policy enhancements through focusing on collecting and analyzing only those data elements relevant for specific uses. 4

5 Proposed Module Multi- Platform Architecture Hub Firewall Host Based Security System Server (HBSS epo) Repository for Correlation and Analysis Capability DMZ Network Server Web Server Enclave Router Workstation Printer

6 Program Phases What Does It Take to Get There? Secure Automated Data Extraction: Applicable for CND and Network Operations - Determine the specific log data elements - Requires use case signature development Data Normalization: Common data dictionary to support multiple platforms - Enables enhanced multi-platform signature development Intelligent Data Storage: - Data compression - Data provenance - Data security - Privilege management Phase I (Initial Proof-of-Concept) Install extraction module on MS Windows workstations Extract selected data elements and all log data from sample network Parse date elements against a normalized CEE draft data dictionary Develop and apply example use case attack signatures against the extracted data Identify example attacks from log data in near-real time Phase II (Multi-Platform Proof of Concept) Install extraction module on additional network platforms (LINUX workstations, CISCO Routers, Web Servers) Securely extract and normalize to CEE selected data elements from multiple network platforms and store in Tier 3 SIM Evaluate Tier 3 SIM capabilities Develop and apply example use case attack signatures against the extracted data Use patterns to identify example attacks in near-real time Potentially may deploy and extract data from HBSS AEM module Phase III (System Integration) Deploy host modules through existing agent architectures Deploy extraction module to other network platforms Securely extract and intelligently store data to Tier 3 SIM Data reduction, compression, provenience Privilege management control to access data Integrate into existing architectures Develop and use EMAP language with CEE

Current Development Activities Phase 1 (Proof of Concept) Research, collect and generate attack use cases. Define the necessary data elements required, their location, and the sequence to validate the use case (the signature). Initial research addressed attacks against Windows and Linux workstations, IIS and Apache Webservers, and CISCO Routers. Develop a means to automatically extract log and log-like data elements.

8 Use Case Template 1 USE CASE NAME - (Insert Uniquely Identifiable Meta-data) SCOPE Summary: 1-3 SENTENCES Importance: Critical Essential Expected Desired Optional Priority: Critical Essential Expected Desired Optional Use Frequency: Always Often Sometimes Rarely Once Threat Actor Threat Activity Stakeholder LE/CI/CNDSP/OTHER achievable outcome Alt Stakeholder LE/CI/CNDSP/OTHER Responder Actors: Enablers supporting stakeholder PRECONDITION (Prereq) State what special and interesting standards or configurations must be true for this particular case to work Success - end condition Primary stakeholder s goal is satisfied Event Trigger 1. Main Success Scenario: 1. STEP principal actor does something 2. STEP system response Alternative "index" Scenario Extensions: BRANCH CONDITION 1. ALTERNATIVE STEP 2. ALTERNATIVE STEP 2. desired quality or technological limitation Special Requirements Assumptions: 1. Variations 2. possible change in technology or data format Post-conditions List the interesting things that are true after a scenario is completed. Notes and Questions NOTE: Open issues to research NOTE: QUESTION: QUESTION Mitigation

9 Detailed Use Case Title: Suspicious File Access Reference Use Case # #11724 Audit Data Sequence Audit Data Elements Operating System or Application Source Platform #1 2005-08-26 18:33:30 W3SVC68783193 SBS2003 192.168.2.2 GET /images/ - 80-192.168.2.1 HTTP/1.1 403 14 5 412 433 #2 2005-08-26 18:33:30 W3SVC68783193 SBS2003 192.168.2.2 GET /images/a_secured_file.doc 80 192.168.2.1 HTTP/1.1 403 02 5 412 433 #3 2005-08-26 18:33:30 W3SVC68783193 SBS2003 192.168.2.2 GET /images/a_secured_file.doc - 80 192.168.2.1 HTTP/1.1 401 03 5 412 433 #4 Security ID: SBS2003\A_User_Account Account Name: A_User_Account Account Domain: W3SVC68783193 Logon ID: 0x1fd23 Object: IIS IIS IIS Windows 2008 Web Server Web Server Web Server Web Server

10 Extraction Module Capabilities 1.Can extract from a wide range of data sources and log like file types using a single deployed generic agent. Arbitrarily-formatted logs/files. File system entities SQL databases. Operating system utilities, APIs and external programs, including Windows event logs. 2.Flexible and readily configurable regular expression parsing of arbitrarily-formatted text extracted from files, processes, OS utilities, etc. 3.Configurable SQL extraction from SQL databases. 4.Configurable normalization of captured data through mapping to user-defined data elements.

11 Additional Unique Capabilities 5. Plug-in interface for data transformations and generation of derived data elements from one or more extracted elements. e.g. white/black lists. 6. Plug-in interface for key-value lookup of related data from a cache, which can be maintained dynamically (i.e. not just a static lookup table). 7. Modular, integrated rule-based aggregator/correlator. 8. User-defined rules implemented by SQL database back-end. Point-and-click rule builder.

12 Module Architecture Data Extraction Agent (Tap) Secure Network Transport (TLS, other) Data Delivery, Transformation & Fusion Agent (Bridge) Map to normalized data elements Map to destination data structure Source Database Log XML Process Destination Database Log XML Process

13 Current False Positives Reduction Measures already implemented in Tap module Deliberate audit settings. Aggregating like events within limited time interval. Address limited number of high priority scenarios. Filter out events of low interest by signature, category. Filter on event content.

14 Future False Positives Reduction Measures to be implemented in Tap module Screen single events based on combinations of attribute values (e.g. user <> acted-on user). Stateful capability to detect event sequences within limited time window. Apply thresholds e.g. report after accesses to > 3 different files of other user. Plug-in interface for analysis modules.

15 Next Development Steps Phase II (Multi-Platform Proof of Concept) Refine use cases for other platforms and for multiplatform use cases. Deploy module on multiple network platforms and extract additional log data elements. Investigate legacy or new Tier-3 data repository capabilities to accumulate extracted, parsed, and normalized audit log data.

16 Initial Proof-of-Concept Data Flow Enterprise Level Collection Policy EMAP Compliant The The analyst is is automatically alerted. Local Enclave Level Collection Policy Log Log audit audit event is is normalized and and stored. Data Normalization (CEE)) Signature Detection Log Storage (Near Term) Module Sink Future Reduction/ Compression Protected Data Transport Device Level Policy requires new new detection signature Data Extraction Log Sources A user user performs a suspicious or or malicious activity. Representative Platforms

17 Future Development Steps Phase III (System Integration) Develop network operational use cases. Develop and deploy extraction modules on additional platform types. Develop an integrated storage architecture: Develop data reduction and compression techniques. Incorporate data provenance Incorporate privilege management Integrate into various architectures Ensure CEE and EMAP acceptance by industry

18 Common Event Expression Common Event Expression (CEE): A Standard Log Language for Event Interoperability in IT Systems Standardizes how computer/device events are described, logged, and exchanged. Led by MITRE, numerous Government and vendor organizations are supporting the CEE working group to mature the CEE standard. NSA is engaged with NIST to mature and validate the standard.

19 CEE Basic Components CEE differs from other log standards in that it breaks the recording and exchanging of logs into four (4) components: Event Taxonomy Specifies the type of event. A reduced language set or event listing can be used to ensure that all events of the same type are recorded in the same way. Log Syntax How the event and its details are recorded. The syntax could be a binary encoded, XML, or other text-based specification, and allows the data to be unambiguously parsed from the logs. To maintain consistency and compatibility among the different syntaxes, CEE provides a data dictionary. The dictionary contains the unique syntax identifiers along with their meaning, format, and usage suggestions. Log Transport The transport simply defines how the logs are transmitted. Logging Recommendations A collection of logging best practices and log-related information. While not a standard itself, it is a complementary portion of CEE to ensure maximum utility.

UNCLASSIFIED//FOR OFFICIAL USE ONLY Sample CEE Data Dictionary *field name* *data type* *Explanation* actedon_user string User name that is being acted upon. action string The action as reported by the logging device. app string application layer protocol--e.g. HTTP, HTTPS, SSH, IMAP. bytes_in number How many bytes this device/interface took in. bytes_out number How many bytes this device/interface sent out. category string A category that a device may have assigned an event to. channel string 802.11 channel number of a wireless transmission count number The number of times the event has been seen. cve string CVE vulnerability reference. database_name string Name of a database. database_table string Name of a database table. database_query string Query issued against a database. delay integer Delay in seconds. UNCLASSIFIED//FOR OFFICIAL USE ONLY 20

21 EMAP/OEEL 2. The profile & refined log data are fed as inputs to OEEL Profile Logging Device 1. Common Event Filter Enumeration (CEFE) and Common Event Rule Enumeration (CERE) are used to match signature patterns and reduce the volume of log data Audit Data 4. Using a device profile, OEEL transforms the proprietary log format of legacy devices into CEE compliant output SCAP Data 3. Relevant Security Content Automation Protocol (SCAP) data may be included as input to OEEL. Open Event Exchange Language CEE Compliant Data 5. CEFE and CERE are used to perform multi-platform pattern matching and reduce the volume of log data and perform pattern matching at the storage level CEE Storage & Data Management CEE Compliant Data 6. In CEE compliant form, the data is now stored in a standardized format for retrieval and use by various stakeholders Tools for Data Analysis Alerts & Findings Users of Audit Data & Analysis Findings 7. Users such as Network Operations, Computer & Network Defense (CND), Forensics, and others leverage the data and analysis Collection of Audit Data Data Management for Audit Data Analysis of Audit Data

22 Enhanced AM Environment DOD Top Enterprise Level Collection Policy Analysts Publish/Subscribe Query/Response Enterprise Level Collection Policy EMAP Analysts Publish/Subscribe Query/Response EMAP Audit Log Management System Event Exchange Interface Enclave Level Collection Policy Normalization (Legacy) Archived Logs (Near Term) Archived Logs (Long Term) Reduction/ Compression Device Level Log Sources (CEE Based)

23 Physical Components Aug 09 Oct 09 Dec 09 FY 10 Future Current use cases detect events based on insider threats. Host Platform Workstation Audit Data & Pattern Alerts DoD Collector/Processor Pattern Matches Auditable Activities Network Platform (Generic) Audit Data Bridge Processor/ Storage Pattern Matches Log Data Analyst (Local CERT) Digital Policy Translation & Management AM Temp Storage Tier 3 SIM* Data Management, Authorization, (Publish/Subscribe/Discover) To Users User Queries Long Term Storage & Archive Local Audit Manager Interface Note: Multi-platform pattern matching performed at Security Information Manager (SIM/SIEM)

24 Approximate Schedule Phase 1 Phase 2 Phase 3 Data Capture for Workstation Log and Log-like Data Elements Pre-Proof of Concept Workstation Data Element Pattern Matching to Reduce False Positives Multi-Platform Data Capture and Large Scale Pattern Matching on Log Data Repository T3 SIM Integration, Data Provenance, Secure Storage, Transport using EMAP Data normalization to DRAFT CEE Demonstration of Workstation Capability CEF Normalized to CEE Standard Vetted CEE Standard FY2009 FY2010 FY2011 DEU/AEM Development HBSS Network Piloting Workstations/Web Servers Architecture Integration

Questions? Dr. Bruce Gabrielson bcgabri@nsa.gov

26 Definitions Logs This includes audit logs, event logs, system logs, etc. that can be retrieved from routers, servers, web servers, firewalls, and workstations. Logs contain a history of events that have occurred on a device. Normalization The process where each log data field is converted to a particular data representation and categorized consistently. In our context, this is where event log data from dissimilar systems are converted into a common event exchange language. Aggregation The act of collecting data or logs. An aggregator can be on a specific host or device in order to collect logs or logs can be sent from multiple hosts and the aggregation can be done on a centralized location or SIM. Data Reduction Process where unneeded data elements/fields are removed from logs in order to reduce storage as well as minimize analytical overhead. Compression Storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents. SIM A Security Information Manager (also sometimes called a SEIM or SEM) is a centralized collection point where data is aggregated, normalized, compressed and stored.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information