Beyond Check The Box

Similar documents
Beyond 'Check The Box': Powering Intrusion Investigations Jim Aldridge 11 March 2014

Critical Security Controls

The SIEM Evaluator s Guide

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

White Paper. Deploying EUM. SurfControl Web Filter for MS Windows. rev. 1.1, January Enterprise Threat Protection

Enabling Security Operations with RSA envision. August, 2009

GFI White Paper PCI-DSS compliance and GFI Software products

Top 20 Critical Security Controls

ACS Noise Filter Guide

SANS Top 20 Critical Controls for Effective Cyber Defense

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Automate PCI Compliance Monitoring, Investigation & Reporting

Goals. Understanding security testing

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

Auburn Montgomery. Registration and Security Policy for AUM Servers

Concierge SIEM Reporting Overview

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data

Introduction of Intrusion Detection Systems

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

QRadar SIEM 6.3 Datasheet

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Performing Advanced Incident Response Interactive Exercise

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Architecture Overview

4. Getting started: Performing an audit

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

All Information is derived from Mandiant consulting in a non-classified environment.

Scalability in Log Management

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

3 BIG DATA SECURITY ANALYTICS TECHNIQUES YOU CAN APPLY NOW TO CATCH ADVANCED PERSISTENT THREATS

SUPPLIER SECURITY STANDARD

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Vendor Questionnaire

Defending against Cyber Attacks

Chapter 9 Firewalls and Intrusion Prevention Systems

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Centre for the Protection of National Infrastructure Effective Log Management

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

DIR Contract Number DIR-TSO-2621 Appendix C Pricing Index

Configuration Information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

FIVE PRACTICAL STEPS

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Network Instruments white paper

Locking down a Hitachi ID Suite server

Achieving PCI-Compliance through Cyberoam

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

SonicWALL PCI 1.1 Implementation Guide

74% 96 Action Items. Compliance

How To Manage Security On A Networked Computer System

THE BEST WAY TO CATCH A THIEF. Patrick Bedwell, Vice President, Product Marketing

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

CALNET 3 Category 7 Network Based Management Security. Table of Contents

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES


Hosts HARDENING WINDOWS NETWORKS TRAINING

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Security Event Management. February 7, 2007 (Revision 5)


Log Management for the University of California: Issues and Recommendations

White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements

Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

Global Partner Management Notice

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

IBM. Vulnerability scanning and best practices

A Decision Maker s Guide to Securing an IT Infrastructure

Software that provides secure access to technology, everywhere.

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Fuzzy Network Profiling for Intrusion Detection

Windows Log Monitoring Best Practices for Security and Compliance

PCI DSS Reporting WHITEPAPER

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

RSA Security Analytics

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Fortinet Solutions for Compliance Requirements

Audit Policy Subcategories

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Lesson 5: Network perimeter security

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

APPLICATION PROGRAMMING INTERFACE

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Section 12 MUST BE COMPLETED BY: 4/22

Transcription:

Beyond Check The Box Powering Intrusion Investigations PRESENTED BY: Jim Aldridge 27 MARCH 2014

Five Important Capabilities Mapping an IP address to a hostname Identifying the systems to which a specified account authenticated Determining the systems that communicated with a specified Internet IP address Tracking domain name resolution attempts Identifying indicators of compromise across the environment 2

Big-Picture Incident Response Questions 1. What information was exposed? 2. Do I need to notify regulators or customers? 3. What is the extent of the compromise? 4. How much money did we lose? 5. How did the attacker gain entry? 6. How do we effectively stop the attack and remove the attacker? 3

Investigative Questions When and what was the earliest evidence of compromise? How did the attacker gain entry? What is the latest evidence of attacker activity? What systems are (or were previously) under the attacker s control? What systems did the attacker access? What actions did the attacker execute on the systems with which he interacted? How does the attacker maintain access to the environment? How does the attacker operate inside of the environment? What tools has the attacker deployed? What accounts did the attacker compromise? 4

#1: Mapping an IP address to a hostname Ensure the logs are enabled DHCP audit logs are located by default at %windir%\system32\dhcp (Win2k8) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\DHCPServer\Parameters\DhcpLogFilesMaxSize (max size in MB) Reference: http://technet.microsoft.com/enus/library/cc726869(v=ws.10).aspx Absent logs, leverage config management software or antivirus to log the changing IP address to hostname mappings Collect logs, make searchable, and archive SIEM (ideal) Scheduled task to copy log files off and compress to a central file share daily PowerGREP is your friend 5

#2: Systems to which a specified account authenticated Log authentication events On all systems! Successful more important than failed Very important, even if you do not have a way to search or aggregate them At a minimum, push domain controller logs into a SIEM Or copy off logs to a central location for manual searching This will enable querying Kerberos Service Tickets Realize that you don t have visibility into local account activity Can make up for that by querying data on individual systems, under Capability #5, but only if you have been logging the data already 6

Authentication-related Logging Recommendations Audit Setting Scope Important EIDs Account Logon: Audit Credential Validation Success Failure All 4776 (Account validated) Account Logon: Audit Kerberos Authentication Service Success Domain Controllers 4768 (Kerberos TGT requested) Account Logon: Audit Kerberos Service Ticket Operations Success Domain Controllers 4769 (Kerberos service ticket requested) Account Logon: Audit Other Account Logon Events Success All 4778 (session reconnected to window station) Logon/Logoff: Audit Account Lockout Success All 4625 (account locked out) Logon/Logoff: Audit Logoff Success All 4634, 4647 (account logged off) Logon/Logoff: Audit Logon Success / Failure All 4624, 4648 (account logged on, explicit credentials logon) *Windows 7/2008; reference: http://technet.microsoft.com/en-us/library/dd772662(v=ws.10).aspx *Also reference Randy Franklin Smith s UltimateWindowsSecurity.com site for great descriptions of event IDs: http://www.ultimatewindowssecurity.com/default.aspx 7

#3: Determining the systems that communicated with a specified Internet IP address Log firewall accepts or NetFlow for outbound traffic If the volume of data becomes prohibitive Filter out events associated with the most common legitimate destinations Avoid filtering out ranges associated with open-to-the-public hosting environments, could be used for hosting C2 Test the scenario where you query this data to identify communications with an IP address Ensure you have DHCP logs and can determine the source host name Implement alerting capability 8

#4: Tracking domain name resolution attempts If the volume of data becomes prohibitive Filter out events associated with internal name lookups and top known-good domains Block resolution of dynamic DNS names 9

#5: Identifying indicators of compromise across the environment Host-based or network-based artifacts May be artifacts associated with a specific attacker or intrusion May be general conditions indicating malicious activity Without a purpose-built tool to fulfill this need: Antivirus System/configuration management software Email system logs NIDS SIEM Vulnerability scanners PowerShell/WMI 10

Conclusions Develop IR use cases, conduct simulations Determine what capabilities _you_ need in your environment for the types of threats you face Define requirements for new roles, processes, and tools Ensure you are measuring something useful Mean-time-to-remediate Mean-time-to-detect 11

Contact information: E-mail: Jim.Aldridge@Mandiant.com Twitter: @jimaldridge 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information