CCCTechCenter Splunk-Security Operations Center (SOC)
Need For Security Operations Center (SOC)

Prepared by Amir Khan (Lead Security Analyst). Dated: Feb 27th, 2019.

• We've been collecting security-related data for some time and require a focal point to help us see the big picture
• Data from:
  • Security Events
  • Vulnerability scans
  • IPS/IDS data
  • System logs
• We want to build a SOC to be able to address security incidents in a proactive manner
• The SOC is a logical place to collect, analyze and distribute the collected data to support our Defense in Depth Strategy:
  • Preventing Network Based Attacks
  • Preventing Host Based Attacks
  • Eliminating Security Vulnerabilities
  • Supporting Authorized Users
  • Providing tools for Minimizing Data Loss
What's Next: Splunk Phase II

• Advanced security dashboarding/alerts/reporting/queries; installation of specific plug-ins.
• Continuous monitoring for new security threats, identification of outlier security threats and correlation of such threats with behaviors of known attackers. With continuous evolution of the service, the Community College's incident response team will be informed effectively to address identified high-risk threats at the earliest stages of an attack and minimize the impact.
• Personalized intelligence reports to support community colleges in understanding the college's risk profile.
• Ingest more logs such as Switch, Proxy, Bro, Nessus, NetFlow, Spirion, Databases, etc.
• Provide Security Operation Center services via automation. Communicate security-related events, incidents, recommendations, etc. to schools.
• In addition, provide Security Operation Center support personnel (Tier II and Tier) to assist colleges with Security Alerts, Configuration, Dashboarding, Queries, Apps, Reporting, etc.
• Provide more robust templates for complex event types & monitoring scenarios

Note: Currently in the planning and budgeting phase for Splunk Phase II. Offering may be increased.
What is a CCCTechCenter Security Operations Center (SOC)?

Indexed key IT systems of the Community Colleges of California are monitored, assessed and defended from cyber attacks.

PRIMARY GOAL: Reduce risk via improved security
SECONDARY GOALS: Compliance, anti-DDoS attack, fraud detection
Before Building a SOC, Need to Understand:

• Scope of the CCCTechCenter offering
• Prerequisite is a certain security maturity level
• Structure may vary for each college
• Important to prioritize and phase the build-out
• Currently limited funding, and growth over the period of time
Process: Threat Modeling & Playbooks

1. What threats do the Colleges care about?
   • Sensitive data (PII systems, ..), compliance, etc.
   • Prioritize based on impact
2. What would the threat look like?
   • How it would access and exfiltrate sensitive data
   • Requires machine data and external context
3. How would we detect/block the threat?
   • Searches or visualizations that would detect it (correlated events, anomaly detection, deviations from a baseline, risk scoring)
4. What is the playbook/process for each type of threat?
   • Severity, response process, roles and responsibilities, how to document, how to remediate, when to escalate or close, etc.
Process: Potential SOC Tiers

ALERTS FROM: CCCTechCenter to Colleges

TIER 1
• Monitoring
• Reporting
• Senior Analysts and reporting
• Recommendation

TIER 2
• Advanced investigations/CSIRT
• Prevention
• Threat hunting
• Forensics
• Counter-intelligence
• Malware reverser

College (MINIMIZE INCIDENTS REACHING THEM)
Other Process Items

Evolve
• Business people, IT teams, SMEs
• Threat modeling, investigations, remediation

Incorporate Learnings Into the SOC and Colleges
• Adjust correlation rules or IT configurations, user education, change business processes

Automate Processes
• Use SOC to accelerate investigations and alerting, ticketing system
SOC Value

• Anecdotes of threats defeated
• Metrics on events
• Regular communication to Colleges
• Show reduced security risk
Enables Many Security Use Cases

• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Detecting Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat
Connect the "Data-Dots" to See the Whole Story

Threat pattern (kill chain): Delivery, Exploit, Installation → Gain Trusted Access → Upgrade (Escalate) → Lateral Movement → Data Gathering → Exfiltration → Persist, Repeat

Threat Intelligence
• Sources: External threat intel, Internal threat intel, Indicators of compromise
• Tells you: Attacker, known sites, infected sites, attack/campaign intent and attribution

Network Activity/Security
• Sources: Firewall, Malware sandbox, IDS / IPS, Web proxy, Vulnerability scanner, NetFlow
• Tells you: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download

Endpoint Activity/Security
• Sources: Endpoint (AV/IPS/FW), DHCP, ETDR, DNS, OS logs, Patch mgmt
• Tells you: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility

Authorization – User/Roles
• Sources: Active Directory, Operating System, LDAP, Database, CMDB, VPN, AAA, SSO
• Tells you: Access level, privileged users, likelihood of infection, where they might be in the kill chain
CCCTechCenter-Splunk SOC Maturity

From Reactive to Proactive, with technology that enhances all your SOC personnel and processes:
• Search and Investigate
• Proactive Monitoring and Alerting
• Situational Awareness
• Real-Time Risk Insight
• Proactive Security
CCCTechCenter-Splunk SOC: searches, alerts, reports, dashboards, workflow

• Dashboards and Reports
• Incident Statistics
• Assets and Identity Aware
Key Takeaways

• SOC requires investment in people, process and technology
• Build an environment that can power your SOC
• Use Splunk to make our SOC personnel and processes more efficient
Immediate SOC Next Steps

• Design – Build, implement, optimize a SOC – Includes people, process, and technology
• Attain funding and provide services best suited with limited resources
Whiteboard: Splunk SOC

Points:
• Offload search load to Splunk Search Heads
  • Build from previous architecture
  • Cover Search Head – Function – Sizing
  • Cover TAs
• Auto load-balanced forwarding to Splunk Indexers – Function – Benefits
• Send data from thousands of servers from Splunk Heavy Forwarders
Merge the Entity And Adversary Models

Adversary model (kill chain stages): Recon → Delivery → Exploitation → C2 → Intent
Entity model (rated High / Medium / Low per stage): Controls, Exposure, Audit, Monitor

Tools and data sources placed on the matrix: SSCM, Chef, AD, Data, Nessus, Tripwire, Scans, DNS, Windows/Linux, Sysmon, Intel, Red Team, Nmap, IDS/IPS, Outbound, Graphing, OSINT, Email
Example: Connecting the "data-dots"

Kill chain stages: Delivery, Exploit, Installation → Gain Trusted Access → Upgrade (Escalate) → Lateral Movement → Data Gathering → Exfiltration

• Threat Intelligence: Blacklisted IP (at delivery), Blacklisted IP (at exfiltration)
• Network Activity/Security: Malware download; continued sessions during abnormal hours, periodicity, session patterns, etc.; data across different access points (web, remote control, tunneled)
• Host Activity/Security: Malware and endpoint execution; program installation; machine data link to program and process; abnormal behavior
• Auth – User Roles: User on machine; malware install; traffic data

Legend: High confidence event / Med confidence event / Low confidence event
Splunk Search Use Case 1

Overview:
• Local admin accounts are used by legitimate technicians, but they're also used by attackers. This search looks for newly created accounts that are elevated to local admins.
• Potential Classification: Advanced Threat Detection, Security Monitoring, Compliance, Endpoint Compromise
• First, verify that you have Windows Security Logs coming in, and that you have implemented account change auditing. Once your logs are coming in, you should be able to search for sourcetype="WinEventLog:Security" EventCode=4720 OR EventCode=4732 to see account creation or group membership change events. Finally, make sure that your local admin group name is "administrators" so that we are looking for the right group membership changes.

Prepared by Amir Khan, California Community Colleges Technology Center
Analysis:
• The only real source of false positives for this search would be help desk admins who create local admin accounts. If this is common practice in your environment, you should filter out their admin account creation messages by excluding their usernames from the base search. If your local admin group doesn't include the term "administrators", the search would potentially generate false negatives.
• When this search returns values, initiate your incident response process and capture the time of the creation, as well as the user account that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom.
• If not, the user credentials have been used by another party and additional investigation is warranted.
• Must have Local Account Management logs (Event ID 4720). Turn on Account Management audit logs in your local Windows Security Policy.
• Consider the list of event IDs which cover user activities for the accounts: Create User, Delete User, User Account Enabled, User Account Password Reset, User Account Profile Path Set, User Account Rename, Create Local Group, Add User to Local Group, Remove User from Local Group, Delete Local Group, Rename Local Group, etc.
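The correlation that Use Case 1 describes (a 4720 account creation followed by a 4732 addition to the local administrators group on the same host), with the help-desk exclusion from the Analysis above, implemented as an added example that is not part of the original deck or a Splunk search. The sample events, the flattened key=value layout and the field names are constructed to resemble the fields Splunk extracts from WinEventLog:Security, and the 30-minute window is an assumed tuning knob.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real captures), one flattened key=value line
# each, modelled on the fields Splunk extracts from WinEventLog:Security.
# The deck's base search is: sourcetype="WinEventLog:Security" EventCode=4720 OR EventCode=4732
SAMPLE_EVENTS = [
    "_time=2019-02-27T09:01:00 EventCode=4720 host=LAB-PC1 Subject_Account_Name=helpdesk1 Target_Account_Name=svc_backup",
    "_time=2019-02-27T09:02:10 EventCode=4732 host=LAB-PC1 Subject_Account_Name=helpdesk1 Member_Name=svc_backup Group_Name=Administrators",
    "_time=2019-02-27T13:44:00 EventCode=4720 host=LAB-PC7 Subject_Account_Name=jdoe Target_Account_Name=support2",
    "_time=2019-02-27T13:44:35 EventCode=4732 host=LAB-PC7 Subject_Account_Name=jdoe Member_Name=support2 Group_Name=Administrators",
    "_time=2019-02-27T14:00:00 EventCode=4720 host=LAB-PC9 Subject_Account_Name=jdoe Target_Account_Name=tempuser",
    "_time=2019-02-27T14:00:20 EventCode=4732 host=LAB-PC9 Subject_Account_Name=jdoe Member_Name=tempuser Group_Name=Remote Desktop Users",
    "_time=2019-02-26T08:00:00 EventCode=4732 host=LAB-PC3 Subject_Account_Name=jdoe Member_Name=olduser Group_Name=Administrators",
]

# key=value pairs; a value may contain spaces (e.g. "Remote Desktop Users")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_new_local_admins(lines, window=timedelta(minutes=30),
                          admin_group="administrators", excluded_creators=()):
    """Correlate 4720 (account created) with a later 4732 (member added to a
    security-enabled local group) for the same account on the same host.

    Only additions to `admin_group` count, and the two events must fall within
    `window`. Creators listed in `excluded_creators` (help-desk admins) are the
    false-positive filter the deck suggests. Returns one finding per match."""
    excluded = {c.lower() for c in excluded_creators}
    created = {}  # (host, account) -> (creation time, creator)
    findings = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        account = ev.get("Target_Account_Name") or ev.get("Member_Name", "")
        key = (ev["host"], account.lower())
        if ev["EventCode"] == "4720":
            created[key] = (t, ev["Subject_Account_Name"])
        elif ev["EventCode"] == "4732" and ev.get("Group_Name", "").lower() == admin_group:
            if key not in created:
                continue  # elevation of a pre-existing account: a different search
            t0, creator = created[key]
            if t - t0 <= window and creator.lower() not in excluded:
                findings.append({
                    "host": ev["host"], "account": account, "created_by": creator,
                    "elevated_by": ev["Subject_Account_Name"],
                    "created": t0.isoformat(), "elevated": t.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_new_local_admins(SAMPLE_EVENTS, excluded_creators=("helpdesk1",)):
        print(f"{f['elevated']} {f['host']}: {f['account']} created by {f['created_by']}, "
              f"elevated by {f['elevated_by']}")
```

Passing a misspelled group name to `admin_group` returns nothing at all, which is the false-negative case the Analysis warns about.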
User Account Lockouts: Splunk Search Use Case
User Account Lockouts: Splunk Search Use Case Dashboard
Suspicious Failed Logons: Splunk Search Use Case

• Login attempts to accounts that do not exist and accounts that are expired or disabled.
• A high number of these results may be misconfigurations and more operational than pure security, but can help one understand what normal is in an environment.
Inactive Account Management: Splunk Search Use Case

• This example dashboard is around account management. It is important to make sure that AD is cleaned up and stale objects pruned out, if only to keep things clean and organized. This report can help pinpoint stale user and computer objects.
Created Accounts

• Alerts can be configured in many ways depending on how often they want the information to be sent, how the info is displayed, who to send to, and other parameters shown below.
• The InfoSec team or team lead of those creating accounts in the organization could receive this report daily, for more oversight and control over accounts created in the domain.
• If local users on servers are a concern, a similar report should be created for that. Someone could match created accounts with the ticketing system or audit accounts after creation to make sure users conform to the user account creation standards.
• If an account is created by someone that should not be creating accounts, that is cause for an investigation. If an Identity and Access Management (IAM) system is used, those logs should be sent to Splunk also.
Sensitive Groups: Splunk Search Use Case

• Monitor and alert on changes to any sensitive groups. An addition to a group such as Domain Admins is a significant change and should be audited.
• If there is a change control process for that, this can assist in monitoring additions and removals. An attacker may just compromise a user in one of these groups and not add to them, but it will cover the scenario where they add a new user to these powerful groups for persistence purposes. This alert helps enforce the principle of minimum privileges, at least for the AD groups, and increases security by adding auditing and visibility.
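The change-control check described above (every addition to or removal from a sensitive group is matched against an approved ticket, and anything uncovered is raised), written as an added example that is not part of the original deck. The event IDs come from the Security Group Management subcategory listed later in the deck; the sensitive-group list, the ticket format and the sample events are all constructed assumptions.

```python
import re
from datetime import datetime

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # flattened key=value fields

# Assumed list of groups whose membership changes are always audited.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Security Group Management event IDs (from the deck's auditing table) -> action
GROUP_EVENTS = {"4728": "added", "4729": "removed",   # security-enabled global group
                "4732": "added", "4733": "removed",   # security-enabled local group
                "4756": "added", "4757": "removed"}   # security-enabled universal group

# Constructed sample events (not real captures), one flattened key=value line each.
SAMPLE_EVENTS = [
    "_time=2019-02-27T10:15:00 EventCode=4728 host=DC01 Subject_Account_Name=adm.lee Member_Name=pat.ops Group_Name=Domain Admins",
    "_time=2019-02-27T11:00:00 EventCode=4728 host=DC01 Subject_Account_Name=adm.lee Member_Name=jdoe Group_Name=Marketing",
    "_time=2019-02-27T17:30:00 EventCode=4729 host=DC01 Subject_Account_Name=adm.lee Member_Name=pat.ops Group_Name=Domain Admins",
    "_time=2019-02-27T22:40:00 EventCode=4728 host=DC02 Subject_Account_Name=adm.lee Member_Name=svc_print Group_Name=Domain Admins",
    "_time=2019-02-28T03:05:00 EventCode=4756 host=DC02 Subject_Account_Name=svc_print Member_Name=bob Group_Name=Enterprise Admins",
]

# Constructed change-control tickets: each approves one member/group/action in a time window.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "member": "pat.ops", "group": "Domain Admins", "action": "added",
     "not_before": "2019-02-27T08:00:00", "not_after": "2019-02-27T18:00:00"},
]


def matching_ticket(ev_time, member, group, action, approved):
    """Return the ticket id that covers this change, or None if nothing does."""
    for a in approved:
        if (a["member"].lower() == member.lower() and a["group"].lower() == group.lower()
                and a["action"] == action
                and datetime.fromisoformat(a["not_before"]) <= ev_time <= datetime.fromisoformat(a["not_after"])):
            return a["ticket"]
    return None


def audit_sensitive_group_changes(lines, approved=APPROVED_CHANGES):
    """One finding per membership change to a sensitive group. Changes without a
    covering ticket are rated high; removals are reported as well, since a
    mistake or an intruder can also strip legitimate admins."""
    findings = []
    for line in lines:
        ev = dict(FIELD_RE.findall(line))
        action = GROUP_EVENTS.get(ev.get("EventCode"))
        group = ev.get("Group_Name", "")
        if action is None or group.lower() not in SENSITIVE_GROUPS:
            continue  # not a group membership event, or not a group we care about
        t = datetime.fromisoformat(ev["_time"])
        ticket = matching_ticket(t, ev["Member_Name"], group, action, approved)
        findings.append({"time": ev["_time"], "host": ev["host"], "group": group,
                         "member": ev["Member_Name"], "action": action,
                         "by": ev["Subject_Account_Name"], "ticket": ticket,
                         "severity": "info" if ticket else "high"})
    return findings


def unapproved_changes(lines, approved=APPROVED_CHANGES):
    """Only the findings that should open an incident: no covering ticket."""
    return [f for f in audit_sensitive_group_changes(lines, approved) if f["ticket"] is None]
```

On the sample data the approved addition of pat.ops is rated info, while the later removal of pat.ops, the off-hours addition of svc_print and the addition of bob by svc_print are all raised as high.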
Account Activity
Event IDs that Matter: Domain Controllers

EventID | Description | Impact
4768 | Kerberos auth ticket (TGT) was requested | Track user Kerb auth, with client/workstation name.
4769 | User requests a Kerberos service ticket | Track user resource access requests & Kerberoasting
4964 | Custom Special Group logon tracking | Track admin & "users of interest" logons
4625/4771 | Logon failure | Interesting logon failures. 4771 with 0x18 = bad pw
4765/4766 | SID History added to an account / attempt failed | If you aren't actively migrating accounts between domains, this could be malicious
4794 | DSRM account password change attempt | If this isn't expected, could be malicious
4780 | ACLs set on admin accounts | If this isn't expected, could be malicious
4739/643 | Domain Policy was changed | If this isn't expected, could be malicious
4713/617 | Kerberos policy was changed | If this isn't expected, could be malicious
4724/628 | Attempt to reset an account's password | Monitor for admin & sensitive account pw reset
4735/639 | Security-enabled local group changed | Monitor admin/sensitive group membership changes
4737/641 | Security-enabled global group changed | Monitor admin/sensitive group membership changes
4755/659 | Security-enabled universal group changed | Monitor admin & sensitive group membership changes
5136 | A directory service object was modified | Monitor for GPO changes, admin account modification, specific user attribute modification, etc.
Event IDs that Matter: All Windows systems

EventID | Description | Impact
1102/517 | Event log cleared | Attackers may clear Windows event logs.
4610/4611/4614/4622 | Local Security Authority modification | Attackers may modify LSA for escalation/persistence.
4648 | Explicit credential logon | Typically when a logged on user provides different credentials to access a resource. Requires filtering of "normal".
4661 | A handle to an object was requested | SAM/DSA access. Requires filtering of "normal".
4672 | Special privileges assigned to new logon | Monitor when someone with admin rights logs on. Is this an account that should have admin rights or a normal user?
4723 | Account password change attempted | If it's not an approved/known pw change, you should know.
4964 | Custom Special Group logon tracking | Track admin & "users of interest" logons.
7045/4697 | New service was installed | Attackers often install a new service for persistence.
4698 & 4702 | Scheduled task creation/modification | Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational
4719/612 | System audit policy was changed | Attackers may modify the system's audit policy.
4732 | A member was added to a (security-enabled) local group | Attackers may create a new local account & add it to the local Administrators group.
4720 | A (local) user account was created | Attackers may create a new local account for persistence.

Source: Sean Metcalf [@Pyrotek3 | sean@TrimarcSecurity.com]
Event IDs that Matter (Newer Windows systems)

EventID | Description | Impact
3065/3066 | LSASS Auditing – checks for code integrity | Monitors LSA drivers & plugins. Test extensively before deploying!
3033/3063 | LSA Protection – drivers that failed to load | Monitors LSA drivers & plugins & blocks ones that aren't properly signed.
4798 | A user's local group membership was enumerated. | Potentially recon activity of local group membership. Filter out normal activity.

LSA Protection & Auditing (Windows 8.1/2012R2 and newer): https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
4798: A user's local group membership was enumerated (Windows 10/2016): https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4798
A Note About Logon Types (4624)

Logon Type # | Name | Description | Creds on Disk | Creds in Memory | Distribution
0 | System | Typically rare, but could alert to malicious activity | Yes | Yes | *
2 | Interactive | Console logon (local keyboard) which includes server KVM or virtual client logon. Also standard RunAs. | No | Yes | #5 / 0%
3 | Network | Accessing file shares, printers, IIS (integrated auth, etc), PowerShell remoting | No | No | #1 / ~80%
4 | Batch | Scheduled tasks | Yes | Yes | #7 / 0%
5 | Service | Services | Yes | Yes | #4 /
Auditing Subcategories to Events

Audit Audit Policy Change
• 4719: System audit policy was changed.
• 4908: Special Groups Logon table modified.

Audit Authentication Policy Change
• 4706: A new trust was created to a domain.
• 4707: A trust to a domain was removed.
• 4713: Kerberos policy was changed.
• 4716: Trusted domain information was modified.
• 4717: System security access was granted to an account.
• 4718: System security access was removed from an account.
• 4739: Domain Policy was changed.
• 4865: A trusted forest information entry was added.
• 4866: A trusted forest information entry was removed.
• 4867: A trusted forest information entry was modified.

Audit Computer Account Management
• 4741: A computer account was created.
• 4742: A computer account was changed.
• 4743: A computer account was deleted.
Audit DPAPI Activity
• 4692: Backup of data protection master key was attempted.
• 4693: Recovery of data protection master key was attempted.
• 4695: Unprotection of auditable protected data was attempted.

Audit Kerberos Authentication Service
• 4768: A Kerberos authentication ticket (TGT) was requested.
• 4771: Kerberos pre-authentication failed.
• 4772: Kerberos authentication ticket request failed.

Audit Kerberos Service Ticket Operation
• 4769: A Kerberos service ticket (TGS) was requested.
• 4770: A Kerberos service ticket was renewed.

Audit Logoff
• 4634: An account was logged off.

Audit Logon
• 4624: An account was successfully logged on.
• 4625: An account failed to log on.
• 4648: A logon was attempted using explicit credentials.

Audit Other Account Logon Events
• 4648: A logon was attempted using explicit credentials.
• 4649: A replay attack was detected.
• 4800: The workstation was locked.
• 4801: The workstation was unlocked.
• 5378: The requested credentials delegation was disallowed by policy.
Audit Other Object Access Events
• 4698: A scheduled task was created.
• 4699: A scheduled task was deleted.
• 4702: A scheduled task was updated.

Audit Process Creation
• 4688: A new process has been created.

Audit Security Group Management
• 4728: A member was added to a security-enabled global group.
• 4729: A member was removed from a security-enabled global group.
• 4732: A member was added to a security-enabled local group.
• 4733: A member was removed from a security-enabled local group.
• 4735: A security-enabled local group was changed.
• 4737: A security-enabled global group was changed.
• 4755: A security-enabled universal group was changed.
• 4756: A member was added to a security-enabled universal group.
• 4757: A member was removed from a security-enabled universal group.
• 4764: A group's type was changed.

Audit Security System Extension
• 4610: An authentication package has been loaded by the Local Security Authority.
• 4611: A trusted logon process has been registered with the Local Security Authority.
• 4697: A service was installed in the system.
Audit Sensitive Privilege Use
• 4672: Special privileges assigned to new logon.
• 4673: A privileged service was called.
• 4674: An operation was attempted on a privileged object.

Audit Special Logon
• 4964: Special groups have been assigned to a new logon.

Audit User Account Management
• 4720: A user account was created.
• 4722: A user account was enabled.
• 4723: An attempt was made to change an account's password.
• 4724: An attempt was made to reset an account's password.
• 4725: A user account was disabled.
• 4726: A user account was deleted.
• 4738: A user account was changed.
• 4740: A user account was locked out.
• 4765: SID History was added to an account.
• 4766: An attempt to add SID History to an account failed.
• 4767: A user account was unlocked.
• 4780: The ACL was set on accounts which are members of administrators groups.
• 4794: An attempt was made to set the Directory Services Restore Mode.