DFS40083 - Chapter 5
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Monitoring Common Protocols
Syslog and NTP
▪ Syslog and Network Time Protocol (NTP) are essential to the work of the cybersecurity analyst.
• Syslog is used for logging event messages from network devices and endpoints.
• Syslog servers typically listen on UDP port 514.
• Syslog servers may be a target for threat actors.
• Hackers may block the transfer of data, tamper with log data, or tamper with software that creates and transmits log messages.
• Enhancements are provided by syslog-ng (next generation).
NTP
▪ Syslog messages are usually timestamped using the Network Time Protocol (NTP).
▪ NTP operates on UDP port 123.
▪ Timestamps are essential for detection of an exploit.
▪ Threat actors may attempt to attack NTP to corrupt time information used to correlate logged network events.
▪ Threat actors use NTP systems to direct DDoS attacks.
DNS
▪ DNS is used by many types of malware.
▪ Attackers encapsulate different network protocols within DNS to evade security devices.
▪ Some malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries.
▪ Malware could encode stolen data as the subdomain portion of a DNS lookup for a domain where the nameserver is under control of an attacker.
▪ DNS queries for randomly generated domain names, or extremely long random-appearing subdomains, should be considered suspicious, especially if their occurrence spikes dramatically on the network.
[Figure: DNS Exfiltration]
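As an added illustration of the heuristic above (example code, not part of the Cisco course material), the following Python script scores constructed DNS query log lines by subdomain label length and Shannon entropy and flags registered domains that receive many long or random-looking subdomain lookups. The log format, the thresholds and the two-label registered-domain assumption are all assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (timestamp, client IP, queried name); these lines
# are made up for this example and are not data from the course.
SAMPLE_LOG = """\
1477490592.10 10.0.0.5 www.example.com
1477490592.20 10.0.0.5 mail.example.com
1477490592.30 10.0.0.7 7b2e646f634a3c1f.evil-ns.example
1477490592.40 10.0.0.7 9c01e4d2a8f7b35e.evil-ns.example
1477490592.50 10.0.0.7 0a1f3e7b0c4d8e2f5a6b7c8d9e0f1a2b3c4d5e6f.evil-ns.example
1477490592.60 10.0.0.9 cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered domain).
    Assumes a two-label registered domain; public-suffix handling is out of scope."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str, max_label: int = 24, min_entropy: float = 3.0, min_unique: int = 3):
    """Aggregate queries per registered domain and attach detection reasons.

    Thresholds are assumptions for this example, not values from the course: a single
    label longer than max_label, or at least min_unique distinct subdomains whose
    average entropy reaches min_entropy, marks the domain as suspicious.
    """
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole batch
        _ts, _client, qname = parts
        sub, domain = split_name(qname.lower())
        d = stats.setdefault(domain, {"queries": 0, "subs": set(), "max_label": 0, "ent": []})
        d["queries"] += 1
        if sub:
            d["subs"].add(sub)
            d["max_label"] = max(d["max_label"], max(len(l) for l in sub.split(".")))
            d["ent"].append(shannon_entropy(sub.replace(".", "")))
    findings = {}
    for domain, d in stats.items():
        avg_ent = sum(d["ent"]) / len(d["ent"]) if d["ent"] else 0.0
        reasons = []
        if d["max_label"] > max_label:
            reasons.append("long label")
        if len(d["subs"]) >= min_unique and avg_ent >= min_entropy:
            reasons.append("many high-entropy subdomains")
        findings[domain] = {"queries": d["queries"], "unique_subdomains": len(d["subs"]),
                            "max_label": d["max_label"], "avg_entropy": round(avg_ent, 2),
                            "reasons": reasons}
    return findings


if __name__ == "__main__":
    for domain, f in analyze(SAMPLE_LOG).items():
        print(f"{domain:<20} {'SUSPICIOUS' if f['reasons'] else 'ok':<10} {f}")
```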
HTTP and HTTPS
▪ All information carried in HTTP is transmitted in plaintext from the source computer to the destination on the Internet.
▪ HTTP does not protect data from alteration or interception.
▪ Web-based threats consist of malware scripts that have been planted on webservers that direct browsers to infected servers by loading iframes.
• In iFrame injection, a threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage.
• When the iFrame loads, malware is downloaded.
[Figure: HTTP iFrame Injection Exploit]
HTTP and HTTPS (Cont.)
▪ HTTPS adds a layer of encryption to the HTTP protocol by using Secure Sockets Layer (SSL).
• SSL makes the HTTP data unreadable as it leaves the source computer until it reaches the server.
HTTP and HTTPS (Cont.)
▪ Encrypted HTTPS traffic complicates network security monitoring.
▪ HTTPS adds complexity to packet captures.
Email protocols
▪ Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers.
• SMTP sends data from a host to a mail server and between mail servers and is not always monitored.
• IMAP and POP3 are used to download email messages from a mail server to the host computer and can be responsible for bringing malware to the host.
• Security monitoring can identify when a malware attachment entered the network and which host it first infected.
ICMP
▪ ICMP can be used to craft a number of types of exploits.
• Can be used to identify hosts on a network, the structure of a network, and determine the operating systems in use on the network.
• Can also be used as a vehicle for various types of DoS attacks.
• ICMP can also be used for data exfiltration through ICMP traffic from inside the network.
• ICMP tunneling - Malware uses crafted ICMP packets to transfer files from infected hosts to threat actors.
Security Technologies
ACLs
▪ ACLs may provide a false sense of security.
• Attackers can determine which IP addresses, protocols, and ports are allowed by Access Control Lists (ACLs), by port scanning, penetration testing, or through other forms of reconnaissance.
• Attackers can craft packets that use spoofed source IP addresses, or applications can establish connections on arbitrary ports.
NAT and PAT
▪ NAT and PAT can complicate security monitoring.
• Multiple IP addresses are mapped to one or more public addresses that are visible on the Internet.
• Hides the individual IP addresses that are inside the network.
Encryption, Encapsulation, and Tunneling
▪ Encryption
• Makes traffic contents unreadable by cybersecurity analysts.
• Part of Virtual Private Network (VPN) and HTTPS.
▪ Tunneling: a virtual point-to-point connection between an internal host and threat actor devices
• Malware can establish an encrypted tunnel that rides on a common and trusted protocol, and use it to exfiltrate data from the network.
Peer-to-Peer Networking and Tor
▪ Peer-to-Peer network activity
• Can circumvent firewall protections and is a common vector for the spread of malware.
• Three types of Peer-to-Peer applications exist: file sharing, processor sharing, and IM.
• File-sharing P2P applications should not be allowed on corporate networks.
▪ Tor is a software platform and network of Peer-to-Peer hosts that function as Internet routers on the Tor network.
• Allows users to browse the Internet anonymously using a special browser.
• Can be used to hide the identity of threat actors and is used by criminal organizations.
[Figure: Tor P2P Operation]
Load Balancing
▪ Load balancing is the distribution of traffic between devices or network paths to prevent overwhelming network resources.
• Some load balancing approaches use DNS to send traffic to resources that have the same domain name but multiple IP addresses.
• This can result in a single Internet transaction being represented by multiple IP addresses on the incoming packets.
• This may cause suspicious features to appear in packet captures.
5.2 Evaluating Alerts
Sources of Alerts
Security Onion
▪ Security Onion is an open-source suite of Network Security Monitoring (NSM) tools that run on an Ubuntu Linux distribution.
Detection Tools for Collection
▪ CapME provides the cybersecurity analyst with an easy-to-read means of viewing an entire Layer 4 session.
▪ Snort uses rules and signatures to generate alerts.
[Figure: A Security Onion Architecture]
Alert Generation
▪ Alerts are generated in Security Onion by many sources including Snort, Bro, Suricata, and OSSEC, among others.
▪ Sguil provides a console that integrates alerts from multiple sources into a timestamped queue.
▪ Alerts will generally include the following five-tuple information:
• SrcIP - the source IP address for the event.
• SPort - the source (local) Layer 4 port for the event.
• DstIP - the destination IP for the event.
• DPort - the destination Layer 4 port for the event.
• Pr - the IP protocol number for the event.
[Figure: Sguil Window]
Rules and Alerts
▪ Alerts can come from a number of sources:
• NIDS - Snort, Bro and Suricata
• HIDS - OSSEC
• Asset management and monitoring - Passive Asset Detection System (PADS)
• HTTP, DNS, and TCP transactions - Recorded by Bro and pcaps
• Syslog messages - Multiple sources
Snort Rule Structure
▪ Snort rules consist of the rule header and rule options.
• Rule header contains the action, protocol, addressing, and port information.
• Rule options include the text message that identifies the alert and also metadata about the alert.
▪ Snort rules come from a variety of sources including Emerging Threats (ET), Sourcefire, and Cisco Talos.
▪ PulledPork is a Security Onion component that can download new rules automatically from snort.org.
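To make the header/options split concrete, here is an added Python parser (example code written for this page, not Snort's own parser or anything from the course) that breaks a rule into the seven header fields and an ordered list of options, respecting quoted values such as msg and content. The sample rule, its message, content and sid are constructed for the example.

```python
# Constructed example rule in Snort syntax; the message, content and sid are made up
# for this example and do not come from any real ruleset.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE Suspicious user agent"; flow:to_server,established; '
    'content:"User-Agent|3a| badclient"; nocase; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)

# The rule header is always: action protocol src_addr src_port direction dst_addr dst_port
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port", "direction", "dst_addr", "dst_port")


def split_options(body: str):
    """Split the option body on ';' while respecting double quotes and backslash escapes."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(cur).strip():
                items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def parse_rule(rule: str) -> dict:
    """Parse one Snort rule into its header fields and an ordered list of (keyword, value) options."""
    rule = rule.strip()
    head, sep, rest = rule.partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(fields)}")
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {header['direction']!r}")
    options = []
    for item in split_options(rest[:-1]):
        keyword, colon, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the quotes around msg/content values
        # modifiers such as nocase have no ':' and therefore no value
        options.append((keyword.strip(), value if colon else None))
    opts = dict(options)  # last occurrence wins; fine for the unique metadata keywords
    return {
        "header": header,
        "options": options,
        "msg": opts.get("msg"),
        "sid": int(opts["sid"]) if "sid" in opts else None,
        "rev": int(opts["rev"]) if "rev" in opts else None,
    }
```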
Lab – Snort and Firewall Rules
Overview of Alert Evaluation
The Need for Alert Evaluation
▪ Exploits will inevitably evade protection measures, no matter how sophisticated they may be.
▪ Detection rules should be overly conservative.
▪ It is necessary to have skilled cybersecurity analysts investigate alerts to determine if an exploit has actually occurred.
▪ Tier 1 cybersecurity analysts will work through queues of alerts in a tool like Sguil, pivoting to tools like Bro, Wireshark, and ELSA.
Evaluating Alerts
▪ Alerts can be classified as follows:
• True Positive: The alert has been verified to be an actual security incident.
• False Positive: The alert does not indicate an actual security incident.
• True Negative: No security incident has occurred.
• False Negative: An undetected incident has occurred.
5.3 Working with Network Security Data
A Common Data Platform
ELSA
▪ Enterprise Log Search and Archive (ELSA) is an enterprise-level tool for searching and archiving NSM data that originates from multiple sources.
▪ ELSA is able to normalize log file entries into a common schema that can then be displayed in the ELSA web interface.
▪ ELSA receives logs over Syslog-NG, stores logs in MySQL databases, and indexes using Sphinx Search.
Data Reduction
▪ Data reduction is the identification of data that should be gathered and stored to reduce the burden on systems.
▪ By limiting the volume of data, tools like ELSA will be far more useful.
Data Normalization
▪ Data normalization is the process of combining data from a number of sources into a common format for indexing and searching.
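As an added example of normalization (example code written for this page, not ELSA's implementation), the Python below maps a Snort fast-format alert line and a Bro conn.log row into one common record shape built around the Sguil five-tuple (source and destination IP and port, plus the IP protocol number) with an epoch timestamp, so records from both sources can be merged into one timeline. The sample lines are constructed, and the year supplied for the Snort timestamp is an assumption, since the fast format does not record one.

```python
import re
from datetime import datetime, timezone

# IP protocol numbers, matching the "Pr" field Sguil shows in its five-tuple.
PROTO_NUMBER = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Constructed sample inputs (not real captures): one Snort "fast" alert line and a
# Bro conn.log excerpt with its #fields header. Addresses, sid and uid are made up.
SNORT_FAST = ("10/26-14:03:12.123456  [**] [1:1000001:1] EXAMPLE Suspicious user agent [**] "
              "[Classification: A Network Trojan was detected] [Priority: 1] "
              "{TCP} 203.0.113.5:44321 -> 10.0.0.5:80")
BRO_CONN = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
            "1477490592.654321\tCxyz9\t10.0.0.5\t53122\t192.0.2.53\t53\tudp\tdns\n")

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def normalize_snort_fast(line: str, year: int = 2016) -> dict:
    """Map a Snort fast-format alert to the common schema (epoch seconds, five-tuple, message)."""
    m = SNORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    # Fast-format timestamps carry no year, so the caller supplies one (assumption of this example).
    when = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year, tzinfo=timezone.utc)
    return {
        "ts": when.timestamp(), "source": "snort",
        "src_ip": m["src"], "src_port": int(m["sport"]) if m["sport"] else None,
        "dst_ip": m["dst"], "dst_port": int(m["dport"]) if m["dport"] else None,
        "proto": PROTO_NUMBER.get(m["proto"].upper()),
        "msg": f"[{m['gid']}:{m['sid']}:{m['rev']}] {m['msg']}",
    }


def normalize_bro_conn(text: str) -> list:
    """Map Bro conn.log rows to the common schema, using the #fields header for column names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other Bro header/footer lines carry no events
        if fields is None:
            raise ValueError("conn.log data before #fields header")
        row = dict(zip(fields, line.split("\t")))
        records.append({
            "ts": float(row["ts"]), "source": "bro_conn",
            "src_ip": row["id.orig_h"], "src_port": int(row["id.orig_p"]),
            "dst_ip": row["id.resp_h"], "dst_port": int(row["id.resp_p"]),
            "proto": PROTO_NUMBER.get(row["proto"].upper()),
            "msg": f"conn {row['uid']} service={row.get('service', '-')}",
        })
    return records


def merge_timeline(*record_lists) -> list:
    """Interleave normalized records from several sources into one time-ordered list."""
    return sorted((r for lst in record_lists for r in lst), key=lambda r: r["ts"])
```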
Data Archiving
▪ Retaining NSM data indefinitely is not feasible due to storage and access issues.
▪ Compliance frameworks may require storage of data for a specified period of time.
▪ ELSA can be configured to retain data for a period of time. The default is 90 days.
▪ Sguil alert data is retained for 30 days by default.
Lab – Convert Data Into a Universal Format
Investigating Network Data
Working in Sguil
▪ In Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil.
▪ Sguil automatically correlates similar alerts into a single line and provides a way to view correlated events represented by that line.
Sguil Queries
▪ Queries can be constructed in Sguil using the Query Builder, which simplifies constructing queries.
▪ The cybersecurity analyst must know the field names and some issues with field values.
Pivoting from Sguil
▪ Sguil provides the ability to “pivot” the investigation to other tools such as ELSA, Wireshark, or Bro.
Event Handling in Sguil
▪ Three tasks can be completed in Sguil to manage alerts.
• Alerts that have been found to be false positives can be expired.
• An event can be escalated by pressing the F9 key.
• An event can be categorized.
Working in ELSA
▪ ELSA provides access to a large number of log file entries.
▪ ELSA will only retrieve the first 100 records for the previous 48 hours.
▪ The easiest way to see information in ELSA is to issue the built-in queries that appear to the left of the ELSA window and then adjust the dates and resubmit the query using the Submit Query button.
Queries in ELSA
▪ ELSA provides field summary and value information for every field that is indexed in the query results. This permits refining queries based on a wide range of values.
▪ Clicking an entry in the Value column will display the query with the value added to the previous query. This process can be repeated to narrow down search results easily.
▪ Regular expressions are executed in ELSA using the grep function.
Investigating Process or API Calls
▪ If malware can fool an OS kernel into allowing it to make system calls, many exploits are possible.
▪ OSSEC rules detect changes in host-based parameters like the execution of software processes, changes in user privileges, and registry modifications, among others.
▪ OSSEC rules will trigger an alert in Sguil.
▪ Opening the Files queries and selecting Mime Types in the menu displays a list of the types of files that have been downloaded.
▪ MD5 and SHA-1 hashes for downloaded files are also available.
▪ File hash values can be submitted to online sites to determine if the file is known malware.
Lab – Regular Expression Tutorial
Lab – Extract an Executable from a PCAP
Enhancing the Work of the Cybersecurity Analyst
Dashboards and Visualizations
▪ Dashboards provide an interactive combination of data and visualizations designed to improve the value of large amounts of information.
▪ Allow analysts to focus on specific details and information.
Workflow Management
▪ Network security monitoring requires workflows to be managed.
• Enhances efficiency of the cyberoperations team.
• Increases the accountability of staff.
• Ensures that all potential alerts are treated properly.
• Each alert should be systematically assigned, processed, and documented.
▪ Sguil provides basic workflow management, but it is not a good choice for large operations; third-party systems are available that can be customized.
▪ Automated queries add efficiency to workflow.
• Search for complex security incidents that may evade other tools.
• An ELSA query can be configured as an alert rule and run regularly.
• Can be created in a scripting language such as Python.
5.4 Incident Response Models
The Cyber Kill Chain
Steps of the Cyber Kill Chain®
▪ Developed by Lockheed Martin to identify and prevent cyber intrusions.
• The steps of the Cyber Kill Chain help analysts understand the techniques, tools, and procedures of threat actors.
• The threat actor gains more access to the target as they progress through the steps.
• The goal is to stop them as early as possible to lessen the damage done.
Reconnaissance
▪ Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets.
▪ Organizations may provide information on websites, public-facing network devices, in news articles, conference proceedings, and social media outlets.
Weaponization
▪ Weaponization uses the vulnerability information gathered in the reconnaissance step to identify and develop a weapon against specific targeted systems in the organization.
Delivery
▪ Delivery is when the threat actor delivers the developed weapon using either a website, removable USB media, or an email attachment.
Exploitation
▪ Exploitation is when the threat actor triggers the weapon and executes it to compromise the vulnerability and gain control of the target.
Installation
▪ Installation is when the threat actor establishes a back door into the system to allow for continued access to the target.
Command and Control
▪ Command & Control (CnC or C2) is when an outside server channel is used by the threat actor to manipulate a target by issuing commands to the software that they installed on the target.
Actions on Objectives
▪ Actions on Objectives is the final step of the kill chain and is when the attacker achieves the attack objective.
• Can be used for data theft, performing a DDoS attack, or using the compromised network to create and send spam.
• The threat actor is deeply rooted in the systems of the organization and may be extremely difficult to remove from the network.
The Diamond Model of Intrusion
Diamond Model Overview
▪ The Diamond Model identifies four parts involved in a security incident.
Pivoting Across the Diamond Model
▪ The Diamond Model is ideal for illustrating how the adversary pivots from one event to the next. For example
The Diamond Model and the Cyber Kill Chain
▪ The example illustrates the process used by an adversary as they traverse the Cyber Kill Chain.
Delivery - 3) Adversary sends phishing emails with a Trojan horse attached to the network administrators.
Exploitation - 4) One network administrator (NA1) opens the malicious attachment which executes the enclosed exploit.
Installation - 5) NA1’s host registers with a CnC controller by sending an HTTP C2 Post message and receiving an HTTP Response in return.
The Diamond Model and the Cyber Kill Chain (Cont.)
▪ The example illustrates the process used by an adversary as they traverse the Cyber Kill Chain.
9) Adversary checks NA1’s email contact list for any contacts from Interesting Research Inc. and discovers the contact for the Interesting Research Inc. Chief Research Officer.
[Figure: kill chain phase labels Weaponization, Delivery, and Action on Objectives]
The VERIS Schema
What is the VERIS Schema?
▪ The Vocabulary for Event Recording and Incident Sharing (VERIS) schema is a set of metrics to describe security incidents in a structured way.
▪ In the VERIS schema, risk is defined as the intersection of four landscapes of Threat, Asset, Impact, and Control.
[Figure: VERIS schema]
Create a VERIS Record
▪ When creating records to add to the database, start with the basic facts about the incident and use the VERIS elements outlined by the community.
• The only required fields in the record are those where the attribute is present.
• As more is known about the incident, data can be added.
Top-Level and Second-Level Elements
▪ The VERIS Schema identifies five top-level elements, providing a different aspect of the incident.
• Each top-level element contains several second-level elements for classifying collected incident data.
The VERIS Community Database
▪ The VERIS Community Database (VCDB) is a very useful shared database for organizations willing to participate.
• Organizations can submit security incident details to the VCDB for the community to use.
• The larger and more robust the VCDB becomes, the more useful it will be in prevention, detection, and remediation of security incidents.
• It will also become a very useful tool for risk management, saving organizations data, time, effort, and money.