
Security Incident Discovery and Correlation on .Gov Networks (PowerPoint PPT Presentation)



  1. Security Incident Discovery and Correlation on .Gov Networks
  Cory Mazzola, MSIA, CISSP, US-CERT Surface Analysis Group
  Timothy Tragesser, US-CERT Fusion Analysis & Development

  2. Agenda
  - Overview
  - Data Collection
  - Malware Activity Sets:
    - Beaconing
    - Redirection
    - Suspicious Activity
  - Findings/Analysis
  - Samples/Examples
  - Recommendations
  - Takeaways
  2 Presenter's Name June 17, 2003

  3. Who we are...
  - US-CERT is the operational arm for cyber security under the Department of Homeland Security
  - The Analysis Branch uses flow data from Einstein sensors deployed across .gov networks

  4. Information Correlation...
  US-CERT at the center, exchanging information with: Industry, Military, State/Local Gov, Private Citizens, Federal Gov, ISACs, US/International Law Enforcement, Media, Intel
  Facilitating collective analysis of cyber threats through partnerships.

  5. Threat Summary
  - Security incidents reported to/by US-CERT since 1 January
  - ~108,000 total incidents reported YTD
  - 13,000 Malicious Code Incidents YTD
  - Malicious Logic Incidents comprise the primary focus area
  [Chart: CAT3 IP Addresses by category. Categories: Crimeware Kit, Rogueware, Spam, Web Threat, Koobface, Rootkits, Dropper, Other. Values shown on the chart: 59, 106, 16, 22, 45, 17, 15, 173]

  6. Context
  - What we have:
    - Repository of federal/state/local govt, private/foreign sector security incidents
    - ~108K so far this year
  - What we needed:
    - Automated method to detect and identify security incidents/events using netflow
  - What we devised:
    - Queries to mine the database, correlate information and positively identify security incidents

  7. Prep: Data Collection - Initial Data Pull / RW Binary Creator
  - Creates a bin file to prep and execute queries against:

    #!/bin/sh
    # Normalise hosts.txt: strip spaces around and inside the pipe-delimited fields
    perl -pi -e "s/ \|/\|/g" hosts.txt
    perl -pi -e "s/\| /\|/g" hosts.txt
    perl -pi -e "s/ //g" hosts.txt
    BINFILE=`date "+%Y-%m-%d-%T.bin"`
    day=`date +"%a"`
    # Query window: reach back over the weekend on Mon/Sat/Sun, otherwise 3 days
    if [ "$day" = "Mon" ]; then
      STARTDATE=`date -d '-4 days' +'%Y/%m/%d'`
      ENDDATE=`date "+%Y/%m/%d"`
    elif [ "$day" = "Sun" ]; then
      STARTDATE=`date -d '-7 days' +'%Y/%m/%d'`
      ENDDATE=`date "+%Y/%m/%d"`
    elif [ "$day" = "Sat" ]; then
      STARTDATE=`date -d '-8 days' +'%Y/%m/%d'`
      ENDDATE=`date "+%Y/%m/%d"`
    else
      STARTDATE=`date -d '-3 days' +'%Y/%m/%d'`
      ENDDATE=`date "+%Y/%m/%d"`
    fi
    if [ -f $BINFILE ]; then
      echo "$BINFILE already exists !!!"
      echo "Please ensure rwprocessor.sh is not already running and then move or remove $BINFILE"
    else
      if [ -f temphosts.txt ]; then rm -f temphosts.txt; fi
      if [ -f temphosts.set ]; then rm -f temphosts.set; fi

  8. Initial data pull: RW Binary Creator
  - Creates a bin file to execute queries against (cont.):

      # Build a SiLK IP set from the first (address) column of hosts.txt
      for i in `cat hosts.txt | cut -d "|" -f1 | sort | uniq`
      do
        echo $i >> temphosts.txt
      done
      rwsetbuild temphosts.txt temphosts.set
      echo "Einstein query from $STARTDATE to $ENDDATE"
      echo "Created $BINFILE"
      # Pull every flow to or from any address in the set for the window into the bin file
      rwfilter --anyset=temphosts.set --type=all --start-date=$STARTDATE --end-date=$ENDDATE --pass=$BINFILE &
      wait   # let rwfilter finish before its input set is removed below
      if [ -f temphosts.txt ]; then rm -f temphosts.txt; fi
      if [ -f temphosts.set ]; then rm -f temphosts.set; fi
    fi

  9. Malware Activity Patterns
  - Main Focus Areas:
    - Beaconing
    - Redirect
    - Suspicious
  (Image from procalme.com)

  10. Beaconing
  - Goal is to detect and identify beaconing activity to/from constituent systems
    - Regular and irregular patterns
    - High and low volume connections
    - Known malicious IPs/domains
  - Investigate to identify data exfiltration / low-and-slow actions
  - Triggers when a victim IP address sends requests to the same destination port with a consistent packet size at a specific time interval or pattern (e.g., 60 secs., 60 mins., etc.)
  - Beaconing is a symptom
  (Image from Wellroundedsquare.com)

  11. Beaconing
  - Personal favorite
  - 'Quick and easy' to vet true positives
  - Good indicator of compromise/infection
  Sample Output (beaconing occurring at 1 hour / 10 minute intervals):
    sTime| sIP| dIP| sPort| dPort| bytes| sensor| InitFlag
    2010/10/04T13:06:38| 199.9.9.9| 195.161.112.6| 1315| 80| 1623| USGA| S
    2010/10/04T14:16:40| 199.9.9.9| 195.161.112.6| 1366| 80| 1623| USGA| S
    2010/10/04T15:26:42| 199.9.9.9| 195.161.112.6| 1418| 80| 1623| USGA| S
    2010/10/04T16:36:44| 199.9.9.9| 195.161.112.6| 1515| 80| 1623| USGA| S
    2010/10/04T17:46:45| 199.9.9.9| 195.161.112.6| 1600| 80| 1623| USGA| S
    2010/10/04T18:56:48| 199.9.9.9| 195.161.112.6| 1721| 80| 1623| USGA| S
  Callouts on the slide: automated byte sizes, initial flags, timestamps

  12. Beaconing Script
  - The beaconing script uses several commands, as sampled below, to filter flows for indications of hourly/daily/weekly beaconing activity:

    # For each byte size seen in at least 5 flows from the victim to the suspect address
    # (--fi= abbreviates --fields=), count the distinct days on which that size was seen
    for bytes in `rwfilter --saddress=$victimip --daddress=$badip --type=all bin/$i.bin --pass=stdout | rwuniq --fi=bytes --flows=5 --no-titles --no-final-delimiter --no-columns | cut -d "|" -f1`
    do
      # field 9 is sTime (yyyy/mm/ddThh:mm:ss); keep the day-of-month and count unique values
      daycount=`rwfilter bin/$i.bin --type=all --saddress=$victimip --daddress=$badip --bytes=$bytes --pass=stdout | rwcut --fi=9 --no-titles | cut -d "/" -f3 | cut -d "T" -f1 | sort -u | wc -l`
      # (remainder of the loop body is not shown on the slide)
    done

  13. Findings Analysis: Beaconing
  - Using seconds/milliseconds to build the timeline
  - Helps dispel irregularities
  - Common traffic obfuscation technique for FakeAV and Rootkits
  Sample Output (note the second count):
    sTime| sIP| dIP|sPort|dPort| bytes| sensor|initialF|Records|
    2010/08/17T11:25:23| 199.9.9.9| 94.228.209.200| 1529| 80| 549| USGA1| S | 1|
    2010/08/17T14:21:23| 199.9.9.9| 94.228.209.200| 1989| 80| 549| USGA1| S | 1|
    2010/08/17T21:26:24| 199.9.9.9| 94.228.209.200| 2346| 80| 549| USGA1| S | 1|
    2010/08/17T22:32:24| 199.9.9.9| 94.228.209.200| 2602| 80| 549| USGA1| S | 1|
    2010/08/18T02:09:24| 199.9.9.9| 94.228.209.200| 3103| 80| 549| USGA1| S | 1|
    2010/08/18T05:43:24| 199.9.9.9| 94.228.209.200| 3607| 80| 549| USGA1| S | 1|
    2010/08/18T14:10:25| 199.9.9.9| 94.228.209.200| 3996| 80| 549| USGA1| S | 1|
    2010/08/18T16:18:25| 199.9.9.9| 94.228.209.200| 4295| 80| 549| USGA1| S | 1|
    2010/08/18T18:51:24| 199.9.9.9| 94.228.209.200| 4640| 80| 549| USGA1| S | 1|
    2010/08/19T05:22:24| 199.9.9.9| 94.228.209.200| 1229| 80| 549| USGA1| S | 1|
    2010/08/19T09:56:24| 199.9.9.9| 94.228.209.200| 1341| 80| 549| USGA1| S | 1|
    2010/08/19T15:42:24| 199.9.9.9| 94.228.209.200| 1806| 80| 549| USGA1| S | 1|
    2010/08/20T06:24:24| 199.9.9.9| 94.228.209.200| 2186| 80| 549| USGA1| S | 1|
    2010/08/20T09:37:25| 199.9.9.9| 94.228.209.200| 2321| 80| 549| USGA1| S | 1|
    2010/08/20T12:04:25| 199.9.9.9| 94.228.209.200| 2871| 80| 549| USGA1| S | 1|
    2010/08/21T15:22:25| 199.9.9.9| 94.228.209.200| 3439| 80| 549| USGA1| S | 1|
    2010/08/21T17:34:25| 199.9.9.9| 94.228.209.200| 3532| 80| 549| USGA1| S | 1|

  14. Findings Analysis: Beaconing
  - Graphical Representation
  - Easy-to-read synopsis of activity
  - Helpful handout/reference for constituency
  [Chart: time of day (0:00:00 to 24:00:00) of each observed flow, plotted per date from 11/15/2010 to 11/19/2010]
  - Victim IP observed beaconing every 8 minutes and 55 seconds
