Incident Response on a Shoestring Budget
Detecting Attackers on Your Network Using Open Source Tools
Who, what, when?
• At BHIS we still rarely see effective logging and monitoring for detecting attacker activity
• Effective ingress/egress network traffic logs to determine what went where and when
• Consolidated endpoint logging for determining what ran on what system and when
• Free and open source can provide the necessary visibility
Bio
• Security Analyst at Black Hills Information Security
• Previous Blue Team, now mostly Red Team
• CitySec Meetup Organizer – TidewaterSec (Hampton, VA)
• Avid OWA enthusiast
Standard Disclaimer
• Enterprise deployments of monitoring and logging solutions have to be sized appropriately for the amount of traffic, logs, and analysis
• This is true for commercial and open source tools
• The open source and free tools discussed in this presentation will scale to the enterprise
• It still takes planning and resources beyond what can be covered in an hour
• One size does not fit all
• Your mileage may vary
Detection vs. Prevention
• Prevention is ideal but detection is a must
• Preventive measures can be bypassed
• Preventive solutions potentially cost a substantial amount of money
• Many detective solutions can be done for “free”
• Detective solutions are essential in identifying the “full picture” on an incident
Value of Time
• Open source and free software is not cost free if you value your time
• Trade-offs for figuring it out yourself vs. the ability to call the vendor
• If you go with completely free and open source solutions, you may be on your own to figure it out and make it work
• But your security Kung Fu will get better because of this
Core Monitoring Components
• Network Monitoring
• Host Based Monitoring (monitoring edge devices)
• Forensics at Scale (one analyst to many systems)
• Centralized Logging
• Log Correlation and alerting (SIEM)
Threat Intelligence?
Cyber Kill Chain® (lockheedmartin.com/cyber)
1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and Control
7) Actions on Objectives
Where are you now?
Network Monitoring
• Bro vs. Snort - Apples and oranges
• Bro is network protocol decoding at scale
• Forensic ground truth of what happens on the network
• Snort matches packets to signatures to detect potentially bad traffic
• They have different use cases – use the right tool for the job
Host Based Monitoring
• With cloud and mobile, increasingly more important to gain edge device visibility
• Sysmon is an easy win to deploy to Windows Endpoints
  • Process creation with full command line
  • Hash of process (SHA1)
  • Network Connections
  • File creation time changes
Sysmon Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:\Users\BruceL.Roy\
User: WIN-OK4HSK4QBPH\BruceL.Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
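As an added example (not from the presentation), a small parser for the Key: Value rendering of a Sysmon Process Create event like the one above, with a triage heuristic run over it; the SHA1 allow-list and the set of parent processes worth reviewing are constructed assumptions.

```python
import re

# Sysmon Event ID 1 (Process Create) as rendered on the slide, one "Key: Value" field per line.
SAMPLE_EVENT = r"""
UtcTime: 2017-06-09 00:57:42.516
ProcessId: 3232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
User: WIN-OK4HSK4QBPH\BruceL.Roy
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")

def parse_sysmon_event(text):
    # Turn the Key: Value rendering into a dict; Hashes becomes a nested {ALG: hex} dict.
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        alg, sep, value = part.partition("=")
        if sep:
            hashes[alg.strip().upper()] = value.strip().lower()
    fields["Hashes"] = hashes
    return fields

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Constructed allow-list of approved powershell.exe SHA1 values; the slide's hash is absent on purpose.
KNOWN_POWERSHELL_SHA1 = {"0000000000000000000000000000000000000000"}
# Parents from which a PowerShell launch deserves analyst review: a triage heuristic, not proof.
REVIEW_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}

def triage(fields):
    findings = []
    image = basename(fields.get("Image", ""))
    parent = basename(fields.get("ParentImage", ""))
    if image == "powershell.exe":
        if parent in REVIEW_PARENTS:
            findings.append(f"powershell.exe launched by {parent} (parent pid {fields.get('ParentProcessId')})")
        if fields.get("Hashes", {}).get("SHA1") not in KNOWN_POWERSHELL_SHA1:
            findings.append("powershell.exe SHA1 not in the approved image set")
    return findings
```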
Log Consolidation
• Centralize log collection from all edge devices and boundary devices
• Syslog client on Linux systems
• NXLog supports syslog shipping of Windows Event Logs
• Microsoft Windows Event Collector
• Boundary device syslog (Firewall, proxies, etc.)
SIEM For Free
• Any DIY SIEM solution could be time and labor intensive
• Elastic Logstash Kibana (ELK) / Elastic Stack
• Graylog
• If you have budget and have to choose where to spend, this may be the best place
• If you are not centralizing logs now, start simple
• Consolidate device and endpoint logs into syslog with nxlog
Forensics at Scale
• Ability for IR and forensics staff to quickly and remotely acquire necessary evidence to analyze an attack
• Can be difficult and time consuming to image RAM and disk evidence for every investigation
• F-Response (not free)
• Possible with PowerShell
• Google GRR
  • Incident Response Framework
Tool Configuration: End Point Monitoring
nxlog
• Endpoint agent to ship logs to a syslog collector
• Support for Windows Event log shipping to remote collector – we’re going to be sending JSON
• Text based conf file
  • Application log selecting EVT IDs 1102, 4103, 4104
  • Security log selecting EVT IDs 1102, 4624, 4625
  • System log selecting EVT IDs 1102, 7009, 7045
  • All of Sysmon log (filtering done in Sysmon config)
https://gist.github.com/deruke/20e77eaa14ad193fd6ab85a76c64cb21
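The per-channel Event ID selection above, mirrored at the collector and followed by a few detections over the JSON the agent ships, as an added example that is not part of the slides or the linked gist. The field names (EventTime, Hostname, Channel, EventID and the per-event data fields) follow nxlog's im_msvistalog output and are assumed; the events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Per-channel Event ID selection from the nxlog slide; the Sysmon channel is shipped whole.
WANTED = {"Application": {1102, 4103, 4104}, "Security": {1102, 4624, 4625}, "System": {1102, 7009, 7045}}
FAILED_LOGON_THRESHOLD = 5     # 4625 events for one (host, account) pair ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window raise one alert

def make_event(channel, eid, time, **data):
    # Constructed nxlog-style JSON line; im_msvistalog field names are assumed, not taken from the slides.
    return json.dumps({"EventTime": time, "Hostname": "WIN-OK4HSK4QBPH", "Channel": channel, "EventID": eid, **data})

SAMPLE_LINES = [
    make_event("Security", 4624, "2017-06-09 00:50:00", TargetUserName="BruceL.Roy"),
    make_event("Application", 1000, "2017-06-09 00:50:05"),  # not in the selection, dropped
    *[make_event("Security", 4625, f"2017-06-09 00:51:{s:02d}", TargetUserName="Administrator") for s in range(5)],
    make_event("System", 7045, "2017-06-09 00:55:00", ServiceName="UpdaterSvc", ImagePath=r"C:\Users\Public\upd.exe"),
    make_event("Security", 1102, "2017-06-09 00:57:00", SubjectUserName="BruceL.Roy"),
]

def is_selected(ev):
    # Mirror the agent-side selection at the collector so unexpected channels cannot slip through.
    channel = ev.get("Channel", "")
    if channel.startswith("Microsoft-Windows-Sysmon"):
        return True
    return ev.get("EventID") in WANTED.get(channel, set())

def triage_events(lines):
    alerts = []
    failures = defaultdict(list)  # (Hostname, TargetUserName) -> recent 4625 timestamps
    for line in lines:
        ev = json.loads(line)
        if not is_selected(ev):
            continue
        eid, host = ev["EventID"], ev.get("Hostname", "?")
        ts = datetime.strptime(ev["EventTime"], "%Y-%m-%d %H:%M:%S")
        if eid == 1102:  # audit log cleared: always worth a look, whichever channel it came from
            alerts.append(f"{host}: {ev['Channel']} log cleared by {ev.get('SubjectUserName', '?')}")
        elif eid == 4625:
            key = (host, ev.get("TargetUserName", "?"))
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            if len(failures[key]) == FAILED_LOGON_THRESHOLD:  # fire once, on the crossing
                alerts.append(f"{host}: {FAILED_LOGON_THRESHOLD} failed logons for {key[1]} within {WINDOW}")
        elif eid == 7045:  # new service installed: record name and binary path for review
            alerts.append(f"{host}: service {ev.get('ServiceName')} installed from {ev.get('ImagePath')}")
    return alerts
```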
Additional EVT Logs
• Windows Logging Cheat Sheet at www.malwarearchaeology.com
• NSA Spot the Adversary List
PowerShell Logging
• Module Logging
  • Records pipeline execution details
• Script Block Logging
  • Records blocks of code as they are executed
  • Also records de-obfuscated code execution
  • PowerShell 5.0 automatically logs script blocks considered as “suspicious”
• Transcription
  • Unique record of every PowerShell session
  • All input and output
PowerShell Logging
• Administrative Templates > Windows Components > Windows PowerShell
GPO Caveats
• If running Windows 7, obtain the Administrative Templates for Windows 10
• Copy both of the requisite files into %systemroot%\PolicyDefinitions
  • PowerShellExecutionPolicy.admx
  • PowerShellExecutionPolicy.adml
• Copy to \\sysvol\Policies\PolicyDefinitions if performing this as a domain GPO
Sysmon Config File
• Install with an XML based configuration
  • Start with @SwiftOnSecurity’s file as a base, then customize to fit your environment
  • https://github.com/SwiftOnSecurity/sysmon-config
• Filters events based on Sysmon event type
  • For every type, sensible exclusions and inclusions to reduce noise or look for specifically suspicious activity
Sysmon Config File
Collector
• Ubuntu 16.04 LTS system running Elastic Stack (ELK)
• Logstash ingests incoming syslog from endpoints and outputs to Elasticsearch
• Kibana web frontend to search and visualize the data
• Scales to Enterprise, but you will need to plan accordingly
Logstash config: https://gist.github.com/deruke/093e9fa9b666aa211cfdce81921cb3ce
Deployment via GPO
• Script Block Logging
• Nxlog installation and/or service start on startup
• Sysmon installation and/or service start on startup
https://gist.github.com/deruke/743a80c89740fdedcb7f8871cdf02536
Demo Time
What about Prevention?
• Configuration changes can be effective prevention
• Strong password policy
  • 15 characters min for users
  • 28 characters for service and administrator accounts
• 2FA on all external facing portals
• Restrict administrative access
  • LAPS
  • Microsoft Tiered Architecture Approach
• Restrict client-to-client communication
  • Private VLANs or Windows Firewall
What about Prevention?
• Application Whitelisting
• Windows 10 Enterprise features
  • Device Guard – attempts to prevent malicious code from ever running; only known good code can run
  • Credential Guard – hardening of key user and system secrets, attempted mitigation of credential based attacks
  • Both use Virtual Secure Mode (VSM)
  • Both require planning and deployment
Resources
• Network Monitoring
  • www.bro.org
  • snort.org
  • molo.ch
• Host Based Monitoring
  • Sysmon - technet.microsoft.com/en-us/sysinternals/bb545021.aspx
  • Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
  • Nxlog: nxlog.co
  • Blog on setup: https://www.blackhillsinfosec.com/endpoint-monitoring-shoestring-budget-webcast-write/
• Live response at scale
  • Google GRR: https://github.com/google/grr
• Log Correlation
  • Elastic: https://www.elastic.co/
  • Graylog: https://www.graylog.org/
• Microsoft Environment Configuration
  • LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
  • AD Tiered Model: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Conclusions
• Free and Open Source solutions can effectively be used for monitoring, detection, and live response
• Edge based host monitoring with centralized logging is a powerful combination
• Configuration changes are an important aspect of preventing compromise
Conclusions
• Derek Banks - @0xderuke
• @BHInfoSecurity – http://www.blackhillsinfosec.com
0x3F