This blog covers three main topics:
- Three Key Questions Needing Answers Within Three Minutes When You Suspect a Breach
- Using Deception and Endpoint Logs to Backtrack Command and Control
- Improving SOC Triage Workflow with Prevention Failure Detection
An adversary has targeted your organization and commenced a campaign to breach your defenses, establish a foothold and begin to either gather up your proprietary information or encrypt it and hold you hostage until you pay the ransom demand. If your present security solutions provide any warnings, they will be sent along to the front pane of glass of your Security Operations Center (SOC). Here, it is up to your team of analysts performing triage of the alerts to separate the wheat from the chaff, look at the alert details, and determine whether the alert is telling them something impactful is occurring, or decide it can be ignored.
What could possibly go wrong? Plenty.
RACE TO THE BOTTOM (OF THE ALERT PILE)
Most organizations utilize a Security Information and Event Management (SIEM) solution in their SOC to aggregate, correlate and prioritize alerts presented to the front-line SOC Analyst. Initial triage of alerts is generally handled by a Level I Analyst, often the newest and most inexperienced member of the team. With a network-based IDS often spitting out 40 events per second, along with a myriad of other security solutions and operating system / application logs feeding into the SIEM, it is a daunting task to keep up with the alerts on the screen. To further increase the pressure, SOC Analysts are usually expected to triage an alert in three minutes or less. Get it right, you live to triage another day; get it wrong, your stock price tumbles, people lose jobs and your company gets a ton of negative press.
Security Teams need to do three things to make their lives better:
- Refocus front-line triage on Prevention Failure Detection (PFD)
- Prioritize solutions that provide high-fidelity, but low-volume alerts during triage
- Enable correlations that answer three key questions every SOC Analyst must know when investigating alerts
PREVENTION FAILURE DETECTION
I first heard the term "Prevention Failure Detection" from a friend of mine, Tim Crothers, Vice-President of Cyber Security for Target Corporation. PFD refocuses your detection capabilities away from trying to detect everything happening in your environment and instead focuses your detection efforts on where your prevention capabilities are most likely to fail. It also focuses your alerting, visualizations and SOC displays not on everything that has been seen, but only on what your PFD workflows say is important. You don't need pie charts and bar graphs telling you how many times your AV quarantined a file or your firewall blocked an access attempt; those distract your team from the alerts that matter. You want to establish clear hunting grounds for your SOC and Incident Response teams to focus their efforts.
HIGH-FIDELITY ALERTS
If you knew an alert was a true positive every time it fired, how would that impact your workflows and decision process in handling that particular incident? High-fidelity alerts essentially mean you can trust and act on the information contained within the alert. They also tend to be very low in volume (unless you're having a really bad day). There are not many solutions out there that can claim zero false positives (and I would be wary of any vendor that does make that claim!); however, let's consider how deception solutions rate when looking at fidelity and alert volume.
Deception and High-Fidelity
Deception-based solutions utilize decoys and misinformation to divert and delay an adversary, giving the SOC / IR teams sufficient time to perform remediation before the adversary can complete his mission. Deception objects are not known to normal end-users and are whitelisted (excluded) in the organization's authorized vulnerability and IT asset discovery scanners, so no one should ever touch a deception decoy. Let's consider the possible ways a decoy could be touched:
- Network Misconfiguration: a scanner was missed in the whitelist or some other misconfiguration causes a system to attempt communications with a decoy
- Curious Insider: an end-user or system administrator pokes around outside of their normal duties, comes across a decoy and reaches out to see what the system is all about
- Malicious Insider: an end-user or system administrator is looking to steal information or cause disruption and stumbles across a decoy while looking for the crown jewels
- External Adversary: an adversary of varying skill level and resources has evaded your prevention layers and is now poking around inside your network
In all four cases, some type of action is required that demands immediate attention. The first two are not malicious in nature and will most likely involve groups other than the security teams resolving the issue (most likely Network Operations for the first and Human Resources for the second). The last two are malicious and require immediate escalation and gathering of additional information to learn the full nature of the attack.
Deception and Low-Volume
Deception is a Breach Detection Solution. By that we mean that Deception is not generally used to detect Intrusion Attempts or even Breach Attempts. Deception is a great Prevention Failure Detection solution because it focuses detection capabilities on adversaries and malware that have already successfully bypassed your prevention capabilities.
If we take a typical breach scenario, an adversary will spear-phish an end-user and get them to click on the malicious attachment or link; a payload gets downloaded and/or detonated on the end-user's system, and command and control is established between the adversary and the compromised system.
Breach accomplished. The Doomsday Clock starts ticking.
Many security solutions had to fail for this to happen. This first beachhead is not the mission of the adversary; they want your data or to disrupt your operations. They must establish additional beachheads, reach out to application and database servers, map out your organization's assets and determine what the likely targets are. Most intrusion / breach attempts will be blocked by your prevention technologies; you aren't losing sleep over those. It is the ones that get through you need to lose sleep over, and this is where deception solutions step in and present the adversary with inviting targets: targets that only an adversary should be touching.
Because of this, deception alerts are few and far between (as I said earlier, unless you're having a really bad day!).
THREE KEY QUESTIONS EVERY TRIAGE ANALYST MUST ANSWER
Whenever I have seen an analyst investigating a network-based alert (alerts that only contain IP addresses, ports and service information), there are always three questions at the top of their mind, and having the answers would greatly speed up the time to triage as well as the accuracy of any decisions made.
- User: What is the endpoint user session responsible for causing this alert to occur (i.e., which user clicked on something they shouldn't have?)
- Process: What are the endpoint user session's process and parent process responsible for causing this alert to occur (i.e., was it a user's interactive program like Chrome or Firefox, or was it an underlying process that normally doesn't communicate, like Explorer?)
- Network: Who else has this system communicated with in the few minutes around this alert being generated?
Answering Question #1 lets me focus on what roles and permissions that user has so I can determine the potential extent of a breach (does this user have local admin rights? Is it a domain administrator?).
Answering Question #2 can tell me if this was a user-initiated action (John clicked a website in Chrome and downloaded a malicious payload) or an adversary-initiated action (the adversary, through an injected svchost process, downloaded mimikatz to the workstation). One is pre-breach/pre-detonation, the other is post-breach, requiring a different level of urgency.
Answering Question #3 tells me if the adversary has moved laterally, whether I can identify potential command and control servers, or if a malware detonation is spreading to other systems.
PREPARING FOR THE APOCALYPSE
Now that we know some key questions needing answers, we turn our attention to high-fidelity alerts that are focused around Prevention Failure Detection. We need to identify potential base and correlated events that will help us realize our vision. Once the logs, alerts and workflows have been identified, we can begin building out content that will make alert triage efficient and actionable.
Base Logs and Alerts
This paper will not address every potential log source and operating system; however, the concepts should be universally applicable to your environment. For purposes of this paper, we will focus on Windows workstations (because they are one of the most likely points of first breach) for our event source and ArcSight and Splunk (because that's what I know) for our SIEM correlation efforts. As always, there may be more than one method to accomplish the goal; organizations should explore what methods fit their environments best.
Event Logs
| Log Source | Description | Key Fields Required |
| --- | --- | --- |
| Windows Endpoint Log - Sysmon | Sysmon is a Microsoft Sysinternals tool that can be installed on Windows workstations to provide additional logging capabilities. Sysmon will allow us to log network connections with associated process information. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon | Network tuple; Process ID; User session |
| Windows Endpoint Log - Security | The Windows Security event log contains entries for all processes created (and terminated) on the endpoint. Process creation/termination auditing must be enabled in the security policy. | User session; Process name; Process ID; Parent process ID |
| High-Fidelity Network-based Alert | This can really come from any source so long as you consider it to be a high-fidelity alert that you always want correlated against the other event sources described above. For this paper we will be using deception-based network alerts from the Acalvio ShadowPlex solution. | Network tuple |
[Figure: CORRELATING-HIGH-FIDELITY-ALERTS (https://acalvio.p2staging.us/wp-content/uploads/2017/11/CORRELATING-HIGH-FIDELITY-ALERTS.png)]
CORRELATING HIGH-FIDELITY ALERTS
The first step in defining solid correlation use cases is being able to define and understand the problem.
Let's review a (highly simplified) diagram of a typical breach by an adversary. The attacker sends a spear-phishing email to an end-user who opens the attachment or clicks on the link. The detonated process establishes persistence to ensure it will run if the system is rebooted or the user logs out and back in. When this process runs, it will usually inject itself into a legitimate process and establish command and control (C&C) back to the adversary. From his remote system, the attacker will direct activities through the C&C channel and use tools that he downloads, or built-in system programs, to move laterally to other targets in the environment.
If I start with my high-fidelity alert and work backwards, I can establish the correlations required to provide answers to those three most sought-after questions:
Correlate:
- Deception-based Alert
- Sysmon Network Process Log
Correlate:
- Sysmon Network Process (above)
- Process Creation Log
Correlate:
- Process Creation Log (above)
- Parent Process Creation Log
ARCSIGHT HIGH-FIDELITY BREACH ALERT CORRELATION EXAMPLE
Here is what the associated logic would look like in the ArcSight Common Condition Editor (CCE):
[Figure: high-fidelity-breach-alert (https://acalvio.p2staging.us/wp-content/uploads/2017/11/high-fidelity-breach-alert.png)]
SPLUNK HIGH-FIDELITY BREACH ALERT CORRELATION EXAMPLE
Here is what the associated logic would look like in the Splunk Search Interface if sending the events in tagged-field format:
Deception and Matching Endpoint Events

```spl
("Network connection detected" AND "Microsoft-Windows-Sysmon/Operational" AND NOT "SourceIsIpv6: true") OR ("Acalvio|ShadowPlex")
| rex "CEF:1\|Acalvio\|.* src=(?<DeceptionSource>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex "CEF:1\|Acalvio\|.* dst=(?<DeceptionDestination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex "CEF:1\|Microsoft\|.* src=(?<SysmonSource>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex "CEF:1\|Microsoft\|.* dst=(?<SysmonDestination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex "sproc=(?<SourceProcess>\S.*?\ )[A-Z].*?\=?"
| rex "CEF:1\|Acalvio\|(.*?)\|(.*?)\|(.*?)\|(?<IDSAlert>.*?)\|"
| eval TestSIP=coalesce(DeceptionSource,SysmonSource)
| eval TestDIP=coalesce(DeceptionDestination,SysmonDestination)
| transaction TestSIP TestDIP maxspan=5m
| search "Acalvio|ShadowPlex" sysmon eventcount>1
| eval "Compromised IP"=TestSIP, "Decoy IP"=TestDIP, "Compromised User Session Name"=suser, "Compromised Process Name"=SourceProcess
| table _time IDSAlert, "Compromised IP", "Decoy IP", "Compromised User Session Name", "Compromised Process Name"
```

The search pulls Sysmon network connection events and ShadowPlex alerts into one result set, extracts the source and destination addresses of each CEF record into the common TestSIP/TestDIP fields, groups events that share the same source/destination pair within five minutes, and keeps only the groups that contain both a deception alert and at least one Sysmon event, so each remaining row carries the decoy's alert name together with the endpoint's user session and process name.
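As an added example (not code from the post, from Acalvio or from Splunk), the Python below mirrors the backtrack chain in the correlation lists above and the src/dst transaction in the Splunk search, run offline over constructed CEF lines: it parses the decoy alert and Sysmon network events, pairs them within the five-minute window, walks the Security 4688 parent chain for the alerting PID and lists the host's other connections within seven minutes. The IPs, PIDs, user name, process-creation records and the use of the CEF spid key for the process ID are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events (not from the post): one Acalvio decoy alert and three Sysmon Event ID 3
# records, all in CEF. 'spid' is the standard CEF source-process-id extension key (an assumption here).
LOGS = r"""
CEF:1|Microsoft|Sysmon|6.0|3|Network connection detected|3|rt=2017-11-02T14:02:40 src=10.1.20.15 spt=49810 dst=203.0.113.77 dpt=443 spid=3188 sproc=C:\Users\steve\AppData\Local\Temp\MSDCSC.EXE suser=CORP\steve
CEF:1|Microsoft|Sysmon|6.0|3|Network connection detected|3|rt=2017-11-02T14:03:05 src=10.1.20.15 spt=49812 dst=10.1.50.200 dpt=80 spid=4120 sproc=C:\Program Files\Mozilla Firefox\firefox.exe suser=CORP\steve
CEF:1|Acalvio|ShadowPlex|1.0|100|HTTP decoy connection|8|rt=2017-11-02T14:03:06 src=10.1.20.15 dst=10.1.50.200 spt=49812 dpt=80
CEF:1|Microsoft|Sysmon|6.0|3|Network connection detected|3|rt=2017-11-02T14:03:30 src=10.1.20.44 spt=51000 dst=10.1.50.200 dpt=80 spid=800 sproc=C:\Windows\System32\svchost.exe suser=NT AUTHORITY\SYSTEM
"""
# Constructed Windows Security 4688 (process creation) records for the same workstation.
PROC_CREATE = [
    {"ts": "2017-11-02T08:15:02", "pid": 2340, "proc": r"C:\Windows\explorer.exe", "ppid": 2280},
    {"ts": "2017-11-02T14:01:55", "pid": 3188, "proc": r"C:\Users\steve\AppData\Local\Temp\MSDCSC.EXE", "ppid": 3102},
    {"ts": "2017-11-02T14:03:01", "pid": 4120, "proc": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ppid": 2340},
]

# CEF header is Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_HEADER = re.compile(r"^CEF:\d+\|(?P<vendor>[^|]*)\|[^|]*\|[^|]*\|[^|]*\|(?P<name>[^|]*)\|[^|]*\|(?P<ext>.*)$")
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # extension key=value pairs; values may contain spaces
WINDOW = timedelta(minutes=5)                   # same bound as the Splunk 'transaction ... maxspan=5m'

def parse_cef(line):
    """Split one CEF line into its header fields plus the extension key/value pairs."""
    m = CEF_HEADER.match(line)
    if not m: return None
    ev = {"vendor": m["vendor"], "name": m["name"], **dict(EXT_KV.findall(m["ext"]))}
    ev["ts"] = datetime.fromisoformat(ev["rt"])
    return ev

def breach_alerts(events):
    """Questions 1 and 2: pair each decoy alert with the Sysmon connection that shares its src/dst
    inside WINDOW; that record carries the user session, process name and PID behind the alert."""
    decoys = [e for e in events if e["vendor"] == "Acalvio"]
    conns = [e for e in events if e["vendor"] == "Microsoft" and e["name"] == "Network connection detected"]
    return [{"alert": d["name"], "ts": d["ts"], "compromised_ip": c["src"], "decoy_ip": c["dst"],
             "user": c["suser"], "process": c["sproc"], "pid": int(c["spid"])}
            for d in decoys for c in conns
            if (c["src"], c["dst"]) == (d["src"], d["dst"]) and abs(c["ts"] - d["ts"]) <= WINDOW]

def parent_chain(pid, proc_events, before, depth=3):
    """Walk 4688 records from the alerting PID up through its parents. Only records created at or
    before the alert count, and the latest record per PID wins, which guards against PID reuse."""
    by_pid = {p["pid"]: p for p in sorted(proc_events, key=lambda p: p["ts"])
              if datetime.fromisoformat(p["ts"]) <= before}
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append((pid, by_pid[pid]["proc"]))
        pid = by_pid[pid]["ppid"]
    return chain

def related_connections(host_ip, decoy_ip, events, at, window=timedelta(minutes=7)):
    """Question 3: every other connection the compromised host made inside the (seven-minute)
    window; this is where a C&C channel such as the RAT talking to 203.0.113.77 shows up."""
    return [(e["dst"], e["dpt"], e["sproc"]) for e in sorted(events, key=lambda e: e["ts"])
            if e["vendor"] == "Microsoft" and e["src"] == host_ip and e["dst"] != decoy_ip
            and abs(e["ts"] - at) <= window]

def triage(log_text=LOGS, proc_events=PROC_CREATE):
    """Run the full backtrack for every decoy alert and return the analyst-facing findings."""
    events = [e for e in map(parse_cef, log_text.splitlines()) if e]
    findings = breach_alerts(events)
    for hit in findings:
        hit["parents"] = parent_chain(hit["pid"], proc_events, hit["ts"])
        hit["other_connections"] = related_connections(hit["compromised_ip"], hit["decoy_ip"], events, hit["ts"])
    return findings
```

On the sample, triage() returns a single finding: Steve's firefox.exe (PID 4120, parent explorer.exe PID 2340) touched the decoy, and the only other connection from that host in the window is MSDCSC.EXE to 203.0.113.77:443; the svchost.exe connection from 10.1.20.44 has no matching decoy alert and is dropped.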
RELATED COMMUNICATIONS FROM SUSPECT ENDPOINT
Now that I have a high-fidelity alert correlating against endpoint process logs, I also want to be able to gather up any other communications the compromised endpoint transmits. The goal is to help the analyst identify the attacker's C&C channel more effectively.
Matching Communications to Breach Alert
Here is an example of the correlation rule in the ArcSight CCE; we are aggregating all matching events within a seven-minute time window:
[Figure: matching-communications-breach-alert (https://acalvio.p2staging.us/wp-content/uploads/2017/11/matching-communications-breach-alert.png)]
PUTTING IT ALL TOGETHER
With this correlation in place, the SOC Analyst has visibility into the systems involved, program/process information, the user session and the parent process ID responsible for the security alert:
QUESTION 1: WHO IS THE RESPONSIBLE USER AND PROCESS?
This correlation clearly tells me it is Steve's user session running firefox that reached out and touched the deception decoy.
[Figure: Correlation-Alert-in-Arcsight-2 (https://acalvio.p2staging.us/wp-content/uploads/2017/11/Correlation-Alert-in-Arcsight-2.jpg)]
QUESTION 3: WHAT IS THE PARENT PROCESS FOR THE RESPONSIBLE COMMUNICATION?
As we see in Question 1, the Parent Process ID of the process that generated the alert is 2340. I can pivot in my logs, searching for the Process Creation event for this Process ID, to find out which process is most likely injected with malicious code. Bear in mind this process could have been created when the user session originally started; Active Lists in ArcSight and additional correlation techniques could help locate it faster, but are a topic for another day.
This pivot shows me that the Explorer.exe process is the parent process responsible for creating the task that reached out and touched my Deception Decoy.
Correlation Alert in ArcSight
[Figure: Correlation-Alert-in-Arcsight-3 (https://acalvio.p2staging.us/wp-content/uploads/2017/11/Correlation-Alert-in-Arcsight-3.jpg)]
[Figure: Correlation-Alert-in-Arcsight-4 (https://acalvio.p2staging.us/wp-content/uploads/2017/11/Correlation-Alert-in-Arcsight-4.jpg)]
[Figure: Correlation-Alert-in-Arcsight-5 (https://acalvio.p2staging.us/wp-content/uploads/2017/11/Correlation-Alert-in-Arcsight-5.jpg)]
WHAT REALLY HAPPENED
So, did the correlated events present an actual representation of how the attack really happened? Let's find out.
To create the attack, I used the DarkComet Remote Access Trojan (RAT) to take command and control of my "victim" system. I attached the RAT in an email and sent it to my target user (Steve).
When Steve opened the attachment, the RAT detonated and established a C&C link back to the control system (msoutlookg). The DarkComet program planted itself in Steve's Local/Temp directory using the name MSDCSC.EXE. Through DarkComet's Remote Desktop capability, I launched Firefox from the user's desktop (Explorer.exe) and reached out to an HTTP deception decoy, generating the high-fidelity alert.
As you can see, all these activities were correlated and captured, providing clear context to the analyst as to what happened. And it all started from a single high-fidelity alert.
CONCLUSION
It is not enough for organizations to keep pumping all types of security events into SIEMs and hoping they get correlated and prioritized appropriately for the Level I Analyst.B B The triage process needs to focus on Prevention Failure Detection utilizing high-fidelity alerts combined with use case focused correlations that answer the key questions accurately and efficiently.B B Knowing the user session involved in the breach, processes responsible for communications, and other network communications involving a breached system are critical to rapidly isolating and remediating the compromise.
Utilizing Deception-based alerts with endpoint logs, SIEM can deliver on its capability to correlate alerts that matter.
The Apocalypse has been averted.
John Bradshaw, Sr. Director, Solutions Engineering at Acalvio Technologies, has more than 25 years of experience in the Cyber Security industry focusing on advanced, targeted threats. He held senior leadership roles at Mandiant, ArcSight, Internet Security Systems, Lastline, and UUNET.
