
Security Incident Discovery and Correlation on .Gov Networks (PowerPoint presentation)


  1. Security Incident Discovery and Correlation on .Gov Networks
     Cory Mazzola, MSIA, CISSP, US-CERT Surface Analysis Group
     Timothy Tragesser, US-CERT Fusion Analysis & Development

  2. Agenda
     - Overview
     - Data Collection
     - Malware Activity Sets: Beaconing, Redirection, Suspicious Activity
     - Findings/Analysis
     - Samples/Examples
     - Recommendations
     - Takeaways
     Presenter's Name June 17, 2003

  3. Who we are...
     - US-CERT is the operational arm for cyber security under the Department of Homeland Security
     - The Analysis Branch uses flow data from Einstein sensors deployed across .gov networks

  4. Information Correlation...
     Facilitating collective analysis of cyber threats through partnerships. The slide shows US-CERT at the center of a partner diagram with: Industry, Military, State/Local Gov, Private Citizens, Federal Gov, ISACs, US/International Law Enforcement, Media, Intel.

  5. Threat Summary
     - Security incidents reported to/by US-CERT since 1 January
     - ~108,000 total incidents reported YTD
     - 13,000 Malicious Code Incidents YTD
     - Malicious Logic Incidents comprise the primary focus area
     CAT3 IP addresses by category (chart values in the order extracted):
       Crimeware Kit   59
       Rogueware      106
       Spam            16
       Web Threat      22
       Koobface        45
       Rootkits        17
       Dropper         15
       Other          173

  6. Context
     What we have:
     - Repository of federal/state/local government, private-sector and foreign security incidents
     - ~108K so far this year
     What we needed:
     - An automated method to detect and identify security incidents/events using netflow
     What we devised:
     - Queries to mine the database, correlate information and positively identify security incidents

  7. Prep: Data Collection - Initial Data Pull / RW Binary Creator
     Creates a SiLK binary flow file ("bin file") that the later queries run against. hosts.txt is a pipe-delimited list of hosts of interest; the script builds a SiLK IP set from its first field and pulls every Einstein flow to or from those hosts for a look-back window that covers weekends.

     #!/bin/sh
     # rwprocessor.sh: build a SiLK binary of all Einstein flows to/from the hosts in hosts.txt
     # Strip whitespace so that cut(1) sees clean pipe-delimited fields
     perl -pi -e 's/ //g' hosts.txt

     BINFILE=$(date "+%Y-%m-%d-%T.bin")
     day=$(date +"%a")

     # Look back far enough that a Monday run covers the weekend and the Friday before it
     # (date -d is GNU date)
     case "$day" in
       Mon) STARTDATE=$(date -d '-4 days' +'%Y/%m/%d') ;;
       Sun) STARTDATE=$(date -d '-7 days' +'%Y/%m/%d') ;;
       Sat) STARTDATE=$(date -d '-8 days' +'%Y/%m/%d') ;;
       *)   STARTDATE=$(date -d '-3 days' +'%Y/%m/%d') ;;
     esac
     ENDDATE=$(date "+%Y/%m/%d")

     if [ -f "$BINFILE" ]; then
       echo "$BINFILE already exists !!!"
       echo "Please ensure rwprocessor.sh is not already running and then move or remove $BINFILE"
       exit 1
     fi
     rm -f temphosts.txt temphosts.set

  8. Initial data pull: RW Binary Creator (cont.)
     Creates the bin file to execute queries against.

     # One unique host per line (first pipe-delimited field), then compile it into a SiLK IP set
     cut -d "|" -f1 hosts.txt | sort -u > temphosts.txt
     rwsetbuild temphosts.txt temphosts.set

     echo "Einstein query from $STARTDATE to $ENDDATE"
     echo "Created $BINFILE"
     # Pass every flow whose source or destination is in the set, all types, for the window.
     # rwfilter runs in the foreground so temphosts.set is not removed while it is still being read.
     rwfilter --anyset=temphosts.set --type=all \
              --start-date="$STARTDATE" --end-date="$ENDDATE" --pass="$BINFILE"
     rm -f temphosts.txt temphosts.set

  9. Malware Activity Patterns
     Main focus areas:
     - Beaconing
     - Redirect
     - Suspicious

  10. Beaconing
     - Goal is to detect and identify beaconing activity to/from constituent systems
     - Regular and irregular patterns
     - High- and low-volume connections
     - Known malicious IPs/domains
     - Investigate to identify data exfiltration / low-and-slow actions
     - Triggers when a victim IP address sends requests to the same destination port with a consistent packet size at a specific time interval or pattern (e.g., every 60 seconds, every 60 minutes, etc.)
     - Beaconing is a symptom, not the infection itself

  11. Beaconing
     - Personal favorite
     - 'Quick and easy' to vet true positives
     - Good indicator of compromise/infection
     Sample output (beaconing occurring at 1 hour 10 minute intervals):
                   sTime|      sIP|          dIP|sPort|dPort|bytes|sensor|InitFlag
     2010/10/04T13:06:38|199.9.9.9|195.161.112.6| 1315|   80| 1623|  USGA|       S
     2010/10/04T14:16:40|199.9.9.9|195.161.112.6| 1366|   80| 1623|  USGA|       S
     2010/10/04T15:26:42|199.9.9.9|195.161.112.6| 1418|   80| 1623|  USGA|       S
     2010/10/04T16:36:44|199.9.9.9|195.161.112.6| 1515|   80| 1623|  USGA|       S
     2010/10/04T17:46:45|199.9.9.9|195.161.112.6| 1600|   80| 1623|  USGA|       S
     2010/10/04T18:56:48|199.9.9.9|195.161.112.6| 1721|   80| 1623|  USGA|       S
     Callouts on the slide: the automated byte sizes (every flow is exactly 1623 bytes), the initial flags (SYN only), and the timestamps (each flow starts 70 minutes after the previous one, to within a couple of seconds).

  12. Beaconing Script
     The beaconing script uses several commands, sampled below, to filter flows for indications of hourly/daily/weekly beaconing activity. For each byte size that appears in at least five flows from the victim to the suspect IP, it counts the distinct days on which flows of that size were seen:

     for bytes in $(rwfilter --saddress="$victimip" --daddress="$badip" --type=all "bin/$i.bin" --pass=stdout \
                    | rwuniq --fields=bytes --flows=5 --no-titles --no-final-delimiter --no-columns \
                    | cut -d "|" -f1)
     do
       # rwcut field 9 is sTime (YYYY/MM/DDTHH:MM:SS); keep the day part and count the unique days
       daycount=$(rwfilter "bin/$i.bin" --type=all --saddress="$victimip" --daddress="$badip" \
                    --bytes="$bytes" --pass=stdout \
                  | rwcut --fields=9 --no-titles | cut -d "/" -f3 | cut -d "T" -f1 | sort -u | wc -l)
       echo "bytes=$bytes seen on $daycount distinct day(s)"
     done

  13. Findings Analysis: Beaconing
     - Use seconds/milliseconds when building the timeline
     - Helps dispel apparent irregularities: the intervals below look random, but every flow starts at the same second of the minute (:23 to :25, drifting one second per day), so the gaps are whole multiples of a minute
     - Common traffic-obfuscation technique for FakeAV and rootkits
     Sample output (note the seconds count):
                   sTime|      sIP|           dIP|sPort|dPort|bytes|sensor|initialF|Records
     2010/08/17T11:25:23|199.9.9.9|94.228.209.200| 1529|   80|  549| USGA1|       S|      1
     2010/08/17T14:21:23|199.9.9.9|94.228.209.200| 1989|   80|  549| USGA1|       S|      1
     2010/08/17T21:26:24|199.9.9.9|94.228.209.200| 2346|   80|  549| USGA1|       S|      1
     2010/08/17T22:32:24|199.9.9.9|94.228.209.200| 2602|   80|  549| USGA1|       S|      1
     2010/08/18T02:09:24|199.9.9.9|94.228.209.200| 3103|   80|  549| USGA1|       S|      1
     2010/08/18T05:43:24|199.9.9.9|94.228.209.200| 3607|   80|  549| USGA1|       S|      1
     2010/08/18T14:10:25|199.9.9.9|94.228.209.200| 3996|   80|  549| USGA1|       S|      1
     2010/08/18T16:18:25|199.9.9.9|94.228.209.200| 4295|   80|  549| USGA1|       S|      1
     2010/08/18T18:51:24|199.9.9.9|94.228.209.200| 4640|   80|  549| USGA1|       S|      1
     2010/08/19T05:22:24|199.9.9.9|94.228.209.200| 1229|   80|  549| USGA1|       S|      1
     2010/08/19T09:56:24|199.9.9.9|94.228.209.200| 1341|   80|  549| USGA1|       S|      1
     2010/08/19T15:42:24|199.9.9.9|94.228.209.200| 1806|   80|  549| USGA1|       S|      1
     2010/08/20T06:24:24|199.9.9.9|94.228.209.200| 2186|   80|  549| USGA1|       S|      1
     2010/08/20T09:37:25|199.9.9.9|94.228.209.200| 2321|   80|  549| USGA1|       S|      1
     2010/08/20T12:04:25|199.9.9.9|94.228.209.200| 2871|   80|  549| USGA1|       S|      1
     2010/08/21T15:22:25|199.9.9.9|94.228.209.200| 3439|   80|  549| USGA1|       S|      1
     2010/08/21T17:34:25|199.9.9.9|94.228.209.200| 3532|   80|  549| USGA1|       S|      1

  14. Findings Analysis: Beaconing
     - Graphical representation
     - Easy-to-read synopsis of activity
     - Helpful handout/reference for the constituency
     [Chart: time of day (00:00 to 24:00) of each beacon, plotted per day from 11/15/2010 through 11/19/2010. Victim IP observed beaconing every 8 minutes and 55 seconds.]
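The detection logic described on slides 10 through 14, as an added example that is not part of the presentation or of US-CERT's tooling: a Python script that parses rwcut-style pipe-delimited output (the layout shown on slides 11 and 13), groups flows by source, destination, destination port and byte count, and flags a group either when its inter-arrival times are nearly constant or when the intervals look irregular but every flow starts at the same second of the minute, which is how slide 13 dispels the apparent irregularity. The records in SAMPLE_FLOWS are constructed, not Einstein data: the first two groups reuse the timestamps printed on slides 11 and 13, the 8 minute 55 second group is made up to match slide 14, and the 199.9.9.10 rows are browsing noise. The thresholds (five flows, 10% interval variation, 5 seconds of drift) are assumptions of this example.

```python
"""Beacon-candidate detection over SiLK rwcut-style pipe-delimited flow records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in rwcut's pipe-delimited layout (not real Einstein data).
# Group 1: the 70-minute beacon timestamps from slide 11.
# Group 2: the irregular-looking but second-aligned timestamps from slide 13.
# Group 3: a made-up 8m55s beacon matching slide 14. Remaining rows: browsing noise.
SAMPLE_FLOWS = """\
              sTime|        sIP|           dIP|sPort|dPort|bytes|sensor|initialF|
2010/10/04T13:06:38|  199.9.9.9| 195.161.112.6| 1315|   80| 1623|  USGA|       S|
2010/10/04T14:16:40|  199.9.9.9| 195.161.112.6| 1366|   80| 1623|  USGA|       S|
2010/10/04T15:26:42|  199.9.9.9| 195.161.112.6| 1418|   80| 1623|  USGA|       S|
2010/10/04T16:36:44|  199.9.9.9| 195.161.112.6| 1515|   80| 1623|  USGA|       S|
2010/10/04T17:46:45|  199.9.9.9| 195.161.112.6| 1600|   80| 1623|  USGA|       S|
2010/10/04T18:56:48|  199.9.9.9| 195.161.112.6| 1721|   80| 1623|  USGA|       S|
2010/08/17T11:25:23|  199.9.9.9|94.228.209.200| 1529|   80|  549| USGA1|       S|
2010/08/17T14:21:23|  199.9.9.9|94.228.209.200| 1989|   80|  549| USGA1|       S|
2010/08/17T21:26:24|  199.9.9.9|94.228.209.200| 2346|   80|  549| USGA1|       S|
2010/08/17T22:32:24|  199.9.9.9|94.228.209.200| 2602|   80|  549| USGA1|       S|
2010/08/18T02:09:24|  199.9.9.9|94.228.209.200| 3103|   80|  549| USGA1|       S|
2010/08/18T05:43:24|  199.9.9.9|94.228.209.200| 3607|   80|  549| USGA1|       S|
2010/08/18T14:10:25|  199.9.9.9|94.228.209.200| 3996|   80|  549| USGA1|       S|
2010/08/18T16:18:25|  199.9.9.9|94.228.209.200| 4295|   80|  549| USGA1|       S|
2010/11/15T09:00:00| 199.9.9.11|  203.0.113.17| 2001|  443|  812|  USGA|       S|
2010/11/15T09:08:55| 199.9.9.11|  203.0.113.17| 2002|  443|  812|  USGA|       S|
2010/11/15T09:17:50| 199.9.9.11|  203.0.113.17| 2003|  443|  812|  USGA|       S|
2010/11/15T09:26:45| 199.9.9.11|  203.0.113.17| 2004|  443|  812|  USGA|       S|
2010/11/15T09:35:40| 199.9.9.11|  203.0.113.17| 2005|  443|  812|  USGA|       S|
2010/11/15T09:44:35| 199.9.9.11|  203.0.113.17| 2006|  443|  812|  USGA|       S|
2010/11/15T09:01:12| 199.9.9.10|  198.51.100.9| 3001|   80| 4120|  USGA|       S|
2010/11/15T09:01:13| 199.9.9.10|  198.51.100.9| 3002|   80|  977|  USGA|       S|
2010/11/15T09:03:41| 199.9.9.10|  198.51.100.9| 3003|   80|12488|  USGA|       S|
"""


def parse_stime(text):
    """rwcut prints sTime as YYYY/MM/DDTHH:MM:SS, optionally with .mmm appended."""
    fmt = "%Y/%m/%dT%H:%M:%S.%f" if "." in text else "%Y/%m/%dT%H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_rwcut(text):
    """Parse rwcut pipe-delimited output into dicts; the title row supplies the keys."""
    header, rows = None, []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().rstrip("|").split("|")]
        if not fields[0]:
            continue  # blank line
        if header is None:
            header = fields
            continue
        rec = dict(zip(header, fields))
        rec["sTime"] = parse_stime(rec["sTime"])
        for k in ("sPort", "dPort", "bytes"):
            rec[k] = int(rec[k])
        rows.append(rec)
    return rows


def circular_spread(values, modulus=60):
    """Smallest arc of the clock face that covers every value (handles :59 -> :00 wrap)."""
    vals = sorted({v % modulus for v in values})
    if len(vals) == 1:
        return 0
    gaps = [b - a for a, b in zip(vals, vals[1:])]
    gaps.append(vals[0] + modulus - vals[-1])
    return modulus - max(gaps)


def find_beacons(records, min_flows=5, max_cv=0.10, max_second_drift=5):
    """Score (sIP, dIP, dPort, bytes) groups by the regularity of their start times.

    'regular': inter-arrival times nearly constant (pstdev/mean <= max_cv).
    'minute-aligned': intervals vary, but every flow starts at the same second of
    the minute within max_second_drift, i.e. a timer stepping in whole minutes.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["sIP"], r["dIP"], r["dPort"], r["bytes"])].append(r["sTime"])
    findings = {}
    for key, times in groups.items():
        if len(times) < min_flows:
            continue  # too few flows to call a period (same idea as rwuniq --flows=5)
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        drift = circular_spread(t.second for t in times)
        if cv <= max_cv:
            verdict = "regular"
        elif drift <= max_second_drift:
            verdict = "minute-aligned"
        else:
            continue
        findings[key] = {"flows": len(times), "mean_interval_s": avg, "cv": cv,
                         "second_drift": drift, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for (sip, dip, dport, nbytes), f in find_beacons(parse_rwcut(SAMPLE_FLOWS)).items():
        print(f"{sip} -> {dip}:{dport} bytes={nbytes} flows={f['flows']} "
              f"mean={f['mean_interval_s']:.0f}s cv={f['cv']:.3f} "
              f"sec-drift={f['second_drift']} verdict={f['verdict']}")
```

Feed it real data by piping `rwcut --fields=sTime,sIP,dIP,sPort,dPort,bytes,sensor,initialFlags` output into parse_rwcut. Grouping on the byte count is what makes the approach cheap: a beacon's check-in request is the same size every time, so the noise from ordinary browsing (different sizes, one or two flows per size) never reaches the minimum flow count and the candidates left over are the few that need an analyst's eye.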
