Abstract: Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This presentation investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.
Bio: Sean is a Senior Consultant in the Wolf & Company, P.C. Information Technology (IT) Assurance Services group where he is responsible for coordinating and executing cybersecurity and IT audit services at client locations for financial, healthcare, educational and investment planning clients. Sean leads Wolfs security assessment and PCI DSS teams.
Related whitepaper: https://www.sans.org/reading-room/whitepapers/detection/attackers-walls-detecting-malicious-activity-39055
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Detecting Malicious Activity on a Budget
1. Presented to fulfill degree requirements for the SANS Technology Institute’s Master of Science
Detecting Malicious Activity on a Budget
Presented by Sean D. Goodwin
GSEC, GCIH, GCIA
Master’s Degree Candidate at the SANS Technology Institute
2. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu
Objectives
Identify a toolset that SMBs can implement to reduce resources
needed to detect malicious activity on hosts
Minimize cost and time spent analyzing event logs
Minimize time spent vetting alerts for false-positive events
3. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu
Insufficient Detection Resources
Small and Mid-sized Businesses (SMBs) typically lack detection
capabilities
Tools
Training & analyst skills
Inability to detect malicious actors
Seeking a “plug-and-play” solution for host-based detection
10. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu
Results
Data is available, but detection is not easy
All three attacks could be identified after the fact
“Living off the land” makes detection harder
17. Master’s Degree Candidate7/8/2019 ‹#›Master’s Degree Candidate www.sans.edu
Summary
SMBs continue to struggle detecting host-based attacks
Not a “plug and play” solution for detecting all attacks
Custom rules will aid in automating recurring log investigations
Additional data points (network traffic) may help
Hinweis der Redaktion
Limited resources means many SMBs cannot afford high-end commercial systems to analyze event logs and provide high quality alerts. Often, the free or low cost solutions do little analysis, leading to hours spent reviewing event logs and chasing down events that are determined to be false positives in the end. This case study sought to use no-cost software, configured with industry-accepted settings to reliably alert on malicious activity via host-based event logs. The alert dashboard should flag suspicious activity worthy of investigation, without overburdening the analyst with false-positives.
According to the 2018 Verizon Data Breach Investigations Report,
50% of breach victims were categorized as small businesses
68% of breaches took “months or longer to discover”
To make matters worse, a large percentage of small and medium-sized businesses (SMBs) identify restricted budgets as the greatest challenge to security (Untangle, n.d.). Another significant concern identified in the survey was not having enough staff to “monitor and manage security”.
Identifying a toolset that minimizes cost and complexity while providing actionable alerts will enable an SMB to reduce the time required to identify a breach.
2018 Data Breach Investigations Report (Rep.). (n.d.). Verizon.
Untangle. (n.d.). 2018 SMB It Security Report. Retrieved from https://www.untangle.com/2018-smb-it-security-report/
This research focused on using existing tools and “best-practice” configurations in the spirt of getting as close as possible to a “plug-and-play” configuration. This would allow an SMB to devote minimal resources to getting a solution implemented and operational, and hopefully providing useful detection data. Security Onion was installed with the default detection rules. To provide the event log data for analysis, Windows Audit Policy was configured following the guidance of Malware Archaeology. To support these event logs, Microsoft Sysinternals Sysmon was also installed, and the SwiftOnSecurity configuration file was used.
Security Onion. (n.d.). Retrieved from https://securityonion.net/
Sysmon-Config [Brochure]. (n.d.). Retrieved from https://github.com/SwiftOnSecurity/sysmon-config
Sysmon - Windows Sysinternals. (2019, February 18). Retrieved from
Wazuh - The Open Source Security Platform. (n.d.). Retrieved from https://wazuh.com/
WINDOWS ATT&CK LOGGING CHEAT SHEET - Win 7 - Win 2012 [Brochure]. (n.d.). Retrieved from https://www.malwarearchaeology.com/cheat-sheets Version 1.0
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2019 [Brochure]. (n.d.). Retrieved from https://www.malwarearchaeology.com/cheat-sheets Version 2.3
Caldera was used to simulate attacks due to the automated nature and ability to test different detection capabilities without significant effort in launching each attack. Three (3) different attacks were chosen for testing, each of which represents real-world attacks as documented in the MITRE ATT&CK Framework.
Mitre. (n.d.). Mitre/caldera. Retrieved from https://github.com/mitre/caldera
PsExec MITRE ATT&CK: https://attack.mitre.org/software/S0029/
Pass-the-Hash MITRE ATT&CK: https://attack.mitre.org/techniques/T1075/
xCopy (file collection) MITRE ATT&CK: https://attack.mitre.org/techniques/T1039/
The Test Corp network was designed to be a fair representation of a “typical” SMB network. This was a Windows domain network, using Server 2016 and Windows 10 workstations.
Important Considerations:
Some users ran a low-privilege domain user account with local admin rights to their workstation
A Domain Admin had left their account logged in to the DC to simulate a user that closes an RDP connection instead of logging out
Network monitoring was not used
This Caldera campaign:
Enumerates the domain to which the initial system is connected.
Enumerates the privileged accounts of the domain to which the initial system is connected.
Checks the system for credentials stored in memory.
Executes PsExec using privileged credentials to start a RAT on another domain-joined machine.
The details of this event log show that this is classified as priority “notice” by syslog, as this event is a legitimate administration tool being used by a legitimate user.
Due to the Audit Policy, events that fall under Object Access – Detailed File Share (Success) (Event ID 5145) will be recorded. This will log any successful mapping of file shares. This can capture plenty of legitimate uses, so to filter this down, an analyst should look for instances of the inclusion of “PSEXECSVC” in the log data. This data can be parsed by user, to aid in identifying suspicious uses. An example of this would be looking for instances of an administrator (admin02) using PsExec on non-typical machines or at non-standard times.
This Caldera campaign:
Enumerates the domain to which the initial system is connected.
Enumerates the privileged accounts of the domain to which the initial system is connected.
Checks the system for credentials stored in memory.
Uses the hashed password retrieved from memory to transfer a file to a remote host.
Uses the hashed password retrieved from memory to start a Windows service to transfer a file to a remote host.
Pass-the-Hash is another example of a legitimate action taken by users that can be leveraged by attackers.
David Kennedy provides a set of data fields and values that can be used to filter a large number of authentication logs down to a manageable set for investigation (Kennedy, 2016). Specifically:
Windows Event ID 4624
Logon Type = 3
Logon Process = NtLmSsP
Key Length = 0
Security ID should be null (Security ID: S-1-0-0)
This Caldera campaign:
Enumerates the domain to which the initial system is connected.
Enumerates the privileged accounts of the domain to which the initial system is connected.
Mounts a remote network share from a second machine.
Transfers a CALDERA RAT.
Transfers a local file to the mounted network share.
This level of filtering is time-consuming, as filters must be written to only show suspicious connections, which are likely to be buried in the white noise of valid file share access on the SMB network.
All of the data needed to investigate these attacks was recorded in the Security Onion device, but alerts were not always generated. This is largely due to the fact that these attacks take advantage of legitimate administrative software, which makes detection harder by “hiding” among valid activities.
If your team does not use features/tools – remove them from your environment, and then create custom rules to trigger in the event they are used.
A custom rule can be created to reduce the number of queries needed by an analyst to detect potential incidents. An example of one such custom rule is shown to follow the detection advice for potential abuse of Pass-the-Hash events. Note: this will also flag legitimate uses of pass-the-hash, so additional steps may need to be added to this rule based on your environment.
Our initial trigger is a default rule that searches for a successful Windows logon.
Step One in our custom rule checks for our target Security ID (S-1-0-0). If this string is not found, this custom rule stops processing the log. If this string is found, the log is passed onto the next step.
Step Two searches for our string of “Logon Type: 3”. If this string is not found, this custom rule stops processing the log. If found, the log is passed on to the next step.
Step Three searches for our string of “Logon Process: NtLmSsp”. If this string is not found, this custom rule stops processing the log. If this string is found, the log is passed onto the next step.
The fourth and final step of our custom rule searches for the string “Key Length: 0”. If this string is not found, this custom rule stops processing the log. If this string is found, a level 7 alert is generated.
This project did not result in finding an easy “plug and play” solution that a SMB could implement with little effort and rely on for detection of these specific attacks. This toolset did aid in the investigation efforts after an incident, but this is not enough to satisfy the thesis of this case study, as these SMBs are already struggling with resources, which includes analyst hours.
Additional data points, such as those provided via Zeek or the newly implemented DNS logs in Sysmon may provide additional context for alert generation.
If you’re interested in discussing this more, I can be reached at: SeanGoodwin@protonmail.ch
**** Include a link to your posted research paper. ****
