1. My Bro The ELK
Obtaining Security Context from Security Events
Travis Smith
tsmith@tripwire.com
2. • What is the problem?
• Who is the Bro?
• What is an ELK?
• Beefing up the ELK
• Making Your Bro the ELK Intelligent
• Visualization w/ Kibana
• Introducing the TARDIS framework
Agenda
3. • I’m a lumberjack and I’m OK
• 10+ years in security
• Security Researcher at Tripwire
13. • Utilizing Custom Patterns
• GROK Message Filtering
• Adding Custom Fields
• Adding Geo IP Data
• Date Match
• Using Translations for Threat Intel
Logstash Filtering
25. • Threat Analysis, Reconnaissance, & Data
Intelligence System
• Historical exploit/IOC detection
• Time Lord of forensic log data
• Available at
https://github.com/tripwire/tardis
• Demo at Arsenal Thursday @ 12:45
The TARDIS Framework
As the security maturity expands, so does complexity, costs, and data volumes
-Typical logs collected are only the tip of the iceberg when it comes to analyzing threat data. Adding in session, packet string, and full packet captures is the best method to truly analyze threats against the organization.
-Using a product like bro allows you to either analyze this information in real-time or in a post-mortem manner after a potential attack has occurred
-Analyze network traffic in real-time or from packet captures
-Application Layer analysis
-Brogramming scripts to analyze protocol and application data, looking for suspicious activity
-Ability to do SIEM type correlation
-Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data.
-44 Inputs
-40 Filters
-54 Outputs
-Use Logstash (or other LM products like TLC or Splunk) to ingest, normalize, and store data.
-44 Inputs
-40 Filters
-54 Outputs
-Cool visualizations with kibana to expose key data
-Lots of information, but what does it mean
-Collection of tons of valuable data, but what do we do with it all?
-It’s not big data, it’s obese data
-Looking for a needle in a pile of needles
-Critical Stack for Bro makes starting out with Threat Intelligence incredibly easy.
-Install the agent and automatically pull data that generates bro scripts from threat intel providers
Single command to pull from 98 threat feeds which contain over 800k IoC’s
-What a basic normalization rule looks like
-Take the Oniguruma syntax out of the conf file and put it in a log file for each device in a custom patterns directory.
-Makes management of normalization/parsing rules easier
-Allows us to utilize add_field to our advantage
We’ll need to filter each message to apply the add_field
-Take the Oniguruma syntax and remove the column mappings to expose raw regex code
-Add custom fields to find relevant data quickly in Kibana
-Adding a rule ID will allow us to optimize the normalization engine in logstash by exposing the most commonly parsed logs in your environment
-Get a copy of a GeoLiteCity database file and place it on the server
-Reference an normalized IP address field in the source field
-Create a new field in the target field to place all the GEO IP data in
-Choose from a bunch of geo IP fields
Not necessary when collecting logs in real time
When you read pcap files and normalize the logs, this will take the timestamp from the log file, which bro uses from the PCAP file
Use this for tor exit node IP’s, malicious IP’s, command and control servers, file hashes, etc.
-Python scripts available to pull data and generate YAML files, only downside is it requires a restart of logstash to use the new YAML files
-Translate plugin is a community-maintainted plugin, so you need to install it before adding it to the config file.
-With the GEO IP we can now build maps with the data collected from BRO.
-We can also start generating reports on known malicious IP’s, file hashes, etc.
-Historograms can help pinpoint malicious activity, as seen here by a spike in malicious traffic around 11:25
-Take a STIX/Cybox Artifact, convert it into a supported search string, and generate evidence of exloitation/attack from those signatures.
-Can take this further, which we do internally by integrating with vulnerability management, FIM, threat intel, etc.