Detection methods and relevance to log analysis

Attacker patterns

Attacker behaviors

Abnormalities

Analyzing common application logs that generate tremendous amounts of data

DNS

Finding new domains being accessed

Pulling in addition information such as domain age

Finding randomly named domains

Discover domain shadowing techniques

Identifying recon

Find DNS C2 channels

HTTP

Use large datasets to find attacks

Identify bot traffic hiding in the clear

Discover requests that users do not make

Find ways to filter out legitimate noise

Use attacker randomness against them

Identify automated activity vs user activity

Filter approved web clients vs unauthorized

Find HTTP C2 channels

HTTPS

Alter information for large scale analysis

Analyze certificate fields to identify attack vectors

Track certificate validity

Apply techniques that overlap with standard HTTP

Find HTTPS C2 channels

SMTP

Identify where unauthorized email is coming from

Find compromised mail services

Fuzzy matching likely phishing domains

Data exfiltration detection

Apply threat intelligence to generic network logs

Active Dashboards and Visualizations

Correlate network datasets

Build frequency analysis tables

Establish network baseline activity

Security Architecture – Endpoint Protection

Anti-Malware

Host-based Firewall, Host-based IDS/IPS

Application Control, Application Virtualization

Privileged Accounts, Authentication, Monitoring, and UAC

Virtual Desktop Infrastructure

Browser Security

EMET and Defender Exploit Guard

Patching

Process

To Test or Not to Test

Microsoft

Third-Party

Centralize NIDS and HIDS alerts

Analyze endpoint security logs

Provide alternative analysis methods

Configure tagging to facilitate better reporting

Augment intrusion detection alerts

Extract CVE, OSVDB, etc for further context

Pull in rule info and other info such as geo

Analyze vulnerability information

Setup vulnerability reports

Correlate CVE, OSVDB, and other unique IDs with IDS alerts

Prioritize IDS alerts based on vulnerability context

Correlate malware sandbox logs with other systems to identify victims across enterprise

Monitor Firewall Activity

Identify scanning activity on inbound denies

Apply auto response based on alerts

Find unexpected outbound traffic

Baseline allow/denies to identify unexpected changes

Apply techniques to filter out noise in denied traffic

SIEM tripwires

Configure systems to generate early log alerts after compromise

Identify file and folder scan activity

Identify user token stealing

Operationalize virtual honeypots with central logging

Allow phone home tracking

Post mortem analysis

Re-analyze network traffic

Identify malicious domains and IPs

Look for beaconing activity

Identify unusual time-based activity

Use threat intel to reassess previous data fields such as user-agents

Utilize hashes in log to constantly re-evaluate for known bad files