Incident Response on a Shoestring Budget

DetectingAttackersonYourNetworkUsingOpenSourceTools

Who, what, when?

• AtBHISwestillrarelyseeeffectiveloggingandmonitoringfordetectingattackeractivity

• Effectiveingress/egressnetworktrafficlogstodeterminewhatwentwhereandwhen

• Consolidatedendpointloggingfordeterminingwhatranonwhatsystemandwhen

• Freeandopensourcecanprovidethisthenecessaryvisibility

Bio

• SecurityAnalystatBlackHillsInformationSecurity• PreviousBlueTeam,nowmostlyRedTeam• CitySec Meetup Organizer– TidewaterSec (Hampton,VA)• AvidOWAenthusiast

Standard Disclaimer• Enterprisedeploymentsofmonitoringandloggingsolutionshavetobesizedappropriatelyfortheamountoftraffic,logs,andanalysis

• Thisistrueforcommercialandopensourcetools• Theopensourceandfreetoolsdiscussedinthispresentationwillscaletotheenterprise

• Itstilltakesplanningandresourcesbeyondwhatcanbecoveredinanhour

• Onesizedoesnotfitall• Yourmileagemayvary

Detection vs. Prevention

• Preventionisidealbutdetectionisamust• Preventivemeasurescanbebypassed• Preventivesolutionspotentiallycostasubstantialamountofmoney• Manydetectivesolutionscanbedonefor“free”• Detectivesolutionsareessentialin identifyingthe“fullpicture”onanincident

Value of Time

• Opensourceandfreesoftwareisnotcostfreeifyouvalueyourtime• Tradeoffsforfiguringoutvs.abilitytocallthevendor

• Ifyougowithcompletelyfreeandopensourcesolutions,youmaybeonyourowntofigureitoutandmakeitwork

• ButyoursecurityKungFuwillgetbetterbecauseofthis

Core Monitoring Components

• NetworkMonitoring• HostBasedMonitoring(monitoringedgedevices)• ForensicsatScale(oneanalysttomanysystems)• CentralizedLogging• LogCorrelationandalerting(SIEM)

Threat Intelligence?CyberKillChain®(lockheedmartin.com/cyber) 1)Reconnaissance

2)Weaponization

3)Delivery

4)Exploitation

5)Installation

6)CommandandControl

7)ActionsonObjectives

Where are you now?

Network Monitoring

• Brovs.Snort- Applesandoranges• Broisnetworkprotocoldecodingatscale

• Forensicgroundtruthofwhathappensonthenetwork

• Snortmatchespacketstosignaturestodetectpotentiallybadtraffic• Theyhavedifferentusecases– usetherighttoolforthejob

Host Based Monitoring

• Withcloudandmobile,increasinglymoreimportanttogainedgedevicevisibility

• Sysmon isaneasywintodeploytoWindowsEndpoints• Processcreationwithfullcommandline• Hashofprocess(SHA1)• NetworkConnections• Filecreationtimechanges

SysmonProcessCreate:UtcTime:2017-06-0900:57:42.516ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}ProcessId:3232Image:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCommandLine:powershell /HeLloCurrentDirectory:C:\Users\BruceL.Roy\User:WIN-OK4HSK4QBPH\BruceL.RoyLogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}LogonId:0x10df31TerminalSessionId: 1IntegrityLevel:MediumHashes:SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48DParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}ParentProcessId:3364ParentImage:C:\Windows\System32\cmd.exeParentCommandLine: "C:\Windows\system32\cmd.exe"

Log Consolidation

• Centralizelogcollectionfromalledgedevicesandboundarydevices• SyslogclientonLinuxsystems• NXLog supportssyslogshippingofWindowsEventLogs

• MicrosoftWindowsEventCollector• Boundarydevicesyslog(Firewall,proxies,etc.)

SIEM For Free

• AnyDIYSIEMsolutioncouldbetimeandlaborintensive• ElasticLogstash Kibana (ELK)/ElasticStack• Graylog• Ifyouhavebudgetandhavetochoosewheretospend,thismaybethebestplace

• Ifyouarenotcentralizinglogsnowstartsimple• Consolidatedeviceandendpointlogsintosyslogwithnxlog

Forensics at Scale

• AbilityforIRandforensicsstafftoquicklyandremotelyacquirenecessaryevidencetoanalyzeanattack

• CanbedifficultandtimeconsumingtoimageRAManddiskevidenceforeveryinvestigation

• F-Response(notfree)• PossiblewithPowerShell• GoogleGRR

• IncidentResponseFramework

Tool ConfigurationEnd Point Monitoring

nxlog

• Endpointagenttoshiplogstoasyslogcollector• SupportforWindowsEventlogshippingtoremotecollector– we’regoingtobesendingJSON

• Textbasedconf file• ApplicationlogselectingEVTIDs1102,4103,4104• SecuritylogselectingEVTIDs 1102,4624,4625• SystemlogselectingEVTIDs1102,7009,7045• AllofSysmon log(filteringdoneinSysmon config)

https://gist.github.com/deruke/20e77eaa14ad193fd6ab85a76c64cb21

Additional EVT Logs

• WindowsLoggingCheatSheetatwww.malwarearchaeology.com• NSASpottheAdversaryList

PowerShell Logging

• ModuleLogging• Recordspipelineexecutiondetails

• ScriptBlockLogging• Recordsblocksofcodeastheyareexecuted• Alsorecordsde-obfuscatedcodeexecution• PowerShell5.0automaticallylogsscriptblocksconsideredas“suspicious”

• Transcription• UniquerecordofeveryPowerShellsession• Allinputandoutput

PowerShell Logging

• AdministrativeTemplates>WindowsComponents>WindowsPowerShell

GPO Caveats

• IfrunningWindows7ObtainAdministrativeTemplatesforWindows10

• Copyboththerequisitefilesinto%systemroot%\PolicyDefinitions• PowerShellExecutionPolicy.admx• PowerShellExecutionPolicy.adml

• Copyto\\sysvol\Policies\PolicyDefinititions ifperformingthisasdomainGPO

Sysmon Config File

• InstallwithXMLbasedconfigurationto• Startwith@SwiftOnSecurity’s fileasabasethencustomizetofityourenvironment

• https://github.com/SwiftOnSecurity/sysmon-config

• FilterseventsbasedonSysmon eventtype• Foreverytype,sensibleexclusionsandinclusionstoreducenoiseorlookforspecificallysuspiciousactivity

Sysmon Config File

Collector • Ubuntu16.04LTSsystemrunningElasticStack(ELK)• Logstash ingestsincomingsyslogfromendpointsandoutputstoElasticsearch

• Kibana webfrontendtosearchandvisualizethedata

• ScalestoEnterprise,butyouwillneedtoplanaccordingly

Logstash config:https://gist.github.com/deruke/093e9fa9b666aa211cfdce81921cb3ce

Deployment via GPO

• ScriptBlockLogging• Nxlog installationand/orservicestartonstartup• Sysmon installationand/orservicestartonstartup

https://gist.github.com/deruke/743a80c89740fdedcb7f8871cdf02536

Demo Time

What about Prevention?

• Configurationchangescanbeeffectiveprevention• Strongpasswordpolicy

• 15charactersminforusers• 28charactersforserviceandadministratoraccounts

• 2FAonallexternalfacingportals• Restrictadministrativeaccess

• LAPS• MicrosoftTieredArchitectureApproach

• Restrictclient-to-clientcommunication• PrivateVLANs orWindowsFirewall

What about Prevention?

• ApplicationWhitelisting• Windows10Enterprisefeatures

• DeviceGuard– attemptstopreventmaliciouscodefromeverrunning,onlyknowngoodcodecanrun

• CredentialGuard– hardeningofkeyuserandsystemsecrets,attemptedmitigationofcredentialbasedattacks

• BothuseVirtualSecureMode(VMS)• Bothrequireplanninganddeployment

Resources• NetworkMonitoring

• www.bro.org• snort.org• molo.ch

• HostBasedMonitoring• Sysmon - technet.microsoft.com/en-

us/sysinternals/bb545021.aspx• Sysmon Config:

https://github.com/SwiftOnSecurity/sysmon-config• Nxlog:nxlog.co

• Blogonsetup:• https://www.blackhillsinfosec.com/endpoint-

monitoring-shoestring-budget-webcast-write/

• Liveresponseatscale• GoogleGRR:https://github.com/google/grr

• LogCorrelation• Elastic:https://www.elastic.co/• Graylog:https://www.graylog.org/

• MicrosoftEnvironmentConfiguration• LAPS:https://www.microsoft.com/en-

us/download/details.aspx?id=46899• ADTieredModel:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

Conclusions

• FreeandOpenSourcesolutionscaneffectivelybeusedformonitoring,detection,andliveresponse

• Edgebasedhostmonitoringwithcentralizedloggingisapowerfulcombination

• Configurationchangesareanimportantaspectofpreventingcompromise

Conclusions

• DerekBanks- @0xderuke• @BHInfoSecurity – http://www.blackhillsinfosec.com

0x3F