Leveraging logging for
threat detection
Chris Bassey
Overview
• Cyber threats
• Cyber attacks
• Threat detection
• Logging
• Threat detection using logs
• Demo
• Limitations of logging
• Conclusion
Cyber threats
A cyber threat is the possibility that malicious activity from threat actors targeting
your digital assets and infrastructure may occur. Threats may include the possibility
of:
• Phishing.
• Malware infections.
• Data breaches, theft and damage.
• (Distributed) denial of service attacks.
Cyber attacks
Cyber attacks are malicious and unwanted activities from actors seeking to
compromise the confidentiality, integrity and availability of digital assets and
infrastructure.
Examples include:
• Ongoing phishing and impersonation campaigns.
• Malware actively running on your endpoints (ransomware, RATs, infostealers).
• Ongoing (D)DoS attacks.
• Data exfiltration.
• Ransomware.
Threat detection
This is the process of identifying threats that are trying to attack your assets and
infrastructure. It might be the detection of:
• Downloaded malware that has not yet been run.
• Running malware exfiltrating data.
• Running malware connecting back to a C2 server.
• A stager retrieving a second stage payload.
• An ongoing phishing campaign.
Threat detection (Methodologies)
• Threat intelligence (early stage, pre-attack).
• Signature based detection.
• Anomaly based detection.
• Behavioural based detections (thin line between this and ML based detections).
• ML based detections (early days for this?).
Threat detection (Tools)
• Endpoint detection and response (EDR) tools.
• Security information and event management (SIEM) tools.
• IDS, IPS.
• MITRE ATT&CK framework.
Logging
• Logs are records of events that occurred on your assets.
• Logging is the act of keeping a record of events that occurred.
• These records are commonly written to a log file or, in some cases, stored in a DB.
What assets should we be logging from?
Infrastructure dependent, but as a rule of thumb, log from attack surfaces and possible points of entry (POE):
• Endpoints, servers.
• Applications.
• Network devices.
• Cloud infrastructure.
Logging (What can we log?)
• Audit logs (user activity: login, logout, content modification, etc.).
• Application logs.
• Security logs.
• Operating system logs.
Threat detection using logs
• You have to be logging important events (in some cases you may need enhanced logging).
• Ingest the logs into an analysis/security solution (EDR, SIEM).
• Create detection rules to detect various kinds of activity.
• Analyze the logs, and correlate them with other events.
• Generate alerts if malicious indicators are found.
Demo (Infrastructure overview)
Flow shown in the diagram: a malicious file is sent to the user; the user opens it and clicks; a connection is established back to the attacker.
Components in the diagram: user endpoint + Wazuh agent; attacker; logs; SIEM + XDR.
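Added example (not code from the talk): the five-step pipeline from "Threat detection using logs", applied to the demo scenario above. It ingests constructed Sysmon-style process and network events, applies a rule for an Office app spawning a shell, correlates that shell with its later outbound connection, and emits alerts. The JSON field names, rule names and the 60-second correlation window are assumptions, not Wazuh's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines in a Sysmon-like JSON shape. The field names
# are an assumption for illustration, not Wazuh's or Sysmon's exact schema.
SAMPLE_LOGS = """
{"ts": "2024-03-01T10:00:01", "host": "ws01", "type": "process_create", "pid": 4120, "image": "winword.exe", "parent_image": "explorer.exe"}
{"ts": "2024-03-01T10:00:09", "host": "ws01", "type": "process_create", "pid": 4188, "image": "powershell.exe", "parent_image": "winword.exe"}
{"ts": "2024-03-01T10:00:12", "host": "ws01", "type": "network_connect", "pid": 4188, "image": "powershell.exe", "dst_ip": "203.0.113.7", "dst_port": 443}
{"ts": "2024-03-01T10:05:00", "host": "ws02", "type": "process_create", "pid": 700, "image": "powershell.exe", "parent_image": "explorer.exe"}
{"ts": "2024-03-01T10:05:03", "host": "ws02", "type": "network_connect", "pid": 700, "image": "powershell.exe", "dst_ip": "10.0.0.5", "dst_port": 445}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(raw):
    """Ingest step: parse JSON lines into event dicts with real timestamps."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect(events):
    """Rule + correlation step. Rule 1 (medium): an Office app spawns a shell.
    Rule 2 (high): that same shell then opens an outbound connection within
    WINDOW, i.e. the 'connection back to the attacker' in the demo."""
    alerts = []
    suspicious = {}  # (host, pid) -> the spawn event, kept for correlation
    for e in sorted(events, key=lambda x: x["ts"]):
        if (e["type"] == "process_create" and e["parent_image"] in OFFICE_APPS
                and e["image"] in SHELLS):
            suspicious[(e["host"], e["pid"])] = e
            alerts.append({"severity": "medium", "rule": "office_spawns_shell",
                           "host": e["host"], "pid": e["pid"]})
        elif e["type"] == "network_connect":
            spawn = suspicious.get((e["host"], e["pid"]))
            if spawn is not None and e["ts"] - spawn["ts"] <= WINDOW:
                alerts.append({"severity": "high", "rule": "office_shell_callback",
                               "host": e["host"], "pid": e["pid"],
                               "dst": f"{e['dst_ip']}:{e['dst_port']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(alert)
```

The ws02 events produce no alert because powershell.exe was launched from explorer.exe, which the rule does not treat as suspicious on its own.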
Limitations of logging
• Misses events generated before the logging was started.
• Cannot see process activities. A process creation log might look benign, but the process is executing malicious activities.
• Logs collected still have to be analyzed and correlated to trigger detection rules. An opportunity here?
• Logging consumes disk space :-(.
• The activity has to happen before detection can start. You are one step behind.
• Logs can be faked, cleared, disabled.
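Added example (not from the talk) for the last limitation: a small check that watches the log sources themselves, flagging an explicit log-clearing event, a gap in a host's stream, and a host that has gone silent. The tuple schema, the "audit_log_cleared" event name and the five-minute threshold are assumptions over constructed data.

```python
from datetime import datetime, timedelta

# Constructed sample stream of (host, timestamp, event kind). The schema and
# the "audit_log_cleared" event name are assumptions made for this example;
# map them to whatever your collector actually emits.
SAMPLE_EVENTS = [
    ("ws01", "2024-03-01T10:00:00", "heartbeat"),
    ("ws01", "2024-03-01T10:01:00", "heartbeat"),
    ("ws01", "2024-03-01T10:01:30", "audit_log_cleared"),
    ("ws01", "2024-03-01T10:40:00", "heartbeat"),
    ("ws02", "2024-03-01T10:00:00", "heartbeat"),
    ("ws02", "2024-03-01T10:01:00", "heartbeat"),
]
MAX_GAP = timedelta(minutes=5)  # assumed: agents normally check in every minute


def audit_log_sources(events, now):
    """Flag three things a content-based detection rule would never see:
    - an explicit log-clearing event on a host,
    - a gap in a host's stream longer than MAX_GAP (logging paused or disabled),
    - a host that has been silent for longer than MAX_GAP as of `now` (ISO string)."""
    now = datetime.fromisoformat(now)
    findings = []
    last_seen = {}
    for host, ts, kind in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if kind == "audit_log_cleared":
            findings.append(("log_cleared", host, ts))
        prev = last_seen.get(host)
        if prev is not None and t - prev > MAX_GAP:
            findings.append(("log_gap", host, prev.isoformat()))
        last_seen[host] = t
    for host, prev in last_seen.items():
        if now - prev > MAX_GAP:
            findings.append(("source_silent", host, prev.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in audit_log_sources(SAMPLE_EVENTS, "2024-03-01T10:45:00"):
        print(finding)
```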
Conclusion
• Logging is super useful; enable it on your assets if you can.
• Do not rely solely on logging. Analyse other sources of information; investigate processes, file modifications, etc.
• Continuously tune your detection rules. Also do not rely mainly on your detection rules, as some may not trigger for new attack methods, or may just be wrongly configured.
• Is there a possibility of analyzing user activities and predicting what the user will do next? Any deviation from that can be considered abnormal. UEBA.


Editor's Notes

  • #4: These threat actors may include nation states, criminal gangs, competitors, disgruntled employees, hacktivists or just kids mucking around.
  • #5: You can see the guy with the fancy graduation hat. He has graduated from being a threat to an attacker. A cyber threat becomes a cyber attack when it is executed. Key difference between threats and attacks is execution.
  • #9: Collectively, the records of events are called logs.