Lots of organizations are deploying SIEM systems either to do their due diligence or because it’s part of a regulatory requirement. One of the misconceptions that typically is derived from marketing material is that you plug it in, turn it on, and voila, instant security. This couldn’t be further from the truth. I look at SIEM like a meta-IDS (Intrusion Detection System). It is attempting to find those needles in the haystack. Most of the deployments I’ve worked on receive millions of events per day. Many of the events are informational. Sometimes it is mandatory to send those events to the SIEM because of regulatory requirements, so my goal is always to maximize our resources and make the best of the situation. When you’re getting millions of firewall events per day, for example, you can either have them take up space on your SAN uselessly or you can try to detect misuse with them.

The first thing you need to do is identify which systems will be forwarding events. Typically this is all switches, routers, servers, applications, and security systems (Network/Host Intrusion Prevention, firewalls, anti-malware, etc.). The number of devices you forward events from to the SIEM will depend on how much money you are willing to spend on event collectors that receive and normalize events, and on the storage necessary to keep all of this data around. Deciding what events to send to your SIEM is often challenging. The system you are investigating is going to have two capacity limits to be aware of. The first is storage. How much space will your events take? To get a rough estimate I would go to every system that will be forwarding events, report on how much space they logged in a day, multiply that by your retention policy, and add them all together. So for instance, with a 90-day retention policy: (firewall logs for the day * 90) + (IPS logs for the day * 90) = required storage. The second is events per second. At the very least it is recommended to go to all of the devices that will be forwarding events, report on how many events they generated in a day, and divide that by 86400 (the number of seconds in a day). This will give an approximate number of total events per second, which will determine the number and size of event collectors.

The purpose of this post is to help develop ideas for custom correlation rule use cases. Maybe a SIEM sizing and requirements guide can come later. So for now let’s assume that you already have a SIEM in place and you want to get started with it.

Vendor Provided Correlation Rules

My general methodology with SIEM (and any Intrusion Prevention System for that matter) is to enable everything to see what happens and tune back what you are not interested in. In many cases you have paid for the content, and what better way to get the best bang for your buck than to see how it works in your environment. The idea would be to enable the correlation rules once your events are being forwarded to see how they react. If, for example, there is a specific firewall event from your network monitoring system sending UDP packets on port 162 to poll system information via SNMP that triggers a port scanning detection rule, you would not turn off the entire correlation rule. The idea would be to find the mechanism to ignore that specific traffic for that specific rule.

I have seen rules that need to be modified slightly to become effective. For example, a correlation rule monitoring for TCP port 31337 is going to trigger backdoor rules. Firewall events will occasionally trigger this accidentally because of an outbound connection. Not to get too detailed here, but when a computer initiates a connection to a web server on TCP port 80 it has to open a random source port between 1024 and 65535, which could happen to be 31337 and trigger the rule. Modifying the rule to monitor for 31337 as a destination port only may be a good way to tune this rule.

Using the same example, McAfee Rogue System Detector scans hosts for TCP 31337 during service discovery of the network. Even though internal firewalls/routers may be permitting and logging this traffic, the target hosts may not (hopefully not) be running these services. In this case you may want to ignore the Rogue System Detectors with a destination TCP port of 31337.
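The two tuning steps above, as an added example that is not part of the original post: the vendor-style rule that fires on port 31337 in either direction beside the tuned version that only counts a destination of 31337 and ignores the Rogue System Detector hosts. The firewall records and all addresses are constructed assumptions.

```python
# Added example (not from the original post): an untuned "backdoor port" rule
# beside the tuned version. Events and addresses are constructed assumptions.

BACKDOOR_PORT = 31337

# Hosts that legitimately probe TCP 31337 during service discovery
# (assumed addresses standing in for McAfee Rogue System Detectors).
ROGUE_SYSTEM_DETECTORS = {"10.0.0.50", "10.0.0.51"}

def untuned_rule(event):
    """Vendor default: fire whenever 31337 is the source OR destination port."""
    return event["proto"] == "TCP" and BACKDOOR_PORT in (event["sport"], event["dport"])

def tuned_rule(event):
    """Tuned: only a destination port of 31337 counts, so an outbound connection
    that happened to pick 31337 as its ephemeral source port is ignored, and the
    known scanners are excluded from triggering."""
    if event["proto"] != "TCP" or event["dport"] != BACKDOOR_PORT:
        return False
    return event["src"] not in ROGUE_SYSTEM_DETECTORS

def evaluate(events, rule):
    """Return the (src, dst) pairs a rule would alert on."""
    return [(e["src"], e["dst"]) for e in events if rule(e)]

# Constructed firewall events.
EVENTS = [
    # Workstation browsing the web; ephemeral source port happens to be 31337.
    {"src": "10.1.1.20", "sport": 31337, "dst": "198.51.100.10", "dport": 80, "proto": "TCP"},
    # Rogue System Detector doing service discovery against an internal host.
    {"src": "10.0.0.50", "sport": 40001, "dst": "10.1.1.30", "dport": 31337, "proto": "TCP"},
    # Unknown host connecting to 31337 on an internal server: worth a look.
    {"src": "10.1.1.99", "sport": 52000, "dst": "10.1.1.30", "dport": 31337, "proto": "TCP"},
]

if __name__ == "__main__":
    print("untuned:", evaluate(EVENTS, untuned_rule))  # all three events
    print("tuned:  ", evaluate(EVENTS, tuned_rule))    # only the unknown host
```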

Potential Malware Calling Home

The way malware behaves in our networks is a moving target, but it does tend to move like cars on a highway rather than at light speed. So today there are several indicators we can monitor for that would allow us to infer that there is either an infection or misuse internally by an employee or contractor.

Resolving domain names can be important to keep stability in the malware and allow for quick changes of IP addresses. For example, if I program my malware to connect to a web server at pwnd.example.net it would be nice for me as the malware administrator to change the IP of my web server in the event that someone pulls the plug on the one I’m using. If the malware is programmed to connect to a static IP, I will lose that malware network. If I use DNS I may be able to mitigate some of this risk by getting a new web server, setting up shop, and changing the IP of pwnd.example.net to the new IP. In most environments I’ve been in, there are only a handful of DNS servers that all systems internally are configured to use. Part of this correlation rule would be: if the following is NOT true (source or destination port is UDP or TCP 53, and the source or destination IP is in your list of approved DNS servers), then trigger the alert.

Another stanza to add to this rule could be approved proxy servers, if you are using one that is not in transparent mode. From your border firewalls you should only see traffic from the LAN subnet coming from the proxy server to anywhere on TCP port 80. Anything else could be an attempt to subvert this control by an employee or contractor, or malware configured to do so. In addition to the above rule: if the source IP is NOT your proxy and the destination is TCP port 80, trigger the alert. You may also want to include an AND condition that the logging device is the border firewall, to reduce the number of logs that need to be investigated.

Another stanza may be to monitor for IRC traffic. If IRC is permitted you will see pretty quickly how many people are using it (it won’t be many) and can hopefully tune the rule to only trigger when a certain number of events are found in a certain amount of time. Then you could look for a source or destination port of TCP 6666, 6667, 7777 and a few others. Another thing I like to do with this is configure a rule on my Network Intrusion Prevention System to look for any packets with IRC as the protocol and trigger an IPS event. Then look for that IPS event in this stanza of the rule too, which should make sure you catch anything at your egress point.

Yet another stanza could be hosts attempting to use an SMTP server other than yours.
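The four stanzas above (DNS, proxy, IRC, SMTP) written out as detection logic over constructed border-firewall records; this is an added example, not code from the original post. The DNS stanza is read as "port 53 traffic where neither side is an approved DNS server"; the approved resolver, proxy, relay and all other addresses are assumptions.

```python
# Added example (not from the original post): the four "calling home" stanzas
# applied to constructed border-firewall events. Addresses are assumptions.

APPROVED_DNS = {"10.0.0.2", "10.0.0.3"}   # the handful of internal resolvers
PROXY = "10.0.0.8"                        # non-transparent web proxy
MAIL_RELAY = "10.0.0.25"                  # internal SMTP relay
IRC_PORTS = {6666, 6667, 7777}
BORDER_FIREWALL = "fw-border-1"

def dns_stanza(e):
    """Port 53 traffic that involves none of the approved DNS servers."""
    if 53 not in (e["sport"], e["dport"]):
        return False
    return not ({e["src"], e["dst"]} & APPROVED_DNS)

def proxy_stanza(e):
    """At the border, only the proxy should be seen going to TCP 80."""
    return (e["device"] == BORDER_FIREWALL and e["proto"] == "TCP"
            and e["dport"] == 80 and e["src"] != PROXY)

def irc_stanza(e):
    """Well-known IRC ports as source or destination."""
    return e["proto"] == "TCP" and bool({e["sport"], e["dport"]} & IRC_PORTS)

def smtp_stanza(e):
    """Mail must leave through the relay, not straight from a host to port 25."""
    return e["proto"] == "TCP" and e["dport"] == 25 and e["src"] != MAIL_RELAY

STANZAS = {"dns": dns_stanza, "proxy": proxy_stanza, "irc": irc_stanza, "smtp": smtp_stanza}

def calling_home_alerts(events):
    """Return (stanza, source IP) for every stanza each event matches."""
    return [(name, e["src"]) for e in events for name, fn in STANZAS.items() if fn(e)]

def ev(src, sport, dst, dport, proto="TCP", device=BORDER_FIREWALL):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "device": device}

EVENTS = [  # constructed border-firewall records
    ev("10.0.0.2", 50012, "198.51.100.53", 53, "UDP"),   # approved resolver forwarding: fine
    ev("10.1.1.40", 51111, "198.51.100.53", 53, "UDP"),  # workstation resolving externally
    ev("10.0.0.8", 43000, "198.51.100.10", 80),          # proxy fetching a page: fine
    ev("10.1.1.41", 43001, "198.51.100.10", 80),         # host bypassing the proxy
    ev("10.1.1.42", 43002, "198.51.100.11", 6667),       # IRC
    ev("10.1.1.43", 43003, "198.51.100.12", 25),         # direct SMTP, not via the relay
]
```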

Misuse of Administration Account

Every environment I have been in has Windows and *nix servers. These systems have default administration accounts, administrator and root respectively. It is best practice to provide actual system administrators with dedicated administration user accounts so that there is accountability during administration. If someone were to log in as root and shut down a service, how would you know who it was? You may be able to track it back by IP, but not with certainty. Typically administrators don’t want the administration team’s regular user accounts to have administrative privileges, so that they mitigate mistakes. Administrators typically will have a separate user account for administration, for example username_a, to ensure a certain level of assurance that the changes are deliberate. The default administration accounts are then printed and locked in a fireproof box somewhere and used for emergencies only.

That means that if we see someone logging into a system with the username administrator or root, either an administrator is misusing the default account or it may have been compromised. It is important to alert specifically when the login was successful. This rule can easily be tested. Most environments will have systems and/or scripts that automate administration tasks, so you will need to filter those out of the correlation rule. This does leave residual risk, but we are doing the most with what we have available to us. If you don’t like the risk with that, then do the right thing and change the user account ;).
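The rule above as an added example that is not part of the original post: it parses a constructed sshd log and a constructed key=value rendering of a Windows 4624 logon event, alerts only on successful logins as root or administrator, and filters out an assumed automation host. The log lines, host names and addresses are constructed.

```python
# Added example (not from the original post): alert on successful logins with
# the default administration accounts, filtering out known automation hosts.
# Log lines are constructed; the automation host address is an assumption.
import re

DEFAULT_ADMIN_ACCOUNTS = {"root", "administrator"}
AUTOMATION_HOSTS = {"10.0.0.100"}  # assumed backup/config-management server

# Linux sshd success/failure lines, and a Windows 4624 (successful logon) event
# as a collector might normalize it to key=value form.
SSHD_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_OK = re.compile(r"EventID=4624 .*TargetUserName=(?P<user>\S+) .*IpAddress=(?P<src>\S+)")

def parse_login(line):
    """Return (user, src, success) or None if the line is not a login event."""
    for rx, success in ((SSHD_OK, True), (WIN_OK, True), (SSHD_FAIL, False)):
        m = rx.search(line)
        if m:
            return m.group("user").lower(), m.group("src"), success
    return None

def default_admin_logins(lines):
    """Successful logins as root/administrator that did not come from automation."""
    alerts = []
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue
        user, src, success = parsed
        if success and user in DEFAULT_ADMIN_ACCOUNTS and src not in AUTOMATION_HOSTS:
            alerts.append((user, src))
    return alerts

SAMPLE_LOGS = [  # constructed
    "Mar  3 09:12:01 web01 sshd[2211]: Accepted publickey for jsmith_a from 10.1.1.20 port 50122 ssh2",
    "Mar  3 09:13:44 web01 sshd[2230]: Failed password for root from 10.1.1.77 port 50130 ssh2",
    "Mar  3 09:14:02 web01 sshd[2235]: Accepted password for root from 10.1.1.77 port 50131 ssh2",
    "Mar  3 09:20:00 db01 sshd[3001]: Accepted publickey for root from 10.0.0.100 port 40001 ssh2",
    "EventID=4624 Computer=dc01 TargetUserName=Administrator LogonType=10 IpAddress=10.1.1.78",
]
```

The failed root attempt is parsed but not alerted on, matching the post's point that the rule should fire only on successful logins.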

HTTP Tunneling

This rule is similar to the malware calling home rule in the sense that we are looking for potential misuse by first looking at strange behavior. If a network is enforcing least privilege, the user network will be able to send HTTP and HTTPS from the inside network out to the Internet. All of their SMTP traffic should go to the internal mail relay. If users are tunneling other protocols through HTTP they are likely attempting to evade controls, or it could be malware attempting to evade controls. This rule requires a Network Intrusion Detection/Prevention System or Application Layer Firewall. You will need to create a rule that is monitoring for TCP port 80 OR 443 traffic that is NOT HTTP protocol. On the SIEM you would just have to monitor for one of these events to be received to trigger the alert. Again, when you first create this rule you may need to tune the rule on the log generating device(s) and/or filter certain hosts from triggering the correlation rule.

Potential Server Compromise

This rule can be time consuming to create for your environment, but I have to say that this is one of my favorites. It could be that you create this type of rule only for critical hosts. Here is the concept. We will use a public facing web server as the example, but this obviously applies to any server.

A typical web server is listening for connections on TCP port 80. The only connections you should see in firewall logs are random source IP addresses being permitted to access TCP port 80 on your server as the destination. When you open up a web browser and connect to a website, your computer opens one of the ports between 1024 and 65535 locally and makes a connection to TCP port 80 on the web server. So if you see a firewall log that shows your web server making a connection from a high source port to any other system, someone is initiating a connection from that web server. If they are browsing websites or hopping to other systems from there, that should be frowned upon and corrected. Maybe this is someone who has already compromised the system and is sending information back to their website or FTP server. Similarly, if you see someone connect to a port other than 80 on that web server, then you have another server running. Either someone set something new up, or maybe this is a backdoor running.
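The concept above as an added example, not code from the original post: a per-asset profile records the ports a critical server is known to serve, and firewall records are checked both for the server initiating connections from a high source port and for inbound connections to any port outside that baseline. The server address, its baseline and the records are constructed assumptions.

```python
# Added example (not from the original post): baseline of expected behaviour for
# a critical server applied to constructed firewall events. Addresses, the
# listening-port baseline and the records are assumptions.

# Critical assets and the ports they are known to serve.
ASSET_PROFILE = {
    "10.0.0.80": {"name": "www01", "listens": {80}},
}
EPHEMERAL_MIN = 1024  # source ports at or above this mean "this side initiated"

def classify(event):
    """Return an alert string for an event involving a profiled asset, else None."""
    src, dst = event["src"], event["dst"]
    if src in ASSET_PROFILE and event["sport"] >= EPHEMERAL_MIN:
        # The server chose an ephemeral source port: it initiated this connection.
        return f"{ASSET_PROFILE[src]['name']} initiated connection to {dst}:{event['dport']}"
    if dst in ASSET_PROFILE and event["dport"] not in ASSET_PROFILE[dst]["listens"]:
        # Something other than the known service is accepting connections.
        return f"unexpected service on {ASSET_PROFILE[dst]['name']} port {event['dport']} from {src}"
    return None

def server_compromise_alerts(events):
    return [alert for alert in map(classify, events) if alert]

EVENTS = [  # constructed firewall records
    {"src": "198.51.100.7", "sport": 51234, "dst": "10.0.0.80", "dport": 80, "proto": "TCP"},   # normal visitor
    {"src": "10.0.0.80", "sport": 80, "dst": "198.51.100.7", "dport": 51234, "proto": "TCP"},    # reply direction of that session, if logged
    {"src": "10.0.0.80", "sport": 49152, "dst": "198.51.100.9", "dport": 21, "proto": "TCP"},    # the web server reaching out to an FTP server
    {"src": "198.51.100.8", "sport": 51235, "dst": "10.0.0.80", "dport": 4444, "proto": "TCP"},  # visitor hitting a listener that is not port 80
]
```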

In conclusion, these are some ideas to get you started with developing correlation rules. Be creative. When building these rules you are always going to get a lot of false positives in the beginning. Do not get discouraged. Create your rule, then either replay several weeks’ worth of data through it or let it run and keep an eye on it.

There are many other things to consider when deploying a SIEM. One of the things that senior engineers should be doing with the SIEM at least a couple of times per week is perusing the base events to look at the logs that are NOT getting correlated. There could be a lot of things happening that you don’t want to have happen but just don’t have a correlation rule yet. Importing Vulnerability Assessment results can really help to increase effectiveness and efficiency. Events need to be monitored to ensure that they are getting normalized correctly. Perhaps we will dig into some of these issues another time.

Strange Bandwidth Utilization

There are a couple of ways to look at this: potential DDoS detection, and potential exfiltration. The most common way to get this data would be to use switch and router flow events. There may be other ways depending on the environment, such as forwarding Arbor Networks events or Network Intrusion Prevention events, etc. to the SIM. Regardless, this can take some time to benchmark and tune because bandwidth utilization is typically somewhat sporadic.

To detect potential DDoS attacks, a good start would be to monitor traffic ingressing the network targeted at a handful of critical system assets that would prevent the organization from functioning should they become inaccessible. The rule would look something like: if the bandwidth directed to my web servers is greater than 40Mb/s for 10 minutes or more, trigger an alert.

Exfiltration is the act of pulling data out of the network after it has been compromised. As an example, egress bandwidth utilization may increase from a file share server. The rule would look similar to the DDoS rule: if traffic leaving an asset is greater than 3Mb/s for 10 minutes or more, trigger an event.
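Both sustained-rate rules above (40Mb/s ingress to the web servers, 3Mb/s egress from a file share, each for 10 minutes or more) as an added example that is not part of the original post. Flow records are bucketed per minute and an alert requires the threshold to be exceeded for 10 consecutive minutes, so a short burst does not fire; the asset addresses and the flow data are constructed assumptions.

```python
# Added example (not from the original post): sustained-rate rule over flow
# records. Thresholds are the post's (40 Mb/s ingress, 3 Mb/s egress, 10 min);
# asset addresses and the flow records are constructed assumptions.
from collections import defaultdict

MBIT = 1_000_000
WEB_SERVERS = {"10.0.0.80"}
FILE_SHARES = {"10.0.0.90"}

def rate_per_minute(flows, select):
    """Sum bytes of flows passing select() into per-minute buckets -> bits/s."""
    buckets = defaultdict(int)
    for f in flows:
        if select(f):
            buckets[f["ts"] // 60] += f["bytes"]
    return {minute: b * 8 / 60 for minute, b in buckets.items()}

def sustained(rates, threshold_bps, minutes):
    """True if the rate stays above threshold for `minutes` consecutive minutes.
    Minutes with no traffic are absent from `rates` and count as zero."""
    if not rates:
        return False
    run = 0
    for minute in range(min(rates), max(rates) + 1):
        run = run + 1 if rates.get(minute, 0) > threshold_bps else 0
        if run >= minutes:
            return True
    return False

def ddos_alert(flows):
    rates = rate_per_minute(flows, lambda f: f["dst"] in WEB_SERVERS)
    return sustained(rates, 40 * MBIT, 10)

def exfil_alert(flows):
    rates = rate_per_minute(flows, lambda f: f["src"] in FILE_SHARES)
    return sustained(rates, 3 * MBIT, 10)

def make_flows(src, dst, start_minute, minutes, bytes_per_minute):
    """Constructed flow records: one record per minute at a constant rate."""
    return [{"ts": (start_minute + i) * 60, "src": src, "dst": dst, "bytes": bytes_per_minute}
            for i in range(minutes)]

# 12 minutes at 60 Mb/s toward the web server (fires); 4 minutes at 5 Mb/s out of
# the file share (above threshold, but too short to fire).
FLOWS = (make_flows("198.51.100.5", "10.0.0.80", 0, 12, 60 * MBIT * 60 // 8)
         + make_flows("10.0.0.90", "198.51.100.6", 0, 4, 5 * MBIT * 60 // 8))
```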

The purpose of these rules is to provide you with some guidance on how to further leverage your SIEM solution. Even if they do not apply to your network specifically, I hope they help you to think about some custom correlation events you can create to fit your environment. Feel free to reach out if you want to discuss further. Some of my favorite SIM systems are ArcSight and Q1 Labs (QRadar).
