How To Hunt With Zeek Sigma

Transcription

How to hunt with Zeek Sigma
SEIZE THE HIGH GROUND

Today's speakers
- Vince Stoffer, Sr. Director of Product Management
- Mark Overholser, Sales Engineer
- Edward Smith, Sr. Product Marketing Manager

What is Zeek?

Network data wasn't made for security.
(Diagram of data sources: SMTP, HTTP, firewall, NetFlow, FTP, mail, host, host IDS, IDS/IPS/NTA, PCAP.)

Zeek transforms raw traffic into rich security stories
- ts: timestamps with microsecond accuracy, synchronized across logs
- uid: unique ID for every connection
- md5/sha1: file hash of every file
- fuid: unique ID for every instance of every file seen on the network

Typical Deployment
(Diagram: cloud, physical, virtual and software sensors fed from a packet broker, optical TAP or SPAN port; Zeek logs, alerts and extracted files flow to a SIEM / analytic DB / data lake and to file analysis tools; threat intelligence feeds and environment-specific data such as CMDB, whitelists, blacklists and organizational info are inputs.)

Corelight's Threat Hunting Guide
Your free guide to the essentials of network-based threat hunting
- In-depth guide to deepen your knowledge of threat hunting
- Demonstrates the benefits of a data-centric approach
- Great companion for our free Sigma rules

What is SIGMA?

What is SIGMA?
- An open source project which provides a generic signature format for SIEMs
- "Sigma is for log files what Snort is for network traffic and YARA is for files."
- Think of it like a "Rosetta Stone" of SIEM queries

SIGMA and Zeek
- Corelight contracted with SOC Prime (Nate Guagenti - @neu5ron) to create Zeek data mappings for SIGMA, which we published in ools/config
- Quick Demo: https://twitter.com/i/status/1256558461292339200
- SIGMA is pretty heavily endpoint based, but Zeek is helping to change this!

Schema and example SIGMA query

    title: Suspicious PsExec Execution - Zeek
    description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
    author: 'Samir Bousseaden, @neu5ron'
    date: 2020/04/02
    references:
      - /win_susp_psexec.yml
    tags:
      - attack.lateral_movement
      - attack.t1077
    logsource:
      product: zeek
      service: smb_files
    detection:
      selection1:
        name: '*\IPC '
        path:
          - '*-stdin'
          - '*-stdout'
          - '*-stderr'
      selection2:
        name: '*\IPC '
        path: 'PSEXESVC*'
      condition: selection1 and not selection2
    falsepositives:
      - nothing observed so far
    level: high

Example output from query

Elastic:
    (event.dataset:smb_files AND (file.name:*\\IPC  AND file.path:(*\-stdin OR *\-stdout OR *\-stderr)) AND (NOT (file.name:*\\IPC  AND file.path:PSEXESVC*)))

Splunk:
    (sourcetype="bro:smb_files:json" (name="*\\IPC " (path="*-stdin" OR path="*-stdout" OR path="*-stderr")) NOT (name="*\\IPC " path="PSEXESVC*"))
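The rule schema and the translated queries above can be exercised offline. This is an added example, not code from the webinar or from SOC Prime's tooling: it evaluates the two selections and the `selection1 and not selection2` condition over constructed JSON-formatted smb_files records, and renders the same selections as a Splunk search the way the translated output does. It assumes the share pattern is `*\IPC$` (the `$` appears to have been lost in the transcription) and uses made-up uids and hosts.

```python
import fnmatch
import json

# Selections from the "Suspicious PsExec Execution - Zeek" rule shown on the slide.
# Assumption: the share pattern is '*\IPC$' (the '$' appears lost in the transcription).
SELECTION1 = {"name": ["*\\IPC$"], "path": ["*-stdin", "*-stdout", "*-stderr"]}
SELECTION2 = {"name": ["*\\IPC$"], "path": ["PSEXESVC*"]}


def sigma_match(selection, record):
    """A selection matches when every listed field matches at least one of its
    wildcard values. Sigma wildcards are case-insensitive, so compare lowercased."""
    for field, patterns in selection.items():
        value = str(record.get(field, "")).lower()
        if not any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns):
            return False
    return True


def is_suspicious_psexec(record):
    """The rule's condition: selection1 and not selection2."""
    return sigma_match(SELECTION1, record) and not sigma_match(SELECTION2, record)


def hunt(smb_files_json_lines):
    """Return (uid, path) for every smb_files record the rule fires on."""
    hits = []
    for line in smb_files_json_lines:
        rec = json.loads(line)
        if is_suspicious_psexec(rec):
            hits.append((rec["uid"], rec["path"]))
    return hits


def to_splunk(sourcetype="bro:smb_files:json"):
    """Render the selections as a Splunk search in the shape of the slide's output."""
    def esc(p):
        return p.replace("\\", "\\\\")   # Splunk quoted strings need escaped backslashes
    def sel(s):
        parts = []
        for field, pats in s.items():
            clause = " OR ".join(f'{field}="{esc(p)}"' for p in pats)
            parts.append(f"({clause})" if len(pats) > 1 else clause)
        return "(" + " ".join(parts) + ")"
    return f'(sourcetype="{sourcetype}" {sel(SELECTION1)} NOT {sel(SELECTION2)})'


# Constructed smb_files records in Zeek JSON form (not real captures, uids are made up).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": 1588000001.1, "uid": "CXWv6p3arKYeMETxOg", "action": "SMB::FILE_OPEN",
     "name": "\\\\10.0.0.5\\IPC$", "path": "svcctl-dc01-1234-stdin"},      # renamed service
    {"ts": 1588000002.2, "uid": "CtPZjS20MLrsMUOJi2", "action": "SMB::FILE_OPEN",
     "name": "\\\\10.0.0.5\\IPC$", "path": "PSEXESVC-dc01-1234-stdout"},   # excluded by selection2
    {"ts": 1588000003.3, "uid": "CjhGID4nQcgTWjvg4c", "action": "SMB::FILE_OPEN",
     "name": "\\\\10.0.0.5\\C$", "path": "tools\\dump.txt"},               # not an IPC$ pipe
]]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
    print(to_splunk())
```

Only the renamed-service pipe on the IPC share is reported; the default PSEXESVC name is filtered out exactly as the rule's second selection intends, so a hunter starts from the noise-reduced set rather than every PsExec session.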

Uncoder.io and TDM
- TDM - Threat Detection Marketplace from SOC Prime: tdm.socprime.com; free and paid rules plus a bounty program
- Uncoder - translator app created by SOC Prime; includes 15 SIEM and data formats including Splunk, Kibana, Humio, Arcsight, Sentinel and more!

The Corelight Threat Hunting Sigma Rules

- Over 70 new Sigma rules released by Corelight (authored by SOC Prime)
- Mapped to MITRE ATT&CK TTPs: 26 techniques (16 unique top level), 10 categories
- Designed around our Corelight Threat Hunting Guide v2
- Free and open to contributions and improvements
- Currently hosted on SOC Prime's Threat Detection Marketplace (TDM)

How do I get these rules?
Visit https://tdm.socprime.com to log in or create a free account

How do I get these rules?
Search for "Corelight" in the search bar; select one of the relevant tags

How do I get these rules?

How do I use these rules?

Rule: Possible Webshell PUT or POST to unusual extensions

Rule: Response from External Facing Service (Overview Query)

Rule: C2 DGA Detected Via Repetitive Failures


Summary - Q&A
1. Download the Threat Hunting Guide: ide-to-threat-hunting-with-zeekbro-logs
2. Sign up for a free Threat Detection Marketplace account: tdm.socprime.com
3. Get your free Sigma rules: search for "Corelight" in the Threat Detection Marketplace

SIGMA resources
- Main Sigma page: https://github.com/Neo23x0/sigma
- An overview video from SANS (free registration required, starts at 39m): lerting-110010
- A how-to for writing Sigma rules by Florian Roth (one of the authors of SIGMA): igma-rules/
- Zeek Sigma pull request: https://github.com/Neo23x0/sigma/pull/723

Thank You

Suricata and Zeek are often used together
Suricata - signature-based detections ("the flashing red light"):
- Use best in class signature feeds like ET Pro
- CPUs shared by Zeek & Suricata for better performance
- Native UID linkage with Zeek for faster joint investigations
Zeek - policy-neutral metadata collection ("the security camera"):
- Collects data for everything
(Chart: Suricata alerts plotted by alert severity over time, with an alert threshold line.)

We go where your traffic goes
- Cloud Sensor: AWS, Azure, GCP; up to 8 Gbps per instance; ingests traffic directly via native traffic mirroring or via packet brokers; seamless scale out
- Virtual Sensor: up to 8 Gbps; requires VMware ESXi 6.5 or above or Hyper-V on Windows Server 2016
- Software Sensor: container or OS-native deployment; lightweight (< 60 MB)
- AP 200: 2 Gbps; 1U half-depth; supports Suricata
- AP 1000: 10 Gbps; 1U rack-mounted; supports Suricata
- AP 3000: 25 Gbps; 1U rack-mounted; supports Suricata
All sensors: Core Collection & Encrypted Traffic Collection; Fleet Manager VM manages up to 250 sensors

Suricata + Zeek
1. Traffic arrives on the NIC
2. Suricata alerts generated
3. Suricata alerts fed back into the Zeek event processing engine
4. Zeek logs extracted from network traffic, carrying the Corelight UID
5. Integrated output sent to SIEM: Zeek capabilities applied to Suricata alerts
