Transcription
Slide 1: How to hunt with Zeek + Sigma
SEIZE THE HIGH GROUND
Slide 2: Today's speakers
Vince Stoffer, Sr. Director of Product Management
Mark Overholser, Sales Engineer
Edward Smith, Sr. Product Marketing Manager
Slide 3: What is Zeek?
Slide 4: Network data wasn't made for security.
[Figure: data sources and tools shown: SMTP, HTTP, FIREWALL, NETFLOW, FTP, MAIL, HOST, HOST IDS, IDS/IPS/NTA, PCAP]
Slide 5: Zeek transforms raw traffic into rich security stories
ts: timestamps with microsecond accuracy, synchronized across logs
uid: unique ID for every connection
md5/sha1: file hash of every file
fuid: unique ID for every instance of every file seen on the network
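To show what the shared identifiers on this slide buy an analyst, here is an added example (not from the Corelight deck) that pivots across Zeek logs in Python: uid joins conn.log and http.log, fuid joins files.log, and a file hash leads back to the connection and HTTP request that carried the file. Field names follow the Zeek 3.x-era JSON log layout (files.log with conn_uids); the log lines, uids, fuids and hash values are constructed placeholders.

```python
"""Pivot across Zeek logs on uid, fuid and file hash.

Added example, not Corelight's or Zeek's own code. Uses the Zeek 3.x-era JSON
log layout (files.log carries conn_uids); all log lines below are constructed.
"""
import json
from collections import defaultdict

# Constructed Zeek JSON log lines (not captured traffic). The hash values are
# placeholders, not real file hashes.
CONN_LOG = r'''
{"ts":1588000000.000123,"uid":"CHost1Example","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":80,"proto":"tcp","service":"http","duration":0.42,"orig_bytes":512,"resp_bytes":204800,"conn_state":"SF"}
{"ts":1588000005.000456,"uid":"CHost2Example","id.orig_h":"10.0.0.7","id.orig_p":51235,"id.resp_h":"203.0.113.11","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.1,"orig_bytes":900,"resp_bytes":4000,"conn_state":"SF"}
'''
HTTP_LOG = r'''
{"ts":1588000000.050000,"uid":"CHost1Example","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"updates.example.test","uri":"/dl/setup.exe","status_code":200,"resp_fuids":["FSetupExample"],"resp_mime_types":["application/x-dosexec"]}
'''
FILES_LOG = r'''
{"ts":1588000000.060000,"fuid":"FSetupExample","tx_hosts":["203.0.113.10"],"rx_hosts":["10.0.0.5"],"conn_uids":["CHost1Example"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"setup.exe","total_bytes":204288,"md5":"PLACEHOLDER-MD5-0001","sha1":"PLACEHOLDER-SHA1-0001"}
'''


def load(lines):
    """Parse JSON-lines log text into a list of records."""
    return [json.loads(l) for l in lines.strip().splitlines() if l.strip()]


class ZeekIndex:
    """In-memory indexes keyed on uid, fuid and sha1 (the job a SIEM normally does)."""

    def __init__(self, conn, http, files):
        self.conn_by_uid = {r["uid"]: r for r in conn}
        self.http_by_uid = defaultdict(list)
        for r in http:
            self.http_by_uid[r["uid"]].append(r)
        self.files_by_fuid = {r["fuid"]: r for r in files}
        self.files_by_sha1 = defaultdict(list)
        for r in files:
            if "sha1" in r:  # Zeek omits the field when no hash was computed
                self.files_by_sha1[r["sha1"]].append(r)

    def pivot_from_hash(self, sha1):
        """sha1 -> files.log record -> conn_uids -> conn.log and http.log context."""
        hits = []
        for f in self.files_by_sha1.get(sha1, []):
            for uid in f.get("conn_uids", []):
                c = self.conn_by_uid.get(uid, {})
                requests = self.http_by_uid.get(uid, [])
                # A connection may carry several requests; pick the one that moved this fuid.
                req = next((h for h in requests
                            if f["fuid"] in h.get("resp_fuids", []) + h.get("orig_fuids", [])), {})
                hits.append({
                    "fuid": f["fuid"],
                    "uid": uid,
                    "ts": c.get("ts"),
                    "orig_h": c.get("id.orig_h"),
                    "resp_h": c.get("id.resp_h"),
                    "host": req.get("host"),
                    "uri": req.get("uri"),
                    "filename": f.get("filename"),
                })
        return hits

    def files_for_connection(self, uid):
        """uid -> every fuid the HTTP requests on that connection transferred, either direction."""
        fuids = []
        for h in self.http_by_uid.get(uid, []):
            fuids.extend(h.get("orig_fuids", []))
            fuids.extend(h.get("resp_fuids", []))
        return fuids


if __name__ == "__main__":
    idx = ZeekIndex(load(CONN_LOG), load(HTTP_LOG), load(FILES_LOG))
    for hit in idx.pivot_from_hash("PLACEHOLDER-SHA1-0001"):
        print(hit)
```

The same pivot works from an intel hit on a hash or from a Suricata alert that carries the uid: one key, and the connection, the request and the file are all in reach.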
Slide 6: Typical Deployment
[Diagram: Cloud, Physical, Virtual and Software Sensors fed by a packet broker (or optical TAP or SPAN port); Zeek logs, alerts and extracted files flow to a SIEM / analytic DB / data lake and to file analysis tools; threat intelligence feeds and environment-specific data (CMDB, whitelists, blacklists, organizational info) feed in; "others" boxes stand for additional sources and destinations]
Slide 7: Corelight's Threat Hunting Guide
Your free guide to the essentials of network-based threat hunting
- In-depth guide to deepen your knowledge of threat hunting
- Demonstrates the benefits of a data-centric approach
- Great companion for our free Sigma rules
Slide 8: What is SIGMA?
Slide 9: What is SIGMA?
- An open source project which provides a generic signature format for SIEMs
- "Sigma is for log files what Snort is for network traffic and YARA is for files."
- Think of it like a "Rosetta Stone" of SIEM queries
Slide 10: SIGMA and Zeek
- Corelight contracted with SOC Prime (Nate Guagenti - @neu5ron) to create Zeek data mappings for SIGMA, which we published in ools/config
- Quick Demo: https://twitter.com/i/status/1256558461292339200
- SIGMA is pretty heavily endpoint based, but Zeek is helping to change this!
Slide 11: Schema and example SIGMA query

    title: Suspicious PsExec Execution - Zeek
    description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
    author: 'Samir Bousseaden, @neu5ron'
    date: 2020/04/02
    references:
        - /win_susp_psexec.yml
    tags:
        - attack.lateral_movement
        - attack.t1077
    logsource:
        product: zeek
        service: smb_files
    detection:
        selection1:
            name: '*\IPC$'
            path:
                - '*-stdin'
                - '*-stdout'
                - '*-stderr'
        selection2:
            name: '*\IPC$'
            path: 'PSEXESVC*'
        condition: selection1 and not selection2
    falsepositives:
        - nothing observed so far
    level: high
Slide 12: Example output from query
Elastic:
    (event.dataset:smb_files AND (file.name:*\\IPC$ AND file.path:(*\-stdin OR *\-stdout OR *\-stderr)) AND (NOT (file.name:*\\IPC$ AND file.path:PSEXESVC*)))
Splunk:
    (sourcetype="bro:smb_files:json" (name="*\\IPC$" (path="*-stdin" OR path="*-stdout" OR path="*-stderr")) NOT (name="*\\IPC$" path="PSEXESVC*"))
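The two translations above are what a converter produces for a SIEM; to make the rule's semantics concrete without one, here is an added example (not from the deck, Sigma or SOC Prime) that evaluates the slide's detection section directly against Zeek smb_files records in JSON-lines form. It applies the Sigma value rules (a list under one field is OR, the fields of a selection are AND, `*`/`?` wildcards, case-insensitive comparison, an absent field never matches) and a small evaluator for the and/or/not/parentheses grammar of the condition. The five log records are constructed, with the name and path fields used exactly as the slide's rule reads them.

```python
"""Evaluate the slide's Sigma rule against Zeek smb_files JSON records.

Added example, not Sigma's or Corelight's code. The detection section is
transcribed from the slide; the matcher and the sample records are constructed.
"""
import fnmatch
import json

# Detection section of "Suspicious PsExec Execution - Zeek" from the slide.
# In single-quoted YAML the backslash is literal, so the name pattern is *\IPC$.
RULE = {
    "selection1": {"name": "*\\IPC$", "path": ["*-stdin", "*-stdout", "*-stderr"]},
    "selection2": {"name": "*\\IPC$", "path": "PSEXESVC*"},
    "condition": "selection1 and not selection2",
}


def field_matches(value, patterns):
    """Sigma value semantics: a list of patterns is OR-ed, '*' and '?' are wildcards,
    comparison is case-insensitive, and an absent field never matches."""
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(str(value).lower(), p.lower()) for p in patterns)


def selection_matches(record, selection):
    """Every field listed in a selection must match (AND)."""
    return all(field_matches(record.get(f), p) for f, p in selection.items())


def eval_condition(condition, results):
    """Evaluate a condition made of selection names, and/or/not and parentheses.
    (Aggregations and 'x of them' forms are out of scope for this example.)"""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return results[tok]

    value = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in condition: " + " ".join(tokens[pos:]))
    return value


def rule_matches(rule, record):
    results = {n: selection_matches(record, s) for n, s in rule.items() if n != "condition"}
    return eval_condition(rule["condition"], results)


def hunt(log_lines, rule=RULE):
    """Return the uid of every smb_files record the rule fires on."""
    hits = []
    for line in log_lines:
        if line.strip():
            record = json.loads(line)
            if rule_matches(rule, record):
                hits.append(record["uid"])
    return hits


# Constructed smb_files records in JSON-lines form (uids are made up). Field roles follow
# the slide's rule as written: name holds the share, path the named pipe. Record 5 has no
# name field at all, as Zeek omits unset fields from JSON output.
SAMPLE_SMB_FILES = r'''
{"ts":1588000000.10,"uid":"C1default","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","name":"\\\\10.0.0.9\\IPC$","path":"PSEXESVC-WS01-1234-stdin"}
{"ts":1588000001.20,"uid":"C2renamed","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","name":"\\\\10.0.0.9\\IPC$","path":"svchelper-WS01-5678-stdout"}
{"ts":1588000002.30,"uid":"C3admin","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","name":"\\\\10.0.0.9\\ADMIN$","path":"svchelper-WS01-5678-stdin"}
{"ts":1588000003.40,"uid":"C4srvsvc","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","name":"\\\\10.0.0.9\\IPC$","path":"srvsvc"}
{"ts":1588000004.50,"uid":"C5noname","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","path":"x-stderr"}
'''.strip().splitlines()

if __name__ == "__main__":
    print(hunt(SAMPLE_SMB_FILES))  # ['C2renamed']
```

Only the record whose pipe name does not begin with PSEXESVC fires, which is the point of selection2: the stock PsExec service name is filtered out as expected noise, and a renamed service over IPC$ is what the rule flags. Record 5 shows why the absent-field check matters: Zeek JSON simply lacks a key when the field was unset, and a matcher that raised on it would abort the whole hunt.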
Slide 13: Uncoder.io and TDM
- TDM - Threat Detection Marketplace from SOC Prime: tdm.socprime.com; free and paid rules plus bounty program
- Uncoder - Translator app created by SOC Prime; includes 15 SIEM and data formats including: Splunk, Kibana, Humio, Arcsight, Sentinel and more!
Slide 14: The Corelight Threat Hunting Sigma Rules
Slide 15:
- Over 70 new Sigma rules released by Corelight (authored by SOC Prime)
- Mapped to MITRE ATT&CK TTPs: 26 techniques (16 unique top level), 10 categories
- Designed around our Corelight Threat Hunting Guide v2
- Free and open to contributions and improvements
- Currently hosted on SOC Prime's Threat Detection Marketplace (TDM)
Slide 16: How do I get these rules?
Visit https://tdm.socprime.com to log in or create a free account
Slide 17: How do I get these rules?
Search for "Corelight" in the search bar; select one of the relevant tags
Slide 18: How do I get these rules?
Slide 19: How do I use these rules?
Slide 20: Rule: Possible Webshell PUT or POST to unusual extensions
Slide 21: Rule: Response from External Facing Service (Overview Query)
Slide 22: Rule: C2 DGA Detected Via Repetitive Failures
Slide 24: Summary - Q&A
1. Download the Threat Hunting Guide: ide-to-threat-hunting-with-zeekbro-logs
2. Sign up for a free Threat Detection Marketplace account: tdm.socprime.com
3. Get your free Sigma rules: search for "Corelight" in the Threat Detection Marketplace
Slide 25: SIGMA resources
- Main Sigma page: https://github.com/Neo23x0/sigma
- An overview video from SANS (free registration required, starts at 39m): lerting-110010
- A how-to for writing Sigma rules by Florian Roth (one of the authors of SIGMA): igma-rules/
- Zeek Sigma pull request: https://github.com/Neo23x0/sigma/pull/723
Slide 26: Thank You
Slide 27: Suricata and Zeek are often used together
Suricata - signature-based detections ("the flashing red light"):
- Use best in class signature feeds like ET Pro
- CPUs shared by Zeek & Suricata for better performance
- Native UID linkage with Zeek for faster joint investigations
Zeek - policy-neutral metadata collection ("the security camera"):
- Collects data for everything
[Chart: alert severity over time, with an alert threshold line; Suricata alerts plotted above it]
Slide 28: We go where your traffic goes
Cloud Sensor: AWS, Azure, GCP; up to 8 Gbps / instance; ingests traffic directly via native traffic mirroring or via packet brokers; seamless scale out
Virtual Sensor: up to 8 Gbps; requires VMware ESXi 6.5 or above or Hyper-V on Windows Server 2016
Software Sensor: container or OS native deployment; lightweight (60MB)
AP 200: 2 Gbps; 1U half-depth; supports Suricata
AP 1001: 10 Gbps; 1U rack-mounted; supports Suricata
AP 3000: 25 Gbps; 1U rack-mounted; supports Suricata
Core Collection & Encrypted Traffic Collection
Fleet Manager VM: manage up to 250 sensors
Slide 29: Suricata + Zeek
1. NIC
2. Suricata alerts generated
3. Suricata alerts fed back into Zeek event processing engine
4. Zeek logs extracted from network traffic (Corelight UID)
5. Integrated output sent to SIEM; Zeek capabilities applied to Suricata alerts