From the life of a SOC Analyst... Case studies Jacek Grymuza [CISSP, CEH, CIHE, OSCP] 5/19/2016.


1 From the life of a SOC Analyst... Case studies
Jacek Grymuza [CISSP, CEH, CIHE, OSCP]
jacek.grymuza@isc2chapter-poland.com
5/19/2016

2 Agenda
What is a SOC?
Log correlation
IOC
Splunk threat detection examples
Incident examples
(ISC)² Poland Chapter
Quiz
Q&A

3 What is a SOC?
A security operation center (SOC) is a centralized unit that deals with security issues on an organizational and technical level.
Source: http://solutionsreservoir.com/resources/introduction-to-cybersecurity/part-1-cybersecurity-overview/

4 Log correlation
Log analysis allows:
Detection of anomalies
Tracking of network communications across many systems based on log information such as IP address, host name, account name and user ID
Using a SIEM in log analysis:
Correlates events between multiple systems (e.g. AD & VPN, AV & IPS, AD & Application)
Helps to establish the context of a security incident
Answers the questions: Who, What, When, Where, Why and How...
Regex and pattern functions (e.g. like, startswith, endswith, include, contains, whitelist/blacklist) are very useful during event correlation.

5 IOC (Indicator of compromise)

6 The kill chain / Defensible Actions Matrix
Source: https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/

7 Splunk threat detection examples (1/3)
Incident name: Identification of temporary permission added to a highly privileged group
Description: The scenario identifies an account being added to the Domain Admins group and removed again within 8 hours (28800 s), the pattern of a privilege grant meant to leave no lasting trace. Event 4728 = member added to a security-enabled global group, 4729 = member removed.
Splunk SIEM incident detection method:
sourcetype="WinEventLog:Security" (EventCode=4728 OR EventCode=4729) Group_Name="Domain Admins"
| transaction Member_Security_ID startswith=eval(EventCode=4728) endswith=eval(EventCode=4729) maxspan=8h
| where duration <= 28800
| table _time, Member_Security_ID, duration
The transaction is keyed on the member's SID only: putting EventCode in the field list would group the 4728 and 4729 events separately and the pair would never be formed. An add with no matching remove produces no hit here and has to be caught by a separate review of permanent group changes.

8 Splunk threat detection examples (2/3)
Incident name: Identification of brute force attacks
Description: The scenario identifies brute force attacks from multiple failed logon events (4625, Audit Failure) for the same account within a few seconds; machine accounts (names ending in $) are excluded because they produce routine failures.
Splunk SIEM incident detection method:
sourcetype="WinEventLog:Security" EventCode=4625 Keywords="Audit Failure" NOT Account_Name="*$"
| transaction Account_Name maxspan=5s
| where eventcount > 4
| table _time, Account_Name, eventcount, duration
The threshold is applied to eventcount, the number of failures inside one 5-second transaction; a stats count after transaction would count transactions per account instead, i.e. how many separate bursts occurred, which is not the scenario described. On large volumes transaction is expensive; a cheaper approximation is | bin _time span=5s | stats count by _time, Account_Name | where count > 4.

9 Splunk threat detection examples (3/3)
Incident name: Identification of suspicious processes in Windows
Description: Identification of processes that start and exit within a second, based on process tracking events in the OS. The field names come from a Polish-localised Windows log: Komputer = computer, Uzytkownik = user, Nazwa_pliku_obrazu = image file name, Identyfikator_procesu = process ID, Zdarzenie = event ID. Events 592/593 are the pre-Vista process created/exited IDs; on Vista and later the equivalents are 4688/4689.
Splunk SIEM incident detection method:
Komputer="PC-1" (Zdarzenie=592 OR Zdarzenie=593)
| transaction Uzytkownik, Nazwa_pliku_obrazu, Identyfikator_procesu startswith=eval(Zdarzenie=592) endswith=eval(Zdarzenie=593)
| where duration <= 1
| rename Uzytkownik AS "User", Nazwa_pliku_obrazu AS "Image File Name", Identyfikator_procesu AS "Process Id"
| table _time, "User", "Image File Name", "Process Id", duration
Listing the results with rename/table gives one row per short-lived process; a stats values(...) without a by clause would collapse every hit into a single row.
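The three transaction-style detections on slides 7 to 9 (and the log correlation idea from slide 4) as an added example, not code from the slides: the pairing logic re-implemented in plain Python and run over constructed Windows Security events so it can be checked offline. The events are dicts carrying a datetime "time" plus the fields the Splunk queries used (EventCode, Group_Name, Member_Security_ID, Account_Name, ComputerName, User, Image_File_Name, Process_ID); the event list, SIDs, user names and timings are made up for the example.

```python
# Added example, not code from the slides: detections 1-3 as Python over
# constructed events. Event IDs: 4728/4729 group member added/removed,
# 4625 logon failure, 592/593 legacy (pre-Vista) process start/exit.
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2016, 5, 19, 9, 0, 0)   # constructed base time


def at(seconds):
    """Timestamp `seconds` after BASE (floats allowed for sub-second steps)."""
    return BASE + timedelta(seconds=seconds)


def temporary_group_membership(events, group="Domain Admins",
                               max_span=timedelta(hours=8)):
    """Detection 1: 4728 followed by 4729 for the same member SID within
    max_span. Returns [(member_sid, time_in_group)]."""
    pending = {}              # member SID -> time of the unmatched 4728
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("Group_Name") != group:
            continue
        sid = e["Member_Security_ID"]
        if e["EventCode"] == 4728:
            pending[sid] = e["time"]
        elif e["EventCode"] == 4729 and sid in pending:
            held = e["time"] - pending.pop(sid)
            if held <= max_span:
                hits.append((sid, held))
    return hits


def brute_force_accounts(events, threshold=5, window=timedelta(seconds=5)):
    """Detection 2: at least `threshold` 4625 failures for one account inside
    a sliding `window`. Machine accounts (trailing $) are skipped, as the
    query's NOT Account_Name="*$" does. Returns the set of account names."""
    failures = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625 and not e["Account_Name"].endswith("$"):
            failures[e["Account_Name"]].append(e["time"])
    flagged = set()
    for account, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # each run of `threshold` failures
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return flagged


def short_lived_processes(events, host, max_life=timedelta(seconds=1)):
    """Detection 3: pair 592 (start) with 593 (exit) on `host` by PID and
    flag processes that lived at most max_life. The PID is popped on exit,
    so a later reuse of the same PID starts a fresh pairing.
    Returns [(user, image, pid, lifetime)]."""
    running = {}              # PID -> the 592 event
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("ComputerName") != host:
            continue
        pid = e["Process_ID"]
        if e["EventCode"] == 592:
            running[pid] = e
        elif e["EventCode"] == 593 and pid in running:
            start = running.pop(pid)
            life = e["time"] - start["time"]
            if life <= max_life:
                hits.append((start["User"], start["Image_File_Name"], pid, life))
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # SID ...1105 is added to Domain Admins and removed 45 minutes later;
    # SID ...500 is added and never removed (permanent change, not flagged).
    {"time": at(0), "EventCode": 4728, "Group_Name": "Domain Admins",
     "Member_Security_ID": "S-1-5-21-1-2-3-1105"},
    {"time": at(45 * 60), "EventCode": 4729, "Group_Name": "Domain Admins",
     "Member_Security_ID": "S-1-5-21-1-2-3-1105"},
    {"time": at(3600), "EventCode": 4728, "Group_Name": "Domain Admins",
     "Member_Security_ID": "S-1-5-21-1-2-3-500"},
    # five failures for jdoe within 2.8 s, one for asmith, and a burst from a
    # machine account that the filter must ignore
    *[{"time": at(7200 + 0.7 * i), "EventCode": 4625, "Account_Name": "jdoe"}
      for i in range(5)],
    {"time": at(7201), "EventCode": 4625, "Account_Name": "asmith"},
    *[{"time": at(7200 + 0.1 * i), "EventCode": 4625, "Account_Name": "PC-1$"}
      for i in range(10)],
    # on PC-1, PID 1234 lives 200 ms and PID 1300 lives 30 s
    {"time": at(10800), "EventCode": 592, "ComputerName": "PC-1", "User": "jdoe",
     "Image_File_Name": r"C:\Windows\System32\cmd.exe", "Process_ID": 1234},
    {"time": at(10800.2), "EventCode": 593, "ComputerName": "PC-1", "Process_ID": 1234},
    {"time": at(10805), "EventCode": 592, "ComputerName": "PC-1", "User": "jdoe",
     "Image_File_Name": r"C:\Windows\notepad.exe", "Process_ID": 1300},
    {"time": at(10835), "EventCode": 593, "ComputerName": "PC-1", "Process_ID": 1300},
]
```

Running the three functions over SAMPLE_EVENTS flags only SID ...1105 (45 minutes in Domain Admins), only jdoe (five failures in 2.8 s; the PC-1$ burst is filtered out) and only PID 1234 on PC-1. Each function mirrors what Splunk's transaction does, sort by time, open a pairing on the start event, close it on the matching end event, then apply the duration or count threshold, and the popping of matched keys is what keeps a reused PID or a second add/remove cycle from being glued to the wrong partner.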

10 If you want to play with Splunk...
The software can be tested for free, e.g. https://www.splunk.com/page/sign_up/cloudtrial?redirecturl=/getsplunk/onlinesandbox
Many free documents, e.g. https://docs.splunk.com/Documentation

11 Incidents - Security systems
Connections to malware domains (C&C)
Identification of tunnelled traffic (HTTP CONNECT method through the proxy)
Downloading potentially dangerous files (.exe, .gz, .zip)
Data leakage through suspicious data storage websites (e.g. https://gist.github.com/, http://codepad.org/)
Malware outbreak
Identification of hosts without an enabled/installed AV system
Identification of out-of-date AV signatures
Repeated re-infections
Multiple attacks against the same host
Usage of non-standard ports or protocol/port mismatches

12 Incidents - Network
Monitoring unauthorised scans of the network infrastructure
IP spoofing attacks
Firewall reboots
Deviations from standards; abnormal activities
Abuse of remote access
Identification of unauthorised configuration changes
Identification of policy changes (e.g. suddenly unblocked services)
DNS zone transfers (normal DNS queries and responses use UDP port 53; zone transfers use TCP port 53, so TCP/53 from anything other than an authorised secondary server deserves a look, allowing for large responses that legitimately fall back to TCP)
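Two of the incident types from slides 11 and 12, protocol/port mismatches and zone-transfer-style TCP/53 traffic, as an added example that is not part of the slides: the checks run over constructed, simplified Zeek-style conn.log records. The column names are Zeek's (id.orig_h, id.resp_h, id.resp_p, proto, service, orig_bytes, resp_bytes); the rows, the set of authorised secondary DNS servers and the port-to-service table are assumptions made for the example.

```python
# Added example, not code from the slides: flow-level checks for TCP/53
# zone-transfer candidates and port/service mismatches over constructed
# Zeek-style conn.log rows (real conn.log has extra columns and '#' headers).

CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1463644800.1\t10.0.0.15\t10.0.0.2\t53\tudp\tdns\t60\t120
1463644801.2\t10.0.0.3\t10.0.0.2\t53\ttcp\tdns\t80\t48200
1463644802.3\t10.0.0.2\t198.51.100.7\t53\ttcp\tdns\t70\t900
1463644803.4\t10.0.0.15\t203.0.113.9\t443\ttcp\tssh\t2048\t4096
1463644804.5\t10.0.0.15\t203.0.113.9\t443\ttcp\tssl\t2048\t4096
1463644805.6\t10.0.0.15\t10.0.0.2\t53\ttcp\tdns\t60\t500
1463644806.7\t10.0.0.15\t203.0.113.9\t8443\ttcp\t-\t300\t300
"""

# Hosts allowed to pull zones from our DNS servers (constructed).
AUTHORISED_SECONDARIES = {"10.0.0.4"}
# Services expected behind well-known ports (constructed; extend per site).
EXPECTED_SERVICE = {22: {"ssh"}, 53: {"dns"}, 80: {"http"}, 443: {"ssl"}}


def parse_conn_log(text):
    """Parse the tab-separated records into dicts with numeric ports/bytes."""
    header, *lines = text.strip().splitlines()
    fields = header.split("\t")
    rows = []
    for line in lines:
        row = dict(zip(fields, line.split("\t")))
        for key in ("id.resp_p", "orig_bytes", "resp_bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def suspected_zone_transfers(rows, authorised, min_resp_bytes=4096):
    """Zone transfers run over TCP/53 and carry the whole zone back, so a TCP
    DNS flow with a large response from a host that is not an authorised
    secondary deserves a ticket. A big answer that fell back to TCP after a
    truncated UDP reply looks the same at flow level, hence the byte
    threshold: it reduces noise, it does not prove an AXFR happened."""
    return [r for r in rows
            if r["proto"] == "tcp" and r["id.resp_p"] == 53
            and r["id.orig_h"] not in authorised
            and r["resp_bytes"] >= min_resp_bytes]


def port_service_mismatches(rows, expected):
    """Flows whose identified application protocol is not what the port
    implies (e.g. SSH on 443). Unidentified services ("-") are left alone
    here; they are a separate, noisier hunt."""
    return [r for r in rows
            if r["service"] != "-"
            and r["id.resp_p"] in expected
            and r["service"] not in expected[r["id.resp_p"]]]
```

On the sample, only the 48 KB TCP/53 response to 10.0.0.3 (not an authorised secondary) is reported as a zone-transfer candidate; the small TCP/53 flows and the DNS server's own outbound TCP query are not, and the only mismatch is SSH behind port 443. Both lists are triage input, not verdicts: confirming a transfer needs the DNS server's own logs or the packet payload.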

13 Incidents - OS, DB, App
Shared accounts
Repeated password changes to get around password policy (e.g. cycling through the history to return to an old password)
Access to OS/DB/APP using high-privileged accounts (superuser, root, admin, SYSTEM)
Anonymous activity
Unscheduled Initial Program Loads (i.e. reboots)
Large numbers of HTTP 4xx error codes
Use of hacker tools (e.g. netcat, Wireshark)
Repeated authentication failures
Multiple login attempts from/to different regions within a few minutes

14 Additional materials
Incident handling
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Blue Team Handbook: Incident Response Edition
GCIH - GIAC Certified Incident Handler
C)IHE - Certified Incident Handling Engineer [Mile2]
Digital forensics
https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
http://digital-forensics.sans.org/media/poster-windows-forensics-2016.pdf
Log correlation/analysis
http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

15 Useful links

16 (ISC)² = International Information System Security Certification Consortium
About (ISC)²
Leader in educating and certifying cyber, information, software and infrastructure security professionals
Vendor-neutral
Added value of certification (for employers)
Years of experience and valuable knowledge
Engagement in continuing professional education
Appropriate skill sets
To remain in good standing, members must
Abide by the (ISC)² Code of Ethics
Submit annual maintenance fees
Obtain the required Continuing Professional Education (CPE) credits

17 CISSP member counts
Source: https://www.isc2.org/member-counts.aspx

Europe                    Rest of the world
Czech Republic     118    China            1183
Denmark            339    Australia        1857
Poland             401    Canada           4577
Belgium            430    United States   69127
Spain              547
Switzerland        774
France             804
Germany           1516
Netherlands       1852
UK                5402

18 Member counts in Poland (chart)
Source: https://www.isc2.org/member-counts.aspx

19 (ISC)² Poland Chapter
Founded in 2013
Regular monthly meetings
Active community (40+ members)
In progress: establishing the association in accordance with Polish law
Future plans: Safe and Secure Online program
Contact info
www: isc2chapter-poland.com
linkedin: https://www.linkedin.com/groups/4865474
e-mail: zarzad@isc2chapter-poland.com

20 Quiz
1. How many CISSP certifications are there in Poland?
a) < 200 [506]
b) > 400 [579]
c) > 600 [728]
2. What does the abbreviation (ISC)² mean?
a) International Independent System Security Certification Consortium [125]
b) International Information System Security Certification Consortium [260]
c) International Information System Security Cyber Consortium [669]
3. How often are (ISC)² Poland Chapter meetings?
a) Weekly [875]
b) Monthly [547]
c) Quarterly [590]

21 Q&A ???
Image source: https://i.ytimg.com/vi/wXJjM9ppHtA/maxresdefault.jpg

