Security events correlation with Esper. Transcript of the slides presented at ZeroNights 2015 (zeronights.org, 25-Klendar.pdf).

Slide 1
Security events correlation with Esper
Nikolay Klendar (bsploit gmail.com)
Slide 2: INTRO
Complex Event Processing (correlation)* is event processing that combines data from multiple sources to infer events or patterns that suggest more complicated circumstances.
*Wikipedia
Slide 3
- Library used for development (Java, .NET)
- Processes event STREAMS of predefined types. Esper does not parse events!
- Processing rules (correlation rules) are defined with the Event Processing Language (EPL), which is similar to SQL
Slide 4: Network scan detection
Type event:
    timestamp: string
    type: string
    src_ip: string
    dst_ip: string
    src_port: int
    dst_port: int
    bytes_sent: int
    bytes_recieved: int
    login: string

Rule (callouts on the slide: "Annotation" marks @Name, "Allowed monitoring systems" marks the NOT IN list, "All dst_ip within 30 sec" marks window(dst_ip)):

    @Name('Scan')
    SELECT src_ip, window(dst_ip)
    FROM event(type='firewall' AND src_ip NOT IN ('10.0.0.1','10.0.0.2')).win:time(30 sec) /* sliding time window */
    GROUP BY src_ip
    HAVING count(distinct dst_ip) > 50
    output first every 1 hour /* 1 event per hour */
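The same sliding-window logic restated in Python as an added example (not code from the talk or from Esper): a per-source 30-second window of destinations, the monitoring-system exclusion, the "more than 50 distinct" threshold and a one-hour suppression, which this example keys per src_ip. Timestamps are constructed seconds rather than the slide's string field.

```python
from collections import defaultdict, deque

WINDOW_SEC = 30                                # .win:time(30 sec)
THRESHOLD = 50                                 # HAVING count(distinct dst_ip) > 50
SUPPRESS_SEC = 3600                            # output first every 1 hour
MONITORING_SYSTEMS = {"10.0.0.1", "10.0.0.2"}  # src_ip NOT IN ('10.0.0.1','10.0.0.2')


class ScanDetector:
    """Python re-statement of the @Name('Scan') EPL rule; not Esper itself."""

    def __init__(self):
        self.windows = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip) inside the 30 s window
        self.last_alert = {}               # src_ip -> timestamp of the last alert emitted

    def on_event(self, ts, etype, src_ip, dst_ip):
        """Feed one event (ts in seconds); return an alert dict or None."""
        if etype != "firewall" or src_ip in MONITORING_SYSTEMS:
            return None                    # filtered before entering the window
        win = self.windows[src_ip]
        win.append((ts, dst_ip))
        while win and ts - win[0][0] > WINDOW_SEC:   # sliding window: expire old events
            win.popleft()
        distinct = {dst for _, dst in win}           # window(dst_ip), distinct values
        if len(distinct) <= THRESHOLD:
            return None
        last = self.last_alert.get(src_ip)           # rate limit, applied per src_ip here
        if last is not None and ts - last < SUPPRESS_SEC:
            return None
        self.last_alert[src_ip] = ts
        return {"src_ip": src_ip, "targets": sorted(distinct)}


def run(events):
    """Replay a list of (ts, type, src_ip, dst_ip) tuples and return the alerts raised."""
    det = ScanDetector()
    return [a for a in (det.on_event(*e) for e in events) if a]


def demo():
    # Constructed traffic: 10.0.0.5 hits 60 hosts in 12 s (must alert exactly once),
    # 10.0.0.1 does the same but is an allowed monitoring system (must stay silent),
    # 10.0.0.7 scans one host every 10 s and never exceeds 50 inside a 30 s window.
    evts = [(i * 0.2, "firewall", "10.0.0.5", f"192.168.0.{i + 1}") for i in range(60)]
    evts += [(i * 0.2, "firewall", "10.0.0.1", f"192.168.0.{i + 1}") for i in range(60)]
    evts += [(i * 10.0, "firewall", "10.0.0.7", f"192.168.1.{i + 1}") for i in range(60)]
    return run(sorted(evts, key=lambda e: e[0]))
```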
Slide 5: Worm spreading detection
Step 1: derive a "scanning" stream (sources with more than 50 distinct destinations within 10 minutes):

    INSERT INTO scanning
    SELECT src_ip, window(dst_ip) targets
    FROM event().win:time(10 min).std:unique(dst_ip)
    GROUP BY src_ip
    HAVING count(distinct dst_ip) > 50;

Resulting scanning events:
    {src_ip='10.0.0.1', targets=['192.168.0.1', '192.168.0.2', …, '192.168.0.254']}
    {src_ip='192.168.0.2', targets=['192.167.0.1', '192.167.0.2', …, '192.167.0.254']}

Step 2: a host that was scanned starts scanning itself within one minute:

    @Name('warm_spreading')
    SELECT a.src_ip, b.src_ip, b.targets
    FROM pattern[every a=scanning -> b=scanning(
        b.src_ip != a.src_ip AND Arrays.asList(a.targets).contains(b.src_ip)
    ) WHERE timer:within(1 min)];

Alert:
    {a.src_ip='10.0.0.1', b.src_ip='192.168.0.2', b.targets=['192.167.0.2', …, '192.167.0.2', '192.167.0.2']}
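The follow-by pattern above restated in Python as an added example (not Esper or the talk's code): open 'a' instances expire after 60 s, a later scanning event completes every 'a' whose target list contains its source, and the sample scanning events are constructed to mirror the slide.

```python
from collections import deque

WITHIN_SEC = 60   # WHERE timer:within(1 min)


class WormSpreadDetector:
    """Python re-statement of the pattern
    every a=scanning -> b=scanning(b.src_ip != a.src_ip AND a.targets contains b.src_ip);
    not Esper code. Input is the 'scanning' stream produced by the INSERT INTO above."""

    def __init__(self):
        self.pending = deque()   # open 'a' instances: (ts, src_ip, set(targets)) awaiting a 'b'

    def on_scanning(self, ts, src_ip, targets):
        """Feed one scanning event; return the list of a -> b matches it completes."""
        # timer:within(1 min): an 'a' that saw no 'b' within 60 s is dropped.
        while self.pending and ts - self.pending[0][0] > WITHIN_SEC:
            self.pending.popleft()
        matches, still_open = [], deque()
        for a in self.pending:
            a_ts, a_src, a_targets = a
            if src_ip != a_src and src_ip in a_targets:
                # a host that was scanned is now scanning: the a -> b instance completes
                matches.append({"a.src_ip": a_src, "b.src_ip": src_ip,
                                "b.targets": sorted(targets)})
            else:
                still_open.append(a)   # this 'a' keeps waiting for its 'b'
        # 'every a=scanning' also starts a new instance for the current event.
        still_open.append((ts, src_ip, set(targets)))
        self.pending = still_open
        return matches


def demo():
    # Constructed scanning events mirroring the slide: 10.0.0.1 scans 192.168.0.0/24,
    # 20 s later 192.168.0.2 (one of its targets) starts scanning 192.167.0.0/24,
    # and 3 minutes later one of *its* targets scans, too late to pair.
    det = WormSpreadDetector()
    out = []
    out += det.on_scanning(0, "10.0.0.1", [f"192.168.0.{i}" for i in range(1, 255)])
    out += det.on_scanning(20, "192.168.0.2", [f"192.167.0.{i}" for i in range(1, 255)])
    out += det.on_scanning(200, "192.167.0.5", ["10.8.8.8"])
    return out
```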
Slide 6: Money laundering detection
A card income followed within 3 hours by a card outcome from the same client, then at least three more outcomes of that client within a 20-minute interval:

    @Name('obnal')
    SELECT a.transaction, a.clientid, a.amount income,
           c.sumOf(i => i.amount) + b.amount total
    FROM PATTERN [
        EVERY a=event(transaction like 'card_income')
        -> b=event(b.clientid=a.clientid AND transaction='card_outcome') WHERE timer:within(3 hour)
        -> ([3:] c=event(c.clientid=a.clientid AND transaction='card_outcome') until timer:interval(20 min))
    ]

Callouts on the slide: "income" is the total money transferred to the card; "total" is the total outcome.
Slide 7: Join & enrichment
Named window holding the last logon seen per IP, filled from Windows 4624 logon events (anonymous logons and machine accounts ending in $ are excluded):

    CREATE WINDOW LoginsIP.std:unique(ip) as (ip string, login string, last_seen string);
    INSERT INTO LoginsIP
    SELECT src_ip as ip, login.toLowerCase() as login, timestamp as last_seen
    FROM event(type='windows' AND eventid='4624' AND src_ip IS NOT NULL AND login IS NOT NULL
               AND login != 'ANONYMOUS LOGON' AND login NOT LIKE '%$');

Enrich scanning alerts with the user last logged on from the scanning host:

    SELECT S.src_ip, S.targets, L.login, L.last_seen
    FROM scanning.std:lastevent() as S
    LEFT OUTER JOIN LoginsIP L ON L.ip = S.src_ip
    GROUP BY S.src_ip
    output first every 1 hour;

Alert:
    {S.src_ip='10.0.0.1', L.login='ivanov', L.last_seen='17.11.2015 12:00:00', S.targets=['192.167.0.2', …, '192.167.0.2', '192.167.0.2']}
Slide 8: Integration with external sources
Join the firewall stream against a MySQL table of Tor nodes:

    SELECT src_ip
    FROM event(type='firewall') as fw, SQL:mysql['select tornode_ip from tor_nodes'] as tor
    WHERE fw.src_ip = tor.tornode_ip
Slide 9: Users profiling

Slide 10: Building user profile
Two named windows hold, per login, how many events came from each ASN and how many events were seen in total:

    create window loginProfileASN.win:keepall() (login string, param string, value string, v_count long)
    create window loginProfileTotal.win:keepall() (login string, param string, total long)

    ON event() e MERGE loginProfileASN p
    WHERE p.login = e.login AND p.value = (e.geoip('number')).toString()
    WHEN NOT MATCHED THEN INSERT SELECT login, 'ASN' param, geoip('number') value, 1L v_count
    WHEN MATCHED THEN UPDATE SET p.v_count = p.v_count + 1

    ON event() e MERGE loginProfileTotal p
    WHERE p.login = e.login
    WHEN NOT MATCHED THEN INSERT SELECT login, 'ASN' param, 1L total
    WHEN MATCHED THEN UPDATE SET p.total = p.total + 1
Slide 11: Deviation from profile
Score an event by how rarely this login has been seen from the current ASN; alert when the score exceeds 97:

    SELECT e.login, e.geoip('asn') asn, e.geoip('number'), e.src_ip, v.v_count count, t.total,
           cast((100 - 100*v.v_count/t.total), int) score
    FROM event().std:lastevent() e, loginProfileASN v, loginProfileTotal t
    WHERE v.login = e.login AND v.value = (e.geoip('number')).toString()
      AND t.login = e.login AND (100 - 100*v.v_count/t.total) > 97
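The two MERGE statements and the deviation query above restated in Python as an added example (not Esper or the talk's code); it assumes Esper's default double-valued division of integer operands and that the profile is updated before the same event is scored. Login names and AS numbers are constructed.

```python
from collections import defaultdict

SCORE_THRESHOLD = 97   # WHERE (100 - 100*v.v_count/t.total) > 97


class LoginProfile:
    """Python re-statement of the loginProfileASN / loginProfileTotal MERGE
    statements plus the deviation query; not Esper code. Division follows
    Esper's default (integer operands yield a double) and the profile is
    updated before the event is scored (assumption about statement order)."""

    def __init__(self):
        self.asn_count = defaultdict(lambda: defaultdict(int))  # login -> ASN -> v_count
        self.total = defaultdict(int)                          # login -> total

    def on_event(self, login, asn):
        """Process one event (login, AS number as returned by geoip('number')).
        Returns (score, alert): the score as it would be shown in the alert,
        and True when the event deviates from the login's profile."""
        self.asn_count[login][asn] += 1   # MERGE loginProfileASN: insert 1L / v_count + 1
        self.total[login] += 1            # MERGE loginProfileTotal: insert 1L / total + 1
        v_count = self.asn_count[login][asn]
        total = self.total[login]
        raw = 100 - 100 * v_count / total      # the WHERE clause compares this double
        score = int(raw)                       # cast(..., int) truncates for display only
        # Subtlety: after 40 events from one ASN, a first event from a new ASN gives
        # 97.56, which passes '> 97' although the displayed score is 97. A login
        # needs at least 34 events in its history before a new ASN can alert at all.
        return score, raw > SCORE_THRESHOLD


def demo():
    # Constructed history: 'ivanov' always authenticated from ASN 12389,
    # then shows up once from ASN 15169.
    p = LoginProfile()
    for _ in range(40):
        p.on_event("ivanov", 12389)
    return p.on_event("ivanov", 15169)   # -> (97, True)
```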
Slide 12: CorReactive and integration with ELK
Logstash config (ship events to a Redis list):

    output {
      redis {
        host => "127.0.0.1"
        db => 0
        data_type => "list"
        batch => true
        batch_events => 500
        key => "events"
        codec => json
      }
    }

CorReactive config, collect events:

    "inputs": [{"type": "redis", "config": {"host": "localhost", "port": 6379, "db": 0, "queue": "events", "batch_count": 500, "reconnect_timeout": 60}}]

CorReactive config, return alerts:

    "outputs": [{"type": "redis", "id": 1, "config": {"host": "localhost", "queue": "alerts", "port": 6379, "db": 0, "reconnect_timeout": 60, "batch_count": 1}}]
Slide 13: CorReactive configuration steps
1. conf/types: extend the base event type "event", add new fields
2. conf/modules: add new EPL modules (correlation rules). If one module depends on another, use the special directive: uses dependent_module; (http://goo.gl/9pvlIj)
3. Configure inputs and outputs
Slide 14: CorReactive special annotations
- Alert generation to an output channel: @Alert(name='new alert', outID=1)
- Save data from a named window to disk every 5 minutes; saved data is automatically restored to the named window during the loading stage: @Persist
- Reload named window data every 5 minutes from a csv file located in var/winload: @Load(file="data.csv", format="csv", delim=";")
- Dynamic alert enrichment with data from external command output or an on-demand query; enrichment of enrichment is supported:
    @Enrich(dst="eLogin", type="window", param="select src_ip from loginip where login='%{login}'")
    @Enrich(dst="nsresult", type="cmd", param="nslookup %{eLogin}")
Slide 15: Alert example in Kibana
Slide 16: REST API
- Send event in JSON format: POST /api/events
- View all registered modules: GET /api/modules/registered
- View all registered Esper statements or queries: GET /api/modules/statements
- Reload data in a named window: POST /api/window/reload/{moduleName}/{winName}
- Deploy all modules: POST /api/modules/deploy
- Module deletion: DELETE /api/modules
- Module syntax validation: POST /api/modules/validate
- Do on-demand query: POST /api/query
Slide 17: Links
- Esper docs: http://www.espertech.com/esper/documentation.php
- Solution patterns with description: http://www.espertech.com/esper/solution_patterns.php
- EPL editor and debugger: http://esper-epl-tryout.appspot.com/epltryout/mainform.html
- CorReactive engine (special for ZeroNights 2015): http://correactive.sourceforge.net/
Slide 18
Thank you!
Questions?