Wednesday, December 21, 2011

SIEM Attack considerations

Working on a wonderful Security incident and event management (SIEM) tool called Splunk. Splunk is a cool tool for indexing the log file and presenting it to the investigator for identifying the misbehaviours. Within a short period of time I was able to run search queries and investigate on the events and the alerts produced.
But looking at the logs and any particular alert won’t be helpful in finding or investigating the determined hacker attempt. Investigator’s need to keep in mind on the following
What are the actions someone could take?
What would be his target?
How can he/she attack?
What are the vulnerabilities?
And what need to be considered.

Access a target in order to determine its characteristics
access a set of targets sequentially in order to identify which targets have a specific characteristic
Access a target repeatedly in order to overload the target’s capacity.
present an identity of someone to a process and, if required, verify that identity, in order to access a target
avoid a process by using an alternative method to access a target
masquerade by assuming the appearance of a different entity in network communications
obtain the content of data in a storage device, or other data medium
reproduce a target leaving the original target unchanged
take possession of a target without leaving a copy in the original location
change the content or characteristics of a target
remove a target, or render it irretrievable
A domain of user access on a computer or network which is controlled according to a record of information which contains the user’s account name, password and use restrictions.
A program in execution, consisting of the executable program, the program’s data and stack, its program counter, stack pointer and other registers, and all other information needed to execute the program
Representations of facts, concepts, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automatic means. Data can be in the form of files in a computer’s volatile or non-volatile memory, or in a data storage device, or in the form of data in transit across a transmission medium.
one of the parts that make up a computer or network
A device that consists of one or more associated components, including processing units and peripheral units, that is controlled by internally stored programs, and that can perform substantial computations, including numerous arithmetic operations, or logic operations, without human intervention during execution. Note: May be stand alone, or may consist of several interconnected units
an interconnected or interrelated group of host computers, switching elements, and interconnecting branches
A network of networks
A means of exploiting a computer or network vulnerability
physical attack
A means of physically stealing or damaging a computer, network, its components, or its supporting systems
information exchange
A means of obtaining information either from other attackers (such as through an electronic bulletin board), or from the people being attacked (commonly called social engineering).
user command
A means of exploiting vulnerability by entering commands to a process through direct user input at the process interface. An example is entering Unix commands through a telnet connection, or commands at an SMTP port
script or program
A means of exploiting vulnerability by entering commands to a process through the execution of a file of commands (script) or a program at the process interface. Examples are a shell script to exploit a software bug, a Trojan horse login program, or a password cracking program.
autonomous agent
a means of exploiting a vulnerability by using a program, or program fragment, which operates independently from the user. Examples are computer viruses or worms.
a software package which contains scripts, programs, or autonomous agents that exploit vulnerabilities. An example is the widely available toolkit called rootkit
distributed tool
A tool that can be distributed to multiple hosts, which can then be coordinated to anonymously perform an attack on the target host simultaneously after some time delay.
data tap
A means of monitoring the electromagnetic radiation emanating from a computer or network using an external device
A weakness in a system allowing unauthorized action
design vulnerability
Vulnerability inherent in the design or specification of hardware or software whereby even a perfect implementation will result in vulnerability.
implementation vulnerability
A vulnerability resulting from an error made in the software or hardware implementation of a satisfactory design.
configuration vulnerability
a vulnerability resulting from an error in the configuration of a system, such as having system accounts with default passwords, having “world write” permission for new files, or having vulnerable services enabled
unauthorized result
an unauthorized consequence of an event
increased access
Unauthorized increase in the domain of access on a computer or network.
disclosure of information
Dissemination of information to anyone who is not authorized to access that information.
corruption of information
Unauthorized alteration of data on a computer or network.
denial of service
Intentional degradation or blocking of computer or network resources.
theft of resources
unauthorized use of computer or network resources
What need to be considered for Linux logs
Successful user login
“Accepted password”,
“Accepted publickey”,
"session opened”
Failed user login
“authentication failure”,
“failed password”
User log-off
“session closed”
User account change or deletion
“password changed”,
“new user”,
“delete user”
Sudo actions
“sudo: … COMMAND=…”
Service failure
“failed” or “failure”
What need to be considered for  Windows
User logon/logoff events
Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes
Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
To self: 628; to others: 627
Service started or stopped
7035, 7036, etc.
Object access denied (if auditing enabled)
560, 567, etc
What need to be considered for Network Devices
Traffic allowed on firewall
“Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
“access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
“Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
“limit … exceeded”,
“CPU utilization”
Detected attack activity
“attack from”
User account changes
“user added”,
Administrator access
“AAA user …”,
“User … locked out”,
“login failed”
What need to be considered for Web Servers
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication
Error code 401, 403
Invalid request
Error code 400
Internal server error
Error code 500