{"id":3398,"date":"2015-12-08T15:19:47","date_gmt":"2015-12-08T15:19:47","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3398"},"modified":"2016-02-18T15:09:50","modified_gmt":"2016-02-18T15:09:50","slug":"the-comprehensive-list-of-ir-sources-and-alerts-work-in-progress","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/12\/08\/the-comprehensive-list-of-ir-sources-and-alerts-work-in-progress\/","title":{"rendered":"The comprehensive list of IR sources and alerts (work in progress)"},"content":{"rendered":"<p>Having security controls in place is a win only if we can leverage these controls to deliver alerts to us. Once delivered we can classify them as noise, events, near-misses and incidents, and &#8230; take it from there.<\/p>\n<p>In today&#8217;s post I am making an attempt to create a comprehensive list of alerts that one can retrieve from the various security controls.<\/p>\n<p>This is a work in progress. If you find something stupid or missing please send comments via email\/twitter and I will amend the list. Thanks.<\/p>\n<p>Note: these are potential sources of alerts; classification, prioritization, severity, etc. are not in the scope of this list, although I add a lot of examples\/hints (all those that are specifically named).<\/p>\n<p>This is because:<\/p>\n<ul>\n<li>you need to know which controls are available first<\/li>\n<li>then you need to look at the raw data they collect, i.e. take a snapshot and analyze it<\/li>\n<li>and only then use logic applicable to your organization to determine how to work this huge amount of data<\/li>\n<\/ul>\n<p>I also do not mention how these alerts need to be set up &#8211; whether it is via SIEM, Splunk, manual analysis &#8211; it doesn&#8217;t matter. Treat it more as a bunch of ideas to cherry-pick from than as an ultimate guideline on how to secure your org. 
It&#8217;s your job after all \ud83d\ude42<\/p>\n<p>Here it goes&#8230;<\/p>\n<ul>\n<li>Antivirus software\n<ul>\n<li>this is IMHO still one of the most important security controls to look at<\/li>\n<li>if you don&#8217;t handle these as a minimum, you are doing it wrong<\/li>\n<li>what helps is analysis of all threats ever detected by creating a matrix representing threat taxonomy and then defining priorities f.ex.\n<ul>\n<li>alerts from C-level, Senior Management, sysadmins, CERT group, internal pentesting team, and other privileged groups<\/li>\n<li>rootkits, known infostealers, hacking tools, etc.,<\/li>\n<li>plus alerts from drive C: (indicating infection)<br \/>\n&#8211; all of these are top priority<\/li>\n<li>PUA\/PUP\/adware, stuff on removable devices go at the end, but <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/11\/09\/why-puapup-are-bad-for-you-a-k-a-the-evil-of-environment-fingerprinting\/\">should not be discarded<\/a><\/li>\n<li>you can create exclusions\/filters for eicar, etc.<\/li>\n<\/ul>\n<\/li>\n<li>doing analysis of historical data of AV alerts is very useful; you can immediately spot heavy offenders and try to work with their managers to change the employees&#8217; habits, or business process (f.ex. 
someone bringing CD\/USB from the vendor and sticking it into a production box w\/o checking for malware)<\/li>\n<li>get to know the AV names that your AV vendor uses for threats of primary interest (even though these will often be very inconsistent)<\/li>\n<li>recurring infections on the same system<\/li>\n<li>same infections on various systems (potential worm, spam campaign\/carpet bombing, outbreak of any sort)<\/li>\n<li>prioritize systems where malware was detected, but not removed, especially on C: drive<\/li>\n<li>do not forget that detected and removed malware does not equal eradication; imagine a dropper that drops 2 files &#8211; one detected and removed by AV, one unknown and happily running on the system<\/li>\n<\/ul>\n<\/li>\n<li>EDR software\n<ul>\n<li>this is an emerging class of alerts; it pretty much tells you something is wrong immediately<\/li>\n<\/ul>\n<\/li>\n<li>Other HIPS software<\/li>\n<li>Whitelisting software<\/li>\n<li>Data loss prevention software<\/li>\n<li>DNS requests\n<ul>\n<li>log all of these and keep the history<\/li>\n<\/ul>\n<\/li>\n<li>Honeypots<\/li>\n<li>FIM (File Integrity Monitors) &#8211; tools that ensure no unauthorized file is created or executed on the system (f.ex. Bit9, Solidcore)<\/li>\n<li>Network Intrusion Detection systems\n<ul>\n<li>&#8216;First Time Seen&#8217; logic bubbles uncommon events up (any signature seen in the previous day but not seen for the n days prior)<\/li>\n<\/ul>\n<\/li>\n<li>Firewall logs<\/li>\n<li>DHCP logs<\/li>\n<li>Unix logs\n<ul>\n<li>syslog<\/li>\n<li>auth<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Proxy logs\n<ul>\n<li>since this is a huge amount of data, review the categorization used by vendors; look at all malicious and suspicious traffic<\/li>\n<li>do not forget questionable traffic f.ex. 
porn, warez sites, access to public proxies that may indicate the user wants to bypass controls, etc.<\/li>\n<li>also include access to web sites that provide code snippets and programming modules; this is a tough one, especially in a development environment and with the &#8216;stack overflow&#8217; effect, where people blindly download and execute lots of code snippets<\/li>\n<li>traffic related to IMs; many people install unapproved IM clients<\/li>\n<li>Tor traffic<\/li>\n<li>pay special attention to (often abused) dynamic dns domains (find or build a list; it will never be complete, but it will be worthwhile)<\/li>\n<li>pay special attention to &#8220;uncategorized&#8221; sites if your vendor offers categorization<\/li>\n<li>proxy-bypass traffic f.ex. <a href=\"https:\/\/www.glype.com\/\">glype<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Web Application Firewall (WAF) logs<\/li>\n<li>Content Filtering software<\/li>\n<li>Server logs\n<ul>\n<li>From various servers\n<ul>\n<li>IIS<\/li>\n<li>Apache<\/li>\n<li>Nginx<\/li>\n<\/ul>\n<\/li>\n<li>Server Web Requests\n<ul>\n<li>can prioritize file uploads, keywords detected in queries, unusual IPs<\/li>\n<li>can whitelist the boxes of internal pentesting teams and known external vulnerability scanners [external vendors running scans on your systems]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Client Web Requests [mainly browser requests, but can also be self-updates, etc.]\n<ul>\n<li>GET on .exe files (it may sound overwhelming at first, but worth at least analysing)<\/li>\n<li>GET on all archive file types (f.ex. zip, rar, 7z, tar.gz, bzip2, etc.)<\/li>\n<li>GET on .pdf files<\/li>\n<li>GET on .swf files<\/li>\n<li>GET on .jar files<\/li>\n<li>GET on .class files<\/li>\n<li>Large POST requests (suggesting uploads\/exfiltration)<\/li>\n<li>Long duration POST requests<\/li>\n<li>Large number of requests to the same address<\/li>\n<li>Frequent POST requests (f.ex. 
1\/hour) to the same address<\/li>\n<li>Requests that end up with HTTP errors (these may help to find new drive-by patterns, phishing campaigns)<\/li>\n<li>Unusual User Agents<\/li>\n<li>Access to file hosting portals\n<ul>\n<li>Dropbox<\/li>\n<li>Box<\/li>\n<li>Google Drive<\/li>\n<li>OneDrive<\/li>\n<li>Internal \/ External solutions for sharing data with customers\/internally<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Access to sensitive systems\n<ul>\n<li>HR<\/li>\n<li>Payroll<\/li>\n<li>Databases<\/li>\n<li>Backups<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Business-specific systems\n<ul>\n<li>Ticketing systems<\/li>\n<li>Systems within the scope of PCI DSS<\/li>\n<li>Systems processing regular data dump exchanges (f.ex. between client and vendor, conversion of data between two different database systems, etc.)<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Logs from Custom applications\n<ul>\n<li>May require enabling logging\/debug logs<\/li>\n<\/ul>\n<\/li>\n<li>Successful and unsuccessful logon attempts from any system that offers logs\n<ul>\n<li>SSH<\/li>\n<li>VPN<\/li>\n<li>(S)FTP<\/li>\n<li>Remote access tools\n<ul>\n<li>RDP<\/li>\n<li>pcAnywhere<\/li>\n<li>LogMeIn<\/li>\n<li>gotomypc<\/li>\n<li>TeamViewer<\/li>\n<li>vnc (including various clones)<\/li>\n<\/ul>\n<\/li>\n<li>Databases\n<ul>\n<li>MSSQL<\/li>\n<li>Oracle<\/li>\n<li>etc.<\/li>\n<\/ul>\n<\/li>\n<li>Outlook Web Access<\/li>\n<li>Employee Support Pages<\/li>\n<\/ul>\n<\/li>\n<li>Email server\n<ul>\n<li>Emails with subjects including commonly used social engineering keywords\n<ul>\n<li>dhl<\/li>\n<li>fedex<\/li>\n<li>paypal<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>All URLs extracted from emails<\/li>\n<li>Potentially other metadata<\/li>\n<\/ul>\n<\/li>\n<li>Domain Controllers\/Windows Event Logs\n<ul>\n<li>AppLocker logs (in a comment I received, the adviser suggested that it is an even better malware detector than AV &#8211; provided it is configured 
properly)<\/li>\n<li>Creation of user accounts<\/li>\n<li>Adding systems to the domain<\/li>\n<li>Creation of services associated with remote execution\n<ul>\n<li>psexec (psexesvc.exe)<\/li>\n<\/ul>\n<\/li>\n<li>Creation of all services (analysis may help to whitelist most)<\/li>\n<li>Execution of programs (requires <a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/sysmon\">sysmon<\/a> installed)<\/li>\n<li>Successful and Unsuccessful Logons<\/li>\n<\/ul>\n<\/li>\n<li>Physical controls\n<ul>\n<li>any access controls (proximity cards, etc.)<\/li>\n<\/ul>\n<\/li>\n<li>Systems used for issuing security tokens<\/li>\n<li>Local wi-fi access points<\/li>\n<li>Mobile phones<\/li>\n<li>Other security controls and asset inventory tools\n<ul>\n<li>SCCM\n<ul>\n<li>Regular &#8216;sweeps&#8217; for presence of\n<ul>\n<li>single-character and two-character executable file names (p.exe, cc.exe, etc.)<\/li>\n<li>executable files including keywords:\n<ul>\n<li>crack<\/li>\n<li>warez<\/li>\n<li>keygen<\/li>\n<li>hack<\/li>\n<li>porn<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Tor\n<ul>\n<li>tor.exe<\/li>\n<li>vidalia.exe<\/li>\n<\/ul>\n<\/li>\n<li>Portable applications\n<ul>\n<li>typically used to bypass\/hide installation<\/li>\n<\/ul>\n<\/li>\n<li>Commonly used command line versions of archivers\n<ul>\n<li>rar.exe<\/li>\n<li>7z.exe<\/li>\n<li>pkzip.exe<\/li>\n<li>winrar.exe<\/li>\n<\/ul>\n<\/li>\n<li>Commonly used tools for hacking\n<ul>\n<li>nmap.exe<\/li>\n<li>psexec.exe<\/li>\n<li>mimikatz.exe<\/li>\n<li>pwdump.exe<\/li>\n<\/ul>\n<\/li>\n<li>P2P applications\n<ul>\n<li>utorrent.exe<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>LanDesk instances<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Thank you to everyone who helped to expand this list. Much appreciated!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having security controls in place is a win only if we can leverage these controls to deliver alerts to us. 
Once delivered we can classify them as noise, events, near-misses and incidents, and &#8230; take it from there. In today&#8217;s &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/12\/08\/the-comprehensive-list-of-ir-sources-and-alerts-work-in-progress\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,46],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3398"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3398"}],"version-history":[{"count":15,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3398\/revisions"}],"predecessor-version":[{"id":3511,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3398\/revisions\/3511"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}