Event Detection

Intro

Event detection is the bread and butter of the security analyst. Whether you are a blue teamer building automated alerting or a threat hunter looking deeper at the data, it is essential to understand what you are looking for, how to look for it, and what tools can make it easier to find it. One of the best new resources for starting your detection strategy is https://d3fend.mitre.org/. This is a fantastic resource that allows you to create a per task approach to creating detection use cases.
For proper event detection, we usually need 3 elements: A device/application that can generate a log relevant to what we are looking for, the log itself, and a collection tool. The device/application that generates the log does not have to be a security device in order to give us security relevant logs. One thing you will find however, is that security relevant devices send us significantly less volume of data, as they are only sending alerts and the information surrounding a detection. When we are looking at logs from non-security related devices, we must develop our own detection logic to pull out what events we deem suspicious from those logs.
For parsing through logs and organizing them into an easy format, there is a wonderful set of tools called the SIEM: Security Incident and Event Management. With many tools you can look at their data and events directly, but a SIEM allows you to gather all of your logs in one place and parse through them. With them all in one place, you can even correlate activities across your logs. One other big thing that SIEMs can do is help normalize your data. Every type of log is different even if it is the same type if device/application. Example: McAfee AV logs are in a completely different format that MS Defender logs. Well what if your environment has both? Is there an easy way to look at them both at the same time? Yes! Many SIEMs have plugins or apps that can normalize the data into CIM: Common Information Model format. This makes them parsable by your SIEM tools, and much easier to create detection rules around.

SIEM and Enrichment

IDS/IPS

NSM: Network Security Monitoring

For Netflow logs and Packet Capture, please see the following:
  • ​ZEEK - A departure from traditional signature based detection, ZEEK is a network traffic analysis engine that allows network security monitoring at the application layer event in large networks. This tool was formerly called BRO.
  • ​Corelight - The premium, Enterprise grade, Zeek Alternative.
  • ​arpwatch - Arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. Alerts the system administrator via e-mail if any change happens, such as new station/activity, flip-flops, changed and re-used old addresses.
  • ​maltrail - Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).

Endpoint

Open Source EDR: Endpoint Detection and Response

  • ​OSSEC - a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS)
  • ​Wazuh - Starting as a fork of OSSEC, it was built with more reliability and scalability in mind . It differs from OSSEC in its ability to be integrated with Elastic Stack, a better rule set, and it can use a restful API. File integrity Monitoring, Vulnerability Management, Config Management, Enhances Incident Response, and even an easy to use UI. Wazuh has it all.
  • ​BlueSpawn - EDR + Active Defense tool. Has the ability to interact with OS APIs to actively respond to certain detections in the platform.
  • ​OpenEDR - Comodo security's open source EDR platform. Great community and solid product.
  • ​whids - Open Source EDR for Windows

​OSQuery ​

Other Tools

  • ​Sysdig: Linux system exploration and visibility tool
  • ​ZEEK-agent - An endpoint monitoring agent that provides host activity to ZEEK
  • ​Veliciraptor - a tool for collecting host based state information.

Sysmon

Fingerprinting

Attack Surface Monitoring and Asset Discovery

​Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Collection of open source tools for attack surface management or Bug Bounties.
  • ​nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
  • ​subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
  • ​naabu - A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
  • ​httpx - httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
  • ​proxify - Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.
  • ​dnsx - dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

Other tools

  • ​Intrigue - Intrigue Core is a framework for discovering attack surface. It discovers security-relevant assets and exposures within the context of projects and can be used with a human-in-the-loop running individual tasks, and/or automated through the use of workflows.
  • ​Odin - ODIN is Python tool for automating intelligence gathering, asset discovery, and reporting.
  • ​AttackSurfaceMapper - AttackSurfaceMapper (ASM) is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets.
  • ​Goby - Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise.
  • ​Asnip - Asnip retrieves all IPs of a target organizationβ€”used for attack surface mapping in reconnaissance phases.
  • ​Microsoft Attack Surface Analyzer - Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.
  • ​https://securitytrails.com/ - Powerful tools for third-party risk, attack surface management, and total intel
  • ​https://www.whoisxmlapi.com/ - Domain & IP Data Intelligence for Greater Enterprise Security
  • ​https://www.riskiq.com/ - RiskIQ Digital Footprint gives complete visibility beyond the firewall. Unlike scanners and IP-dependent data vendors, RiskIQ Digital Footprint is the only solution with composite intelligence, code-level discovery and automated threat detection and exposure monitoringβ€”security intelligence mapped to your attack surface.
  • ​https://dehashed.com/ - Scan domain for indicators found in breaches

Network Diffing

A simple but effective monitoring method, where regular port scans are run and then compared to previous scan results. This can be handy for detecting newly open ports on scanned devices. This action can be easily and quickly performed by Masscan.
  • The Hacker Playbook 3: Monitoring an Environment - pg.24

User Behavior Analytics

  • ​OpenUBA - A robust, and flexible open source User & Entity Behavior Analytics (UEBA) framework used for Security Analytics. Developed with luv by Data Scientists & Security Analysts from the Cyber Security Industry.

File Integrity Monitoring

The actions needed to setup persistence typically require the attacker to interact with the target machine like creating or modifying a file. This gives defenders the opportunity to catch them if we are able to lookout for file creation or modification related to special files of directories.

Misc Tools

  • ​SAGAN - An open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that can be used with popular IDS tools and rules sets like Surricata and SNORT.
  • ​RITA - A tool that scans ZEEK logs for beaconing detection and DNS tunneling.
  • ​Flare - Not to be confused with the malware reverse engineering VM, This Flare is a network analysis tool by Austin Taylor that can take logs from Elastic stack and Surricate and perform various types of nework analysis and detection, including beaconing detection.
  • ​Revoke-Obfuscation - Powershell obfuscation detection tool
  • ​dnstwist - Tool for creation of potential typo-squatting domains by use of multi-character permutation and checking for registration of those domains.

Detection Use Cases