Leveraging logging for threat detection
Chris Bassey
Overview
● Cyber threats
● Cyber attacks
● Threat detection
● Logging
● Threat detection using logs
● Demo
● Limitations of logging
● Conclusion
Cyber threats
A cyber threat is the possibility that threat actors will carry out malicious activity
against your digital assets and infrastructure. Threats may include the possibility
of:
● Phishing.
● Malware infections.
● Data breaches, theft and damage.
● (Distributed) denial of service attacks.
Cyber attacks
Cyber attacks are malicious and unwanted activities from actors seeking to
compromise the confidentiality, integrity and availability of digital assets and
infrastructure.
Examples include:
● Ongoing phishing and impersonation campaigns.
● Malware actively running on your endpoints (ransomware, RATs, infostealers).
● Ongoing (D)DoS attacks.
● Data exfiltration.
● Ransomware.
Threat detection
This is the process of identifying threats that are trying to attack your assets and
infrastructure. It might be the detection of:
● Downloaded malware that has not yet been run.
● Running malware exfiltrating data.
● Running malware connecting back to a C2 server.
● A stager retrieving a second stage payload.
● An ongoing phishing campaign.
Threat detection (Methodologies)
● Threat intelligence (early stage, pre-attack)
● Signature-based detection
● Anomaly-based detection
● Behaviour-based detection (thin line between this and ML-based detection)
● ML-based detection (early days for this?).
Threat detection (Tools)
● Endpoint detection and response tools.
● Security information and event management (SIEM) tools.
● IDS, IPS.
● MITRE ATT&CK framework.
Logging
● Logs are records of events that occurred on your assets.
● Logging is the act of keeping a record of events that occurred.
● These records are commonly written to a log file or in some cases stored in a DB.
What assets should we be logging from?
Infrastructure dependent, but as a rule of thumb: “Log from attack surfaces and possible points of entry (POE)”.
● Endpoints, servers.
● Applications.
● Network devices.
● Cloud infrastructure.
Logging (What can we log?)
● Audit logs (user activity: login, logout, content modification, etc.).
● Application logs.
● Security logs.
● Operating system logs.
Threat detection using logs
● You have to be logging important events (in some cases you may need
enhanced logging).
● Ingest the logs into an analysis/security solution (EDR, SIEM).
● Create detection rules to detect various kinds of activity.
● Analyze the logs, and correlate them with other events.
● Generate alerts if malicious indicators are found.
Demo (Infrastructure overview)
Components: Attacker → User endpoint + Wazuh agent → Logs → SIEM + XDR.
● Malicious file sent to user.
● User opens and clicks.
● Connection established back to the attacker.
● The Wazuh agent on the user endpoint forwards its logs to the SIEM + XDR.
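As an added illustration of the "Threat detection using logs" steps and of the demo pipeline above (example code, not part of the original slides and not Wazuh's own rule set), this Python snippet runs one correlation rule over constructed, Sysmon-like events as an endpoint agent might forward them: a document reader spawns a shell, and that shell connects to a non-internal address shortly afterwards. Field names, host names, PIDs and the sample addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions): event_id 1 = process
# creation, event_id 3 = network connection. The first three events reproduce the
# demo (Word spawns PowerShell, which connects out); the rest is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "ws01", "event_id": 1, "pid": 4100,
     "ppid": 900, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"ts": "2024-05-01T10:00:07", "host": "ws01", "event_id": 1, "pid": 4188,
     "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2024-05-01T10:00:09", "host": "ws01", "event_id": 3, "pid": 4188,
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": "2024-05-01T10:02:30", "host": "ws01", "event_id": 3, "pid": 4100,
     "dst_ip": "10.0.0.5", "dst_port": 445},   # Word talking to an internal share
    {"ts": "2024-05-01T10:03:00", "host": "ws02", "event_id": 3, "pid": 77,
     "dst_ip": "203.0.113.9", "dst_port": 443},  # no process event seen for pid 77
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)  # the child must connect out within this time of starting

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def correlate(events):
    """Rule: an Office/reader app spawns a shell that soon connects to an external IP."""
    procs = {}   # (host, pid) -> (image basename, parent key, start time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["pid"])
        if ev["event_id"] == 1:
            procs[key] = (basename(ev["image"]), (ev["host"], ev["ppid"]), ts)
        elif ev["event_id"] == 3 and key in procs:  # unknown pid: logging started too late
            image, parent_key, started = procs[key]
            parent_image = procs.get(parent_key, ("", None, None))[0]
            if (image in SHELLS and parent_image in OFFICE_APPS
                    and is_external(ev["dst_ip"]) and ts - started <= WINDOW):
                alerts.append({"host": ev["host"], "pid": ev["pid"], "parent": parent_image,
                               "child": image, "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
                               "ts": ev["ts"]})
    return alerts
```

Calling `correlate(SAMPLE_EVENTS)` yields a single alert for the PowerShell child of Word; the network event for the unseen pid 77 is silently skipped, which is the "events before logging started" limitation in miniature.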
Limitations of logging
● Misses events generated before the logging was started.
● Cannot see process activities. A process creation log might look benign, but the
process is executing malicious activities.
● Logs collected still have to be analyzed and correlated to trigger detection
rules. An opportunity here?
● Logging consumes disk space :-(.
● The activity has to happen before detection can start. You are one step behind.
● Logs can be faked, cleared, disabled.
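An added check (example code, not from the slides) for the last limitation, "logs can be faked, cleared, disabled": it flags Windows' own log-tampering records (Security event 1102 for the audit log being cleared, System event 104 for the System log being cleared, and 1100 for the event logging service shutting down) and agents whose check-in has gone quiet, which is what a disabled agent looks like from the SIEM side. The event shape, host names and the 15-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Windows writes these into the freshly cleared log, so they survive the clear:
# Security 1102 = audit log cleared, System 104 = System log cleared,
# System 1100 = event logging service shut down.
TAMPER_EVENTS = {("Security", 1102), ("System", 104), ("System", 1100)}
MAX_SILENCE = timedelta(minutes=15)  # assumed tolerance before an agent counts as silent

# Constructed sample input (field names are assumptions, not a real agent's schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T11:00:00", "host": "ws01", "channel": "Security", "event_id": 4624, "user": "jdoe"},
    {"ts": "2024-05-01T11:05:00", "host": "ws01", "channel": "Security", "event_id": 1102, "user": "jdoe"},
    {"ts": "2024-05-01T11:06:00", "host": "srv01", "channel": "System", "event_id": 7036, "user": "SYSTEM"},
]
SAMPLE_HEARTBEATS = {  # last check-in seen per agent
    "ws01": "2024-05-01T11:05:30", "ws02": "2024-05-01T10:20:00", "srv01": "2024-05-01T11:07:00",
}

def tamper_findings(events):
    """One finding per event that records the log itself being cleared or stopped."""
    return [{"host": e["host"], "ts": e["ts"], "user": e.get("user", "?"),
             "what": f'{e["channel"]} event {e["event_id"]}'}
            for e in events if (e["channel"], e["event_id"]) in TAMPER_EVENTS]

def silent_agents(heartbeats, now):
    """Agents that have not checked in within MAX_SILENCE of `now` (ISO 8601 string)."""
    now_dt = datetime.fromisoformat(now)
    return sorted(host for host, last in heartbeats.items()
                  if now_dt - datetime.fromisoformat(last) > MAX_SILENCE)

def audit_logging_health(events, heartbeats, now):
    """Combine both checks into one list of human-readable findings."""
    findings = [f"{f['host']}: {f['what']} at {f['ts']} by {f['user']}"
                for f in tamper_findings(events)]
    findings += [f"{host}: no agent check-in for more than {MAX_SILENCE}"
                 for host in silent_agents(heartbeats, now)]
    return findings
```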
Conclusion
● Logging is super useful; enable it on your assets if you can.
● Do not rely solely on logging. Analyse other sources of information; investigate
processes, file modifications, etc.
● Continuously tune your detection rules. Also do not rely mainly on your
detection rules as some may not trigger for new attack methods, or may just be
wrongly configured.
● Is there a possibility of analyzing user activities and predicting what the user
will do next? Any deviation from that can be considered abnormal. UEBA.

Editor's Notes

  • #4: These threat actors may include nation states, criminal gangs, competitors, disgruntled employees, hacktivists or just kids mucking around.
  • #5: You can see the guy with the fancy graduation hat. He has graduated from being a threat to an attacker. A cyber threat becomes a cyber attack when it is executed. Key difference between threats and attacks is execution.
  • #9: Collectively, the records of events are called logs.