How to create correlation rule for threat detection in RuSIEM
Download as PPTX, PDF0 likes437 views
The document outlines the process for creating a correlation rule for threat detection, specifically for ransomware threats like win32/diskcoder.petya.c. It emphasizes the importance of automatic and real-time detection, as well as the need to understand attack vectors and distribution methods. Scenarios are provided to illustrate the SIEM's role in prioritizing threats and reducing false positives through correlation rules.
How to create correlation rule for threat detection in RuSIEM
- 1. HOW TO CREATE CORRELATION RULE FOR THREAT DETECTION IN RUSIEM CEO RuSIEM Olesya Shelestova https://rusiem.com support@rusiem.com In case - detection ransomware Win32/Diskcoder.Petya.C
- 2. EXAMPLE THREAT • Consider as an example a real threat: Ransomware Win32/Diskcoder.Petya.C
- 3. • You can not rely on patches that cover a vulnerability when creating a correlation rule. • At any time, a host may appear on which the patch is not installed. And you will not know about it at the most inopportune moment
- 4. WHAT ARE YOU NEED? • Discover. Even if at the moment you do not have a threat. • Automatic detection • Real time detection • Notifications (email/incident in workflow)
- 5. WHAT YOU NEED TO UNDERSTAND FIRST Threat: • Attack vectors (vulnerability, local/network, exploited software versions, …) • Distribution method (email/attachments/network/banners/sites) • Explore news for threat definition/signature How to detect: • Process/network/hash • Event logs/Cyber security systems (IDS/DPI/Network Analyzers/Antivirus/etc)
- 6. SCENARIO #1 1. You have an information security tool that detects a threat 2. SIEM receives a ready-made threat decision event 3. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
- 7. SCENARIO #2 1. You have a number of different software or hardware tools that provide information about processes, email, network connections, hashes. 2. It can be: windows event logs, firewalls, syslog, IDS, flow, network analyzers and other. 3. SIEM will receive simple events from these sources, check for correlations and detect incidents. 4. SIEM prioritizes the threat by the rule of correlation, reduce the number of false positives and records the fact of the incident. Notifies send to you (or remediation group) by mail.
- 8. DIFFERENCE BETWEEN SCENARIO 1. In fact: you are faster than IDS / AV vendors can create a signature yourself. 2. The difference between the #1 and #2 scenarios is that in the case of correlation rules in SIEM, you get a more manageable centralized system. 3. There is no need to write rules for many different systems and monitor their deploy. 4. In practice, SIEM receives much more information for guaranteed threat detection. 5. In SIEM correlation rules it is possible to reduce the number of false positives. 6. In any case, processes of incident management and real-time response are needed. This does not have a classic protection
- 9. LOOK GOOGLE FOR THREAT Win32/Diskcoder.Pety a.C Process Remote WMI, “process call create "C:WindowsSystem32rundll32.exe "C:Windowsperfc.dat" #1” Email src/dst Connect to hosts mshta.exe %WINDIR%System32ms hta.exe" "C:myguy.xls.hta" 185.165.29.78 84.200.16.242 111.90.139.247 95.141.115.108 wowsmith123456@posteo.net iva76y3pr@outlook.com carmellar4hegp@outlook.com amanda44i8sq@outlook.com
- 10. OUR PATH • We will detect Win32/Diskcoder.Petya in this case by dst.ip (C&C) and sha1/sha256 hashes • Arrays of values put in the lists to be able to quickly change and add new values • When IDSs are updated - we will record incidents and by their warnings • If you have enabled audit on file servers – we also may create common rule. Example, “changes 100 or more files in 60 seconds”
- 11. CREATE LIST FOR IP ADDRESSES
- 12. CREATE LIST FOR SHA1 AND SHA256 HASHES
- 13. CREATE CORRELATION RULE FOR DETECT BY HASH
- 14. CREATE RULE FOR DETECTION BY DST.IP
- 15. ATTENTION ! • Be sure to test the created rule in a real infrastructure ! • You can always create or emulate the connection, the test process, the other symptom of the threat for verification • If an incident happens - it will be too late.
- 16. TEST THE CREATED RULE, CHECK THE INCIDENT
- 17. THANK YOU support@rusiem.com https://rusiem.com https://t.me/rusiem https://facebook.com/rvsiem Tags: #rvsiem #rusiem Software: RuSIEM, free RvSIEM