You’ve hardened all you could on your servers or computers, you have a strong password with MFA, you update regularly or automatically everything and are wondering what can be done next?

Like you probably know, you can never be 100% protected and there is always a way criminals can find to access private information. For those who tells me they are 100% secure, here is an example:

You have a secure WordPress website at www.mysite.com which has nice plugins to secure it, you maintain it up to date and you have MFA. You then go in a public cafe to make some changes to your website. You enter your WordPress URL in your browser, get the login window, enter your password + your MFA and get access to your website. You then make some changes and everything works as normal. Then a few days later your site gets defaced, or worse. What happened?

What you missed here is that an attacker in the same cafe as you was able to change the IP returned when you did a DNS query for your domain (either through MITM or by changing the DNS Server in the router config). He then redirected you to a new domain: www.rnysite.com. This new domain is owned by the attacker and directs you to a sever that runs Modlishka. This attacking tool essentially proxies all your traffic to your real website www.mysite.com, even validating your password + MFA and making the changes you ask for, but he also makes a copy of all the traffic, taking your cookies and password. Although he doesn’t have your MFA, he now has your cookies. Oh and if that’s not enough, it’s possible now to brute-force the TOTP seed with Hashcat with only 2 TOTP token. (Here is a definition of Brute-force attack)

So now what?

Well, here comes logging, aggregating, correlating and alerting — also known as a Security Information and Event Management, or SIEM.

But what is a SIEM? As Varonis puts it:

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.

SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

Source: https://www.varonis.com/blog/what-is-siem/

…

Now that we established what is a SIEM and why it is needed, how to we get started with this?

Well, to get started using a SIEM, you can read my blog posts on the subject! My goal is to make it easy to understand and accessible to anyone with some IT experience.

Next post: SIEM 101 — Introduction

Feel free to leave your comment down here for any questions or comments.

Donation

If you like my blog and my posts, please consider donating! Imagine this: each minute of reading a post takes about 1-2 hours to create!

In the following days, I’ll write a few blog posts explaining how to easily learn to use a Security Information and Event Management, or SIEM.

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

But what is a SIEM? As Varonis puts it:

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.

SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

Source: https://www.varonis.com/blog/what-is-siem/

To do this, I wrote the post SIEM 101 — Initial setup where I explain how to create an account on Logz.io; they offer a free account where you can send up to 1 GB / day of logs to try their platform. Time needed: around 2 minutes.

Still in the post SIEM 101 — Initial setup, I then explain how to send your logs there, whether you’re on Windows or on Linux. Time needed: around 5–10 minutes.

After that, I’ll explain the basic usage of Logz.io, how to search logs, how to create an alarm, etc. Time needed: around 30 minutes.

When all this is done, the scene will be in place to start writing blogs on detection cases, for example: receive an alert if Windows is brute forced, receive an alert if a failed logon happened on your WordPress server, etc.

I’ll eventually talk about the scripts I developed that uses Logz.io to automatically block bad IPs on my servers.

For the most advanced users, you’ll then be able to discover some useful tools the community provides, like the Sigma rules.

Follow me in my next post: SIEM 101 — Initial setup

Feel free to leave your comment down here for any questions or comments.

Donation

If you like my blog and my posts, please consider donating! Imagine this: each minute of reading a post takes about 1-2 hours to create!

A few years ago, I was on the defense team when a pentest was ongoing on one of our website. This website, coded in C#, was hosted on Windows and had Windows Defender activated.

During the pentest, the attacker had access to the CMS. He discovered that he could upload his own plugins, giving him Remote Code Execution (RCE) on the server. Happy with this discovery, he started his C&C server (it was PowerShell Empire 2 at the time), crafted a payload and launched the result in a C# wrapped plugin and then… nothing.

As some of you may know, C#, PowerShell and Defender all love to work together. That’s because the .NET framework is now tightly integrated with Windows Defender. When sending the payload, Defender could see and block the attack.

So all the attacker had to do was to modify his payload until it passed all the checks Defender does. After a few hours, he had a complete reverse shell (although restricted to the IIS user).

From the defense point of view, the fact that Defender did his job is perfect. But the fact that we didn’t know Defender blocked a file-less attack and we only learned it when we receive the report should be considered a disaster. It means your AV is useless because an attacker has all the time he needs to craft his attack.

From this point, the next steps where clear, we needed to receive an alert when a virus was detected. And maybe on other suspicious behavior? That’s when I discovered what is a SIEM!

If you wan’t to know more about what is a SIEM and how to use it, you can read my blog posts on the subject starting with: SIEM 101 — Introduction

Feel free to leave your comment down here for any questions or comments.

Donation

If you like my blog and my posts, please consider donating! Imagine this: each minute of reading a post takes about 1-2 hours to create!

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

This is the second post of the series “SIEM 101″ where I explain the basics of a SIEM, from installation to simple usage. You can see the previous post SIEM 101 — Introduction.

I decided to write the series using Logz.io because they offer an easy to use platform with a free 1GB/day trial with a smooth learning curve. Of course they don’t offer all the features in the free version and some crucial features for a SIEM are missing, but this is perfect to get started with a SIEM! For the Splunk fans, I’ll probably write a blog post about why I don’t recommend it often and why I recommend an Elasticsearch based SIEM most of the time.

Read more

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

For this post, I assume you’ve read my SIEM 100 series where I explain the basics of Logz.io. I’ll be using the stack I created in this series to demonstrate what to do.

PsExec is a tool provided by Microsoft in the Sysinternals suite: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Like they explain:
 

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

PsExec can be use as an adversary to pivot between computers and/or elevate privileges. It is rather easy to detect when executed on a monitored endpoint, but what happens when a remote computer not monitored use it to connect to a monitored endpoint?

It turns out it can be detected by looking for a chain of 3 events, distinctive of PsExec behavior when remote connecting.

Read more

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

For this post, I assume you’ve read my SIEM 100 series where I explain the basics of Logz.io. I’ll be using the stack I created in this series to demonstrate what to do.

Why we need to detect Windows bruteforce

When we have a lot of Windows machine in our environment, it can be useful to be able to detect a bruteforce on a machine, be it over RDP or not. For example, with this Use Case, we could detect an attacker trying to login on a sensitive computer or trying to pivot between machine.

This Use Case is really simple so it’s rather easy to develop and test. But it’s also prone to false positive, so it’s a good Use Case to learn to reduce the false positives.

How

Read more

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

For this post, I assume you’ve read my SIEM 100 series where I explain the basics of Logz.io. I’ll be using the stack I created in this series to demonstate what to do.

Sysmon is a tool provided by Microsoft in the Sysinternals suite: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.  

Like they explain:

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Read more

Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/

This is the third post of the series “SIEM 101” where I explain the basics of a SIEM, from installation to simple usage. You can see the previous post SIEM 101 — Initial setup.

Read more

Information Security, Cybersecurity, IT security. We’ve all heard and read them in interchangeable ways, these synonyms all aim to define what is security. But most of them imply assumptions harmful for the Information Security domain. Let me explain.

What we try to do

Generally, when we, or often the media, use the term “Cybersecurity”, we want to describe the idea that we want to be secure against some kind of “hacker”. Most people who use this term imagine a “hacker”, in a black hoodie, in front of a screen full of green scribble. But this idea misses the point of what really is Security, or as I prefer to say, Information Security, or InfoSec.

What a bad actor, often named “hacker”, really want to do is to gain access to information that he/she wouldn’t normally have access otherwise to reach a goal.

In a ransomware attack, the goal is to keep you from having access to this information and extort money from you. In a phishing attack, the goal could be to steal credentials, which is a kind of information, to use them or sell them.

So once we understand what the bad actor wants, we understand what we need to protect. At the highest level, the goal is Information. Hence the word “information” in “Information Security”. The security part imply the idea that we want to protect this information against all kind of attacks.

Why it’s a problem

The problem with the words “Cybersecurity”, “IT security” and other similar terms is that they imply that the security must be done at the technology level: the computers, the servers, the firewalls, the switches, etc. While it is important to secure these technologies, the global strategy needs to be way larger.

For example, no technology can help us against the CEO fraud if an untrain employee falls for it. The problem in this specific case is the lack of training. Training is not a technological solution but it is one of the most effective strategy to protect the business.

If we try to reduce the security problem to only the technology, we’ll fail miserably.

The reason these terms are harmful to the domain is that they create this idea in the mind of the leaders that security is an IT problem. So it often falls in the hands of an IT officer, like the CTO. Most businesses don’t have a CISO, and those who do have him/her under the IT department. I could write a complete post on why this is a bad idea.

What should we do

This is a business culture problem and this is where we need to start the work. Businesses that invest in a Security culture often thrives even more than the ones that put millions on technologies.

So it is more than time that we start talking about this domain by naming it “Information Security“!

Note: I wrote “hacker” between quotes when talking about bad actors because this term became pejorative. Initially, a hacker is only someone who finds a way around some limitations, with good or bad intentions; mostly goods. For example, my reading light is too bright and I can’t dim it enough; so I put black tape on it to cover about 80% so I get just enough light. That’s hacking applied to something else than technology. It’s a ridiculous example to demonstrate my idea.

As explained in wikipedia:

The controversy is usually based on the assertion that the term originally meant someone messing about with something in a positive sense, that is, using playful cleverness to achieve a goal. But then, it is supposed, the meaning of the term shifted over the decades and came to refer to computer criminals

Source: https://en.wikipedia.org/wiki/Hacker

Note 2: because of the way SEO works, I’ll hack my way to the top results by placing terms like “Cybersecurity” in my blog from time to time 😉

Feel free to leave your comment down here for any questions or comments.

Donation

If you like my blog and my posts, please consider donating! Imagine this: each minute of reading a post takes about 1-2 hours to create!

WordPress is one of the most popular CMS and website server in the world. It handles “more than 30%” of the websites on the internet. Because of this, bad actors are really interested in finding ways to get control of them.

One of the most easy way for them to achieve this is by bruteforcing the login for common username and password combinaisons, including from past leaks. This is a working strategy because by default WordPress doesn’t protect against bruteforce attacks.

How do we detect a WordPress bruteforce attack

In the WordPress world, there are many ways to handle bruteforce attacks, as this is rather simple to detect. But because we are in the SIEM series, I’ll talk about how to detect the attack using a SIEM.

Read more

This post is a follow up of the post SIEM 102 — Detect Windows bruteforce where I explained how to create a detection Use Case to detect a Windows bruteforce.

In this post I will explain how we can enhance the original detection logic by having a lower False Positive rate.

As I explained in the last section of the initial post, it is important to manage False Positives (FP). In the past few months, I spent some time to look for ways to reduce FP and this post will summarize them.

Read more

Here are the posts I did using Logz.io for my examples:

• https://www.tristandostaler.com/siem-101-introduction/

• https://www.tristand…

Read more