How do folks use Security Onion for hunting


namobud...@gmail.com

Sep 22, 2015, 10:55:52 AM
to security-onion
Hello Group,

I wanted to query the group for the top ways folks use Security Onion on a daily basis to hunt for IOCs and other events of interest. I'm trying to come up with a daily checklist that's more detailed than the obvious (i.e.: look at Sguil, run through the included ELSA queries).

And as always thanks to Doug and his helpers for an incredible project.

Wes

Sep 22, 2015, 3:31:29 PM
to security-onion
Doug has some online training classes coming up in the next few weeks that could help you out--more specifically, "Security Onion 202 - Case Studies", in which Doug goes over various use cases and walks through the process of pivoting between different interfaces and data types. This would be an excellent resource--I'm hoping to attend myself.

https://attendee.gototraining.com/9z73w/catalog/8119062504158470144?tz=America/New_York

Kevin Branch

Sep 22, 2015, 4:28:19 PM
to securit...@googlegroups.com
In addition to the good stuff directly built into Security Onion, I also lean heavily on daily connect-graph reports that express the past 24 hours of events in the Sguil database.  For hunting, I find it essential to be able to visualize the relationships of hosts and events to each other at a high level.  My scripts presently pull Sguil events from MySQL, do a variety of filtering and aggregation steps, and feed the final results to afterglow and graphviz to generate the visualization.  The results look somewhat like a dense version of this:

[image not included]

but where the ellipses contain IP addresses with hostnames, and the rectangles contain event names (like a Snort/Suricata signature name most commonly).  It takes tuning to one's environment to get enough noise out that actionable patterns are readily discernible, but it is worth the work to me.

Kevin

On Tue, Sep 22, 2015 at 3:31 PM, Wes <wlam...@taxslayercorp.com> wrote:
Doug has some online training classes coming up in the next few weeks that could help you out--more specifically, "Security Onion 202 - Case Studies", in which Doug goes over various use cases and walks through the process of pivoting between different interfaces and data types.  This would be an excellent resource--I'm hoping to attend myself.

https://attendee.gototraining.com/9z73w/catalog/8119062504158470144?tz=America/New_York

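Kevin's scripts were not yet published at the time of this thread, so the following is an added example, not his code. It shows the shape of a daily connect-graph pipeline as he describes it: filter the noisy (signature, host) pairs out, aggregate the last 24 hours of Sguil events into host -> signature -> host edges, and emit both an Afterglow three-column CSV and a Graphviz DOT file. The event rows are constructed in-line to stand in for a MySQL query against Sguil's `event` table; the column names (timestamp, signature, src_ip, dst_ip) and the suppression lists are assumptions for the example, and the signature names and addresses are made up.

```python
"""Daily Sguil connect-graph builder (added example, not Kevin's scripts).

Filters noisy events, aggregates the last 24 hours into
host -> signature -> host edges, and writes Afterglow CSV plus Graphviz DOT.
In production the rows would come from MySQL (assumed columns: timestamp,
signature, src_ip, dst_ip, with INT-stored addresses converted by INET_NTOA);
here they are constructed in-line so the example runs stand-alone."""
from collections import Counter
from datetime import datetime

# Constructed sample rows standing in for the MySQL result set.
SAMPLE_EVENTS = [
    {"timestamp": "2015-09-22 02:14:05", "signature": "Example Beacon Check-in",
     "src_ip": "10.1.1.5", "dst_ip": "203.0.113.7"},
    {"timestamp": "2015-09-22 02:44:05", "signature": "Example Beacon Check-in",
     "src_ip": "10.1.1.5", "dst_ip": "203.0.113.7"},
    {"timestamp": "2015-09-22 03:14:05", "signature": "Example Beacon Check-in",
     "src_ip": "10.1.1.5", "dst_ip": "203.0.113.7"},
    {"timestamp": "2015-09-22 04:00:00", "signature": "Example Windows Update Traffic",
     "src_ip": "10.1.1.20", "dst_ip": "198.51.100.9"},
    {"timestamp": "2015-09-22 04:30:00", "signature": "Example ICMP Ping",
     "src_ip": "10.1.1.9", "dst_ip": "10.1.1.1"},
    {"timestamp": "2015-09-22 05:00:00", "signature": "Example Beacon Check-in",
     "src_ip": "10.1.1.9", "dst_ip": "203.0.113.7"},
    {"timestamp": "2015-09-22 05:30:00", "signature": "Example Windows Update Traffic",
     "src_ip": "10.1.1.9", "dst_ip": "198.51.100.9"},
]

# Tuning (assumed for the example): (signature, ip) pairs known to be benign
# in this environment, and signatures that never carry hunting value here.
# A real list is built from watching your own traffic.
SUPPRESS_PAIRS = {("Example Windows Update Traffic", "10.1.1.20")}
IGNORE_SIGNATURES = {"Example ICMP Ping"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_noise(ev, suppress=SUPPRESS_PAIRS, ignore=IGNORE_SIGNATURES):
    """True if the event hits an ignored signature or a suppressed (sig, ip) pair."""
    if ev["signature"] in ignore:
        return True
    return any((ev["signature"], ip) in suppress for ip in (ev["src_ip"], ev["dst_ip"]))


def aggregate_edges(events, since=None, min_count=1):
    """Count (src_ip, signature, dst_ip) triples after noise filtering.

    `since` is an optional "YYYY-MM-DD HH:MM:SS" lower bound (e.g. now - 24h).
    Triples seen fewer than `min_count` times are dropped to thin the graph."""
    floor = parse_ts(since) if since else None
    edges = Counter()
    for ev in events:
        if floor is not None and parse_ts(ev["timestamp"]) < floor:
            continue
        if is_noise(ev):
            continue
        edges[(ev["src_ip"], ev["signature"], ev["dst_ip"])] += 1
    return Counter({k: n for k, n in edges.items() if n >= min_count})


def to_afterglow_csv(edges):
    """Afterglow three-column input: source,event,target, one line per edge.
    Commas inside signature names are replaced so each line stays 3 columns."""
    rows = [f"{src},{sig.replace(',', ' ')},{dst}" for (src, sig, dst) in sorted(edges)]
    return "\n".join(rows) + "\n"


def to_dot(edges):
    """Graphviz DOT: hosts as ellipses, signatures as boxes, edge labels are counts."""
    src_sig, sig_dst = Counter(), Counter()
    for (src, sig, dst), n in edges.items():
        src_sig[(src, sig)] += n
        sig_dst[(sig, dst)] += n
    hosts = {h for (s, _, d) in edges for h in (s, d)}
    sigs = {sig for (_, sig, _) in edges}
    out = ["digraph sguil {", "  rankdir=LR;"]
    out += [f'  "{h}" [shape=ellipse];' for h in sorted(hosts)]
    out += [f'  "{s}" [shape=box];' for s in sorted(sigs)]
    out += [f'  "{a}" -> "{b}" [label="{n}"];' for (a, b), n in sorted(src_sig.items())]
    out += [f'  "{a}" -> "{b}" [label="{n}"];' for (a, b), n in sorted(sig_dst.items())]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    edges = aggregate_edges(SAMPLE_EVENTS, min_count=1)
    print(to_afterglow_csv(edges))  # feed to: afterglow.pl -t | neato -Tpng
    print(to_dot(edges))            # or render directly: dot -Tpng
```

Raising `min_count` is the cheapest way to get the "noise out" Kevin mentions without maintaining a longer suppression list; the beacon-like triple that repeats every 30 minutes survives that cut while one-off alerts drop away.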

Brian Kellogg

Sep 22, 2015, 11:48:04 PM
to security-onion
Kevin,

Would you be willing to share your scripts' basic framework for doing this visualization on GitHub? Sorry for putting you on the spot, but this is something I've been wanting to do and I haven't had the time, and I've never worked with afterglow or graphviz. So, yes, it's an utterly selfish request looking to save time.


thanks,
Brian

Karolis

Sep 23, 2015, 2:55:10 AM
to securit...@googlegroups.com
+1

namobud...@gmail.com

Sep 23, 2015, 8:56:14 AM
to security-onion
+3

Kevin Branch

Sep 23, 2015, 10:06:38 AM
to securit...@googlegroups.com
Yes, I'd be happy to share that.  Let me try to extricate it from my wider set of addons to Security Onion and see what I can get up on GitHub.  I'll post an announcement when I've got something ready.

Kevin

Brian Kellogg

Sep 23, 2015, 10:14:08 AM
to security-onion
Thank you so much Kevin, really appreciate it.

tomm...@gmail.com

Sep 23, 2015, 2:52:44 PM
to security-onion
I highly recommend Applied Network Security Monitoring by Chris Sanders and Jason Smith: http://www.appliednsm.com/about-the-book/

Applied NSM has basically been my NSM guide book as it uses Security Onion. From the book, I learned how to use SiLK/NetFlows and Bro IDS for intrusion/anomaly detection.

Brian Kellogg

Sep 23, 2015, 2:56:46 PM
to security-onion
That is an excellent book. I've read through it but haven't had time to get into the SiLK portions of it yet. Good reminder to revisit it, thanks.

Another excellent and very practical book is: Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan.

http://www.amazon.com/gp/product/B00XB1P4RO?psc=1&redirect=true&ref_=oh_aui_d_detailpage_o02_

Wes

Sep 23, 2015, 2:58:52 PM
to security-onion
I second the Applied NSM comment--I'm going through it right now. Richard Bejtlich's book, The Practice of Network Security Monitoring is excellent as well.

Channing Jones

Sep 24, 2015, 10:48:21 AM
to security-onion
Looking for IOCs is all about separating the needles from the haystack, isolating the unusual from the usual. You're always going to see events, but much of it is normal.

To me, a crucial part of security monitoring is spending time watching and learning your traffic: keep daily visibility into events on your network and learn what events and traffic patterns are normal. That way when something abnormal pops up you can more easily spot it.

It's helpful to filter out normal events based on event ID and source or destination IP address so that they don't even show up and you can better focus in on stuff that is possibly anomalous. There's a very useful section on tuning in the wiki. Tuning must be a daily task.

Also, while Security Onion is a really great collection of tools, your SIEM/IDS shouldn't be your only tool for gaining visibility. If you have enough tripwires out there (anti-virus software, performance/availability monitoring, various forms of threat intelligence, and so on), you'll start to see more red flags coming from multiple sources, and trends will emerge more readily.

We have found OpenDNS Umbrella service to be a very effective tool for adding to both protection and increasing visibility into our network activity. The service blocks malicious names from resolving, greatly reducing the impact of drive-by malware and phishing. It also provides daily reports from each of our sites detailing DNS activity volume, top lookups, and top blocks.

In general, I like to look at activity on weekends and at night in netflow, IDS, Umbrella/DNS and all the other sources of info because the event volume is greatly reduced and you can better zero in on possible IOCs and other anomalies.

When something suspicious pops up, that's when the fun begins. There are so many cool tools in security onion for digging into the data to find out what actually caused an event.

Doug has some good videos on youtube that demonstrate some of the tools in action.

DefensiveDepth

Sep 24, 2015, 11:06:35 AM
to security-onion
This sounds like a possible talk at the Security Onion Con next year...

Any takers?

-Josh

namobud...@gmail.com

Sep 24, 2015, 12:04:39 PM
to security-onion
Awesome post Channing,

I agree on all points. I'm wondering if you can share how you use OpenDNS Umbrella: do you use the web interface, and/or how do you integrate it into your overall security program? I tried one time downloading a month's worth of data and using a badDNS Python script I found to compare against it. I've also found a lot of the sites that OpenDNS flags as problems come up clean in VirusTotal for some reason.

Thanks,

On Thursday, September 24, 2015 at 10:48:21 AM UTC-4, Channing Jones wrote:

Channing Jones

Sep 24, 2015, 1:56:27 PM
to security-onion
First of all, we hardly spend any time dealing with malware any more since implementing Umbrella. It is extremely effective in that regard. It also lets you block other stuff easily across the board for whatever reason. We typically block crap like double-click and other high-volume trackers. (Do a sostat on your SO box and check out the top 50 URLs report it generates.)

In general, with Umbrella, it's again about getting a sense of what normal is so that unusual is easier to spot. I look at the daily (emailed) reports from each site to get a sense of overall volume and what normal good and blocked lookups are happening.

If there is an abnormally large amount of DNS activity at night or weekend, that could be a red flag.

Obviously domain name generation algorithms will stand out like a sore thumb and are typically heavy hitters, whether blocked or allowed.

We block all DNS at the network border except for DNS from our DCs. Our DCs forward all unknown requests to Umbrella servers and log all their activity locally. The DC logs give us another tool to track down anything we need more info on.
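The two checks Channing describes against the DC-side DNS logs, as an added example (not Channing's or Umbrella's tooling): per-client query volume in off-hours versus business hours, and a crude score for machine-generated-looking names. The log lines are constructed in a simple "date time client qname" layout, not the Windows DNS debug-log format, so `parse_dns_log()` is the part to adapt; the business-hours window, the score thresholds and the sample names and addresses are all assumptions for the example.

```python
"""Off-hours DNS volume and DGA-looking names from a DC DNS log.
Added example, not Channing's or Umbrella's tooling; log format constructed."""
import math
from collections import Counter
from datetime import datetime

# Constructed sample log: one client with normal weekday-daytime lookups plus a
# single late query, and one client bursting machine-looking names at 2 AM on
# a Saturday (2015-09-26). Names and addresses are made up.
SAMPLE_DNS_LOG = """\
2015-09-24 10:15:00 10.1.1.9 www.microsoft.com
2015-09-24 10:15:03 10.1.1.9 mail.google.com
2015-09-24 10:16:10 10.1.1.9 update.example.org
2015-09-24 23:05:00 10.1.1.9 www.microsoft.com
2015-09-24 10:20:00 10.1.1.5 www.microsoft.com
2015-09-26 02:03:11 10.1.1.5 x7k2q9vlp3mzt.net
2015-09-26 02:03:12 10.1.1.5 qz8v1kd0rw3jy.net
2015-09-26 02:03:13 10.1.1.5 bfhtwkdslprm.com
2015-09-26 02:03:14 10.1.1.5 x7k2q9vlp3mzt.net
2015-09-26 02:03:15 10.1.1.5 qz8v1kd0rw3jy.net
2015-09-26 02:03:16 10.1.1.5 bfhtwkdslprm.com
"""


def parse_dns_log(text):
    """Parse the constructed 'date time client qname' layout into tuples."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, qname = line.split()
        recs.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), client, qname))
    return recs


def is_off_hours(ts):
    """Weekend, or before 06:00 / from 22:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 22


def flag_off_hours_clients(recs, min_queries=5, ratio=1.0):
    """Clients whose off-hours query count reaches min_queries and exceeds
    ratio times their own business-hours count (a per-host baseline)."""
    off, biz = Counter(), Counter()
    for ts, client, _ in recs:
        (off if is_off_hours(ts) else biz)[client] += 1
    return sorted(c for c in off if off[c] >= min_queries and off[c] > ratio * biz[c])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(qname):
    """Crude 0..1 heuristic on the second-level label (multi-part suffixes such
    as co.uk are not handled): high entropy, few vowels, long, has digits.
    Thresholds are assumptions for the example, not tuned values."""
    parts = qname.rstrip(".").lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    checks = [shannon_entropy(label) > 3.5, vowel_ratio < 0.25, len(label) >= 12,
              any(ch.isdigit() for ch in label)]
    return sum(checks) / len(checks)


def dga_candidates(recs, threshold=0.5):
    """Counter of queried names scoring at or above threshold."""
    return Counter(q for _, _, q in recs if dga_score(q) >= threshold)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("off-hours clients:", flag_off_hours_clients(recs))
    for q, n in dga_candidates(recs).most_common():
        print(f"{n:3d} {q} score={dga_score(q):.2f}")
```

Both checks are deliberately baseline-relative rather than absolute: the off-hours test compares each host to its own daytime volume, and the name score is a triage aid to sort the report, not a verdict, so the "learn what normal looks like" step still has to happen before the thresholds mean anything in a given network.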
