SANS - SEC 555

Preface

This is a short post on one of my latest trainings from SANS. The class is advertised as a vendor-neutral SIEM class that teaches detection methodologies. The class was held online and ran from 9am-7pm. There is a bootcamp Netwars each day and a final CTF on the last day, so you won't even get a chance to get bored!

This class relied a lot on open source tooling such as Logstash, Elasticsearch, Elastalert, Kibana, Cerebro, RabbitMQ, Sysinternals, Security Onion, Osquery, Moloch, Wazuh, Snort, Suricata, etc. I've used many of these tools before, but it's great to learn how to build them from the ground up and see how others utilize these tools in their environments.

Takeaways

The 4 main components of the logging pipeline are:

  • Log collectors - agents and scripts on the endpoint that generate and ship events (e.g. auditd, Sysmon)
  • Log aggregator - accepts data, ingests raw logs, and has the ability to parse them and add context (e.g. Logstash)
  • Log broker - stores data temporarily, acting as a buffer between stages (a message queue such as RabbitMQ)
  • Storage - where logs land once they have finished being processed (e.g. Elasticsearch)

A lot of good detection techniques were touched on in class, spanning network, endpoint, and user-behavior baselining and detection, which I will be adding to my playbooks. Some examples include identifying web scans, account brute force, DNS sinkhole hits, connections from TOR nodes, host compromise, lateral movement, etc.

It's important to identify your goals before you start logging. You don't want to store tons of logs that you aren't going to use, so trim out the fields you don't need, and identify where different log sources intersect (shared fields such as hostname, username, or source IP) so you can correlate them for detection later. Also, regex is super useful if you ever work with logs and write rules!
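As an added example (not code from this post or from the SANS course material), the Python below walks through the aggregator stage from the pipeline list above and one of the detections mentioned (account brute force) on a handful of constructed sshd auth lines: a regex parses each line into named fields, fields that will never be queried (pid, source port) are trimmed before storage, each event is enriched with context from a hypothetical asset inventory, and a brute-force rule then runs over the enriched events, escalating severity when a source that has already crossed the failure threshold later logs in successfully. The hostnames, IP addresses, asset table, and threshold are all assumed values chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (not real data): sshd auth events in syslog format,
# plus one unrelated CRON line to show how unparsed input is handled.
SAMPLE_LOGS = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Mar  3 10:01:04 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  3 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar  3 10:01:06 web01 sshd[2205]: Failed password for deploy from 203.0.113.5 port 51126 ssh2
Mar  3 10:01:08 web01 sshd[2207]: Accepted password for deploy from 203.0.113.5 port 51127 ssh2
Mar  3 10:01:09 web01 sshd[2209]: Failed password for invalid user guest from 192.0.2.9 port 33001 ssh2
Mar  3 10:01:10 web01 sshd[2209]: Failed password for invalid user guest from 192.0.2.9 port 33002 ssh2
Mar  3 10:01:11 web01 sshd[2211]: Accepted password for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:12 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Hypothetical asset inventory used to add context to each event.
ASSETS = {"web01": {"role": "web", "zone": "dmz"}}

# One regex does the parsing; the named groups become the event's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<src_port>\d+) ssh2$"
)

# Decide up front which fields the detections will actually query; pid and
# src_port are parsed for validation but dropped before storage.
KEEP_FIELDS = ("ts", "host", "outcome", "user", "src_ip")


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def enrich(event):
    """Trim the event to KEEP_FIELDS and attach asset context from the inventory."""
    event = {k: event[k] for k in KEEP_FIELDS}
    asset = ASSETS.get(event["host"], {})
    event["asset_role"] = asset.get("role", "unknown")
    event["asset_zone"] = asset.get("zone", "unknown")
    return event


def aggregate(raw_text):
    """Aggregator stage: parse, trim and enrich every line.

    Returns (events, unparsed_count). Tracking the unparsed count is how you
    notice that a source changed its format and your detections went quiet.
    """
    events, unparsed = [], 0
    for line in raw_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        events.append(enrich(fields))
    return events, unparsed


def detect_brute_force(events, threshold=5):
    """Flag each source IP with at least `threshold` failed logins.

    Events are consumed in order: a successful login from a source that has
    already crossed the threshold is recorded in success_after and raises the
    severity to high, since that is the case where the brute force worked.
    """
    failures = Counter()
    targeted = defaultdict(set)
    success_after = defaultdict(set)
    for ev in events:
        ip = ev["src_ip"]
        if ev["outcome"] == "Failed":
            failures[ip] += 1
            targeted[ip].add(ev["user"])
        elif failures[ip] >= threshold:
            success_after[ip].add(ev["user"])
    alerts = []
    for ip, count in failures.items():
        if count < threshold:
            continue
        alerts.append({
            "src_ip": ip,
            "failures": count,
            "users": sorted(targeted[ip]),
            "success_after": sorted(success_after[ip]),
            "severity": "high" if success_after[ip] else "medium",
        })
    return alerts


if __name__ == "__main__":
    evs, skipped = aggregate(SAMPLE_LOGS)
    print(f"parsed {len(evs)} events, skipped {skipped} unparsed line(s)")
    for alert in detect_brute_force(evs):
        print(alert)
```

On the sample above, 203.0.113.5 crosses the threshold and then authenticates as `deploy`, so it is the only alert and it comes out as high severity; 192.0.2.9 stays below the threshold and the CRON line is counted as unparsed rather than silently dropped. The same shape (parse, trim, enrich, then a stateful rule over the enriched fields) is what a Logstash filter plus an Elastalert frequency rule would give you in the stack the class uses.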

First SANS Mini Netwars

A week after my training, I signed up for the first ever mini Netwars by SANS. It was pretty awesome because it's completely free to the public, and is open from 11am-6pm PST to allow people with different work schedules to participate. There were 4 levels, with about 4-5 questions in each level. The Netwars was themed and was very, VERY well designed. The different levels went from basic Unix command line usage, to looking at manuals (man pages) and being able to search for specific topics, then how to use jq and tools such as ltrace/strace to interact with a program, using gdb to edit a value in memory, and utilizing LD_PRELOAD to bypass a sleep timer. I was able to finish all 4 levels, and had a ton of fun doing it! Would 100% recommend everyone participate no matter your skill level!

Resources

Some recommended articles and posts to read: