Instructor Materials

Chapter 12: Intrusion Data

Analysis

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
 Chapter 12: Intrusion Data
Analysis

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9
Chapter 12 - Sections & Objectives
 12.1 Evaluating Alerts
• Explain the process of evaluating alerts.

 12.2 Working with Network Security Data

• Interpret data to determine the source of an alert.

 12.3 Digital Forensics

• Explain how the cybersecurity analyst handles digital forensics and
evidence to ensure proper attack attribution.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10
 12.1 Evaluating Alerts

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11
Evaluating Alerts
Source of Alerts
 Security Onion is an open-source suite of Network Security
Monitoring (NSM) tools that run on an Ubuntu Linux
distribution.
 Security Onion detection tools include CapMe, Snort, Bro,
OSSEC, and Suricata.
 Security Onion analysis tools include Sguil, ELSA, and
Wireshark.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12
Evaluating Alerts
Source of Alerts (Cont.)
 Alerts are generated in Security Onion by many sources
including Snort, Bro, Suricata, and OSSEC, among others.
 Snort rules are applied to network traffic. Rules that are matched
generate alerts.
 Snort rules consist of the rule header and rule options.
 Snort rules come from a variety of sources including Emerging
Threats (ET), SourceFire, and Cisco Talos.
 PulledPork is a Security
Onion component that
can download new rules
automatically from
snort.org.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13
Evaluating Alerts
Overview of Alert Evaluation
 Exploits will inevitably evade protection measures, no matter
how sophisticated they may be.
 It is necessary to have skilled cybersecurity analysts investigate
alerts to determine if an exploit has actually occurred.
 Alerts can be classified as follows:
• True Positive: The alert has been verified to be an actual security
incident.
• False Positive: The alert does not indicate an actual security incident.
• True Negative: No security incident has occurred.
• False Negative: An undetected incident has occurred.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14
Evaluating Alerts
Overview of Alert Evaluation (Cont.)
 Statistical techniques can be used to evaluate the risk that
exploits will be successful in a given network.
• Deterministic Analysis - For an exploit to be successful, all prior steps
in the exploit must also be successful. The cybersecurity analyst
knows the steps for a successful exploit.
• Probabilistic Analysis - Statistical techniques predict the probability
that an exploit will occur based on the likelihood that each step in the
exploit will succeed.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15
 12.2 Working with Network
Security Data

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16
Working with Network Security Data
A Common Data Platform
 Enterprise Log Search and Archive (ELSA) is an enterprise-level
tool for searching and archiving NSM data that originates from
multiple sources.
 Data reduction is the identification of data that should be gathered
and stored to reduce the burden on systems.
 Data normalization is the process of combining data from a
number of sources into a common format for indexing and
searching.
 Retaining NSM data indefinitely is not
feasible due to storage and access
issues. Default retention periods vary,
however compliance frameworks
may require storage of data for a
specified period of time.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17
Working with Network Security Data
Investigating Network Data
 In Security Onion, the first place that a cybersecurity analyst will
go to verify alerts is Sguil.
 Sguil automatically correlates similar alerts into a single line and
provides a way to view correlated events represented by that line.
 Queries can be constructed in Sguil using the Query Builder,
which simplifies constructing queries to a certain degree.
 Sguil provides the ability to
“pivot” the investigation to
other tools such as ELSA,
Wireshark, or Bro.
 Security events can be retired,
classified when proved as true
positives, or escalated to a Tier
2 analyst.
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18
Working with Network Security Data
Investigating Network Data (Cont.)
 If malware can fool an OS kernel into allowing it to make system
calls, many exploits are possible.
 OSSEC rules detect changes in host-based parameters like the
execution of software processes, changes in user privileges, and
registry modifications, among others.
 File details, such as the file size, sending and receiving hosts,
and protocol used to download the file can be displayed in ELSA.
 MD5 and SHA-1 hashes for
downloaded files are available in
ELSA.
 File hash values can be
submitted to online sites to
determine if the file is known
malware.
 Wireshark allows extraction of
binaries from pcaps.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19
Working with Network Security Data
Enhancing the Work of the Cybersecurity
Analyst
 Dashboards provide an interactive combination of data and
visualizations designed to improve the value of large amounts of
information.
 Runbook automation, or a workflow management system,
streamlines and controls processes of cybersecurity operations.

 Automated queries, known

as plays or playbooks,
automatically search for
complex security incidents
that may evade other tools.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20
 12.3 Digital Forensics

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 21
Digital Forensics
Evidence Handling and Attack Attribution
 The cybersecurity analyst will inevitably uncover evidence of criminal
activity.
 It is necessary to identify threat actors, report them to the appropriate
authorities, and provide evidence to support prosecution.
 Digital forensics is the recovery and investigation of information found on
digital devices as it relates to criminal activity.
 NIST describes the digital forensics process as involving four steps:
1. Collection
2. Examination
3. Analysis
4. Reporting

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22
Digital Forensics
Evidence Handling and Attack Attribution (Cont.)
 In legal proceedings, evidence is broadly classified:
• Direct evidence was indisputably in the possession of the accused, or is
eyewitness evidence from someone who observed criminal behavior.
• Best evidence is evidence that is in its original state.
• Corroborating evidence supports an assertion that is developed from
best evidence.
• Indirect evidence, in combination with other facts, establishes a
hypothesis.

 Collection of digital evidence should begin

in order from the most volatile evidence
and proceed to the least volatile.
 Chain of custody involves keeping
detailed records regarding the collection,
handling, and storage of evidence.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 23
Digital Forensics
Evidence Handling and Attack Attribution (Cont.)
 Digital evidence should be preserved in its original condition.
Original evidence should be copied, and analysis should
only be conducted on copies.
 Threat attribution is the act of determining the individual,
organization, or nation responsible for a successful intrusion
or attack incident.
 Identification of threat actors should occur through principled
and systematic investigation of evidence.
 In an evidence-based investigation, the incident response
team correlates the tactics, techniques, and procedures
(TPP) that were used in the incident with other known
exploits to identify threat actors.

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 24
12.4 Chapter Summary

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 25
Chapter Summary
Summary
 Security Onion provides an integrated NSM environment for
investigating security events that are created by diverse systems.
 A Tier 1 cybersecurity analyst evaluates security alerts to verify
whether actual security incidents have occurred.
 ELSA provides a common data platform for the aggregation of log
files from many sources.
 Sguil provides an analyst’s console that enables the investigation
of alerts through pivots to other tools.
 Tier 1 analysts may discover illegal activity on the network and be
required to handle, preserve, and analyze digital forensic
evidence.
 Digital forensic evidence can lead to the attribution of
cybersecurity events to threat actors.
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 26
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 27
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 28