Been playing around with SmartView to generate a customized view for a report to bring value to the business.
Right now just working with containers and infographics.
This is my result so far, and I am still working on it, changing the filters and what to look for.
I have been asking the questions of how many of our public hosts have been scanned by attackers, either prevented or detected, and against how many of these hosts attackers have used advanced exploits, again prevented or detected.
I am not sure if the advanced attacks view is configured the right way.
Not sure if I should exclude the SSL, Scanner and Web Server Enforcement Violation attempts, but to my knowledge these are only scanners like Shodan, Nessus, etc.
My query is:
Field name is Source (attacker's IP)
Blade = IPS
Action = Prevent
Severity = Medium OR High OR Critical
Confidence Level = Medium OR High OR Critical
Protection type NOT Engine Settings
Type NOT Control
Attack name NOT "SSL Enforcement Violation" NOT "Scanner Enforcement Violation" NOT "Web Server Enforcement Violation"
Destination: "ip address a.b.d.*"
What are your thoughts about this view? Would it provide any value for you, or what kind of questions do you ask to get intelligence from your logs?
Which answers are you asking for while trying to extract threat intelligence?
Any suggestions or ideas?
Note! I can recommend this webinar: Security Visibility Best Practices with SmartEvent
Let's start from the protections themselves (in your query):
NOT on SSL Enforcement Violation:
Look at CVE-2014-3566; I believe you would like to see this kind of attack. Maybe you want "NOT scanner" instead? (In most of the scanner signatures you will have it written in the name, so it will exclude most of them.)
NOT "Web Server Enforcement Violation":
Look at "GNU Bash Remote Code Execution" (a part of this violation); I believe you want to see this kind of information. And it is the same as for the first 'Violation': a general 'NOT scanner' will serve your need (in most cases).
So, change the query to "NOT scanner".
Now, the intelligence part is very interesting, and let's take 'CVE-2014-6271' (a part of 'Web Server Enforcement Violation') for example:
When we Prevent/Detect this kind of attack, we write interesting things for you inside the log: in the 'User Agent' and 'Resource' fields you will see relevant data that shows what the attacker was trying to do (depends on the attack type, of course).
I would advise you to collect this intelligence data for:
Now, what should you do from here?
The green one is: Web Servers PHPMyAdmin Misconfiguration Code Injection
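To make the difference between the two filters concrete, here is an added example (not code from the thread or from Check Point) that applies the poster's query and the "NOT scanner" variant suggested above to a few constructed IPS log records; the field names follow the query in the thread, while the addresses, the 'Nessus Scanner Activity' and 'Engine control message' names, and the public range 203.0.113.* are constructed.

```python
"""Added example (not from the thread): compare the poster's SmartView filter
with the 'NOT scanner' variant on constructed IPS log records."""
FIELDS = ("src", "dst", "blade", "action", "severity", "confidence",
          "protection_type", "type", "attack_name")
ROWS = [  # constructed sample logs; the 'Nessus ...' name is invented
    ("198.51.100.7", "203.0.113.10", "IPS", "Prevent", "High", "High",
     "Signature", "Log", "SSL Enforcement Violation"),        # e.g. CVE-2014-3566
    ("198.51.100.8", "203.0.113.10", "IPS", "Prevent", "Critical", "High",
     "Signature", "Log", "Web Server Enforcement Violation"), # e.g. GNU Bash RCE
    ("198.51.100.9", "203.0.113.11", "IPS", "Prevent", "Medium", "Medium",
     "Signature", "Log", "Scanner Enforcement Violation"),
    ("198.51.100.9", "203.0.113.11", "IPS", "Prevent", "High", "High",
     "Signature", "Log", "Nessus Scanner Activity"),
    ("198.51.100.3", "203.0.113.12", "IPS", "Detect", "High", "High",
     "Signature", "Log", "Apache Struts Remote Code Execution"),
    ("198.51.100.4", "203.0.113.12", "IPS", "Prevent", "Low", "Low",
     "Engine Settings", "Control", "Engine control message"),
]
LOGS = [dict(zip(FIELDS, r)) for r in ROWS]
LEVELS = {"Medium", "High", "Critical"}          # severity / confidence values
EXCLUDED_NAMES = {"SSL Enforcement Violation", "Scanner Enforcement Violation",
                  "Web Server Enforcement Violation"}

def common(log, public_prefix="203.0.113."):
    """The part of the query both variants share: IPS blade, Prevent action,
    severity/confidence at least Medium, no engine settings or control logs,
    destination inside the public range (the 'a.b.d.*' of the thread)."""
    return (log["blade"] == "IPS" and log["action"] == "Prevent"
            and log["severity"] in LEVELS and log["confidence"] in LEVELS
            and log["protection_type"] != "Engine Settings"
            and log["type"] != "Control"
            and log["dst"].startswith(public_prefix))

def original_filter(log):
    """Poster's version: drops the three 'Enforcement Violation' names outright."""
    return common(log) and log["attack_name"] not in EXCLUDED_NAMES

def scanner_filter(log):
    """Reply's version: drops only protections whose name mentions a scanner."""
    return common(log) and "scanner" not in log["attack_name"].lower()

def run(flt):
    """Attack names that survive a filter, in log order."""
    return [log["attack_name"] for log in LOGS if flt(log)]

if __name__ == "__main__":
    print("original:", run(original_filter))   # keeps the scanner, drops the exploits
    print("NOT scanner:", run(scanner_filter))  # keeps SSL and Web Server violations
```

Note that the Detect row is hidden by both variants because the query pins Action to Prevent, so detected exploits never reach the view either way.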
Thank you for explaining why I would be missing out on some very important incidents if I filter out "SSL Enforcement Violations" and "Web Server Enforcement Violations". I get the point, and I will adjust my view to get a better understanding.
I am also afraid of filtering out too much that could be important.
I will try out your suggestions.
I really liked your presentation on getting the numbers right. And I see that first of all it is the IPS logs, Anti-Bot and Anti-Virus logs that one needs to look into to get a better understanding.
For the 107.881 Threat Prevention logs, I would like to narrow them down to the real advanced attacks that have been going on during the week.
You have said in other settings that one needs to focus on the important logs. With the SmartEvent report below, with 30 advanced attacks, I would like to focus on advanced exploits used in attacks but prevented by the IPS blade, and I guess the 4 logs that need action would be those that have been detected and possibly provided access to the attacker, like the attempt to use the Apache Struts vulnerability that has been used against many public Apache installations. That one is a nasty one that gains remote access to execute commands on the Apache servers.
Have I misunderstood anything here?
Those advanced attacks, while looking into the following fields in SmartEvent logs:
Severity level: Medium OR High OR Critical
Confidence Level = Medium OR High OR Critical
Suppressed logs = more than 1 incident
I have tried to filter out attacks that are not generated internally to externally.
Here you see the last 7 days with different kinds of attacks from the outside in.
For example, I do not have any IoT presented publicly, but still an advanced exploit other than a normal scanner like Shodan etc.
These I want to present in my SmartEvent Report: 42 advanced attacks in the last 7 days, but prevented, and none detected by IPS. But after a drill-down on the report, I could see how advanced the attacks have been. But will it then be the real view of reality?
I would like to generate a company threat report without too much explanation, but still being able to see the real picture of reality.
I want to start from the following flow:
Now let's ask ourselves what the important flows are (order based):
*I can think of lots of other relevant and important flows, but we need to start from something not so overwhelming.
By looking at those events and aggregating them, you will have a VERY SMALL number of incidents to look at.
(In your case, and based on what you wrote, 0 incidents to look at.)
I had a workshop with a customer a few days ago (~2000 hosts in the network) and we saw the same thing.
0 security events that needed action because of them.
If you are interested in seeing ALL of the attacks (Detected + Prevented) in your network (and you have the time for it), you can look at the other flows and query based on business questions.
Intelligence part: you should take time once a month to look at the intelligence you have in your logs. We prevented/detected according to policy, but seeing the real 'attack line' and deep-diving into the actual attack line that the attacker was trying to run will make us all better security experts.
Reporting: you can create a report like you create a View (same thing for you). The best thing is to create the view and play with it, then create the report and generate it automatically.
One last thing: there are lots of techniques to find cyber security incidents in a network based on Check Point logs (high-port connections, timing of connections, amount of data sent/received, applications, logins, etc.). You should start from the Threat Prevention blade logs and understand them, then create the relevant views for your questions.
After that (and if you have the time for it), dive into 'behavioral analysis'.
I hope my answer will help you.
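As an added example (not code from the thread or from Check Point), this aggregates already-filtered Threat Prevention events into per-host incidents, the "aggregate them and you get a very small number of incidents" step above, and answers the two business questions from the first post: which public hosts were scanned, which were hit with advanced exploits, and which had an attack only detected rather than prevented. The event records, addresses and the 'suppressed' count field are constructed.

```python
"""Added example (not from the thread): aggregate filtered Threat Prevention
events into per-host incidents so the report shows a handful of incidents
rather than thousands of logs, and flags detected (not prevented) ones."""
from collections import defaultdict

EVENTS = [  # constructed events, already narrowed to IPS, severity >= Medium
    {"src": "198.51.100.9", "dst": "203.0.113.11", "action": "Prevent",
     "attack_name": "Scanner Enforcement Violation", "suppressed": 40},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "action": "Prevent",
     "attack_name": "Scanner Enforcement Violation", "suppressed": 12},
    {"src": "198.51.100.8", "dst": "203.0.113.10", "action": "Prevent",
     "attack_name": "GNU Bash Remote Code Execution", "suppressed": 3},
    {"src": "198.51.100.3", "dst": "203.0.113.12", "action": "Detect",
     "attack_name": "Apache Struts Remote Code Execution", "suppressed": 1},
    {"src": "198.51.100.5", "dst": "203.0.113.12", "action": "Prevent",
     "attack_name": "Apache Struts Remote Code Execution", "suppressed": 2},
]

def kind(event):
    """Scanner noise vs. exploit attempt, keyed on the protection name."""
    return "scan" if "scanner" in event["attack_name"].lower() else "exploit"

def per_host(events):
    """One record per destination host: which scans and exploits hit it, which
    of those were only detected, distinct sources, and suppressed log volume."""
    hosts = defaultdict(lambda: {"scan": set(), "exploit": set(),
                                 "detected": set(), "sources": set(), "logs": 0})
    for e in events:
        h = hosts[e["dst"]]
        h[kind(e)].add(e["attack_name"])
        h["sources"].add(e["src"])
        h["logs"] += e["suppressed"]            # count the suppressed repeats too
        if e["action"] == "Detect":
            h["detected"].add(e["attack_name"])
    return hosts

def report(events):
    """The business questions from the thread, answered at host granularity."""
    hosts = per_host(events)
    return {
        "hosts_scanned": sorted(h for h, v in hosts.items() if v["scan"]),
        "hosts_exploited": sorted(h for h, v in hosts.items() if v["exploit"]),
        "needs_action": sorted(h for h, v in hosts.items() if v["detected"]),
        "incidents": sum(len(v["scan"]) + len(v["exploit"]) for v in hosts.values()),
        "logs": sum(v["logs"] for v in hosts.values()),
    }

if __name__ == "__main__":
    for key, value in report(EVENTS).items():
        print(f"{key}: {value}")
```

With these five events the 58 raw logs collapse to four incidents on three hosts, and only the host with the detected Struts attempt lands in the needs-action list.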