Threat, Malware and Vulnerability detection

Advanced cyber threats are highly sophisticated and often targeted attacks that focus on a certain industry, sector or geographical area, and sometimes on individual organizations. Standard anti-malware controls and endpoint solutions often fail to block or prevent these attacks, because detecting them requires a powerful tool such as a SIEM combined with Threat Intelligence and behavioral analytics. Keep in mind that cybercriminals only need to find a single vulnerability to carry out an attack; therefore, being proactive is the key to successfully preventing data leakage.

Identifying threat indicators while working with large volumes of logs

Analysts can use queries with generic threat-intelligence commands to filter out only the critical threat indicators. In LogPoint, filtering can be generic, giving you all matches against the threat intelligence database, or based on a certain threat category or threat score. With this approach, we enable your analysts to simplify the investigation process and focus on the actual threat.

Example

Threat indicators by categories

LogPoint SIEM use cases: Threats in higher privilege systems

Log sources: Firewall, Proxy, Threat Intelligence

Query

| process ti(source_address) | search et_ip_address=* | rename et_category as category | chart count() by ip_address, category order by count() desc

Defining correct cybersecurity risk posture

Based on LogPoint’s unique taxonomy for threat indicator scores, analysts can benefit from fully automated incident response mechanisms using queries with numerical comparisons. Furthermore, they can understand the geographical distribution of the attack sources. Alert queries can be defined based on the scores of threat indicators, on risk values/functions, and also on the country of origin for each of these alerts. By this, we empower your security team to make better-informed strategic choices, leading to more effective incident response and remediation than ever.

Log sources: Firewall, Proxy, Threat Intelligence, Dynamic List

Historical analysis

In LogPoint Threat Intelligence, the risk is always explained by a number of enriched key-value pairs such as category and risk score. These key-value pairs are then indexed and stored on disk until cleared by the retention policy. Threat sources cannot always be detected in near real time, which can lead to serious attacks going undetected. To avoid such scenarios, dynamic enrichment in LogPoint enables analysts to retrospectively investigate attacks and uncover hard-to-spot indicators.

The same approach can be followed with a dynamic list: analysts can create a dynamic list for extremely risky IOCs and update the list on every new match against a threat indicator from the threat intel database. This way, the dynamic list can be used as a blacklist of IOCs and checked against historical logs to identify whether anything was missed by the threat intelligence in the past.

Examples

Critical threat entities appended to dynamic list

LogPoint SIEM use cases: Critical threat entities appended to dynamic list

Log sources: Firewall, Proxy, Dynamic List

Query

ip_address=* score>90 | process toList(IOCS,ip_address)

Entities observed in list of threat indicators

LogPoint SIEM use cases: Entities observed in list of threat indicators

Log sources: Firewall, Proxy, Dynamic List

Query

source_address IN IOCS | chart count() by source_address order by count() desc
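The three queries above (threat-indicator chart by category, appending high-score entities to a dynamic list, and matching stored events against that list) share one pipeline: enrich, filter on score, collect, re-check. The following Python script, added here as an illustration and not LogPoint code, models that pipeline over constructed events. The threat-intelligence table, the RFC 5737 documentation-range addresses and the field names `et_ip_address`, `et_category` and `score` are assumptions standing in for the fields the `ti()` enrichment produces; the dynamic list `IOCS` becomes a Python set.

```python
from collections import Counter

# Constructed threat-intelligence table (hypothetical indicators in RFC 5737
# documentation ranges, not a real feed): indicator -> (category, score).
THREAT_INTEL = {
    "198.51.100.7": ("c2", 95),
    "203.0.113.40": ("scanner", 60),
    "192.0.2.99": ("malware", 92),
}

# Constructed firewall/proxy events as parsed key=value records.
EVENTS = [
    {"source_address": "198.51.100.7", "destination_address": "10.0.0.5"},
    {"source_address": "203.0.113.40", "destination_address": "10.0.0.5"},
    {"source_address": "10.0.0.12", "destination_address": "10.0.0.5"},
    {"source_address": "198.51.100.7", "destination_address": "10.0.0.9"},
    {"source_address": "192.0.2.99", "destination_address": "10.0.0.9"},
]

# Constructed older events, ingested before the feed listed 192.0.2.99.
HISTORICAL_EVENTS = [
    {"source_address": "192.0.2.99", "destination_address": "10.0.0.3"},
    {"source_address": "10.0.0.8", "destination_address": "10.0.0.3"},
]


def ti_enrich(event, field="source_address"):
    """Stand-in for `process ti(source_address)`: when the field's value is a
    known indicator, add et_ip_address, et_category and score; otherwise leave
    the event untouched so that `search et_ip_address=*` drops it."""
    hit = THREAT_INTEL.get(event.get(field))
    if hit is None:
        return event
    category, score = hit
    return {**event, "et_ip_address": event[field], "et_category": category, "score": score}


def chart_by_category(events):
    """`search et_ip_address=* | chart count() by ip_address, category order by count() desc`."""
    counts = Counter()
    for ev in map(ti_enrich, events):
        if "et_ip_address" in ev:
            counts[(ev["et_ip_address"], ev["et_category"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def build_ioc_list(events, min_score=90):
    """`ip_address=* score>90 | process toList(IOCS, ip_address)`: collect the
    high-score indicators into a dynamic list (a set here)."""
    iocs = set()
    for ev in map(ti_enrich, events):
        if "et_ip_address" in ev and ev["score"] > min_score:
            iocs.add(ev["et_ip_address"])
    return iocs


def match_against_list(events, ioc_list):
    """`source_address IN IOCS | chart count() by source_address order by count() desc`,
    run over any stored events, including ones older than the feed entry."""
    counts = Counter(ev["source_address"] for ev in events if ev["source_address"] in ioc_list)
    return counts.most_common()


if __name__ == "__main__":
    print(chart_by_category(EVENTS))
    iocs = build_ioc_list(EVENTS)
    print(sorted(iocs))
    print(match_against_list(HISTORICAL_EVENTS, iocs))
```

The historical check is the part worth noticing: `192.0.2.99` only enters the list once the feed scores it above 90, yet `match_against_list` still finds the earlier connection in `HISTORICAL_EVENTS`, which is exactly the retrospective investigation the dynamic-list approach is meant to enable.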

Advanced analytics correlation and pattern recognition

By default, LogPoint can perform advanced correlation of any number of data sources – internal, external, or structured. Whether it is something as simple as aggregation between two or more groups of entities, such as user and source address for failed logins, or combining records from multiple log messages across multiple data sources using join and followed-by queries, we will provide you with real-time alerts on risky behavior and anomalous activities.

In LogPoint, dynamic lists can also be used to perform advanced correlations in a number of ways, such as creating a dynamic list of IP addresses or hostnames of vulnerable workstations to identify any potential exploitation of a vulnerability by a threat source. Effective log analysis requires the extraction of hidden information using a powerful combination of multiple data analysis capabilities. We employ agents on ERP, database and HR systems to gather data from all around your network and from security devices, servers and applications. Analytics is then supported by our powerful built-in query language, threat intelligence, enrichment, and other advanced mathematical functions and process commands.

Example

Unexpired session durations

LogPoint SIEM use cases: Unexpired session durations

Log sources: Windows Server, any other source

Query

[label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | process current_time(a) as time | process diff(time,log_ts) as duration | chart sum(duration) as duration by log_ts, user order by duration desc
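The left join above keeps every successful logon and drops the ones that found a matching logoff on `logon_id`; what remains are sessions still open at query time. The following Python script, added as an example and not part of the LogPoint product or this page, reproduces that logic over constructed Windows logon/logoff records. The record layout (a `labels` tuple per event, `logon_id`, ISO-8601 `log_ts`) and the fixed "current time" are assumptions made so the output is reproducible.

```python
from datetime import datetime, timezone

# Constructed logon/logoff records (hypothetical, not real event logs).
# logon_id is the join key, like s1.logon_id = s2.logon_id in the query.
EVENTS = [
    {"labels": ("Login", "Successful"), "user": "alice", "logon_id": "0x1a2b", "log_ts": "2024-03-01T08:00:00Z"},
    {"labels": ("Login", "Successful"), "user": "bob", "logon_id": "0x3c4d", "log_ts": "2024-03-01T07:00:00Z"},
    {"labels": ("Logoff",), "user": "alice", "logon_id": "0x1a2b", "log_ts": "2024-03-01T09:00:00Z"},
    {"labels": ("Login", "Successful"), "user": "alice", "logon_id": "0x5e6f", "log_ts": "2024-03-01T10:00:00Z"},
    {"labels": ("Login", "Fail"), "user": "carol", "logon_id": "0x0", "log_ts": "2024-03-01T10:30:00Z"},
]


def parse_ts(value):
    """ISO-8601 UTC timestamp -> Unix seconds."""
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def has_labels(event, *wanted):
    return all(label in event["labels"] for label in wanted)


def unexpired_sessions(events, now_ts):
    """Left join successful logins (s1) to logoffs (s2) on logon_id, keep the
    rows with no logoff side (`search -s2.logon_id=*`), and compute
    duration = current_time - log_ts for each. Because every logon_id is
    unique, `chart sum(duration) by log_ts, user` yields one row per session."""
    logged_off = {ev["logon_id"] for ev in events if has_labels(ev, "Logoff")}
    rows = []
    for ev in events:
        if not has_labels(ev, "Login", "Successful") or ev["logon_id"] in logged_off:
            continue
        rows.append({
            "user": ev["user"],
            "log_ts": ev["log_ts"],
            "duration": now_ts - parse_ts(ev["log_ts"]),  # seconds the session has been open
        })
    return sorted(rows, key=lambda r: r["duration"], reverse=True)


if __name__ == "__main__":
    now = parse_ts("2024-03-01T12:00:00Z")  # fixed instead of the wall clock
    for row in unexpired_sessions(EVENTS, now):
        print(f'{row["user"]:<8} {row["log_ts"]}  open for {row["duration"] // 3600} h')
```

With the constructed data, alice's 08:00 session is excluded because its logoff is present, while bob's 07:00 session and alice's 10:00 session are reported, longest first. Failed logons never enter the join because they lack the `Successful` label.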

Monitoring of password aging

It is important to monitor whether there are any aging passwords in an organization. To achieve this, LogPoint consumes LDAP entries from your directory servers or Domain Controllers. LogPoint queries, with powerful mathematical functions, can be used to analyze the password's last-set attribute (pwdLastSet) to identify the number of days since the password was last reset. As an example, the following query uses an LDAP table to check for passwords that are older than 365 days.

Example

Password ageing users

LogPoint SIEM use cases: Password ageing users

Log sources: LDAP

Query

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>365
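The arithmetic in the query converts `pwdLastSet`, a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), to Unix seconds by dividing by 10,000,000 and subtracting the 11,644,473,600 seconds between the two epochs. The following Python script, added as an example and not part of the page or the LogPoint product, performs the same conversion and filter over a constructed `AD_Users` table. The account names, the fixed "current time" and the sample `pwdLastSet` values are constructed; the `-pwdLastSet=0` exclusion mirrors the query, since a value of 0 in Active Directory means the user must change the password at next logon rather than that the password is old.

```python
FILETIME_TICKS_PER_SECOND = 10_000_000
EPOCH_DIFFERENCE_SECONDS = 11644473600  # 1601-01-01 to 1970-01-01, as in the query
SECONDS_PER_DAY = 60 * 60 * 24


def filetime_to_unix(filetime):
    """pwdLastSet/10000000 - 11644473600, as in the query (integer seconds)."""
    return filetime // FILETIME_TICKS_PER_SECOND - EPOCH_DIFFERENCE_SECONDS


def unix_to_filetime(unix_ts):
    """Inverse conversion, used here only to construct sample rows."""
    return (unix_ts + EPOCH_DIFFERENCE_SECONDS) * FILETIME_TICKS_PER_SECOND


NOW = 1_700_000_000  # fixed stand-in for current_time(a) so results are reproducible

# Constructed AD_Users rows (hypothetical accounts, not a real directory export).
AD_USERS = [
    {"sAMAccountName": "svc_backup", "pwdLastSet": unix_to_filetime(NOW - 400 * SECONDS_PER_DAY)},
    {"sAMAccountName": "alice", "pwdLastSet": unix_to_filetime(NOW - 30 * SECONDS_PER_DAY)},
    {"sAMAccountName": "bob", "pwdLastSet": 0},  # must change password at next logon
    {"sAMAccountName": "carol"},                  # attribute absent: fails pwdLastSet=*
]


def password_age_days(filetime, now=NOW):
    """(time - pwdLastSet_ts)/60/60/24 from the query."""
    return (now - filetime_to_unix(filetime)) / SECONDS_PER_DAY


def aging_passwords(rows, max_age_days=365, now=NOW):
    """Table AD_Users pwdLastSet=* -pwdLastSet=0 | ... | search number_of_days>365.
    Returns (sAMAccountName, number_of_days, pwdLastSet_ts) tuples, oldest first."""
    result = []
    for row in rows:
        filetime = row.get("pwdLastSet")
        if not filetime:  # drops both the missing attribute and the 0 sentinel
            continue
        days = password_age_days(filetime, now)
        if days > max_age_days:
            result.append((row["sAMAccountName"], days, filetime_to_unix(filetime)))
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, days, last_set in aging_passwords(AD_USERS):
        print(f"{name}: password {days:.0f} days old (set at Unix time {last_set})")
```

The `max()` aggregations in the original query matter only when several LDAP rows share a `sAMAccountName`; with one row per account, as here, they simply pass the value through.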

Detect brute-force attack attempts

Because a number of failed attempts before a successful login on any system hints at a possible brute-force attempt, checking for failed logins is of paramount importance. In LogPoint, you can use the following query as an easy means to check for 100 failed attempts before a successful login.

Example

Potential brute-force attack attempts

LogPoint SIEM use cases: Potential brute-force attack attempts

Log sources: Windows Server, Authentication sources

Query

[20 label=Login label=Fail having same user] as s1 followed by [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user order by count() desc
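The followed-by query above fires when a run of failed logins for one user is followed by a successful login for the same user. The following Python script, added as an example and not part of the page or the LogPoint product, implements that rule over constructed authentication log lines, with the failure count as a parameter so the same function serves the 100-attempt threshold named in the text and the 20 used in the query's count bracket. The log line format, hostnames, usernames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed authentication log lines (hypothetical, not real logs), in time order:
# 25 failures then a success for alice, 3 failures then a success for bob,
# and 30 failures with no success for carol.
SAMPLE_LOG = (
    [f"2024-03-01T08:00:{i:02d}Z host=dc01 user=alice result=Fail src=203.0.113.5" for i in range(25)]
    + ["2024-03-01T08:00:30Z host=dc01 user=alice result=Successful src=203.0.113.5"]
    + [f"2024-03-01T08:05:{i:02d}Z host=dc01 user=bob result=Fail src=10.0.0.4" for i in range(3)]
    + ["2024-03-01T08:05:10Z host=dc01 user=bob result=Successful src=10.0.0.4"]
    + [f"2024-03-01T08:10:{i:02d}Z host=dc01 user=carol result=Fail src=198.51.100.9" for i in range(30)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Extract the fields the rule needs; return None for lines that do not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def failures_followed_by_success(lines, threshold):
    """[threshold label=Login label=Fail having same user] as s1 followed by
    [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user.
    For each user, count the successful logins that were preceded by at least
    `threshold` failures since that user's previous success."""
    fails_since_success = Counter()
    alerts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        user = rec["user"]
        if rec["result"] == "Fail":
            fails_since_success[user] += 1
        elif rec["result"] == "Successful":
            if fails_since_success[user] >= threshold:
                alerts[user] += 1
            fails_since_success[user] = 0  # a success closes the run of failures
    return alerts.most_common()


if __name__ == "__main__":
    print(failures_followed_by_success(SAMPLE_LOG, threshold=20))
```

With a threshold of 20, only alice is reported; bob's three failures are below the threshold, and carol's 30 failures produce nothing because the rule requires a subsequent success. That last case is the caveat a detection engineer should keep in mind: a followed-by rule catches a brute-force attempt that succeeded, so a separate alert on failure volume alone is needed to see the attempts that did not.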