Threat, Malware and Vulnerability detectionMorten Dalgaard2020-10-29T10:28:45+01:00
Threat, Malware and Vulnerability detection
Advanced cyber threats are highly sophisticated and often targeted cybersecurity threats focusing on a certain industry, sector or geographical area and sometimes even individual organizations. Standard anti-malware controls and endpoint solutions often fail to block or prevent these attacks as detecting them requires a powerful tool such as a SIEM combined with Threat Intelligence and behavioral analytics. Keep in mind that cybercriminals only need to find a single vulnerability to carry out an attack; therefore, being proactive is the key to successfully prevent data leakages.
Identifying threat indicators while working with large volumes of logs
Analysts can use queries with generic commands for threat intelligence to filter out only critical threat indicators. In LogPoint, filtering can be generic, giving you all matches to the threat intelligence database or based on a certain threat category or threat score. With this approach, we enable your analysts to simplify the investigation process and focus on the actual threat.
Threat indicators by categories
Log sources: Firewall, Proxy, Threat Intelligence
| process ti(source_address)|search et_ip_address=* | rename et_category as category | chart count() by ip_address, category order by count() desc
Defining correct cybersecurity risk posture
Based on LogPoint’s unique taxonomy for threat indicator scores, analysts can benefit from fully automated incident response mechanisms using queries for numerical comparison. Furthermore, they can understand the geographical distribution of the attack sources. Alert queries can be defined based on the scores for threat indicators, risk values/functions, and also based on the country of origination for each of these alerts. By this, we empower your security team to make better-informed strategic choices leading to more effective than ever incident response and remediation.
Log sources: Firewall, Proxy, Threat Intelligence, Dynamic List
In LogPoint Threat Intelligence, the risk is always explained by a number of enriched key-value pairs such as category and risk score. These key-value pairs will be then indexed and stored on the disks until cleared by the retention policy. Threat sources cannot always be detected near real-time, leading to serious attacks going undetected. To avoid similar scenarios, dynamic enrichment in LogPoint enables analysts to retrospectively investigate attacks and uncover hard-to-spot indicators.
The same approach can be followed by a dynamic list, where analysts can create a dynamic list for extremely risky IOCs and update the list for every new match to a threat indicator from the threat intel database. This way, the dynamic list can be used as a blacklist of IOCs and checked against historical logs, to identify if something was missed out by the threat intelligence in the past.
Critical threat entities appended to dynamic list
Log sources: Firewall, Proxy, Dynamic List
ip_address=* score>90 | process toList(IOCS,ip_address)
Entities observed in list of threat indicators
Log sources: Firewall, Proxy, Dynamic List
source_address IN IOCS | chart count() by source_address order by count() desc
Advanced analytics correlation and pattern recognition
By default, LogPoint can perform advanced correlation of any number of data sources – internal, external, or structured. Whether it is something as simple as aggregation between two or more groups of entities such as user and source address for failed logins or combining records in multiple log messages across multiple data sources using join and followed by queries, we will provide you with real-time alerts on risky behavior, and anomalous activities.
In LogPoint, Dynamic lists can also be used to perform advanced correlations in a number of ways such as creating a dynamic list with IP addresses or hostnames for vulnerable workstations to identify any potential exploitation of a vulnerability by a threat source. Effective log analysis requires the extraction of hidden information using a powerful combination of multiple data analysis capabilities. We employ agents on ERP, databases, and HR systems to gather data from all around your network and security devices, servers, and applications. Analytics is then supported by our powerful built-in query language, threat intelligence, enrichment, and other advanced mathematical functions and process commands.
Unexpired session durations
Log sources: Windows Server, any other source
[label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | process current_time(a) as time | process diff(time,log_ts) as duration | chart sum(duration)as duration by log_ts, user order by duration desc
Monitoring of password aging
It is important to monitor if there are any aging passwords in an organization. To achieve this, LogPoint consumes LDAP entries from your directory servers or Domain Controllers. LogPoint queries, with powerful mathematical functions, can be used to analyze the password’s last set attribute to identify the exact number of days when the password was last reset. To give an example, the following query uses an LDAP table to check for passwords which are older than 365 days.
Password ageing users
Log sources: LDAP
Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>365
Detect brute-force attack attempts
As any system with an X amount of failed attempts before a successful login hints a possible brute-force attempt, checking for failed logins is of paramount importance. In LogPoint, you can use the following query as an easy mean to check for 100 failed attempts before a successful login.
Potential brute-force attack attempts
Log sources: Windows Server, Authentication sources
[20 label=Login label=Fail having same user] as s1 followed by [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user order by count() desc