siem

All posts tagged siem

This is another short piece of the “Strictly Theoretical” mini series, in which I put insensible historical incident management and suspicious behaviour patterns under the microscope, reflecting on how the “inner” and “outer” worlds continuously interact with each other, forming the everyday life of the production environment.

Malicious Excel Document

Quite often, users in different departments receive external emails with attachments containing client data or other information. By the time the email lands in the recipient’s mailbox it has passed through various gateways, filters and virus checks, but it can still carry ambiguous data. Adversaries can attempt to obscure malicious code by abusing how rundll32.exe loads DLL function names. This is what can happen when, from an Excel or Word document, a supposedly harmless button or macro invokes a function that could start a connection back to the attacking machine.

What needs to be done

In a situation like this, immediate action must be taken. First, the user must confirm through a separate channel whether they have interacted with that specific document. Second, depending on the response, the machine needs to be quarantined and re-imaged, and the user’s sessions need to be forced offline with a password reset.

Thanks for reading and as always, any feedback is most welcome.


Third Party Alerts

SIEM tools can often integrate with third-party vendors in order to generate alerts. This can be important if the organization is on a tighter budget: with a robust library of third-party integrations, all the alerts from endpoints, networks and users can be channelled into a single platform, facilitating easier surveillance and analysis. The obvious drawback is having even more unprioritized alerts.

We can see that there was a moderately high number of login attempts.

This is why it’s important to keep fine-tuning new and existing rules to effectively draw attention to only the more relevant threat vectors.

What next

Well, there are usually two main groups of tasks after attacks like this. First, it is clear that immediate remediation by the third party is critical. It could mean blocking the source IP address for at least 24 hours, password changes, whitelist adjustments etc. However, from the point of view of our SIEM, the alert should also be treated as per our needs, prioritized, suppressed etc. to reduce the number of alerts or to make the rule more resilient in the future.

Thanks for reading and as always, any feedback is most welcome.


Some pros and cons of cloud security

Cloud security companies offer a great range of cyber security solutions. One of the core products of these enterprises is access control through their numerous web gateways. This is great in general, as loads of potential attack vectors can be blocked this way, but what if other security-related systems are in place as well? If these screening tools are not fully aligned, or are still in the baselining phase, they may work against each other and increase the level of noise.

User authenticates from different geolocations

If a user’s location is close to a number of gateways of the applied cloud security tool, a case might occur where the tool tries to authenticate the user via different gateways within a short period of time. There might be several reasons for this, such as load balancing, the user’s personal VPN or other routing issues. In a situation like this, screening tools would start clamouring, as the timeframe is just too narrow for a real-life journey between these geographical locations; hence, this looks suspicious.

After confirming the circumstances, potentially with the user as well, there is nothing else to do but note the alert and possibly fine-tune the workflow automation for such alerts. The most important data point to identify in these alerts is the “organization”. If it matches the name of the cloud security tool, hopefully there is not much to worry about.
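As an added illustration (not code from the original post), the following Python sketch applies the check described above to constructed login events: it flags impossible travel between a user’s consecutive logins and suppresses the alert when both hops carry the cloud security tool’s organization name. The vendor name, coordinates, timestamps and speed threshold are assumed values.

```python
import math
from datetime import datetime

# Constructed sample authentication events (not real data). "org" is the
# organization/ASN name attached to the source IP by the geo-IP lookup.
EVENTS = [
    {"user": "alice", "ts": "2024-03-01T09:00:00", "lat": 51.5074, "lon": -0.1278, "org": "ExampleCloudSec Inc"},
    {"user": "alice", "ts": "2024-03-01T09:03:00", "lat": 50.1109, "lon": 8.6821, "org": "ExampleCloudSec Inc"},
    {"user": "bob", "ts": "2024-03-01T10:00:00", "lat": 51.5074, "lon": -0.1278, "org": "Residential ISP Ltd"},
    {"user": "bob", "ts": "2024-03-01T10:20:00", "lat": 40.7128, "lon": -74.0060, "org": "Some Other Network"},
]

# Assumed: the organization name the cloud security tool's gateways appear under.
TRUSTED_GATEWAY_ORGS = {"examplecloudsec inc"}
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def classify(prev, cur):
    """Return 'ok', 'suppressed' or 'alert' for two consecutive logins by one user."""
    hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if dist < 1.0:  # same place, nothing to evaluate
        return "ok"
    if hours > 0 and dist / hours <= MAX_PLAUSIBLE_KMH:
        return "ok"
    # Impossible travel, but both hops came through the cloud security vendor's
    # gateways: most likely a gateway switch (load balancing, routing), so note it
    # rather than raise a full alert.
    if prev["org"].lower() in TRUSTED_GATEWAY_ORGS and cur["org"].lower() in TRUSTED_GATEWAY_ORGS:
        return "suppressed"
    return "alert"


def evaluate(events):
    """Group events per user, order them by time and classify each consecutive pair."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    return {user: [classify(a, b) for a, b in zip(evs, evs[1:])] for user, evs in by_user.items()}
```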

Thanks for reading and as always, any feedback is most welcome.