
The Threat Activity menu contains the following dashboards:

Insider Threat Activity

...

The Insider Threat Activity screen covers many Windows-based threats, drawing on activity from many Windows event log types. The page uses status blocks to show the number of events for the date/time filter selected from the top right corner, with a trending value as a percentage showing whether the trend is increasing, decreasing or neutral. Under each status block is a line graph showing the last 24 hours of activity with the rate per hour of those events. Pie charts lower down on the screen show which systems are affected, which Windows accounts are involved and the source IP of the activity causing the events. Any of these elements can be clicked to view the raw data in the drill-through at the bottom of the screen, where the data can be searched and additional filtering performed on one or more of the data fields.

  • Rubber Ducky Events - By correlating USB and Windows events collected from the Snare for Windows Enterprise agent, Snare identifies Human Interface Device (HID) events, which helps to detect when such devices are inserted into a system. The status block correlates these HID events with other USB events and process execution activity, allowing the security team to detect the activity and quickly drill down on where it occurred.
  • Windows USB Events - This status block covers all USB events collected from the Snare Windows Enterprise agent. These events include the device type and serial number where the vendor supplies it. All inserts and removals are collected and can be tracked. 
  • Windows Failed Logins - This status block shows all Windows failed login attempts for the systems collected. High rates of failed logins can indicate attempted system compromise, especially when the same account is used across multiple systems.
  • Windows Login Activity - This status block shows all successful Windows logins.
  • Windows Account Changes - This status block covers all Windows Account changes. 
  • Windows Group Changes - This status block covers all Windows group membership changes for accounts added to or removed from specific groups.
  • Windows Audit Logs Cleared - These show the number of events for actions taken to clear the Windows event logs; these could be for any of the Security, Application or System event logs.
  • Windows Audit Policy Changes - These show the events related to system or group policy audit policy changes.
  • Local Accounts Added to Administrators - All events associated with adding users to the local Administrators group will be alerted on. As part of privilege escalation on a system, a user would be added to the local Administrators group to gain a foothold on the system.
  • Windows Privilege Escalation - These events relate to users that have gained a higher level of access via additional user rights.
  • Windows Application Crash - These events relate to applications that are crashing which can be a symptom of malicious activity from buffer overruns or other memory manipulation to either gain access or cause a denial of service. 
  • Windows Protection Disabled - When services are stopped or disabled, it could be the result of a user stopping the service or the service crashing for some reason. This activity should be investigated as part of the incident management process.
  • Windows Events By System - This pie chart will show all systems affected by the date/time range search and any filtering as applied by the above status blocks and graphs. 
  • Windows Accounts Affected - This pie chart shows all of the user accounts affected by the date/time range search and any filtering as applied by the above status blocks and graphs. 
  • Windows Source IP Activity - This pie chart shows all of the events based on the source IP of the user that caused the event, as generated and filtered by the date/time range search and any filtering as applied by the above status blocks and graphs.
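As an added illustration of two of the correlations described above (the Rubber Ducky HID-then-process check and failed logins for one account spread across several systems), the following is example code written for this page, not Snare's own logic or record format. It assumes events have already been normalised into dicts with the constructed field names shown; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised into dicts (this is NOT the Snare
# agent's native record format). "hid_insert" and "process_start" are hypothetical
# event types for the USB and process feeds; "logon_failed" stands for Windows
# Security event ID 4625 (an account failed to log on).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "type": "hid_insert", "device": "HID-DEVICE-A"},
    {"ts": "2024-03-01T09:00:03", "host": "WS01", "type": "process_start", "image": "powershell.exe"},
    {"ts": "2024-03-01T09:30:00", "host": "WS02", "type": "hid_insert", "device": "HID-DEVICE-B"},
    {"ts": "2024-03-01T09:45:00", "host": "WS02", "type": "process_start", "image": "notepad.exe"},
    {"ts": "2024-03-01T10:00:00", "host": "WS01", "type": "logon_failed", "account": "jdoe"},
    {"ts": "2024-03-01T10:00:05", "host": "WS02", "type": "logon_failed", "account": "jdoe"},
    {"ts": "2024-03-01T10:00:09", "host": "WS03", "type": "logon_failed", "account": "jdoe"},
    {"ts": "2024-03-01T10:01:00", "host": "WS01", "type": "logon_failed", "account": "asmith"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hid_then_process(events, window_seconds=10):
    """Rubber Ducky style correlation: a process start on the same host within
    window_seconds after a HID insert. Returns (host, device, image, seconds_after)."""
    hits = []
    for ins in (e for e in events if e["type"] == "hid_insert"):
        deadline = _ts(ins) + timedelta(seconds=window_seconds)
        for e in events:
            if (e["type"] == "process_start" and e["host"] == ins["host"]
                    and _ts(ins) <= _ts(e) <= deadline):
                hits.append((ins["host"], ins["device"], e["image"],
                             int((_ts(e) - _ts(ins)).total_seconds())))
    return hits


def spread_failed_logins(events, min_hosts=3):
    """Accounts with failed logins on min_hosts or more distinct systems."""
    hosts_by_account = defaultdict(set)
    for e in events:
        if e["type"] == "logon_failed":
            hosts_by_account[e["account"]].add(e["host"])
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()
            if len(hosts) >= min_hosts}
```

The WS02 insert is not flagged because the next process start there is 15 minutes later, outside the window; the window and host threshold are the values to tune against your own baseline.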

Network Activity


The current Network Activity screen provides an overview of common activity from a Cisco ASA firewall. The page covers many aspects of firewall network usage, including traffic flows over time, data allowed and blocked, IDS activity (in this case Snort alerting), firewall change activity and admin access, source and destination IPs, ports and protocols, a mapping of potentially risky protocols, and a drill-through to see the raw data for the selected time. As with the other dashboards, there is a date and time picker on the top right of the screen. The drill-through at the bottom of the screen shows the details for the dashboard element as the user clicks on either a status block or a dashboard element.

Key indicators are:

  • Firewall general activity - spikes in usage can indicate abnormal activity, which could be the result of a denial of service, data downloads or data being exfiltrated from the network. What is normal for one company may not be normal for another, so threshold settings should be adjusted to suit the reporting needs of your company.
  • Firewall accepted activity - this is activity allowed through the firewall. Anything allowed in or out may be normal or unauthorised activity, depending on whether data is leaking out using approved protocols. Many variants of malware, and many attackers, piggyback on the DNS, HTTP, HTTPS and SMTP protocols as these are allowed in most cases because staff need to access the internet. Spikes in activity on these protocols can therefore be an indicator of compromise.
  • Snort Events - if you have an IDS, you can adjust this to report on your IDS syslog events. In this example we can see the variation of event types and the number of events per hour. Specific events such as Web Application Attacks can mean that systems are under attack, as the traffic is allowed through the firewall and is reaching the hosting web server. Spikes in activity may also indicate problems or someone probing your systems.
  • Cisco ASA Privileged Activity, Configuration Cleared, System Errors - these reports detail the nature of any system access, including who was logging in and changing the configuration of the Cisco firewall. If these changes were not part of an approved change control, they should be investigated as part of incident management.
  • Source and Destination Port Activity and Address Activity - these charts allow analysis of high-usage systems, ports and protocols. Low-usage ones that are being hidden can also be highlighted by filtering out the busy systems. These charts allow the analyst to review and understand what is normal activity, and to identify traffic that may be unauthorised, involving information leakage or high volumes of data being exfiltrated out of the company.
  • Risky Protocols by Port and Source and Destination Addresses - these charts report on firewall traffic that could be a potential risk. As mentioned above, attackers and malware often piggyback traffic on known approved ports or use their own port. Depending on the firewall rules, this traffic may be allowed in or out. High usage on known malware ports or common ports should be reviewed to determine whether the traffic was approved or unauthorised.
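The two firewall checks above (a tunable spike threshold on accepted activity, and a review list of risky ports) as an added example written for this page; it is not Cisco ASA or Snare code and does not parse ASA syslog. The flow records and the RISKY_PORTS list are constructed assumptions; replace the list with the ports your own rules care about.

```python
from collections import Counter
from statistics import median

# Constructed sample firewall records, already parsed into dicts (NOT Cisco ASA
# syslog format). "hour" is the hour-of-day bucket the event fell into.
BASELINE_COUNTS = {"08": 10, "09": 12, "10": 11, "11": 60, "12": 10, "13": 11}
FLOWS = [{"hour": h, "action": "accept", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443}
         for h, n in BASELINE_COUNTS.items() for _ in range(n)]
FLOWS += [
    {"hour": "11", "action": "accept", "src": "10.0.0.7", "dst": "198.51.100.3", "dport": 23},
    {"hour": "12", "action": "deny", "src": "10.0.0.7", "dst": "198.51.100.3", "dport": 21},
]

# Assumed, site-specific review list; tune it to your own firewall rules.
RISKY_PORTS = {21: "ftp (cleartext)", 23: "telnet (cleartext)"}


def hourly_spikes(flows, multiplier=3.0, action="accept"):
    """Hours whose event count for `action` exceeds multiplier x the median hour.
    `multiplier` is the threshold the dashboard text says should be tuned per company."""
    per_hour = Counter(f["hour"] for f in flows if f["action"] == action)
    if not per_hour:
        return {}
    baseline = median(per_hour.values())
    return {h: n for h, n in sorted(per_hour.items()) if n > multiplier * baseline}


def risky_port_hits(flows, risky=RISKY_PORTS):
    """Flows (allowed or denied) touching a port on the review list, as
    (src, dst, port, reason, action) tuples sorted by port then source."""
    hits = {(f["src"], f["dst"], f["dport"], risky[f["dport"]], f["action"])
            for f in flows if f["dport"] in risky}
    return sorted(hits, key=lambda h: (h[2], h[0]))
```

Denied flows on the review list are kept on purpose, since a blocked attempt against a risky port is still worth seeing alongside the one that was allowed through.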
