Wednesday, May 6, 2015

Assuming you're breached, what do you look for?

Building on my earlier post, "Questioning your security data", I thought I would share some details on how I'm querying my SIEM. Right now, I'm using ELK (Elasticsearch, Logstash, Kibana) to correlate security event data from a variety of sources (firewalls, IDS, HIDS, antivirus, load balancers).

The first question that I care most about is "Have I been pwned?", calling back to the title of this blog. So here's what one of my dashboards looks like:


The big donut chart on the left is a breakdown of all malicious activity, with the inner pie chart showing country of origin and the outer ring giving me the port the alert was detected on. A few interesting tidbits here: China likes to send a lot of attacks via email, Australia is tracerouting us... but I want more about what's really going on inside my network. So let's dig deeper.


Here's another pie chart showing just virus alarms and what port they were detected coming in on.

Hmmm... lots of email malware, but a fair bit of drive-by and possible botnet C&C activity. Good to know.

Meanwhile, the graphs on the dashboard are serving up visualizations of network incidents detected by internal firewalls and IDS (you do segregate your internal network with firewalls, don't you?). Here's a blow-up of one of those:



The query driving these graphs is of the form "Show all IDS alarms and firewall blocks where the source IP is an RFC 1918 address", i.e. internal-to-internal traffic that something on my own network flagged.


The big spike on the left is damned suspicious... but on closer inspection, I see it's my vulnerability scanning box. Ah, that's cool. The next highest box is an IT inventory tool, which also does some active discovery. Nice to know I can quickly spot who's scanning on my inside network.
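To show what that "RFC 1918 source" query does outside of Kibana, here is an added example (my own code, not anything from the original post). It filters a handful of constructed IDS and firewall events down to those with an RFC 1918 source, ranks the sources by event count, and tags the ones on an allow-list of known internal scanners so a spike like the vulnerability scanner's is explained rather than hidden. The field names (`event_type`, `src_ip`, `dst_port`), the scanner addresses and the sample events are all assumptions; the `elasticsearch_query()` helper builds the equivalent query DSL on the further assumption that `src_ip` is mapped as Elasticsearch's `ip` type, which is what lets a `term` query take CIDR notation.

```python
"""Filter IDS alarms and firewall blocks to RFC 1918 sources and rank them.

Added example, not code from the original post. Field names, scanner
addresses and sample events are constructed assumptions.
"""
import ipaddress
from collections import Counter

# RFC 1918 private space, spelled out explicitly. ipaddress's is_private
# is broader (loopback, link-local, documentation nets) and would let
# 169.254.x.x or 127.x.x.x sources through a query meant for RFC 1918 only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Known internal scanners (constructed addresses). Tagging them explains
# the big spike without removing it from the data.
KNOWN_SCANNERS = {
    "10.1.1.5": "vulnerability scanner",
    "10.1.1.6": "IT inventory tool",
}

# Event types the dashboard query is interested in (assumed field values).
INTERESTING_TYPES = {"ids_alarm", "firewall_block"}


def is_rfc1918(ip_text):
    """True when ip_text parses as an IPv4 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # malformed or empty src_ip: not internal
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def internal_source_events(events):
    """The post's query: IDS alarms and firewall blocks with an RFC 1918 source."""
    return [e for e in events
            if e.get("event_type") in INTERESTING_TYPES
            and is_rfc1918(e.get("src_ip", ""))]


def rank_sources(events):
    """Count matching events per source IP, highest first, with a scanner tag."""
    counts = Counter(e["src_ip"] for e in internal_source_events(events))
    return [(ip, n, KNOWN_SCANNERS.get(ip, "unexplained"))
            for ip, n in counts.most_common()]


def elasticsearch_query():
    """Equivalent Elasticsearch query DSL (assumes src_ip is mapped as `ip`)."""
    return {"query": {"bool": {"filter": [
        {"terms": {"event_type": sorted(INTERESTING_TYPES)}},
        {"bool": {"should": [{"term": {"src_ip": str(n)}} for n in RFC1918],
                  "minimum_should_match": 1}},
    ]}}}


# Constructed sample events: two internal scanners, one unexplained internal
# host, and several records the query should ignore.
SAMPLE_EVENTS = [
    {"event_type": "ids_alarm",      "src_ip": "10.1.1.5",      "dst_port": 445},
    {"event_type": "firewall_block", "src_ip": "10.1.1.5",      "dst_port": 22},
    {"event_type": "firewall_block", "src_ip": "10.1.1.5",      "dst_port": 3389},
    {"event_type": "ids_alarm",      "src_ip": "10.1.1.5",      "dst_port": 80},
    {"event_type": "firewall_block", "src_ip": "10.1.1.6",      "dst_port": 161},
    {"event_type": "ids_alarm",      "src_ip": "10.1.1.6",      "dst_port": 135},
    {"event_type": "ids_alarm",      "src_ip": "192.168.5.20",  "dst_port": 4444},
    {"event_type": "firewall_block", "src_ip": "203.0.113.9",   "dst_port": 23},   # external
    {"event_type": "antivirus",      "src_ip": "172.16.2.3",    "dst_port": 25},   # wrong type
    {"event_type": "ids_alarm",      "src_ip": "169.254.10.1",  "dst_port": 80},   # link-local
    {"event_type": "ids_alarm",      "src_ip": "not-an-ip",     "dst_port": 80},   # malformed
]

if __name__ == "__main__":
    for ip, n, tag in rank_sources(SAMPLE_EVENTS):
        print(f"{ip:15} {n:3d}  {tag}")
```

Run as-is it lists the vulnerability scanner first, the inventory tool second, and leaves one host tagged "unexplained", which is the one worth opening a ticket on; the allow-list is deliberately a tag rather than a filter so that a known scanner suddenly producing a different volume or hitting different ports still shows up.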

If this is useful or interesting (or way off), let me know. I can share more of these as I build out my dashboards and queries.
