Detecting cybersecurity incidents effectively involves multiple layers of detection, which vary based on the tools and configurations you have in place. This includes intrusion detection systems (IDS), intrusion prevention systems (IPS), next-gen firewalls, EDR and native capabilities like the Windows event logs. The capabilities and costs associated with these tools can differ significantly depending on your environment, whether it’s a local setup or a cloud-based system like Office 365, AWS, GCP or Azure.
This post is aligned to TLP – The Digital Forensics Podcast Episode 3.
Detection Capabilities: Local vs. Cloud
When dealing with cloud systems, such as Office 365, the level of logging available often depends on the type of license you hold. Upgrading licenses to enhance logging capabilities can be costly and might not fit within the current budget cycle. Conversely, for local systems, you have more control over logging configurations without incurring additional licensing costs, but you will need to spend the time to configure and tune them.
Office 365 is just mail and file storage, you say! Yes, you’re right. Let’s include some useful tools for AWS cyber incident detection as well.
AWS GuardDuty. GuardDuty uses threat intelligence and machine learning to look for malicious activity in your AWS accounts. It consumes your CloudTrail event logs, VPC Flow Logs, S3 data events and DNS logs, monitors them continuously and presents its findings in an interface that makes reviewing for incidents easy. The caveat is that you must have a good understanding of your AWS architecture to judge which findings actually matter. Good incident detection comes down to building a good baseline of your environment, and that takes time, experience with incidents and talking with your sysadmins.
Sysmon for Enhanced Windows Logging
In the Windows environment, enabling Sysmon (System Monitor) is a powerful way to enhance logging capabilities. Sysmon is a Windows system service and device driver that logs system activity to the Windows Event Log. It provides detailed information about process creation (including the full command line, parent process and file hashes), network connections, and changes to file creation time. Sysmon was created by Sysinternals and is a huge asset to DFIR analysts.
Here’s why and how you should consider using Sysmon:
Benefits of Sysmon:
Detailed Logging: Sysmon enables a comprehensive set of logs that are essential during incident response.
Customisable Profiles: You can customise the Sysmon configuration to match your environment, ensuring that you capture relevant data without overwhelming your storage with unnecessary logs. Some event types generate excessive noise and might not be suitable to run all the time. The SwiftOnSecurity Sysmon config file is commented in a way that highlights what might overwhelm your system or SIEM.
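To make the include/exclude idea concrete, here is a deliberately small Sysmon configuration written to disk from PowerShell. This is an added example, not the SwiftOnSecurity or ACSC config and not code from the podcast. It shows the two filter modes that decide how noisy an event type is: onmatch="exclude" logs every event of that type except the ones listed, while onmatch="include" logs nothing of that type unless a rule matches. It goes slightly beyond the text by adding a registry filter for the classic Run keys. The path C:\Sysmon\sysmon-minimal.xml, the excluded agent binary and the OneDrive exclusion are assumptions for illustration; the schemaversion must be no newer than the installed Sysmon binary supports (check with sysmon -s).

```powershell
# Added example: a minimal Sysmon configuration, written to disk from PowerShell.
# The file path and the specific exclusions are assumptions for illustration; a production
# config should start from the SwiftOnSecurity or ACSC file and be tuned to your own baseline.
$ConfigPath = 'C:\Sysmon\sysmon-minimal.xml'   # assumed location

$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <!-- Hash every process image with SHA256 so a hit can be matched against threat intel -->
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>

    <!-- Event ID 1 (ProcessCreate): onmatch="exclude" means EVERY process start is logged
         except the ones matched below. Keep this list short; process creation with the
         full command line is the single most useful Sysmon event during an incident. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- Assumed noisy local agent; replace with whatever your own baseline shows -->
        <Image condition="is">C:\Program Files\ExampleAgent\agent-heartbeat.exe</Image>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 3 (NetworkConnect): onmatch="include" means NOTHING is logged unless a rule
         matches. Logging every connection from every process floods a SIEM, so only script
         hosts and LOLBins that rarely need network access on a workstation are captured. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\wscript.exe</Image>
        <Image condition="end with">\cscript.exe</Image>
        <Image condition="end with">\mshta.exe</Image>
        <Image condition="end with">\regsvr32.exe</Image>
        <Image condition="end with">\rundll32.exe</Image>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 2 (FileCreateTime): timestomping is rare and suspicious, so log it broadly
         and exclude only a known legitimate source of creation-time changes (assumed here). -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="end with">\OneDrive.exe</Image>
      </FileCreateTime>
    </RuleGroup>

    <!-- Event IDs 12-14 (RegistryEvent): only the classic autorun persistence locations -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\CurrentVersion\RunOnce</TargetObject>
      </RegistryEvent>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
'@

# Make sure the XML is well-formed before handing it to Sysmon; Sysmon rejects a broken
# file, but catching the typo here gives a clearer message than the installer does.
try {
    [xml]$parsed = $SysmonConfig
} catch {
    throw "Config is not well-formed XML: $($_.Exception.Message)"
}

# Sanity check: every filter section must say explicitly whether it includes or excludes.
$filters = $parsed.Sysmon.EventFiltering.RuleGroup.ChildNodes |
           Where-Object { $_.NodeType -eq 'Element' }
foreach ($f in $filters) {
    if ($f.onmatch -notin @('include', 'exclude')) {
        throw "Filter $($f.Name) is missing onmatch='include' or 'exclude'"
    }
    $ruleCount = @($f.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    '{0,-15} onmatch={1,-7} rules={2}' -f $f.Name, $f.onmatch, $ruleCount
}

New-Item -ItemType Directory -Path (Split-Path $ConfigPath) -Force | Out-Null
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding UTF8
# Apply with: Sysmon64.exe -accepteula -i $ConfigPath   (first install)
#         or: Sysmon64.exe -c $ConfigPath               (replace the config of a running Sysmon)
```

The design point is that the two modes are not interchangeable: an include filter with an empty rule list logs nothing for that event type, so a "tuning" edit that deletes the last include rule silently switches that telemetry off, while an exclude filter fails open and keeps logging. When in doubt, reason about each event type in the terms of the comments above before copying rules from someone else's file.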
Implementing Sysmon:
Deploying Sysmon: To deploy Sysmon, you run the Sysmon executable with a specific XML configuration file. This file contains the rules and settings for what Sysmon should capture.
Configuring Sysmon: You can find initial configurations and regularly updated files from sources like @SwiftOnSecurity on X https://github.com/SwiftOnSecurity/sysmon-config and the Australian Cyber Security Centre (ACSC) https://github.com/AustralianCyberSecurityCentre/windows_event_logging/tree/master/events/sysmon.
Practical Use of Sysmon:
Incident Response: When an incident occurs, the detailed logs provided by Sysmon offer invaluable insights, making it easier to track down malicious activity and understand what happened.
Cost-Effective Solution: Sysmon is free and relatively easy to use, making it an excellent option for security teams that are outside the budget cycle, or don’t have a budget at all.
Configuring Sysmon
To configure Sysmon:
Run the Sysmon Executable: Use the Sysmon executable with the appropriate XML file.
Use Configuration Files: You can find comprehensive configuration files from reputable sources like SwiftOnSecurity, who regularly update their Sysmon config files. The ACSC also provides configuration files tailored for different environments. See the links above.
Example Configuration Steps:
Download Sysmon from the official Microsoft Sysinternals site.
Obtain a configuration file from SwiftOnSecurity or ACSC.
Run the Sysmon command:
sysmon -accepteula -i config.xml (the config file is not actually named config.xml in the repositories above; replace config.xml with the name of the file you downloaded from ACSC or SwiftOnSecurity’s GitHub. On 64-bit Windows you can run Sysmon64.exe directly.)
This command installs Sysmon with the specified configuration.
No reboot is needed: Sysmon starts logging as soon as the install completes, and the events appear in the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. To change the configuration later, run sysmon -c newconfig.xml; this replaces the running configuration without reinstalling.
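The whole procedure above as one PowerShell script, so that the install, the checks and the first look at the log are repeatable. This is an added example, not the podcast’s script and not Sysinternals’ own tooling. It assumes an elevated PowerShell session, and that Sysmon64.exe and the SwiftOnSecurity config (sysmonconfig-export.xml, which is the file’s name in that repository; the ACSC file names differ) have already been downloaded to C:\Sysmon. It checks the binary’s Authenticode signature before running it, installs Sysmon or pushes a new config if the Sysmon64 service already exists, confirms the service, the driver and the Operational log, and then runs a smoke test: it starts a process with a unique marker in its command line and looks for the matching Event ID 1.

```powershell
# Added example: deploy (or update) Sysmon and verify that events are actually flowing.
# Assumes an elevated session and that these two files already exist locally:
$SysmonExe  = 'C:\Sysmon\Sysmon64.exe'               # from the Sysinternals download
$ConfigFile = 'C:\Sysmon\sysmonconfig-export.xml'    # SwiftOnSecurity's file name; ACSC's differ
$LogName    = 'Microsoft-Windows-Sysmon/Operational'

foreach ($path in $SysmonExe, $ConfigFile) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
}

# Sysmon installs a kernel driver, so refuse to run a binary whose Microsoft signature is not intact.
$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $SysmonExe : signature status $($sig.Status)"
}

# Fail fast on a malformed config; Sysmon would reject it anyway, but the message is clearer here.
$null = [xml](Get-Content -LiteralPath $ConfigFile -Raw)

# First install uses -i (plus -accepteula so it works unattended). A later run just pushes the
# new config to the running service with -c, which needs neither a reinstall nor a reboot.
# The service is named after the executable, so Sysmon64.exe installs as 'Sysmon64'.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigFile
} else {
    & $SysmonExe -accepteula -i $ConfigFile
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Sysmon starts immediately; confirm the service, the kernel driver and the log all exist.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'SysmonDrv'"
if (-not $drv -or $drv.State -ne 'Running') { throw 'SysmonDrv driver is not running' }
Get-WinEvent -ListLog $LogName | Select-Object LogName, RecordCount, IsEnabled

# Smoke test: create a process carrying a unique marker and look for its Event ID 1.
# (Assumes your config does not exclude cmd.exe from ProcessCreate; SwiftOnSecurity's does not.)
$marker = 'sysmon-smoketest-{0}' -f ([guid]::NewGuid().ToString('N'))
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 3

$hit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 500 |
       Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
if (-not $hit) { throw 'Sysmon is installed but no ProcessCreate event contained the marker' }

# Pull fields out of the event XML rather than scraping the free-text Message.
$xml  = [xml]$hit.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
'{0}  {1}  PID={2}  Parent={3}' -f $data.UtcTime, $data.Image, $data.ProcessId, $data.ParentImage
'CommandLine: {0}' -f $data.CommandLine
'Hashes: {0}'      -f $data.Hashes

# Which event IDs dominate? This is how you find what is flooding the SIEM before tuning the config.
Get-WinEvent -LogName $LogName -MaxEvents 5000 |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Run it once after the initial install and again after every config change: the marker test proves the new rules still capture process creation, and the per-ID count at the end is the quickest way to see whether an include rule you just added (network connections, image loads) is about to overwhelm your storage.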