Recognizing Attack Patterns

After this detailed overview of the origins of the various log data, it is important for data analysts to know tools with which they can work in the future. Although some of the data providers already listed offer their own web interfaces, Security Onion sets out to consolidate them and provide a common interface. To this end, the data submitted to Logstash is collected in a central Elasticsearch instance. In distributed setups, the data from Logstash reaches the central instance from a Redis database.

The main interface to Security Onion is in the Security Onion Console (SOC) HTTP web page, which bundles access to the other tools and supports automated alerts and manual hunts for IoCs on the monitored systems. In addition to the interfaces for cases, hunts, and alerts included in Security Onion, the console again uses established tools for processing and analyzing the acquired data and potential incidents (Figure 1). Alternatively, you can access the shell and the tools and data available there over SSH.

Figure 1: The menu in the web interface gives access to the central functions and available tools.

Kibana and Grafana are probably the best known tools in the SOC collection. The properties queried with Elasticsearch are organized on different dashboards by Kibana. The various Beats mentioned earlier can be used to prepare data directly for visualization in Kibana. Grafana generates performance information and notes on the status of your overall system. Grafana's high-resolution data is deleted after 30 days; only aggregated data is retained longer.

FleetDM (device management) gives you access to an interface for osquery. You can use it both to create and manage queries and to configure appropriate packages for clients to facilitate queries and define your own tables, which you then deploy to your clients. Fleet then primarily supports you by processing the regularly executed queries and aggregating and visualizing the results.

To make your requests to systems more systematic, Security Onion comes with what it refers to as a Playbook. With its help, you can create Plays, which map out specific detection strategies. You define what you want to detect, and for what purpose, and then describe the steps needed to validate the results or fix any problems identified. The Play definitions you can use for automatic analysis are based on the Sigma format [2], a generic signature for log data.

The goal is primarily to identify rules and patterns in the log data and then generate alarms or events from the corresponding data for further processing by analysts. Security Onion comes with more than 500 of these Plays, which you can use as-is or customize to best suit your needs. You can also pick up additional signatures for your searches from the Sigma community, if needed. All results and alerts can also be viewed simultaneously on the dashboards, in the Hunt interface, and in Kibana.

You might already be familiar with CyberChef [3], which is also installed. This tool, widely referred to as the Swiss Army Knife of cybersecurity, lets you drag and drop a wide range of "cyber operations" for different inputs in the browser. Armed with this, and without too much prior knowledge, you can use hashes or crypto functionality, convert image data into different formats, use prepared regular expressions for searching, run programming-language-specific functions like PHP's serialize, and use many other small functions, for which you may have already built small scripts to make your everyday life as an analyst easier. Even if you do not use Security Onion, you will probably add CyberChef to your bookmarks bar.

Installation and Configuration

The installation of Security Onion is basically very simple. It is a good idea to stick to the guidelines as much as possible when it comes to hardware requirements. For an initial test on a virtual machine (VM), for example, you are at the lower limits of the recommended setup with 200GB of disk space, 12GB of RAM, and four cores.

For the installation, download the ISO file mentioned earlier [4] to your virtualization environment and deploy it; then, create a machine with sufficient resources. The installation is basically automatic; you just need to create a user and choose a password. After the install, log in to the console with your credentials and the Security Onion setup starts automatically.

The first dialog prompts you to define the type of installation you want to carry out. You can choose between a trial version, a standalone or distributed variant, or an import installation, which mainly lets you perform forensic analysis on recorded data. As an analyst, first select the other option and then install the analyst version on your workstation.

I chose the standalone variant for this article. Make sure you assign two network cards to your VM; note that they may not be hidden behind a network address translation (NAT) host but on an actual network. Your best option is to provide real network interface cards to the VM and connect one of the cards to your switch's monitoring port. In this way, you can quickly acquire a mass of genuine data from your network for later testing.

Now select the interface you want to use for management access in the dialog. Assign static IP addresses or ignore the warning that using DHCP can cause problems – you should not have any trouble if you use an IP address reservation. If your server has Internet access, you can simply select that in the next step; otherwise, Security Onion will create the installation with the data from the ISO. In this case you will want to use the Airgap installation on all the nodes of your network.

Now, choose to install the Basic manager; the recommended settings are useful for a first test and can be adjusted later, for the most part. In each of the following dialogs, keep the options selected by default. Of course, you can change the defaults if you really want to. After you have created the user for the web interface and assigned a password for the soremote user account, the system is updated directly if an Internet connection is available, and the setup is complete. Now you can enter the IP addresses in your browser and log in to the management console. If you see a 401 error, you might need to unlock your IP address first. To do this, go into the SSH session again and run so-allow as root. Select analyst access and enter the IP address of your computer.

Quick Access to Tools

The web interface gives you direct access to your own functions from the menu on the left, and you can access the installed tools a bit further down. If you can log data packets with the network interface at this point, you will see, for example, the metadata generated by Suricata or Zeek. Security Onion provides predefined queries in the different views; you can use these to get started.

For example, in Dashboards , click on the arrow next to the magnifying glass to open a menu for selection. In this case, simply select Connections ; data should already be available in this area as a result of monitoring. Figure 2 shows the upper area of this connection overview, where you will find the data for the last 24 hours; you can change the period at top right.

Figure 2: The connection overview contains the data for the last 24 hours.

If you now run Security Onion on your network for some time, you will see more and more data accumulate for evaluation. For practice, create an incident for one of the alerts and edit it. To do this, simply left-click on one of the lines in the alerts and select Escalate or click on the plus (+) symbol after selecting the Cases menu item. You can add more sensors to your instance, such as more hosts for osquery or additional system logs on other servers. The Security Onion documentation available online provides you with more examples of different use cases.