Below are some examples of security attack scenarios that many people put
forth as the perfect illustration of how powerful, valuable and simple
correlation is.
As you will see, the overall approach of applying static rule-based
correlation to these scenarios is simply flawed.
Attack Scenario Example 1: Identity Theft
There are numerous ways to perform an Identity Theft attack, but let's focus
on just one of them. It rests on the observation that somebody cannot be in
two places at the same time, and hence that a user cannot log in to your
infrastructure from the VPN and locally from the office "at the same time."
Furthermore, if he connects through the VPN, disconnects, and then "shortly
thereafter" reconnects locally, it is probably Identity Theft.
A scenario might be:
If one of my users logs in to my infrastructure from the Internet through
my VPN, then logs out. And then some time late... (more)
We saw what typically happens when trying to use static rule-based log
correlation to perform real-time incident management: combinatorial
explosion and lack of scalability. How do you model non-deterministic attacks
in a few discrete steps?
Today, we'll look at more scenarios for which static rule-based log
correlation doesn't make sense.
Attack Scenario Example 2: Brute Force Attack
Let's look at another example scenario. Brute Force Attack.
- A user tries to log in to his account
- He fails many times in a row and then finally succeeds
- Then "probably" a successful Brute ... (more)
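To make concrete what "keeping state" means for the two scenarios above (the VPN-then-local login of Example 1 and the many-failures-then-success of Example 2), here is a small stateful correlator. It is an added example, not code from the original posts or from any product: the log format, the user names, the 30-minute "travel" window, the five-failure threshold and the 10-minute failure window are all assumptions chosen for illustration, and the log lines are constructed. The third user shows the time-scale problem: the same brute force, spread over a day, slides straight through the window the rule was written for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the original page), one
# authentication event per line: "<ISO timestamp> <user> <source> <event>".
SAMPLE_LOGS = [
    # Example 1: VPN session, logout, then a local login five minutes later.
    "2024-03-01T08:00:00 alice vpn login_ok",
    "2024-03-01T08:20:00 alice vpn logout",
    "2024-03-01T08:25:00 alice lan login_ok",
    # Example 2: five failures in 25 seconds, then success.
    "2024-03-01T09:00:00 bob lan login_fail",
    "2024-03-01T09:00:05 bob lan login_fail",
    "2024-03-01T09:00:10 bob lan login_fail",
    "2024-03-01T09:00:15 bob lan login_fail",
    "2024-03-01T09:00:20 bob lan login_fail",
    "2024-03-01T09:00:25 bob lan login_ok",
    # Same brute force as bob's, but one attempt every two hours.
    "2024-03-01T10:00:00 carol lan login_fail",
    "2024-03-01T12:00:00 carol lan login_fail",
    "2024-03-01T14:00:00 carol lan login_fail",
    "2024-03-01T16:00:00 carol lan login_fail",
    "2024-03-01T18:00:00 carol lan login_fail",
    "2024-03-01T20:00:00 carol lan login_ok",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, source, event)."""
    ts, user, source, event = line.split()
    return datetime.fromisoformat(ts), user, source, event


class Correlator:
    """Stateful implementation of the two 'simple' rules from the text.

    Rule 1 (identity theft): a local login while the same user's VPN session
    is still open, or within `travel_window` of his VPN logout, is flagged.
    Rule 2 (brute force): `fail_threshold` or more failed logins inside a
    sliding `fail_window`, followed by a success, is flagged.
    Both rules only work because per-user state (open sessions, logout
    times, recent failure timestamps) is kept between events.
    """

    def __init__(self, travel_window, fail_threshold, fail_window):
        self.travel_window = travel_window
        self.fail_threshold = fail_threshold
        self.fail_window = fail_window
        self.vpn_open = set()            # users with an open VPN session
        self.vpn_logout = {}             # user -> time of last VPN logout
        self.fails = defaultdict(deque)  # user -> failure times in window
        self.alerts = []                 # (rule, user, timestamp)

    def _prune(self, user, now):
        # Forget failures that fell out of the sliding window.
        window = self.fails[user]
        while window and now - window[0] > self.fail_window:
            window.popleft()
        return window

    def feed(self, ts, user, source, event):
        # Rule 1: track VPN sessions and compare against local logins.
        if source == "vpn":
            if event == "login_ok":
                self.vpn_open.add(user)
            elif event == "logout":
                self.vpn_open.discard(user)
                self.vpn_logout[user] = ts
        elif source == "lan" and event == "login_ok":
            recently_on_vpn = (user in self.vpn_logout and
                               ts - self.vpn_logout[user] <= self.travel_window)
            if user in self.vpn_open or recently_on_vpn:
                self.alerts.append(("identity_theft", user, ts))

        # Rule 2: count failures per user, evaluate on the next success.
        if event == "login_fail":
            self._prune(user, ts).append(ts)
        elif event == "login_ok":
            window = self._prune(user, ts)
            if len(window) >= self.fail_threshold:
                self.alerts.append(("brute_force", user, ts))
            window.clear()


def run(lines, travel_minutes=30, fail_threshold=5, fail_minutes=10):
    """Replay log lines through a fresh Correlator and return its alerts."""
    c = Correlator(timedelta(minutes=travel_minutes), fail_threshold,
                   timedelta(minutes=fail_minutes))
    for line in lines:
        c.feed(*parse(line))
    return c.alerts


if __name__ == "__main__":
    for rule, user, ts in run(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule:15} {user}")
```

With the 10-minute window, alice and bob are flagged and carol is not. Widening the window to a day (`run(SAMPLE_LOGS, fail_minutes=24 * 60)`) catches carol, but only by holding a day of failure timestamps for every user and by flagging anyone who mistypes a password five times before lunch: this is the "minute details to slightly reduce false positives" trade-off, and the attacker simply picks a spacing wider than whatever window you chose.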
Rule-based log correlation is based on modeling attack scenarios
Back to the visibility aspect.
"By managing all your logs you get universal visibility into everything that
is happening in your IT infrastructure." Yes, this is a true statement.
But to claim that you can easily flag security attacks using rule-based
correlation is a major overstatement.
Rule-based correlation essentially automates the "If this is happening here"
and "That is happening there" then "We have a problem." More precisely, "If
this precise event is taking place at this particular time in this specific
device... (more)
During these past few weeks, we have looked at several reasons why static
rule-based correlation is not the "SOC in a Box", the be-all and end-all that
many thought it was.
Indeed, what to think about a "solution" that:
- Can only address a very limited set of attack scenarios
- Requires meticulous consideration of how to map out the few selected attack
scenarios
- Doesn't guarantee that you catch attacks in progress even when one of the
few selected scenarios is taking place
- Obliges you to think of minute details to slightly reduce false positives
- Yields hundreds and thousands of basic correlat... (more)
APTs, Advanced Persistent Threats, are the anti-script-kiddies approach to
penetrating an environment. Can static rule-based correlation catch these?
APT Attackers Love Correlation Environments
Remember that "False Sense of Security," the feeling that you are secure
when in fact you are not?
Attackers know that an attack is a process, not an event. They use this, and
they use time, to their advantage. They operate on time scales that static
rule-based correlation simply cannot cope with.
If you want to correlate disparate events, you need to keep state information
on th... (more)