
Detecting Malicious Activity – How SMBs Can Protect and Prepare

Written by: Sean D. Goodwin, GSE

Small and medium-sized businesses (SMBs) do not always have the budget for advanced intrusion detection system (IDS) technology. Open-source software can fill that gap, but a free IDS running with default settings may not detect malicious activity on its own, especially once the attacker is already inside the perimeter.

This predicament led to the research and whitepaper recently published in the SANS Reading Room. The study examined whether a stand-alone Security Onion device, combined with the built-in event logging of a small Windows environment, could detect malicious activity on the internal network.

Building on an existing configuration, in this case the logging scope and the alerting rules, is critical for SMBs. There is a wide gap between zero alerts (no configuration or tuning in place) and a ruleset customized for your environment. The configuration used in the research will not fit every environment perfectly, but it addresses a large number of concerns far more efficiently than starting from scratch, and it can be tuned over time to close that gap. It is equally crucial to understand the scope of that configuration: this research focused on malicious use of legitimate administrative tools, which a generic logging and alerting baseline will find difficult to detect.

The technologies examined in the paper capture much of the information needed to investigate a potential threat, but their default configurations do not provide plug-and-play alerting. One reason is that what counts as normal traffic differs from one environment to the next; another is that the selected attacks use legitimate Windows utilities that also appear in everyday administration. SMBs may benefit from disabling some of these utilities outright if they are not used for system administration. Other mitigations, such as performing daily tasks from a non-administrative user account, reduce the chance that malicious activity succeeds and make attempted attacks more visible, because administrative tooling launched from an ordinary user's session stands out in the logs.

Analysts or custom rules are needed to decide whether a given use of tools such as PsExec or "net use" is legitimate or potentially malicious. The data produced by Windows Event Logs and Sysmon, together with Security Onion's analysis of it, makes parsing large volumes of event logs far more efficient. SMBs can rely on this toolset to identify some common attack techniques, but should not treat it as a "set it and forget it" solution that will alert on every attacker.
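As an added example, not code from the paper, Security Onion or Sysmon, the Python below shows the kind of rule an analyst would write for exactly this decision. It scans Sysmon Event ID 1 (process creation) records for PsExec (both the operator-side psexec.exe and the PSEXESVC.exe service it installs on the target) and for "net use" against administrative shares, then compares the account and host against an assumed baseline of who is expected to perform remote administration. The baseline values (CORP\itadmin, IT-WS01), the host names and the four sample events are constructed for illustration.

```python
"""Minimal triage of Sysmon Event ID 1 (process creation) records for PsExec
and "net use" activity, with an environment baseline that decides whether a
hit is expected administration or something to alert on.

Added example; not code from the SANS paper, Security Onion or Sysmon. The
baseline sets and the sample events below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The Sysmon Event ID 1 fields this triage uses (names follow Sysmon)."""
    computer: str      # host that logged the event
    user: str          # account that started the process, e.g. CORP\alice
    image: str         # full path of the new process
    command_line: str
    parent_image: str


# Assumed baseline for the environment (hypothetical values): the accounts
# and workstations from which remote administration is expected.
ADMIN_USERS = {"corp\\itadmin"}
ADMIN_HOSTS = {"it-ws01"}

# UNC path to an administrative share: \\host\ADMIN$, \\host\C$, \\host\IPC$
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(admin\$|[a-z]\$|ipc\$)", re.IGNORECASE)


def detect(ev: ProcEvent) -> list[str]:
    """Return the technique tags matched by one event (empty list if none)."""
    exe = ev.image.lower().rsplit("\\", 1)[-1]
    argv = ev.command_line.split()
    tags = []
    if exe in ("psexec.exe", "psexec64.exe"):
        tags.append("psexec_client")          # operator side
    if exe == "psexesvc.exe":
        tags.append("psexec_service")         # service PsExec drops on the target
    if (exe in ("net.exe", "net1.exe") and len(argv) >= 2
            and argv[1].lower() == "use" and ADMIN_SHARE.search(ev.command_line)):
        tags.append("net_use_admin_share")
    return tags


def triage(ev: ProcEvent) -> tuple[str, list[str]]:
    """Classify one event as 'none', 'info' (expected admin) or 'alert'."""
    tags = detect(ev)
    if not tags:
        return ("none", [])
    expected = ev.user.lower() in ADMIN_USERS and ev.computer.lower() in ADMIN_HOSTS
    return ("info" if expected else "alert", tags)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("IT-WS01", "CORP\\itadmin",
              r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS01 -s cmd.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("HR-WS07", "CORP\\alice",
              r"C:\Windows\System32\net.exe", r"net use \\FS01\C$ /user:CORP\svc_backup",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("FS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("HR-WS07", "CORP\\alice",
              r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]


def run(events: list[ProcEvent] = SAMPLE_EVENTS) -> list[tuple[str, str, list[str]]]:
    """Return (computer, verdict, tags) for every event that matched a rule."""
    out = []
    for ev in events:
        verdict, tags = triage(ev)
        if verdict != "none":
            out.append((ev.computer, verdict, tags))
    return out


if __name__ == "__main__":
    for computer, verdict, tags in run():
        print(f"{verdict.upper():5} {computer:8} {', '.join(tags)}")
```

The PsExec launch from the expected admin workstation is kept as an informational record, while the same class of activity from a daily-use account (CORP\alice on an HR workstation) and the PSEXESVC.exe service appearing on the file server are raised as alerts. That difference is the visibility that running day-to-day tasks as a non-administrator buys: the rule itself is short, and the real work in a deployment is keeping the baseline sets accurate as staff and workstations change.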

Constant vigilance is required to block malicious activity and protect your company from attempts to infiltrate its systems. The research published in the SANS Reading Room has prompted productive conversations about possible solutions for SMBs looking to bridge the gap between budget and security.