If you are an MSME and are looking at complying with the CERT-In directives on logs, then a sensor we’ve built for generating and storing logs of the entire network might just be what you are looking for.
All service providers, intermediaries, data centres, body corporate and Government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.
Challenges faced in incident response environments (MSME) with no logs
The idea of building a sensor stemmed from our experiences of incident response in environments with zero security posture.
The same sensor can capture network packets and generate logs per the CERT-In directives.
At the btNOG-9 Conference on the 14th October 2022, I’ll be presenting “Incident Response on a shoestring budget”.
In the presentation, I’ll share the challenges we faced in incident response environments with zero security posture, i.e. lacking logs, etc. The presentation will then focus on the solution – a sensor we built using open-source software such as Suricata and Zeek, logging DNS queries etc.
By deploying a sensor in the network, MSMEs can comply with the CERT-In directives and also facilitate incident responders to investigate security incidents.
Incident responders can leverage the rich logs by intercepting and ingesting packets into tools such as Zeek. If you are new to Zeek, check the blog post, Packets don’t lie – Threat Hunting with Zeek and the APNIC Academy page where a recording of the webinar will be available soon.
Thanks to the kind folks at APNIC for initiating the request and starting the email thread.
The gist of the presentation was about using Zeek to look for anomalies. Before jumping into Zeek, I introduced Network Security Monitoring. I spoke about conn.log and dns.log and used PCAPs from the Stratosphere IPS Project to demonstrate threat hunting with Zeek.
Zeek logs are a great source in the context of threat hunting and Incident Response.
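As an added illustration of the kind of anomaly hunt the webinar covered (this is example code written for this post, not material from the talk or from the Zeek project), the snippet below parses constructed conn.log and dns.log excerpts in Zeek’s TSV format and applies two simple hunts: clients with a high NXDOMAIN share in dns.log, and source/destination pairs in conn.log that connect at near-constant intervals. The thresholds and sample addresses are assumptions chosen for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek TSV excerpts (only the fields the hunts use are kept).
CONN_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1665700000.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1665700060.1\t10.0.0.5\t203.0.113.9\t443\ttcp
1665700119.9\t10.0.0.5\t203.0.113.9\t443\ttcp
1665700180.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1665700240.2\t10.0.0.5\t203.0.113.9\t443\ttcp
1665700003.0\t10.0.0.7\t198.51.100.20\t80\ttcp
1665700410.0\t10.0.0.7\t198.51.100.20\t80\ttcp
1665701203.0\t10.0.0.7\t198.51.100.20\t80\ttcp
"""
DNS_LOG = """#fields\tts\tid.orig_h\tquery\trcode_name
1665700000.5\t10.0.0.5\twww.example.com\tNOERROR
1665700001.5\t10.0.0.5\tq7x2p.example.net\tNXDOMAIN
1665700002.5\t10.0.0.5\tz9k1m.example.net\tNXDOMAIN
1665700003.5\t10.0.0.5\tb4n8t.example.net\tNXDOMAIN
1665700004.5\t10.0.0.7\twww.example.org\tNOERROR
"""

def parse_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def nxdomain_heavy_clients(dns_text, min_queries=3, min_ratio=0.5):
    """Clients whose share of NXDOMAIN answers is high (a cheap DGA-style tell)."""
    total, nx = defaultdict(int), defaultdict(int)
    for rec in parse_zeek_tsv(dns_text):
        total[rec["id.orig_h"]] += 1
        if rec["rcode_name"] == "NXDOMAIN":
            nx[rec["id.orig_h"]] += 1
    return sorted(h for h in total
                  if total[h] >= min_queries and nx[h] / total[h] >= min_ratio)

def beacon_candidates(conn_text, min_conns=5, max_jitter=0.1):
    """(orig, resp, port) pairs whose inter-connection gaps have low relative jitter."""
    times = defaultdict(list)
    for rec in parse_zeek_tsv(conn_text):
        times[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(float(rec["ts"]))
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return sorted(hits)
```

On real logs, point `parse_zeek_tsv` at the file contents (or `zeek-cut` output) and tune the thresholds to the network’s baseline before acting on a hit.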
A total of 203 folks had registered for the webinar, and around 55-60 attended. That’s been my experience with online webinars and workshops – many folks will register, but a small fraction attend.
While a one-hour webinar is a brief period to talk about all things Zeek, I hope the webinar gives a quick introduction to getting started.
But the most important thing was the interactive Q&A session at the end.
The webinar was recorded and should be available in a few days. I will update the blog post with a link to the recording and the slides.
Also, since I am on the topic of Zeek, ZeekWeek 2022 is an in-person event on October 12th – 14th in Austin, TX.
An excellent line-up of speakers, and the schedule is packed with goodness.
Measuring ping and DNS from different vantage points using RIPE Atlas has been something that I have been using for some time now. You can read about installing a RIPE Atlas software probe here.
A few weeks ago, I came across Shodan’s geoping and geodns API, which provides ping and DNS lookup from a few locations and other details such as RTT. This is great because you can quickly check ping and DNS resolution on systems where you only have curl running.
You always have the RIPE Atlas project for more detailed and sophisticated use-cases. To get started with the RIPE Atlas project, check the webinar I delivered some time ago for APNIC.