How to Craft Effective Prompts for Threat Detection and Log Analysis

 

Introduction

As cybersecurity professionals, log analysis is one of our most powerful tools in the fight against threats. By sifting through the vast troves of data generated by our systems, we can uncover the telltale signs of malicious activity. But with so much information to process, where do we even begin?

The key is to arm ourselves with well-crafted prompts that guide our investigations and help us zero in on the threats that matter most. In this post, we’ll explore three sample prompts you can use to supercharge your threat detection and log analysis efforts. So grab your magnifying glass, and let’s dive in!

Prompt 1: Detecting Unusual Login Activity

One common indicator of potential compromise is unusual login activity. Attackers frequently attempt to brute force their way into accounts or use stolen credentials. To spot this, try a prompt like:

Show me all failed login attempts from IP addresses that have not previously authenticated successfully to this system within the past 30 days. Include the source IP, account name, and timestamp.

This will bubble up login attempts coming from new and unfamiliar locations, which could represent an attacker trying to gain a foothold. You can further refine this by looking for excessive failed attempts to a single account or many failed attempts across numerous accounts from the same IP.

Prompt 2: Identifying Suspicious Process Execution

Attackers will often attempt to run malicious tools or scripts after compromising a system. You can find evidence of this by analyzing process execution logs with a prompt such as:

Show me all processes launched from temporary directories or user profile AppData directories. Include the process name, associated username, full command line, and timestamp.

Legitimate programs rarely run from these locations, so this can quickly spotlight suspicious activity. Pay special attention to scripting engines like PowerShell or command line utilities like PsExec being launched from unusual paths. Examine the full command line to understand what the process was attempting to do.

Prompt 3: Spotting Anomalous Network Traffic

Compromised systems frequently communicate with external command and control (C2) servers to receive instructions or exfiltrate data. To detect this, try running the following prompt against network connection logs:

Show me all outbound network connections to IP addresses outside of our organization’s controlled address space. Exclude known good IPs like software update servers. Include source and destination IPs, destination port, connection duration, and total bytes transferred.

Look for long-duration connections or large data transfers to previously unseen IP addresses, especially on non-standard ports. Correlating this with the associated process can help determine if the traffic is malicious or benign.

Conclusion

Effective prompts like these are the key to unlocking the full potential of your log data for threat detection. You can quickly identify the needle in the haystack by thoughtfully constructing queries that target common attack behaviors.

But this is just the beginning. As you dig into your findings, let each answer guide you to the next question. Pivot from one data point to the next to paint a complete picture and scope the full extent of any potential compromise.

Mastering the art of prompt crafting takes practice, but the effort pays dividends. Over time, you’ll develop a robust library of questions that can be reused and adapted to fit evolving needs. So stay curious, keep honing your skills, and happy hunting!

More Help?

Ready to take your threat detection and log analysis skills to the next level? The experts at MicroSolved are here to help. With decades of experience on the front lines of cybersecurity, we can work with you to develop custom prompts tailored to your unique environment and risk profile. We’ll also show you how to integrate these prompts into a comprehensive threat-hunting program that proactively identifies and mitigates risks before they impact your business. Be sure to start asking the right questions before an attack succeeds. Contact us today at info@microsolved.com to schedule a consultation and build your defenses for tomorrow’s threats.

 

* AI tools were used as a research assistant for this content.

 

3 Quick Thoughts for Small Utilities and Co-Ops

Recently I was asked to help some very small utilities and co-ops come up with some low cost/free ideas around detection. The group was very nice about explaining their issues, and here is a quick summary of some of the ideas we discussed.

1) Dump external router, firewall, AD and any remote access logs weekly to text and use simple parsers in python/perl or shell script to identify any high risk issues. Sure, this isn’t the same as having robust log monitoring tools (which none of these folks had), but even if you detect something really awful a week after it happens, you will still be ahead of the average curve of attackers having access for a month or more. You can build your scripts using some basis analytics, they will get better over time, and here are some ideas to get you started. You don’t need a lot of money to quickly handle dumped logs. Do the basics and improve.

2) Take advantage of cheap hardware, like the Raspberry Pi for easy to learn/use Linux boxes for scripting, log parsing or setting up cron jobs to automate tasks. For less than 50 bucks, you can have a powerful machine to do a lot of work for you and serve as a monitoring platform for a variety of tools. The group was all tied up in getting budget to buy server and workstation hardware – but had never taken the Pi seriously as a work platform. It’s mature enough to do a lot of non-mission critical (and some very important) work. It’s fantastic if you’re looking for a quick and dirty way to gain some Linux capabilities in confined Windows world.

3) One of the best bang for the buck services we have at MSI is device configuration reviews. For significantly less money than a penetration test, we can review your external routers, firewall and VPN for configuration issues, improper rules/ACLs and insecure settings. If you combine this with an exercise like attack surface mapping and threat modeling, you can get a significant amount of insight without resorting to (and paying for) vulnerability assessments and penetration testing. Sure, the data might not be as granular, and we still have to do some level of port scanning and service ID, but we have a variety of safe ways to do that work – and you get some great information. You can then make risk-based decisions about the data and decide what you want to act on and pay attention to. If your budget is tight – get in touch and discuss this approach with us.

I love to talk with utilities and especially smaller organizations that want to do the right thing, but might face budget constraints. If they’re willing to have an open, honest conversation, I am more than willing to get creative and engage to help them solve problems within their needs. We’d rather get creative and solve an issue to protect the infrastructure than have them get compromised by threat actors looking to do harm.

If you want to discuss this or any security or risk management issue, get in touch here.  

3 Things You Should Be Reading About

Just a quick post today to point to 3 things infosec pros should be watching from the last few days. While there will be a lot of news coming out of Derbycon, keep your eyes on these issues too:

1. Chinese PLA Hacking Unit with a SE Asia Focus Emerges – This is an excellent article about a new focused hacking unit that has emerged from shared threat intelligence. 

2. Free Tool to Hunt Down SYNful Knock – If you aren’t aware of the issues in Cisco Routers, check out the SYNful Knock details here. This has already been widely observed in the wild.

3. Microsoft Revokes Leaked D-Link Certs – This is what happens when certificates get leaked into the public. Very dangerous situation, since it could allow signing of malicious code/firmware, etc.

Happy reading! 

ATM Attacks are WEIRD

So this week, while doing some TigerTrax research for a client, I ran into something that was “new to me”, but apparently is old hat for the folks focused on ATM security. The attacks against ATMs run from the comical, like when would-be thieves leave behind cell phones, license plates or get knocked out by their own sledge hammers during their capers to the extremely violent – attacks with explosives, firearms and dangerous chemicals. But, this week, my attention caught on an attack called “Plofkraak”. 

In this attack, which is apparently spreading around the world from its birth in Eastern Europe, an ATM is injected with high levels of flammable gas. The attackers basically tape up all of the areas where the gas could easily leak out, and then fill the empty spaces inside the ATM with a common flammable gas. Once the injection is completed, the gas is fired by the attacker, causing an explosion that emanates from INSIDE the ATM.

The force of the explosion tears the ATM apart, and if the attackers are lucky, cracks open the safe that holds the money, allowing them to make off with the cash and deposits. Not all attackers are lucky though, and some get injured in the blast, fail to open the safe and even torch the money they were seeking. However, the attack is cheap, fast, and if the ATM doesn’t have adequate safeguards, effective.

The collateral damage from an attack of this type can be pretty dangerous. Fires, other explosions and structural damages have been linked to the attack. Here is an example of what one instance looked like upon discovery. 

Some ATM vendors have developed counter measures for the attack, including gas sensors/neutralizing chemical systems, additional controls to prevent injection into the core of the machine, hardening techniques for the safe against explosions and other tricks of the trade. However, given the age of ATM machines in the field and their widespread international deployment, it is obvious that a number of vulnerable systems are likely to be available for the criminals to exploit.

While this is a weird and interesting technique, it did give me some reminders about just how creative and ambitious criminals can be. Even extending that into Information Security, it never ceases to amaze me how creative people will get to steal. Spend some time today thinking about that. What areas of your organization might be vulnerable to novel attacks? Where are the areas that a single failure of a security control could cause immense harm? Make a note of those, and include them in your next risk assessment, pen-test or threat modeling exercise.

Don’t forget, that just like the inventors of Plofkraa”, attackers around the world are working on the odd, novel and unexpected attack vector. Vigilance is a necessary skill, and one we need more of, in infosec. As always, thanks for reading, and stay safe out there! 

MSI Launches New Threat Modeling Offering & Process

Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.

Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.

Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!

Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.

Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!

We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:

Threat Modeling Slides

Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.