Learn how to detect, investigate, and remediate cybersecurity threats in real-time.
Panther is an open-source, cloud-native platform for security information and event management (SIEM). In this post, well discuss its platform architecture and walk through a typical attacker scenario to demonstrate how Panther can be used to detect and remediate threats in real-time.
Architecture
Panther is a Cloud-Native SIEM that leverages a Serverless architecture and is built fully on top of cloud-native services offered by AWS such as Lambda, ECS, DynamoDB, S3, Cognito, and more.
How Panthers Cloud-Native SIEM Works
At a high level:
Panther receives security logs from clouds, networks, endpoints, and more
Panther also baseline scans cloud infrastructure to understand the state of your world
All of this data is received, parsed, analyzed, and saved to the data warehouse
Alerts are generated and dispatched to your team
Optional remediations are applied to misconfigured infrastructure
Panthers design provides a holistic approach to SIEM, where logs are contextually joined with standardized fields, and infrastructure context can be gained by looking up cloud resource attributes in a single pane.
Example Use Case
To better understand how Panthers Cloud-Native SIEM can be helpful, lets walk through a typical attacker scenario:
SSH credentials are stolen providing access into a production machine. Once the attacker connects to the host, they begin to enumerate access and establish their foothold.
How can we detect, investigate, and remediate these behaviors?
Step 1: Preparation
The first step is to collect the proper data to power detections. In most cloud-focused organizations, this involves a combination of logs across various layers:
Cloud: AWS CloudTrail, S3 Access, GuardDuty
Network: VPC Flow, Switches/Firewalls, NIDS
Endpoint: Osquery, Syslog, Auditd, CrowdStrike
Application: SSO, Productivity Tools, Sales Applications
For this exercise, lets assume we are collecting logs from AWS CloudTrail, VPC Flow, and Osquery.
To find the suspicious login, well write a rule that analyzes osquery data from the logged_in_users table:
The above information provides context about how users are logging into our systems. Using the osquery aws_firehose logger plugin, these results can be sent to S3 and analyzed by Panther.
In the example rule below, lets ensure users are only logging in from centralized egress points, such as offices or VPNs:
Panther rules contain metadata to assist with triage, such as severity, log types, unit tests, runbooks, and more. This rule can be written directly in the Panther UI or uploaded programmatically with a CLI.
Step 2: Detect
After our rules are uploaded, Panther will start analyzing new logs in real time.
When the following suspicious login activity occurs:
Well see the following messages in Slack (or via any other supported Alert Destination):
Following the link in the alert to the Panther UI, we can now begin reviewing context and event details for the notification:
From this alert, we know:
Time of the first event (2020-03-14 00:47:47)
The IP the attacker used to connect (136.24.229.194)
The host that was logged into (ip-172-31-84-73)
This is the starting point for our investigation. Using Panthers standardized data fields, we can begin to pivot through all of our data to answer additional questions.
Lets dive deeper.
Step 3: Investigate
After Panther parses and analyzes logs, it stores them in a data warehouse for long-term storage. During this process, common indicators (IPs, domains, etc) are extracted to allow for fast queries and quick searches across the log corpus.
In the Panther database (at the time of writing: Athena or Snowflake), we can use SQL to query all related logs to this IP:
From here, we can find all possible instance IDs connected to the timeframe:
We can then look at this instance in Panthers resource search, which provides all attributes and associated policy successes and failures that could indicate security vulnerabilities.
Looking into the attributes, we find the following:
With this public IP, we can query CloudTrail to find related API calls from this host:
And the commands run with osquery containing the private DNS name of ip-172-31-84-73:
Step 4: Remediate and Post-Incident
Now that weve answered all of our investigation questions, its safe to terminate the instance, rotate credentials, and fix ACLs related to the root cause. Panther makes this easy by also offering auto remediation capabilities.
Navigating to the associated security-group for the instance will show the following policies:
As illustrated above, Panther detected an ACL failure, which had not been fixed, and was one of the causes of the compromise. Simply clicking REMEDIATE will correct the resource in the affected account. This functionality is generally used during incident response for containment.
Finally, your team can update and push new rules and policies to prevent this from happening again. Your infrastructure will be hardened, and the monitoring cycle will restart.
Recap
In this scenario, we established how Panther can be used to:
Detect attacks in real-time
Alert the security team about a potential incident
Investigate activity across all collected log data
Improve and inspect cloud security posture
Run Panthers Cloud-Native SIEM!
Panther is open source, enterprise-ready, and ships with support for:
All AWS logs such as CloudTrail, VPC Flow, S3 Access, GuardDuty, ALB
Logs from popular open source security tools like Osquery, Suricata, OSSEC
150+ Built-in detections based on CIS and security best practices
Fast queries across your data warehouse to power investigations
Real-time AWS configuration monitoring
Alerting support for Slack, PagerDuty, MS Teams, and more
Follow our quick start guide to run Panther today.
