conf2015 SAMI final 150908 - SplunkConf
Slide 1: SAMI - Splunk Assessment of Mitigation Implementations
Copyright © 2015 Splunk Inc.
NSA Information Assurance Directorate Cyber Defense R&T Team
Slide 2: Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Slide 3: Agenda
• IAD Top 10 Mitigations
• SAMI – Using Splunk to measure mitigations
• Network vulnerability scoring
Slide 4: National Security Agency Information Assurance Directorate
"Confidence in Cyberspace" – "Protect Information – Outmaneuver Cyber Adversaries"
Enable informed risk decisions through analysis and fusion of cyber battlespace awareness, threat, technology vulnerabilities, and deployed mitigations.
Cyber Defense Research & Technology – Focus on assessing and prioritizing mitigation
Slide 5: Network Compromise (diagram)
Diagram of an attack progression across an enterprise (Domain, AD root domain, Domain Controllers), in the order shown:
1 - Initial Access (Get in)
2 - Expand Access (Stay in)
3 - Obtain Domain Admin credentials
4 - Obtain Enterprise Admin credentials
5 - Other Enterprise domains
6 - Data Exfiltration, Damage (Act)
Slide 6: Drive Down Adversary's Impact (chart)
Chart with Time on the horizontal axis (0 day, 1 day, 1 week, 2 weeks, 1 month, 2 months, 6 months) and Impact/Depth of Access on the vertical axis (None, Workstation, All Workstations, Critical IP Accounts, Domain Root, Enterprise Root, Ownership of the Enterprise).
Slide 7: Drive Down Adversary's Impact (chart, annotated)
The same Time vs. Impact/Depth of Access chart, annotated with the defensive outcomes: "Prevent ability to maintain access – minimize impact"; "Detected, access eliminated"; "Held to workstation access/user privileges"; "Held at domain level".
Slide 8: Network Compromise (diagram, with blocks)
The Slide 5 attack-progression diagram (steps 1 to 6) with ✗ marks overlaid on the attack steps.
Slide 9: IAD Mitigation Goals
The Slide 5 attack-progression diagram with ✗ marks, labelled with the IAD mitigation goals: Device Integrity, Defense of Accounts, Secure and Available Transport, Damage Containment.
Slide 10: IAD Top 10 Mitigations
1) Application Whitelisting – A proactive security technique that allows a limited set of approved programs to run.
2) Control Administrative Privileges – Network owners should only grant Administrator privileges when absolutely necessary and should take steps to ensure Administrator accounts are not exposed to the Internet and other sources of increased risk.
3) Limit Workstation-to-Workstation Communication – One scalable and highly effective mitigation involves limiting workstation-to-workstation communication, thereby thwarting an attacker's ability to leverage PtH (pass-the-hash) to move laterally within the network.
4) Use Anti-Virus File Reputation Services – Most of today's host security products augment their product's core host controls with intelligence from cloud-hosted threat databases.
5) Enable Anti-Exploitation Features – Many operating systems and applications have advanced anti-exploitation and sandboxing features that should be harnessed to defend against common attacks.
Slide 11: IAD Top 10 Mitigations (continued)
6) Implement Host Intrusion Prevention System (HIPS) rules – For an enterprise with a well configured and managed network, HIPS can be tuned to learn and allow normal network functionality while flagging anomalies characteristic of intrusions.
7) Set a Secure Baseline Configuration – This includes generation of standard images which provide approved and secured application and operating system configurations with layered security containing best practice mitigation strategies to counter cyber threats.
8) Use Web Domain Name System (DNS) Reputation – Enterprises can protect their hosts by screening web accesses against such services and redirecting dangerous web requests to a warning page.
9) Take Advantage of Software Improvements – Operating systems and application software routinely have security upgrades through new versions and intermediate patches.
10) Segregate Networks and Functions – Plan for the possibility of a successful intrusion and design the network architecture and management procedures to separate segments based on role and functionality.
Slide 12: IAD Top 10 Mitigations
Detailed information available at https://www.nsa.gov/ia/mitigation_guidance
Slide 13: SAMI
Slide 14: SAMI – Splunk Assessment of Mitigation Implementations
• SAMI – An app built to assess IAD Top 10 Mitigations
  – Audit and track implementation and effectiveness
  – You can apply techniques to build your own
• Experience has shown mitigations aren't always implemented consistently or correctly.
Slide 15: SAMI
• Goals
• Approach
• Architecture
• Initial 7 metrics with examples
Slide 16: SAMI Goals
• Evaluate implementation of mitigations using machine data
• Track progress deploying mitigations
• Track and report security posture
• Identify configuration drift
• Identify specific actions to improve security posture
Slide 17: SAMI Approach
• Identify desired mitigation behaviors
• Determine whether to test specific configurations or behaviors
• Identify critical settings or behaviors to measure
• Identify required data objects and conditions
• Determine efficient collection method – Native Splunk capabilities or custom scripts
• Build searches to interpret the data
• Prioritize results
Slide 18: Mitigation Evaluation
A mitigation is evaluated on whether it is:
• Supported by hardware and OS
• Installed
• Updated
• Turned on
• Configured
• Demonstrating expected behavior
Slide 19: SAMI Architecture
• Target Windows endpoints only
• Some checks assume a specific solution
• Splunk Universal Forwarders on all endpoints
• Deployment server – TA-SAMI app includes scripts and inputs.conf to guide collection
• Indexer/Search head
Slide 20: Collection & Analysis
• Regmon, WMI, WinHostMon
• Custom scripts – CPUID – PE Header – DNS query – Port scan – LDAP query
• Evaluation of collected values encoded in Splunk search
• Criteria evaluated and saved to summary indexes as conditions and penalties
Slide 21: Attack Lifecycle, Mitigation Goals and SAMI Metrics
Attack lifecycle: recon, exploit, establish persistence, install tools, move laterally, collect/exfil/destroy.
Mitigation goals: Device Integrity, Defense of Accounts, Damage Containment, Secure and Available Transport.
SAMI metrics:
• Anti-Exploitation Features
• Host Intrusion Prevention System
• Application Whitelisting
• Modern Operating System
• Anti-Virus File Reputation Services
• Workstation-to-Workstation Communications
• Control Admin Privileges
Slide 22: Anti-Exploitation Features (5) – Device Integrity
• Provides protection against exploits in a broad, generic manner – May mitigate zero-day attacks
• Microsoft Enhanced Mitigation Experience Toolkit (EMET)
  – DEP – Data Execution Prevention
  – ASLR – Address Space Layout Randomization
  – SEHOP – Structured Exception Handler Overwrite Protection
  – Kernel Null Page
• Other key features – Certificate Padding – Secure Search Path
• Some settings per app; 50 common executables of main interest – Office, 7-Zip, IE, Adobe Reader, Skype, etc.
• Collection: Registry keys, WMI, CPUID, PE Header, custom script
Slide 23: Anti-Exploitation - DEP
• Data Execution Prevention – Helps prevent exploits that execute code in data memory (e.g., buffer overflow)
• Some features dependent on hardware and OS
• Better to check settings configured by EMET rather than EMET policy itself
Slide 24: Anti-Exploitation - DEP (checks)
• OS supports DEP
  – HW supports DEP
• DEP enabled (x32, x32 on x64)
  – DEP configured appropriately (x32, x32 on x64)
  – DEP not overridden for installed software
  – Installed software not opted in for DEP | opted out for DEP
Slide 25: Installed Software Not Opted In for DEP
• An application of interest (archive apps, browsers, communication app, document viewers/editors, media viewers/players, Java, etc.) is not opted in for DEP
  – Check configuration for every app
  – Config of last resort – DEP should really be "always on" or "opt out"
• Only 32-bit software (DEP applies to 64-bit software by default)
• Policy not overridden (for all or per software)
Slide 26: SW Not Opted In for DEP (data sources)
• Mitigation options from registry – HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions
• DEP Policy from registry – HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions
• List of SW of interest from script – Recursive search for specific EXEs (e.g., iexplore.exe, AcroRd32.exe)
• SW details (bits, nxcompat) from script – Custom script to inspect PE Header – IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
• SW details (mitigation options, execute options) from registry
  – HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\MitigationOptions
  – HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\executeOptions
Slide 27: Anti-Exploitation Collection
• SAMI currently uses a custom exe to collect all data – A variety of objects are checked
inputs.conf:
[script://$SPLUNK_HOME\etc\apps\sami\bin\ae.bat]
disabled = false
interval = 86400
index = sami_script

[monitor://C:\Windows\System32\ae.txt]
index = sami_script
sourcetype = samiAE
Slide 28: Anti-Exploitation Collection (methods)
Sample collected output (truncated on the slide):
pae: YES depPolicy: OptIn ableToMapNullPage: No hotFix: KB2893294 app_path="C:\Program Files\Internet Ex… nxcompat: YES ...
• CPUID – EAX=1 (EDX bit 6, the PAE flag)
• WMI – select * from Win32_QuickFixEngineering
• Test effect – DWORD *pNullPage = NULL;
• PE Header – IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
• Registry – HKLM\SYSTEM\CCS\Control\SystemStartOptions
Slide 29: App Not Opted In for DEP
• Find all 32-bit applications with data
• Determine the app mitigation options policy (0x3 & mitigationOptions)
  – Extract value from hex
  – Use "mod 4" since there is no bitwise "and"
  – Fill missing values; evaluate only apps where the result = 0
• Evaluate only if system DEP policy is "OptIn"
• Apply logic – app passes if nxcompat=YES or executeOptions=0
• Check policy override not set – (System mitigation options & 4) >> 2
  – Use ÷4, mod 2 since there is no bitwise "and" or bit shift
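The evaluation logic of this slide carried through in Python as an added example (not the SAMI app's own search), over constructed per-host records; the record layout, the hex-string encoding of the registry values and the penalty value are assumptions, and the bit meanings follow the slide only.

```python
"""Added example (not the SAMI app's own search): the 'App Not Opted In for DEP'
evaluation from the slide, applied to constructed per-host records.

Assumptions: records are dicts standing in for the collected registry/script values
(depPolicy, system MitigationOptions as a hex string, and per-app bits, nxcompat,
executeOptions, MitigationOptions); bit meanings follow the slide only; the penalty
value is constructed.
"""
from typing import Optional


def hex_to_int(value: Optional[str], default: int = 0) -> int:
    """Extract the value from hex; a missing value is filled with `default`."""
    if value is None or value == "":
        return default
    return int(str(value), 16)


def dep_setting_bits(mitigation_options: int) -> int:
    """(mitigationOptions & 0x3) written as 'mod 4', the way the SPL search must do it."""
    return mitigation_options % 4


def override_bit(system_mitigation_options: int) -> int:
    """(systemMitigationOptions & 4) >> 2 written as 'divide by 4, mod 2'."""
    return (system_mitigation_options // 4) % 2


def evaluate_dep_opt_in(record: dict, penalty: float = 0.9) -> list:
    """Return one finding per 32-bit app of interest that is not opted in for DEP."""
    findings = []
    # Evaluate only if the system DEP policy is OptIn ...
    if record["depPolicy"] != "OptIn":
        return findings
    # ... and the system mitigation options do not override that policy.
    if override_bit(hex_to_int(record.get("sysMitigationOptions"))) == 1:
        return findings
    for app in record["apps"]:
        # Only 32-bit software: DEP applies to 64-bit software by default.
        if app["bits"] != 32:
            continue
        # The slide evaluates only apps whose own DEP bits are 0; others are skipped here.
        if dep_setting_bits(hex_to_int(app.get("mitigationOptions"))) != 0:
            continue
        passes = app.get("nxcompat") == "YES" or app.get("executeOptions") == 0
        if not passes:
            findings.append({"host": record["host"], "app": app["name"],
                             "finding": "installed software not opted in for DEP",
                             "penalty": penalty})
    return findings


def evaluate_all(records: list) -> list:
    """Flatten findings across all hosts (the per-host rows a search would emit)."""
    return [f for record in records for f in evaluate_dep_opt_in(record)]


# Constructed sample records, not real SAMI collection output.
HOSTS = [
    {"host": "WS-0001", "depPolicy": "OptIn", "sysMitigationOptions": "0x0", "apps": [
        {"name": "iexplore.exe", "bits": 32, "nxcompat": "YES"},                # passes: NX_COMPAT set
        {"name": "AcroRd32.exe", "bits": 32, "nxcompat": "NO"},                 # finding
        {"name": "7z.exe", "bits": 32, "nxcompat": "NO", "executeOptions": 0},  # passes: executeOptions=0
        {"name": "skype.exe", "bits": 32, "nxcompat": "NO",
         "mitigationOptions": "0x1"},                                           # own DEP bits != 0, skipped
        {"name": "winword.exe", "bits": 64, "nxcompat": "NO"},                  # 64-bit, skipped
    ]},
    {"host": "WS-0002", "depPolicy": "OptOut", "sysMitigationOptions": "0x0", "apps": [
        {"name": "AcroRd32.exe", "bits": 32, "nxcompat": "NO"},                 # policy is OptOut: not evaluated
    ]},
    {"host": "WS-0003", "depPolicy": "OptIn", "sysMitigationOptions": "0x4", "apps": [
        {"name": "AcroRd32.exe", "bits": 32, "nxcompat": "NO"},                 # override bit set: not evaluated
    ]},
]

if __name__ == "__main__":
    for finding in evaluate_all(HOSTS):
        print(finding)
```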
Slide 30: Actionable Results
• Opt in the application in question
• Upgrade app for DEP
• Override policy – Set system mitigation options
• Alternatives – Change DEP policy – Uninstall application
Slide 31: Host Intrusion Prevention System (6) – Device Integrity
• Proactive mitigation to identify and block suspicious activity – Doesn't include host firewall or registry monitor configurations
• Collection: Regmon, WMI (or WinHostMon://Services); McAfee only
Slide 32: Host Intrusion Prevention System (6) – checks
• Current version of HIPS is installed
• HIPS Service is running
• HIPS Service starts by default
• HIPS Content is current
• HIPS is enabled and in enforcement (not audit) mode
• Reaction mode is set to prevent for high and medium severity events; log for low severity events
Slide 33: Application Whitelisting (1) – Device Integrity
• Blocks most current malware
• Prevents use of unauthorized applications
• Does not require daily definition updates
• Requires standardized process for administrator installation and approval of new applications
• Path-based AW avoids problem of identifying every program
Slide 34: Application Whitelisting (1) – Device Integrity
• Desired effect – prevent unauthorized software execution
• Testing settings vs. testing behavior (method vs. effect) – Specific products limit applicability – Permissions problem with testing behavior
• Focus – SRP, AppLocker – Path-based whitelisting
Slide 35: Application Whitelisting - SRP – Device Integrity
• Configured for whitelisting mode
• Policy applies to users and administrators
• Policy applies to EXEs and DLLs
• Default executable types exist
• Required path-based whitelisting rules exist
• Required path-based blacklisting rules exist
• No unenforced rules (audit or inert)
Slide 36: SRP Required Blacklisted Paths
• Blacklist paths included in required whitelist paths – These are writeable by more Windows groups (users, auth users, everyone) – Non-admins should not execute from these paths
• %SystemRoot%\Debug, %SystemRoot%\Temp, %SystemRoot%\System32\Tasks … (16 total) [1]
[1] https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
Slide 37: SRP Required Blacklisted Paths (collection)
• SRP configured in local or group policy
• Blacklist paths stored in the registry
inputs.conf:
[WinRegMon://SRPBlacklisted]
baseline = 1
baseline_interval = 86400
disabled = 0
proc = .*
hive = \\REGISTRY\\MACHINE\\software\\policies\\microsoft\\windows\\safer\\codeidentifiers\\0\\.*\\itemdata*
index = regmon
type = set|create|open|delete
Slide 38: Regmon
• Baseline collected only on splunkd restart when last collection time is more than baseline_interval in the past
• Baseline timestamp is time of last key mod, NOT time of collection – Will see identical (including time) events
• key_path prefix – REGISTRY\MACHINE (baseline) – HKLM (set|create|open|delete)
• No regex, no subnodes or values
• Collect only what you need to limit license impact
Slide 39: SRP Required Blacklisted Paths (find the absence of something)
• Get a list of current hosts
• For each host, make a list of expected blacklist paths
• From the registry, get a list of all blacklisted paths – join this list by host and path to get a distinct list of paths by host
• Entries not found in the registry will have null key paths
• Null paths => required path that doesn't exist => penalty

Host    Required Path       Registry Path
ABCDEF  %SystemRoot%\Debug  %hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%\debug
ZYXWVU  %SystemRoot%\Debug  0
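The "find the absence of something" join of this slide as an added Python example (not the SAMI app's own search), over constructed hosts and registry values; it assumes the three required paths shown on Slide 36 (of 16), that SRP stores each path in the registry-path form of the sample row above (so %SystemRoot% becomes %hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%, compared case-insensitively), and a constructed penalty value.

```python
"""Added example (not the SAMI app's own search): the 'find the absence of something'
join from the slide, over constructed hosts and collected regmon ItemData values.
"""

# Three of the 16 required blacklist paths (from Slide 36).
REQUIRED_BLACKLIST_PATHS = [
    r"%SystemRoot%\Debug",
    r"%SystemRoot%\Temp",
    r"%SystemRoot%\System32\Tasks",
]

# Environment-variable prefix -> registry-path form, following the slide's sample row.
REGISTRY_FORM = {
    "%systemroot%": r"%hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%",
}

# Constructed: the current host list, and the blacklist ItemData values collected per host.
CURRENT_HOSTS = ["ABCDEF", "ZYXWVU", "QRSTUV"]
COLLECTED_ITEMDATA = {
    "ABCDEF": [
        r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Debug",
        r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp",
        r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\Tasks",
        r"C:\Users\Public\Downloads",  # extra, non-required entries are simply ignored
    ],
    "ZYXWVU": [
        r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\Temp",
    ],
    # QRSTUV has a forwarder but no SRP blacklist data at all.
}


def to_registry_form(required_path: str) -> str:
    """Rewrite %SystemRoot%\... into the lower-cased registry-path form SRP stores."""
    lower = required_path.lower()
    for env_prefix, reg_prefix in REGISTRY_FORM.items():
        if lower.startswith(env_prefix):
            return reg_prefix + lower[len(env_prefix):]
    return lower


def expected_rows(hosts: list, required_paths: list) -> list:
    """For each host, one row per expected path: the left side of the join."""
    return [(host, path) for host in hosts for path in required_paths]


def join_with_registry(hosts: list, required_paths: list, collected: dict,
                       penalty: float = 0.95) -> list:
    """Join expected (host, path) rows to what the registry reported for that host.
    A path with no registry match gets registry_path None and carries the penalty."""
    rows = []
    for host, required in expected_rows(hosts, required_paths):
        present = {p.lower() for p in collected.get(host, [])}
        registry_path = to_registry_form(required)
        found = registry_path in present
        rows.append({
            "host": host,
            "required_path": required,
            "registry_path": registry_path if found else None,
            "penalty": 1.0 if found else penalty,
        })
    return rows


def findings(rows: list) -> list:
    """Null registry path => required path that doesn't exist => penalty."""
    return [r for r in rows if r["registry_path"] is None]


if __name__ == "__main__":
    for row in findings(join_with_registry(CURRENT_HOSTS, REQUIRED_BLACKLIST_PATHS,
                                           COLLECTED_ITEMDATA)):
        print(row["host"], row["required_path"], row["penalty"])
```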
Slide 40: Actionable Results
• Searches result in a list of hostname, finding, and penalty
• Penalties help prioritize fixes for each host
• Findings each have specific fixes
• SRP required blacklist paths fix - add required paths
Slide 41: Modern OS – Take advantage of software improvements (9) – Device Integrity
• Are hosts running the latest OS? – New versions incorporate new security features
• High impact, high cost, infrequent change
• OS version and service pack evaluated with registry keys
• OS/architecture/role data used as a lookup for other metrics (|outputlookup) – Defines which hosts should be evaluated
• Doesn't include checking patches or applications
Slide 42: Anti-Virus File Reputation Services (4) – Device Integrity
• AV Cloud Lookup to leverage large catalog of file reputations – More timely and more complete coverage
• Requires configuration checks and connectivity checks
• Collection: Regmon, custom script (DNS query)
• SAMI implements checks for McAfee only
Slide 43: Anti-Virus File Reputation Services (4) – checks
• Server reachable
• Cloud lookup enabled
• Sensitivity high – Desktop protection, email scanner, on delivery, on access
• DAT current
• AV engine current
• VSE (VirusScan Enterprise) current
• Service installed
• Service running
• Service automatic
Slide 44: Workstation-to-Workstation Communications (3) – Damage Containment, Secure and Available Transport
• Limits attackers' freedom of movement via techniques such as PtH and credential reuse – Aids detection of malicious activity
• Collection: custom script (port scan neighbors) – Large-scale port scanning, requires a target list; scans only three ports
• W-to-W connections should fail
Slide 45: Control Admin Privileges (2) – Defense of Accounts, Damage Containment
• Domain admin privileges should only be used on limited systems to prevent exposure
• Collection: custom script (list domain admins, check logs for logons)
• Should not find domain admin logons on workstations
Slide 46: SAMI app
• Endpoint custom scripts run daily, results indexed
• Regmon, WinHostMon running and indexing
• Searches to analyze data and assign penalties run daily -> summary index
• Daily summary data -> summary index
• Views computed off summary indexes
Slides 47 to 49: (sample data screenshots of the SAMI app views)
Slide 50: Network Vulnerability Scoring
Slide 51: Network Vulnerability Scoring
• SAMI evaluates mitigation configurations for each host
• Turn evaluation findings into prioritized actionable instructions – Use data to drive desired behavior
• Report security posture
• Provide network owners comparison with peers
• DoD, DHS, others have existing automated scoring systems for prioritizing patching and configuration – Expand to include all mitigations data
Slide 52: Automated Scoring
• Existing systems have lists of requirements to check – Each requirement has a normalized weight – Checks per host aggregated by network and owning organization
• Average scores per host graded on a curve – Organizations see where they rank among peers
• Raw scores used to identify prioritized tasks to improve
Slide 53: Automated Scoring with SAMI
• Normalize weights across mitigations
• Normalize weights with existing compliance-oriented checks
• Identify areas where mitigations replace existing compliance checks in part or in full
• Balance scores across mitigation goals / attack lifecycle – Success in any one category alone does not make a secure network
Slide 54: SAMI Summary
• SAMI provides health and status rather than incident detection
• SAMI app will be available soon – Detailed documentation of the business logic and source code for existing scripts will be included – Everything will be open source
• Mitigations for the four mitigation goals are a useful part of measuring network health; build additional measures to evaluate your own status
SAMI Lessons Learned (Bonus)
Verify host data is current – Identify missing hosts (forwarders but no recent data) – Fixing the data stream is a top priority
SUF auditing – Use other data sources to make sure all hosts have SUFs
Summary indexing – Especially useful for data that doesn't change often and can be slow to search
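The first two lessons above (verify host data is current; use other data sources to confirm every host has a universal forwarder) as one added example. It is not SAMI's code: it reconciles three constructed views of the fleet, an independent inventory, forwarder check-in times and the latest event per host, and labels each host so data-stream faults are fixed before anything is scored. The host names, timestamps and the 24-hour freshness window are assumptions.

```python
"""Added example: reconcile an asset inventory with forwarder check-ins and the
data Splunk actually received, surfacing hosts that must be fixed before they
are scored. Not SAMI's code; all inputs are constructed, timestamps are UTC."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2015, 9, 8, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample
STALE_AFTER = timedelta(hours=24)                          # assumed freshness window

# Constructed: hosts according to an independent source (AD computer objects, CMDB export)
INVENTORY = {"ws01", "ws02", "ws03", "srv01", "srv02"}

# Constructed: last check-in of each universal forwarder (e.g. from the
# deployment server or the forwarder management view)
FORWARDER_LAST_SEEN = {
    "ws01":  NOW - timedelta(minutes=5),
    "ws02":  NOW - timedelta(minutes=10),
    "srv01": NOW - timedelta(days=3),
    "srv02": NOW - timedelta(minutes=2),
}

# Constructed: latest mitigation event per host as Splunk sees it (e.g. recentTime
# from `| metadata type=hosts index=<sami index>`, or `| stats max(_time) by host`)
DATA_LAST_EVENT = {
    "ws01":  NOW - timedelta(minutes=30),
    "ws02":  NOW - timedelta(days=2),
    "srv02": NOW - timedelta(hours=1),
    "lab07": NOW - timedelta(minutes=5),    # sends data but is not in the inventory
}


def classify_hosts(inventory, fwd_seen, data_seen, now=NOW, stale_after=STALE_AFTER):
    """Return {host: status} with one of:
    no_forwarder    inventoried host never registered a forwarder (SUF audit gap)
    forwarder_down  forwarder registered but has not checked in within stale_after
    no_recent_data  forwarder is alive yet no fresh mitigation data arrived
    ok              fresh data present, safe to score
    unmanaged       runs a forwarder or sends data but is missing from the inventory
    """
    status = {}
    for host in inventory:
        if host not in fwd_seen:
            status[host] = "no_forwarder"
        elif now - fwd_seen[host] > stale_after:
            status[host] = "forwarder_down"
        elif host not in data_seen or now - data_seen[host] > stale_after:
            status[host] = "no_recent_data"
        else:
            status[host] = "ok"
    for host in set(fwd_seen) | set(data_seen):
        if host not in inventory:
            status[host] = "unmanaged"
    return status


def scoring_population(status):
    """Hosts whose evaluation results are current; everything else is a
    data-stream fault to report and fix first, not a mitigation finding."""
    return sorted(h for h, s in status.items() if s == "ok")


def data_faults(status):
    """Fault lists grouped by status, ordered by how urgently the stream needs fixing."""
    order = ["no_forwarder", "forwarder_down", "no_recent_data", "unmanaged"]
    return {s: sorted(h for h, st in status.items() if st == s) for s in order}


if __name__ == "__main__":
    st = classify_hosts(INVENTORY, FORWARDER_LAST_SEEN, DATA_LAST_EVENT)
    print("score these :", scoring_population(st))
    print("fix first   :", data_faults(st))
```

The separation matters for the scores themselves: a host whose data stopped two days ago would otherwise keep its last known results and quietly distort its organization's average.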
SAMI Lessons Learned (Bonus) – stats product(x)
Initial scoring model required multiplying penalties to produce score – Each penalty reduced score by a fraction
Data table - host, fault, penalty – Need to multiply penalties together for each host – Would be easy if it were a sum (stats sum(penalty) by host)
Solution: |stats list(penalty) as penlist by host | eval Score=tonumber(mvindex(penlist,mvcount(penlist)-1),1) * tonumber(mvindex(penlist,mvcount(penlist)-2),1) * tonumber(mvindex(penlist,mvcount(penlist)-3),1)… – Create MV field and multiply each item
Limitation – only good for the number of items checked
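The penalty-product problem above as an added example, not SAMI's code: a per-host score computed as the product of penalty fractions for any number of faults. Besides the direct product it shows the identity prod(p_i) = exp(sum(ln p_i)), which turns the product into the kind of sum an aggregation step already supports (in SPL terms, an eval of the logarithm, a stats sum by host, then exp), and a fixed-depth variant that models the slide's hand-written multiplication chain together with its limitation. The fault table and penalty values are constructed.

```python
"""Added example for the stats product(x) lesson: score a host as the product
of its penalty fractions for any number of faults. Not SAMI's code; the fault
table is constructed."""
import math
from collections import defaultdict

# Constructed data table (host, fault, penalty): penalty is the fraction of the
# score a host keeps, so 0.9 means "this fault costs 10 percent".
FAULTS = [
    ("ws01",  "no_whitelisting", 0.70),
    ("ws01",  "local_admin",     0.90),
    ("ws01",  "unpatched",       0.80),
    ("ws01",  "no_emet",         0.95),
    ("ws02",  "no_whitelisting", 0.70),
    ("ws02",  "local_admin",     0.90),
    ("srv01", "unpatched",       0.80),
    ("srv02", "no_av",           0.00),   # a total-failure penalty zeroes the score
]


def score_by_product(faults, base=100.0):
    """Direct product of all penalties per host, starting from a full score."""
    scores = defaultdict(lambda: base)
    for host, _, penalty in faults:
        scores[host] *= penalty
    return dict(scores)


def score_by_log_sum(faults, base=100.0):
    """Same result via ln / sum / exp. A zero penalty has no logarithm, so it
    is mapped to -inf, which exp() turns back into a score of 0."""
    logsum = defaultdict(float)
    for host, _, penalty in faults:
        if penalty < 0:
            raise ValueError(f"negative penalty for {host}")
        logsum[host] += math.log(penalty) if penalty > 0 else float("-inf")
    return {host: base * math.exp(s) for host, s in logsum.items()}


def score_fixed_depth(faults, depth=3, base=100.0):
    """Models a hand-written chain that multiplies only the last `depth`
    penalties per host: right while a host has at most `depth` faults,
    silently wrong once it has more (the limitation noted on the slide)."""
    per_host = defaultdict(list)
    for host, _, penalty in faults:
        per_host[host].append(penalty)
    out = {}
    for host, pens in per_host.items():
        score = base
        for p in pens[-depth:]:
            score *= p
        out[host] = score
    return out


if __name__ == "__main__":
    for name, fn in (("product", score_by_product),
                     ("log-sum", score_by_log_sum),
                     ("depth 3", score_fixed_depth)):
        print(f"{name:8}", {h: round(s, 2) for h, s in fn(FAULTS).items()})
```

Host ws01 carries four faults, one more than the chain handles, so the fixed-depth variant reports 68.4 where the true product is 47.88; the log-sum form needs no such limit.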
THANK YOU CD R&T Team
Backup Slides
1) Implement Application Whitelisting
The Problem: • Compromise from malware delivered via e-mail, websites, and removable media
The Mitigation: • Allow only approved software • Block most common attack vectors and zero-day malware • Provide application installation control
[Diagram labels: Spearphishing e-mails with malware; Malware on removable media; Websites with malware]
2) Control Administrative Privileges
The Problem: • Compromise of privileged accounts and/or privilege escalation can lead to compromise of critical systems and information
The Mitigation: • Grant admin privileges only when necessary • Don't allow admin accounts exposure to Internet • Implement two-factor authentication
[Diagram labels: Internet; User Workstations; Management Workstations; Trusted Critical Servers; Domain Controllers; Domain]
3) Limit Workstation-to-Workstation Communication
The Problem: • Compromised devices used to springboard to other devices, grabbing higher privileged credentials along the way
The Mitigation: • Deny local account logon across network • Restrict lateral movement on network with access control lists
[Diagram labels: Local Workstation; Admin Workstation; All Workstations; All Servers; Domain Controller]
4) Use Anti-Virus File Reputation Services
The Problem: • Anti-virus signature files are not updated real-time • Host protection products rely on the cloud for full coverage
The Mitigation: • Leverage real-time intelligence from cloud-hosted threat databases
5) Enable Anti-Exploitation Features
The Problem: • Malware exploits software vulnerabilities • Zero-days
The Mitigation: • Use operating system and application anti-exploitation and sandboxing features such as EMET (Enhanced Mitigation Experience Toolkit)
6) Implement Host Intrusion Prevention System (HIPS) Rules
The Problem: • Standard signature-based host defenses don't defend against zero days and can't keep up with exploitation kits that continually morph attack components
The Mitigation: • Use HIPS to focus on threat behaviors and flag anomalous activity on the host and/or network
7) Set a Secure Baseline Configuration
The Problem: • Security configurations are applied inconsistently across an enterprise • One weakly configured device can endanger the entire network
The Mitigation: • Establish baselines for various components in the enterprise that include approved and secure application and operating system configurations
8) Use Web DNS Reputation
The Problem: • Accessing the internet exposes users to attacks such as drive-by downloads
The Mitigation: • Screen web accesses against a commercial web domain rating service • Redirect dangerous web requests to a warning page
9) Take Advantage of Software Improvements
The Problem: • Out-of-date and unpatched software has vulnerabilities that can be exploited by an adversary
The Mitigation: • Apply updates in a timely manner to reduce vulnerability exposure
10) Segregate Networks & Functions
The Problem: • When an adversary gains access to the network they will move laterally and try to gain control of the whole network
The Mitigation: • Design the network architecture into separate segments based on role and functionality • Closely monitor user interactions between the segments
AE Checks
Data Execution Prevention - prevents data from executing
Address Space Layout Randomization - randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations
Structured Exception Handler Overwrite Protection - prevents malware from overwriting entries in the structured exception handler and executing malicious code referenced by that entry
Kernel Null Page - prevents potential null dereference issues in user mode
Certificate Padding - Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure
Secure Search Path - blocks a DLL load from the current working directory if the current working directory is set to a remote folder
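A complementary check for the first two AE items above, as an added example that is not SAMI's code: read the DEP and ASLR opt-in flags (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, _DYNAMIC_BASE, _HIGH_ENTROPY_VA) from a PE file's optional header. The flag values and header offsets are those of the PE/COFF format; make_pe() is a constructed helper that builds minimal header-only images so the parser can be exercised offline. These flags record what a binary asks for; system policy (EMET, or an always-on DEP setting) can enforce DEP and ASLR regardless, so this check supplements an EMET or system-configuration check rather than replacing it.

```python
"""Added example: parse the DllCharacteristics field of a PE optional header
and report the DEP / ASLR / CFG opt-in flags. Not SAMI's code; sample images
are constructed by make_pe()."""
import struct

HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy virtual addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated at load (ASLR)
NX_COMPAT       = 0x0100   # image is DEP compatible
GUARD_CF        = 0x4000   # Control Flow Guard instrumented

PE32, PE32PLUS = 0x10B, 0x20B
DLLCHAR_OFFSET = 70        # DllCharacteristics offset in the optional header (PE32 and PE32+)


def dll_characteristics(data):
    """Return (is_pe32plus, DllCharacteristics) or raise ValueError if the
    bytes are not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    if coff + 20 > len(data) or data[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("PE signature not found")
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_opt < DLLCHAR_OFFSET + 2 or opt + size_of_opt > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    flags = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]
    return magic == PE32PLUS, flags


def assess(data):
    """Map the raw flags onto the questions the AE checks ask of a binary."""
    pe32plus, flags = dll_characteristics(data)
    aslr = bool(flags & DYNAMIC_BASE)
    return {
        "DEP": bool(flags & NX_COMPAT),
        "ASLR": aslr,
        # high-entropy ASLR only applies to 64-bit images that are also relocatable
        "HighEntropyASLR": pe32plus and aslr and bool(flags & HIGH_ENTROPY_VA),
        "CFG": bool(flags & GUARD_CF),
    }


def make_pe(flags, pe32plus=True):
    """Constructed minimal PE-shaped blob: DOS header, PE signature, COFF header
    and an optional header carrying only the fields this parser reads."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)            # 64 bytes
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)  # 20 bytes
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = make_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF)
    legacy = make_pe(0, pe32plus=False)
    print("hardened:", assess(hardened))
    print("legacy  :", assess(legacy))
```

Run assess() over the bytes of each executable in an application's install directory and the result is a per-binary row that can be fed into the same host-level data table the scoring model consumes.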