Information Security Hands-On Breakout Session
Transcript
Slide 1
A – 50.18.236.24
B – 54.193.161.48
C – 54.176.28.229
D – 204.236.150.46
E – 54.193.159.25
F – 54.193.159.25
G – 54.177.237.203
H – 54.177.83.238
I – 204.236.157.138
J – 54.193.146.10
K – 204.236.150.46
L – 54.215.37.103
M – 184.169.219.249
N – 54.193.159.25
O – 204.236.157.138
P – 54.176.114.110
Q – 204.236.157.138
R – 54.215.47.68
S – 50.18.11.13
T – 54.193.200.81
U – 54.193.200.241
V – 54.193.200.241
W – 54.193.201.42
X – 54.193.200.241
Y – 54.193.159.25
Z – 54.193.200.241
? – 54.151.47.45
https://<yourIP>/ Username: splunklive Password: security
Slide 2
Copyright © 2016 Splunk Inc.
Splunk Enterprise for Information Security
Hands-On
Presenters: David Veuve & Lily Lee
Slide 3
Agenda
Intro
Web Attacks
Lateral Movement
DNS Exfiltration
Wrap-up / Q&A
Slide 4
Intro
Slide 5
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
Human ↔ Machine
Machine ↔ Machine
Slide 6
Platform for Operational Intelligence
The Splunk Portfolio
Rich Ecosystem of Apps & Add-Ons
Splunk Premium Solutions
Mainframe Data
Relational Databases
Mobile
Forwarders
Syslog/TCP
IoT Devices
Network Wire Data
Hadoop
Slide 7
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2015: Leader, and the only vendor to improve its visionary position
2014: Leader
2013: Leader
2012: Challenger
2011: Niche Player
Slide 8
(Repeats the IP assignment list and lab login from slide 1.)
Slide 9
Web Attacks
Slide 10
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management
Slide 11
[1] Injection
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow
Slide 12
Our focus
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow
SQL injection is a massive headache for every company that has a database behind a web interface.
Slide 13
The anatomy of a SQL injection attack
An attacker might supply:
Email: [email protected]' OR 1 = 1 -- '
Password: xxx
Resulting query:
SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';
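The query above, worked through as an added example that is not part of the deck: the vulnerable login builds its WHERE clause by string concatenation exactly as shown, so the quote in the input closes the literal, OR 1 = 1 makes the clause always true, and -- comments out the password check. The parameterized version beside it sends the same input as a bound value and matches nothing. The users table and the address victim@example.com (in place of the slide's obfuscated one) are constructed for this example.

```python
import sqlite3

# Constructed demo table (not from the workshop's environment). Plaintext
# passwords are kept only so the injection mechanics stay visible; a real
# application compares against salted password hashes.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [(1, "admin@example.com", "hunter2"), (2, "victim@example.com", "1234")],
)

# The slide's input, with a constructed e-mail address in place of the original.
PAYLOAD_EMAIL = "victim@example.com' OR 1 = 1 -- '"


def build_vulnerable_query(email, password):
    """String concatenation, the pattern the slide's query shows: the quote in
    the input closes the literal, OR 1 = 1 makes the WHERE clause always true,
    and -- turns the password check that follows into a comment."""
    return f"SELECT id, email FROM users WHERE email='{email}' AND password='{password}'"


def login_vulnerable(email, password):
    """Returns the first matching (id, email) row, or None."""
    return _conn.execute(build_vulnerable_query(email, password)).fetchone()


def login_safe(email, password):
    """Same query with bound parameters: the values travel separately from the
    SQL text, so quotes and comment markers in the input are just data and
    can never change the statement's structure."""
    sql = "SELECT id, email FROM users WHERE email=? AND password=?"
    return _conn.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_EMAIL, "xxx"))
    print("vulnerable:", login_vulnerable(PAYLOAD_EMAIL, "xxx"))  # first user in the table
    print("safe:      ", login_safe(PAYLOAD_EMAIL, "xxx"))        # None
```

Note that the vulnerable login does not just fail open: it returns the first row in the table, which is usually an administrative account, which is why the deck's follow-up searches look for privileged user names next to SQL keywords.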
Slide 14
Simple SQL Injection
index=web_vuln password select
(Starting with a simple, full-text search)
Slide 15
Slide 16
Simple SQL Injection
index=web_vuln password select (administrator OR root OR system OR sa)
| iplocation clientip
| search Country=Ukraine
(Furthermore, search for a privileged user and isolate the traffic from a specific country)
Slide 17
Slide 18
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events: looks for patterns in URI query field to see if
anyone has injected them with SQL statements
use standard deviations that are 2.5 times greater than the average length of your URI query field
Macros used:
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
Slide 19
Advanced SQL Injection
index=web_vuln …
TIP: To decode URIs you can use: | eval u = urldecode(field)
Slide 20
Advanced SQL Injection
index=web_vuln
| rex field=uri `sqlinjection_rex`
| search injection=*
| stats count by clientip status
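The search above in plain code, as an added example rather than anything from the deck or the Splunkbase app: parse web access log lines, URL-decode the query string (the `urldecode` tip), apply a SQL-injection regex, and count hits by client IP and status. The log lines are constructed, and the regex is a hypothetical stand-in for the app's `sqlinjection_rex` macro, not its actual pattern.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from the workshop's web_vuln index).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:13:55:36 -0700] "GET /login?user=admin%27%20OR%201%3D1%20--%20&pass=x HTTP/1.1" 200 4321
203.0.113.7 - - [10/May/2016:13:55:39 -0700] "GET /item?id=5%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 512
198.51.100.4 - - [10/May/2016:13:56:01 -0700] "GET /item?id=5 HTTP/1.1" 200 2048
198.51.100.4 - - [10/May/2016:13:56:05 -0700] "GET /search?q=select+a+colour HTTP/1.1" 200 2048
203.0.113.7 - - [10/May/2016:13:57:12 -0700] "GET /item?id=5%3B%20DROP%20TABLE%20users HTTP/1.1" 500 512
"""

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Hypothetical pattern standing in for the app's `sqlinjection_rex` macro:
# UNION SELECT, SELECT ... FROM, OR-tautologies, comment markers, stacked queries.
INJECTION_RE = re.compile(
    r"(?ix)(?P<injection>"
    r"\bunion\b\s+(all\s+)?select\b"
    r"|\bselect\b.+\bfrom\b"
    r"|\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?"
    r"|--\s"
    r"|;\s*(drop|insert|update|delete)\b"
    r")"
)


def parse_line(line):
    """One access-log line -> dict with the decoded query string, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    query = uri.partition("?")[2]
    return {"clientip": m.group("clientip"), "status": int(m.group("status")),
            "uri": uri, "query": unquote_plus(query)}  # same idea as | eval u = urldecode(field)


def find_injection(query):
    """Returns the matched fragment (the `injection` field), or None."""
    m = INJECTION_RE.search(query)
    return m.group("injection") if m else None


def injection_stats(log_text):
    """| rex field=uri `sqlinjection_rex` | search injection=* | stats count by clientip status"""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and find_injection(ev["query"]):
            counts[(ev["clientip"], ev["status"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(injection_stats(SAMPLE_LOG).items()):
        print(key, n)
```

The request `q=select a colour` is deliberately in the sample: the deck's opening full-text search (`password select`) would surface it, while the regex, which needs SELECT paired with FROM, does not. Decoding before matching matters because the interesting characters (`'`, `--`, `;`) almost always arrive percent-encoded.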
Slide 21
Slide 22
Slide 23
Summary: Web attacks/SQL injection
SQL injection provides attackers with easy access to data
Detecting advanced SQL injection is hard – use an app!
Augment your WAF with enterprise-wide Splunk searches
Other scenarios? Come see us at the Security Answers Booth
Slide 24
Lateral Movement
Slide 25
Poking around
An attacker hacks a non-privileged user system.
So what?
Slide 26
Lateral Movement
Lateral Movement is the expansion of systems controlled, and data accessed.
Slide 27
Most famous Lateral Movement attack? (excluding password re-use)
Pass the Hash!
Slide 28
Detecting Legacy PtH
Look for Windows Events:
Event ID: 4624 or 4625
Logon type: 3
Auth package: NTLM
User account is not a domain logon, or Anonymous Logon
Slide 29
LM Detection: Pass the Hash
source=WinEventLog:Security EventCode=4624 Authentication_Package=NTLM Type=Information
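The legacy pass-the-hash criteria from the previous slide as a filter over Windows Security events, added here as an example and not taken from the deck. The events are constructed, using the field names the Splunk Add-on for Windows extracts; the set of domain NetBIOS names is a hypothetical value you would replace with your own.

```python
# Constructed Windows Security events with the field names the Splunk Add-on
# for Windows extracts (EventCode, Logon_Type, Authentication_Package,
# Account_Name, Account_Domain, host). All values are made up for this example.
EVENTS = [
    {"host": "FS01", "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "svc_backup", "Account_Domain": "WS-FIN-07"},      # local account, network logon
    {"host": "FS01", "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "ANONYMOUS LOGON", "Account_Domain": "NT AUTHORITY"},
    {"host": "FS01", "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "Kerberos",
     "Account_Name": "alice", "Account_Domain": "CORP"},               # ordinary domain logon
    {"host": "WS-FIN-07", "EventCode": 4624, "Logon_Type": 2, "Authentication_Package": "NTLM",
     "Account_Name": "bob", "Account_Domain": "WS-FIN-07"},            # interactive, not network
    {"host": "DC01", "EventCode": 4625, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "CORP"},       # domain account: excluded
    {"host": "SQL02", "EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "SQL02"},      # local admin over the network
]

# Hypothetical: the NetBIOS names of your own AD domains.
DOMAIN_NAMES = {"CORP"}


def is_legacy_pth_candidate(ev, domains=DOMAIN_NAMES):
    """The deck's criteria: 4624 or 4625, logon type 3 (network), NTLM, and an
    account that is either not a domain account or ANONYMOUS LOGON."""
    if ev.get("EventCode") not in (4624, 4625):
        return False
    if ev.get("Logon_Type") != 3:
        return False
    if str(ev.get("Authentication_Package", "")).upper() != "NTLM":
        return False
    anonymous = str(ev.get("Account_Name", "")).upper() == "ANONYMOUS LOGON"
    domain_logon = str(ev.get("Account_Domain", "")).upper() in {d.upper() for d in domains}
    return anonymous or not domain_logon


def find_legacy_pth(events, domains=DOMAIN_NAMES):
    return [ev for ev in events if is_legacy_pth_candidate(ev, domains)]


def count_by_host_and_account(events, domains=DOMAIN_NAMES):
    """Rough equivalent of `| stats count by host Account_Name` over the matches."""
    counts = {}
    for ev in find_legacy_pth(events, domains):
        key = (ev["host"], ev["Account_Name"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(count_by_host_and_account(EVENTS).items()):
        print(key, n)
```

Treat the output as a triage list rather than an alert: local-account NTLM network logons also come from workgroup machines, appliances and administrators using local credentials, and ANONYMOUS LOGON 4624s are common on file servers, so the value is in baselining which (host, account) pairs normally appear and watching for new ones.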
Slide 30
Slide 31
Then it got harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement differently
Slide 32
Network traffic provides source of truth
I usually talk to 10 hosts
Then one day I talk to 10,000 hosts
ALARM!
Slide 33
LM Detection: Network Destinations
sourcetype="pan:traffic"
| stats count dc(dest) sparkline(dc(dest)) by src_ip
Slide 34
Consistently large
Inconsistent!
Slide 35
LM Detection: Network Destinations
sourcetype="pan:traffic"
| bucket _time span=1d
| stats count dc(dest) as NumDests by src_ip _time
| stats avg(NumDests) as avg stdev(NumDests) as stdev latest(NumDests) as latest by src_ip
| where latest > 2 * stdev + avg
Find daily average, standard deviation, and most recent
Slide 36
Slide 37
LM Detection: Network Destinations – Bonus
… | stats avg(eval(if(_time < relative_time(now(), "-1d@d"), NumDests, null()))) as avg …
If you are fancy, use stats, eval and the relative_time functions to ignore our recent spike.
With a valid avg and stdev, yesterday’s value becomes 28 standard deviations away from normal!
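The distinct-destination baseline from the two previous slides, carried through in code as an added example (not the deck's own): compute daily dc(dest) per source, then avg, stdev and latest, and flag `latest > 2 * stdev + avg`. The `exclude_latest` switch is the bonus slide's trick of leaving the most recent day out of the baseline. The flow records are constructed: one host that talks to about ten systems a day and then 10,000, and one monitoring server that is consistently large.

```python
import statistics
from collections import defaultdict


def constructed_flows():
    """Builds (day, src_ip, dest) tuples standing in for pan:traffic events.
    Constructed for this example, not data from the workshop."""
    flows = []
    # 10.0.0.5 talks to roughly ten hosts a day for a week, then 10,000 on day 8.
    for day, n in enumerate([10, 12, 9, 11, 10, 13, 8], start=1):
        flows += [(day, "10.0.0.5", f"10.0.1.{i}") for i in range(n)]
    flows += [(8, "10.0.0.5", f"10.1.{i // 256}.{i % 256}") for i in range(10000)]
    # 10.0.0.9 is a monitoring server that polls the same 500 hosts every day:
    # "consistently large", which a plain dc(dest) sort would rank at the top.
    for day in range(1, 9):
        flows += [(day, "10.0.0.9", f"10.2.{i // 256}.{i % 256}") for i in range(500)]
    return flows


def daily_distinct_dests(flows):
    """| bucket _time span=1d | stats dc(dest) as NumDests by src_ip _time"""
    per_src = defaultdict(lambda: defaultdict(set))
    for day, src, dest in flows:
        per_src[src][day].add(dest)
    return {src: [len(days[d]) for d in sorted(days)] for src, days in per_src.items()}


def score(num_dests, exclude_latest=False):
    """avg / stdev / latest for one src_ip. With exclude_latest=True the most
    recent day is left out of the baseline, as in the deck's relative_time trick."""
    latest = num_dests[-1]
    baseline = num_dests[:-1] if exclude_latest and len(num_dests) > 1 else num_dests
    avg = statistics.mean(baseline)
    stdev = statistics.stdev(baseline) if len(baseline) > 1 else 0.0
    if stdev:
        z = (latest - avg) / stdev
    else:
        z = float("inf") if latest > avg else 0.0
    return {"avg": avg, "stdev": stdev, "latest": latest, "z": z,
            "flagged": latest > 2 * stdev + avg}


def detect(flows, exclude_latest=False):
    """| where latest > 2 * stdev + avg, returned as {src_ip: score}."""
    scores = {src: score(c, exclude_latest) for src, c in daily_distinct_dests(flows).items()}
    return {src: s for src, s in scores.items() if s["flagged"]}


if __name__ == "__main__":
    flows = constructed_flows()
    for label, hits in (("naive", detect(flows)), ("exclude latest", detect(flows, True))):
        for src, s in hits.items():
            print(f"{label}: {src} latest={s['latest']} avg={s['avg']:.1f} z={s['z']:.1f}")
```

The reason the bonus slide matters is arithmetic: when the spike is part of its own baseline, the sample standard deviation can never put a single point more than (n-1)/sqrt(n) deviations from the mean, which with eight days of history is about 2.47. The naive search therefore clears the 2-sigma line only barely, and a 3-sigma threshold would never fire at all; excluding the latest day from the baseline turns the same spike into thousands of deviations.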
Slide 38
iz so hard… u haz magic?
Slide 39
Summary: Lateral Movement
Attacker success defines scope of a breach
High difficulty, high importance
Worth doing in Splunk
Easy with UBA
Slide 40
DNS Exfiltration
Slide 41
domain=corp;user=dave;password=12345
→ encrypt →
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
Slide 42
DNS exfil tends to be overlooked within an ocean of DNS data.
Let’s fix that!
DNS exfiltration
Slide 43
DNS exfiltration
FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic
“But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!”
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
“… few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.”
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
Slide 44
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade:
• parse URLs & complicated TLDs (Top Level Domains)
• calculate Shannon Entropy
List of provided lookups:
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
Slide 45
Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
Slide 46
Detecting Data Exfiltration
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| `ut_shannon(ut_subdomain)`
| eval sublen = length(ut_subdomain)
| table ut_domain ut_subdomain ut_shannon sublen
TIPS
Leverage our Bro DNS data
Calculate Shannon Entropy scores
Calculate subdomain length
Display Details
Slide 47
Slide 48
Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain
| search avg_sha>3 avg_sublen>20 stdev_sublen<2
TIPS
Leverage our Bro DNS data
Calculate Shannon Entropy scores
Calculate subdomain length
Display count, scores, lengths, deviations
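The Shannon Entropy definition and the two detection searches above, implemented as one added example that is not code from the deck or from the URL Toolbox app: an entropy function in the spirit of `ut_shannon`, a simplified domain/subdomain split standing in for `ut_parse` (it assumes a single-label TLD, which the real app's suffix list handles properly), and the per-domain count / avg_sha / avg_sublen / stdev_sublen aggregation with the slide's thresholds. The query names are constructed; the exfil domain is the placeholder exfil.example and the "stolen data" labels are deterministic base64url chunks.

```python
import base64
import hashlib
import math
import statistics
from collections import defaultdict


def shannon_entropy(word):
    """Bits per character, -sum p(c) log2 p(c): the same measure as the app's ut_shannon."""
    if not word:
        return 0.0
    n = len(word)
    counts = {}
    for c in word:
        counts[c] = counts.get(c, 0) + 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parse_query(name):
    """(registered domain, subdomain). Simplified stand-in for ut_parse: it
    assumes a one-label TLD, so 'x.co.uk' would be split wrongly; the real app
    carries a public-suffix list to handle complicated TLDs."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return name, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def exfil_candidates(queries, min_entropy=3.0, min_len=20, max_stdev=2.0):
    """| stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen
         stdev(sublen) as stdev_sublen by ut_domain
       | search avg_sha>3 avg_sublen>20 stdev_sublen<2"""
    per_domain = defaultdict(list)
    for q in queries:
        domain, sub = parse_query(q)
        per_domain[domain].append((shannon_entropy(sub), len(sub)))
    results = {}
    for domain, rows in per_domain.items():
        entropies = [e for e, _ in rows]
        lengths = [l for _, l in rows]
        stats = {
            "count": len(rows),
            "avg_sha": statistics.mean(entropies),
            "avg_sublen": statistics.mean(lengths),
            # Splunk's stdev of a single value is 0; statistics.stdev needs two points.
            "stdev_sublen": statistics.stdev(lengths) if len(lengths) > 1 else 0.0,
        }
        if (stats["avg_sha"] > min_entropy and stats["avg_sublen"] > min_len
                and stats["stdev_sublen"] < max_stdev):
            results[domain] = stats
    return results


def constructed_queries():
    """Sample DNS query names built for this example (not Bro data from the lab)."""
    benign = ["www.google.com", "mail.google.com", "calendar.google.com", "www.google.com",
              "cdn.example.net", "static.example.net", "api.example.net"]
    # Exfil pattern: many queries, each a fixed-length high-entropy label under one domain.
    exfil = []
    for i in range(40):
        digest = hashlib.sha256(f"chunk{i}".encode()).digest()
        label = base64.urlsafe_b64encode(digest).decode().rstrip("=")  # 43 characters
        exfil.append(f"{label}.exfil.example")
    return benign + exfil


if __name__ == "__main__":
    for domain, s in exfil_candidates(constructed_queries()).items():
        print(domain, s)
```

Three signals have to line up before a domain is reported: high average entropy (encoded or encrypted payloads), long subdomains (the sender packs as much as it can into each label) and a small length deviation (chunks are cut to a fixed size), and the count column then tells you how much left. Ordinary CDN and cloud names can score high on entropy alone, which is why the slide does not alert on `ut_shannon` by itself.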
Slide 49
Detecting Data Exfiltration
RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
Slide 50
Summary: DNS exfiltration
Exfiltration by DNS and ICMP is a very common technique
Many organizations do not analyze DNS activity – do not be like them!
No DNS logs? No Splunk Stream? Look at FW byte counts
Slide 51
Wrap-up / Q&A
Slide 52
Summary
Multiple phases to modern attacks
Deploy detection across all phases
Also consider adaptive response!
Stay abreast of modern advancements
App Export:
http://davidveuve.com/go/slsf16
Slide 53
Northern Cal Tech Talks!
Monthly WebEx Sessions
– Ted Talk style presentation
– Q&A chat forum
So what’s next on the agenda?
– March 23rd @ 10AM PST: Building & deploying apps
– April 20th @ 10AM PST: Top 5 most useful search commands
http://live.splunk.com/NorCalTechTalks
Slide 54
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
The 7th Annual Splunk Worldwide Users’ Conference
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Slide 55
THANK YOU
http://davidveuve.com/go/slsf16