workshop threat-hunting
TRANSCRIPT
ThreatHun+ngwithSplunkPresenter:KenWes+nM.Sc,OSCP,ITPMSplunk,SecurityMarketSpecialist
Preworkfortoday
● SetupSplunkEnterpriseSecuritySandbox● InstallfreeSplunkonlaptop● InstallMLToolkitapp
hEps://splunkbase.splunk.com/app/2890/
3
> [email protected]@kwestin
• 1yearatSplunk–SecuritySpecialist• BasedinPortland,Oregon• 17yearsintechnologyandsecurity• M.Sc,OSCP,ITPM• Trainedinoffensive&defensivesecurity• Putbadguysinjail…withdata
$whoami
Agenda• ThreatHun+ngBasics
• ThreatHun+ngDataSources
• SysmonEndpointData
• CyberKillChain
• WalkthroughofACackScenarioUsingCoreSplunk(handson)
• AdvancedThreatHun+ngTechniques
• EnterpriseSecurityWalkthrough
• ApplyingMachineLearningandDataSciencetoSecurity
LogInCreden+als
January,February&March hEps://od-threathun+ng-01.splunkoxygen.comApril,May&June hEps://od-threathun+ng-02.splunkoxygen.comJulyandAugust hEps://od-threathun+ng-03.splunkoxygen.comSeptemberandOctober hEps://od-threathun+ng-04.splunkoxygen.comNovemberandDecember hEps://od-threathun+ng-05.splunkoxygen.com
User:hunterPass:pr3dator
BirthMonth
Thesewon’twork…
AmIintherightplace?
Somefamiliaritywith…
● CSIRT/SOCOpera+ons
● GeneralunderstandingofThreatIntelligence
● GeneralunderstandingofDNS,Proxy,andEndpointtypesofdata
7
Thisisahands-onsession.
Theoverviewslidesareimportantforbuildingyour“hunt”methodology
10minutes-Seriously.
Whatisthreathun+ng,whydoyouneedit?TheWhat?
• Threathun+ng-theactofaggressively
intercep+ng,trackingand
elimina+ngcyberadversariesasearlyaspossibleintheCyberKillChain2
9
TheWhy?
• Threatsarehuman.Focusedandfundedadversarieswillnotbecounteredbysecurityboxesonthenetwork
alone.Threathuntersareac+velysearchingforthreatstopreventor
minimizedamage[beforeithappens]1
2CyberThreatHun+ng-SamuelAlonsoblog,Jan2016
1TheWho,What,Where,When,WhyandHowofEffec+veThreatHun+ng,SANSFeb2016
“ThreatHun,ngisnotnew,it’sjustevolving!”
ThreatHun+ngwithSplunk
10
Vs.
Search&Visualisa+on
Enrichment
Data
Automa+on
11
HumanThreatHunter
KeyBuildingBlockstoDriveThreatHun+ngMaturity
Ref:TheheWho,What,Where,When,WhyandHowofEffec+veThreatHun+ng,SANSFeb2016
Objec+ves>Hypotheses>Exper+se
SANSThreatHun+ngMaturity
12
AdHocSearch
Sta+s+calAnalysis
Visualiza+onTechniques
Aggrega+on MachineLearning/DataScience
85%55%50%48%32%
Source:SANSIR&ThreatHun+ngSummit2016
Search&Visualisa+on
Enrichment
Data
Automa+on
HumanThreatHunter
HowSplunkhelpsYouDriveThreatHun+ngMaturity
ThreatHun+ngAutoma+onIntegrated&outoftheboxautoma+ontoolingfromar+factquery,contextual“swim-laneanalysis”,anomaly&+meseriesanalysistoadvanceddatascienceleveragingmachinelearning
ThreatHun+ngDataEnrichment
Enrichdatawithcontextandthreat-intelacrossthestackor+metodiscerndeeperpaEernsorrela+onships
Search&VisualiseRela+onshipsforFasterHun+ng
Searchandcorrelatedatawhilevisuallyfusingresultsforfastercontext,analysisandinsight
Ingest&OnboardAnyThreatHun+ngMachineDataSourceEnablefastinges+onofanymachinedatathroughefficient
indexing,abigdatareal+mearchitectureand‘schemaontheread’technology
Hypotheses
AutomatedAnaly+cs
DataScience&MachineLearning
Data&IntelligenceEnrichment
DataSearch
Visualisa+on
Maturity
Hun+ngTools:InternalData
14
• IPAddresses:threatintelligence,blacklist,whitelist,reputa+onmonitoringTools:Firewalls,proxies,SplunkStream,Bro,IDS
• NetworkAr+factsandPaCerns:networkflow,packetcapture,ac+venetworkconnec+ons,historicnetworkconnec+ons,portsandservicesTools:SplunkStream,BroIDS,FPC,Neqlow
• DNS:ac+vity,queriesandresponses,zonetransferac+vityTools:SplunkStream,BroIDS,OpenDNS
• Endpoint–HostAr+factsandPaCerns:users,processes,services,drivers,files,registry,hardware,memory,diskac+vity,filemonitoring:hashvalues,integritycheckingandalerts,crea+onordele+onTools:Windows/Linux,CarbonBlack,Tanium,Tripwire,Ac+veDirectory
• VulnerabilityManagementDataTools:TripwireIP360,Qualys,Nessus
• UserBehaviorAnaly+cs:TTPs,usermonitoring,+meofdayloca+on,HRwatchlistSplunkUBA,(Alloftheabove)
Persist,Repeat
ThreatIntelligence
Access/Iden+ty
Endpoint
Network
AEacker,knowrelay/C2sites,infectedsites,IOC,aEack/campaignintentandaEribu+on
Wheretheywentto,whotalkedtowhom,aEacktransmiEed,abnormaltraffic,malwaredownload
Whatprocessisrunning(malicious,abnormal,etc.)Processowner,registrymods,aEack/malwarear+facts,patchinglevel,aEacksuscep+bility
Accesslevel,privilegedusers,likelihoodofinfec+on,wheretheymightbeinkillchain
• Third-partythreatintel• Open-sourceblacklist• Internalthreatintelligence
• Firewall,IDS,IPS• DNS• Email
• Endpoint(AV/IPS/FW)• Malwaredetec+on• PCLM
• DHCP• OSlogs• Patching
• Ac+veDirectory• LDAP• CMDB
• Opera+ngsystem• Database• VPN,AAA,SSO
TypicalDataSources
• Webproxy• NetFlow• Network
Endpoint:MicrosowSysmonPrimer
16
● TAAvailableontheAppStore● GreatBlogPosttogetyoustarted
● IncreasesthefidelityofMicrosowLogging
BlogPost:hEp://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
User:hunterPass:pr3dator
January,February&March hEps://od-threathun+ng-01.splunkoxygen.comApril,May&June hEps://od-threathun+ng-02.splunkoxygen.comJulyandAugust hEps://od-threathun+ng-03.splunkoxygen.comSeptemberandOctober hEps://od-threathun+ng-04.splunkoxygen.comNovemberandDecember hEps://od-threathun+ng-05.splunkoxygen.com
SysmonEventTags
18
MapsNetworkCommtoprocess_id
Process_idcrea+onandmappingtoparentprocess_id
sourcetype=X*|searchtag=communicate
19
sourcetype=X*|deduptag|searchtag=process
20
DataSourceMapping
DemoStory-KillChainFrameworkSuccessfulbruteforce–downloadsensi+vepdfdocument
WeaponizethepdffilewithZeusMalware
Convincingemailsentwithweaponizedpdf
Vulnerablepdfreaderexploitedbymalware.Droppercreatedonmachine
Dropperretrievesandinstallsthemalware
Persistenceviaregularoutboundcomm
DataExfiltra+on
Source:LockheedMar,n
Servers
Storage
DesktopsEmail Web
Transac+onRecords
NetworkFlows
DHCP/DNS
HypervisorCustomApps
The image cannot be displayed. Your computer
PhysicalAccess
Badges
ThreatIntelligence
Mobile
CMDB
The image cannot be displ
IntrusionDetec+on
Firewall
DataLossPreven+on
An+-Malware
VulnerabilityScans
Tradi+onal
Authen+ca+on
StreamInves+ga+ons–chooseyourdatawisely
23
24
Let’sdigin!
Please,raisethathandifyouneedustohitthepausebuEon
APTTransac+onFlowAcrossDataSources
25
hEp(proxy)sessiontocommand&controlserver
RemotecontrolStealdataPersistincompanyRentasbotnet
Proxy
ConductBusiness
Createaddi+onalenvironment
GainAccesstosystemTransac+on
ThreatIntelligence
Endpoint
NetworkEmail,Proxy,DNS,andWeb
DataSources
.pdfexecutes&unpacksmalwareoverwri+ngandrunning“allowed”programs
Svchost.exe(malware)
Calc.exe(dropper)
AEackerhackswebsiteSteals.pdffiles
WebPortal.pdf
AEackercreatesmalware,embedin.pdf,
emailstothetarget
Reademail,openaEachment
OurInves+ga+onbeginsbydetec+nghighriskcommunica+onsthroughtheproxy,attheendpoint,andevenaDNScall.
index=zeus_demo3
26
insearch:
Tobeginourinves+ga+on,wewillstartwithaquicksearchtofamiliarizeourselveswiththedatasources.
Inthisdemoenvironment,wehaveavarietyofsecurityrelevantdataincluding…
WebDNSProxyFirewallEndpointEmailClick
Takealookattheendpointdatasource.WeareusingtheMicrosowSysmonTA.
Wehaveendpointvisibilityintoallnetworkcommunica+onandcanmapeachconnec+onbacktoaprocess.
}Wealsohavedetailedinfooneachprocessandcanmapitbacktotheuserandparentprocess.}
Letsgetourdaystartedbylookingusingthreatinteltopriori+zeoureffortsandfocusoncommunica+onwithknownhighrisken++es.
Wehavemul+plesourceIPscommunica+ngtohighrisken++esiden+fiedbythese2threatsources.
Weareseeinghighriskcommunica+onfrommul+pledatasources.
Weseemul+plethreatintelrelatedeventsacrossmul+plesourcetypesassociatedwiththeIPAddressofChrisGilbert.Let’stakecloserlookattheIPAddress.
Wecannowseetheownerofthesystem(ChrisGilbert)andthatitisn’taPIIorPCIrelatedasset,sotherearenoimmediatebusinessimplica+onsthatwouldrequireinformingagenciesorexternalcustomerswithinacertain+meframe.
Thisdashboardisbasedoneventdatathatcontainsathreatintelbasedindicatormatch(IPAddress,domain,etc.).ThedataisfurtherenrichedwithCMDBbasedAsset/iden+tyinforma+on.
Wearenowlookingatonlythreatintelrelatedac+vityfortheIPAddressassociatedwithChrisGilbertandseeac+vityspanningendpoint,proxy,andDNSdatasources.
Thesetrendlinestellaveryinteres+ngvisualstory.ItappearsthattheassetmakesaDNSqueryinvolvingathreatintelrelateddomainorIPAddress.
ScrollDo
wn
ScrolldownthedashboardtoexaminethesethreatinteleventsassociatedwiththeIPAddress.
Wethenseethreatintelrelatedendpointandproxyeventsoccurringperiodicallyandlikelycommunica+ngwithaknownZeusbotnetbasedonthethreatintelsource(zeus_c2s).
It’sworthmen+oningthatatthispointyoucouldcreatea+ckettohavesomeonere-imagethemachinetopreventfurtherdamageaswecon+nueourinves+ga+onwithinSplunk.
Withinthesamedashboard,wehaveaccesstoveryhighfidelityendpointdatathatallowsananalysttocon+nuetheinves+ga+oninaveryefficientmanner.Itisimportanttonotethatnearreal-+meaccesstothistypeofendpointdataisnotnotcommonwithinthetradi+onalSOC.
Theini+algoaloftheinves+ga+onistodeterminewhetherthiscommunica+onismaliciousorapoten+alfalseposi+ve.Expandtheendpointeventtocon+nuetheinves+ga+on.
Proxyrelatedthreatintelmatchesareimportantforhelpingustopriori+zeoureffortstowardini+a+nganinves+ga+on.Furtherinves+ga+onintotheendpointisowenvery+meconsumingandoweninvolvesmul+pleinternalhand-offstootherteamsorneedingtoaccessaddi+onalsystems.Thisencryptedproxytrafficisconcerningbecauseofthelargeamountofdata(~1.5MB)beingtransferredwhichiscommonwhendataisbeingexfiltrated.
Exfiltra+onofdataisaseriousconcernandoutboundcommunica+ontoexternalen+tythathasaknownthreatintelindicator,especiallywhenitisencryptedasinthiscase.
Letscon+nuetheinves+ga+on.
Anotherclue.Wealsoseethatsvchost.exeshouldbelocatedinaWindowssystemdirectorybutthisisbeingrunintheuserspace.Notgood.
Weimmediatelyseetheoutboundcommunica+onwith115.29.46.99viahEpsisassociatedwiththesvchost.exeprocessonthewindowsendpoint.Theprocessidis4768.Thereisagreatdealmoreinforma+onfromtheendpointasyouscrolldownsuchastheuserIDthatstartedtheprocessandtheassociatedCMDBenrichmentinforma+on.
Wehaveaworkflowac+onthatwilllinkustoaProcessExplorerdashboardandpopulateitwiththeprocessidextractedfromtheevent(4768).
ThisisastandardWindowsapp,butnotinitsusualdirectory,tellingusthatthemalwarehasagainspoofedacommonfilename.
Wealsocanseethattheparentprocessthatcreatedthissuspicuoussvchost.exeprocessiscalledcalc.exe.
ThishasbroughtustotheProcessExplorerdashboardwhichletsusviewWindowsSysmonendpointdata.
SuspectedMalware
Letscon+nuetheinves+ga+onbyexaminingtheparentprocessasthisisalmostcertainlyagenuinethreatandwearenowworkingtowardarootcause.
ThisisveryconsistentwithZeusbehavior.Theini+alexploita+ongenerallycreatesadownloaderordropperthatwillthendownloadtheZeusmalware.Itseemslikecalc.exemaybethatdownloader/dropper.
SuspectedDownloader/Dropper
Thisprocesscallsitself“svchost.exe,”acommonWindowsprocess,butthepathisnotthenormalpathforsvchost.exe.
…whichisacommontraitofmalwareaEemp+ngtoevadedetec+on.WealsoseeitmakingaDNSquery(port53)thencommunica+ngviaport443.
TheParentProcessofoursuspecteddownloader/dropperisthelegi+matePDFReaderprogram.ThiswilllikelyturnouttobethevulnerableappthatwasexploitedinthisaEack.
SuspectedDownloader/Dropper
SuspectedVulnerableAppWehaveveryquicklymovedfromthreatintelrelatednetworkandendpointac+vitytothelikelyexploita+onofavulnerableapp.Clickontheparentprocesstokeepinves+ga+ng.
WecanseethatthePDFReaderprocesshasnoiden+fiedparentandistherootoftheinfec+on.
ScrollDo
wn
Scrolldownthedashboardtoexamineac+vityrelatedtothePDFreaderprocess.
Chrisopened2nd_qtr_2014_report.pdfwhichwasanaEachmenttoanemail!
Wehaveourrootcause!Chrisopenedaweaponized.pdffilewhichcontainedtheZeusmalware.Itappearstohavebeendeliveredviaemailandwehaveaccesstoouremaillogsasoneofourimportantdatasources.Letscopythefilename2nd_qtr_2014_report.pdfandsearchabitfurthertodeterminethescopeofthiscompromise.
LetsdigaliElefurtherinto2nd_qtr_2014_report.pdftodeterminethescopeofthiscompromise.
index=zeus_demo32nd_qtr_2014_report.pdf
39
insearch:
Letssearchthoughmul+pledatasourcestoquicklygetasenseforwhoelsemayhavehavebeenexposedtothisfile.
Wewillcomebacktothewebac+vitythatcontainsreferencetothepdffilebutletsfirstlookattheemaileventtodeterminethescopeofthisapparentphishingaEack.
WehaveaccesstotheemailbodyandcanseewhythiswassuchaconvincingaEack.Thesenderapparentlyhadaccesstosensi+veinsiderknowledgeandhintedatquarterlyresults.
ThereisouraEachment.
HoldOn!That’snotourDomainName!Thespellingisclosebutit’smissinga“t”.TheaEackerlikelyregisteredadomainnamethatisveryclosetothecompanydomainhopingChriswouldnotno+ce.
ThislookstobeaverytargetedspearphishingaEackasitwassenttoonlyoneemployee(Chris).
RootCauseRecap
42
DataSources
.pdfexecutes&unpacksmalwareoverwri+ngandrunning“allowed”programs
hEp(proxy)sessiontocommand&controlserver
RemotecontrolStealdataPersistincompanyRentasbotnet
Proxy
ConductBusiness
Createaddi+onalenvironment
GainAccesstosystemTransac+on
ThreatIntelligence
Endpoint
NetworkEmail,Proxy,DNS,andWeb
.pdfSvchost.exe(malware)
Calc.exe(dropper)
AEackerhackswebsiteSteals.pdffiles
WebPortal.pdf
AEackercreatesmalware,embedin.pdf,
emailstothetarget
Reademail,openaEachment
Weu+lizedthreatinteltodetectcommunica+onwithknownhighriskindicatorsandkickoffourinves+ga+onthenworkedbackwardthroughthekillchaintowardarootcause.
Keytothisinves+ga+veprocessistheabilitytoassociatenetworkcommunica+onswithendpointprocessdata.
Thishighvalueandveryrelevantabilitytoworkamalwarerelatedinves+ga+onthroughtorootcausetranslatesintoaverystreamlinedinves+ga+veprocesscomparedtothelegacySIEMbasedapproach.
43
Letsrevisitthesearchforaddi+onalinforma+ononthe2nd_qtr_2014-_report.pdffile.
Weunderstandthatthefilewasdeliveredviaemailandopenedattheendpoint.Whydoweseeareferencetothefileintheaccess_combined(webserver)logs?
Click
Selecttheaccess_combinedsourcetypetoinves+gatefurther.
44
Theresultsshow54.211.114.134hasaccessedthisfilefromthewebportalofbuEergames.com.
Thereisalsoaknownthreatintelassocia+onwiththesourceIPAddressdownloading(HTTPGET)thefile.
45
ClickSelecttheIPAddress,lew-click,thenselect“Newsearch”.WewouldliketounderstandwhatelsethisIPAddresshasaccessedintheenvironment.
46
That’sanabnormallylargenumberofrequestssourcedfromasingleIPAddressina~90minutewindow.
Thislookslikeascriptedac+ongiventheconstanthighrateofrequestsoverthebelowwindow.
ScrollDo
wn
Scrolldownthedashboardtoexamineotherinteres+ngfieldstofurtherinves+gate.
No+cetheGooglebotuseragentstringwhichisanotheraEempttoavoidraisingaEen+on..
47
Therequestsfrom52.211.114.134aredominatedbyrequeststotheloginpage(wp-login.php).It’sclearlynotpossibletoaEemptaloginthismany+mesinashortperiodof+me–thisisclearlyascriptedbruteforceaEack.
Awersuccessfullygainingaccesstoourwebsite,theaEackerdownloadedthepdffile,weaponizeditwiththezeusmalware,thendeliveredittoChrisGilbertasaphishingemail.
TheaEackerisalsoaccessingadminpageswhichmaybeanaEempttoestablishpersistenceviaabackdoorintothewebsite.
KillChainAnalysisAcrossDataSources
48
hEp(proxy)sessiontocommand&controlserver
RemotecontrolStealdataPersistincompanyRentasbotnet
Proxy
ConductBusiness
Createaddi+onalenvironment
GainAccesstosystemTransac+on
ThreatIntelligence
Endpoint
NetworkEmail,Proxy,DNS,andWeb
DataSources
.pdfexecutes&unpacksmalwareoverwri+ngandrunning“allowed”programs
Svchost.exe(malware)
Calc.exe(dropper)
AEackerhackswebsiteSteals.pdffiles
WebPortal.pdf
AEackercreatesmalware,embedin.pdf,
emailstothetarget
Reademail,openaEachment
Wecon+nuedtheinves+ga+onbypivo+ngintotheendpointdatasourceandusedaworkflowac+ontodeterminewhichprocessontheendpointwasresponsiblefortheoutboundcommunica+on.
WeBeganbyreviewingthreatintelrelatedeventsforapar+cularIPaddressandobservedDNS,Proxy,andEndpointeventsforauserinSales.
Inves+ga+oncomplete!LetsgetthisturnedovertoIncidentReponseteam.
Wetracedthesvchost.exeZeusmalwarebacktoit’sparentprocessIDwhichwasthecalc.exedownloader/dropper.
Onceourrootcauseanalysiswascomplete,weshiwedoutfocusintotheweblogstodeterminethatthesensi+vepdffilewasobtainedviaabruteforceaEackagainstthecompanywebsite.
Wewereabletoseewhichfilewasopenedbythevulnerableappanddeterminedthatthemaliciousfilewasdeliveredtotheuserviaemail.
AquicksearchintothemaillogsrevealedthedetailsbehindthephishingaEackandrevealedthatthescopeofthecompromisewaslimitedtojusttheoneuser.
Wetracedcalc.exebacktothevulnerableapplica+onPDFReader.
10minBreak!
SQLi
SQLInjec+on● SQLinjec+on● Codeinjec+on● OScommanding● LDAPinjec+on● XMLinjec+on● XPathinjec+on● SSIinjec+on● IMAP/SMTPinjec+on● Bufferoverflow
ImpervaWebACacksReport,2015
TheanatomyofaSQLinjec+onaEack
SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';
[email protected]' OR 1 = 1 -- '
xxx
1234
AnaEackermightsupply:
…andsofarthisyear…39
index=web_vulnpasswordselect
Whathavewehere?Ourlearningenvironmentconsistsof:• Abunchofpublically-accessiblesingle
Splunkservers• Eachwith~5.5Mevents,fromreal
environmentsbutmassaged:
• WindowsSecurityevents• Apachewebaccesslogs• BroDNS&HTTP• PaloAltotrafficlogs• Someothervariousbits
hEps://splunkbase.splunk.com/app/1528/
SearchforpossibleSQLinjec+oninyourevents:ü looksforpaEernsinURIqueryfieldtoseeif
anyonehasinjectedthemwithSQLstatements
ü usestandarddevia+onsthatare2.5+mesgreaterthantheaveragelengthofyourURIqueryfield
Macrosused• sqlinjec+on_paEern(sourcetype,uriqueryfield)• sqlinjec+on_stats(sourcetype,uriqueryfield)
RegularExpressionFTWsqlinjec+on_rexisasearchmacro.Itcontains:(?<injec,on>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)Whichmeans:Inthestringwearegiven,lookforANYofthefollowingmatchesandputthatintothe“injec+on”field.• AnythingcontainingSELECTfollowedbyFROM• AnythingcontainingUNIONfollowedbySELECT• Anythingwitha‘attheend• AnythingcontainingDELETEfollowedbyFROM• AnythingcontainingUPDATEfollowedbySET• AnythingcontainingALTERfollowedbyTABLE• A%27ORa‘andthena%20andanyamountofcharactersthena%20andthena%27ORa‘
• Note:%27isencoded“’”and%20isencoded<space>• Anyamountofwordcharactersfollowedbya%27ORa‘andthen“or”
Bonus:TryouttheSQLInjec+onapp!
Summary:WebaEacks/SQLinjec+on● SQLinjec+onprovideaEackerswitheasyaccesstodata● Detec+ngadvancedSQLinjec+onishard–useanapp!
● UnderstandwhereSQLiishappeningonyournetworkandputastoptoit.
● AugmentyourWAFwithenterprise-wideSplunksearches.
10minBreak!
LateralMovement
Pokingaround
AnaEackerhacksanon-privilegedusersystem.
Sowhat?
LateralMovement
LateralMovementistheexpansionofsystemscontrolled,anddataaccessed.
MostfamousLateralMovementaEack?(excludingpasswordre-use)
PasstheHash!
Detec+ngLegacyPtHLookforWindowsEvents:
● EventID:4624or4625
● Logontype:3
● Authpackage:NTLM
● Useraccountisnotadomainlogon,orAnonymousLogon
LMDetec+on:PasstheHash
source=WinEventLog:SecurityEventCode=4624Authen+ca+on_Package=NTLMType=Informa+on
Thenitgotharder• PasstheHashtoolshaveimproved• TrackingofjiEer,othermetrics• Solet’sdetectlateralmovementdifferently
Networktrafficprovidessourceoftruth● Iusuallytalkto10hosts● ThenonedayItalkto10,000hosts● ALARM!
LMDetec+on:NetworkDes+na+ons
sourcetype="pan:traffic"|statscountdc(dest)sparkline(dc(dest))bysrc_ip
ConsistentlylargeInconsistent!
LMDetec+on:NetworkDes+na+ons
sourcetype="pan:traffic"|bucket_+mespan=1d|statscountdc(dest)asNumDestsbysrc_ip_+me|statsavg(NumDests)asavgstdev(NumDests)asstdevlatest(NumDests)aslatestbysrc_ip|wherelatest>2*stdev+avg
Finddailyaverage,standarddevia+on,andmostrecent
SplunkUBA
Summary:LateralMovement● AEackersuccessdefinesscopeofabreach
● Highdifficulty,highimportance● WorthdoinginSplunk● EasywithUBA
DNSExfiltra+on
domain=corp;user=dave;password=12345
encrypt
DNSQuery:ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.aEack.com
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNSexfiltendstobeoverlookedwithinanoceanofDNSdata.
Let’sfixthat!
DNSexfiltra+on
FrameworkPOS:acard-stealingprogramthatexfiltratesdatafromthetarget’snetworkbytransmi�ngitasdomainnamesystem(DNS)traffic
Butthebigdifferenceisthewayhowstolendataisexfiltrated:themalwareusedDNSrequests!hEps://blog.gdatasowware.com/2014/10/23942-new-frameworkpos-
variant-exfiltrates-data-via-dns-requests
“”
…feworganiza,onsactuallykeepdetailedlogsorrecordsoftheDNStraffictraversingtheirnetworks—makingitanidealwaytosiphondatafromahackednetwork.
hEp://krebsonsecurity.com/2015/05/deconstruc+ng-the-2014-sally-beauty-breach/#more-30872
“”
DNSexfiltra+on
hEps://splunkbase.splunk.com/app/2734/
DNSexfildetec+on–tricksofthetradeü parseURLs&complicatedTLDs(TopLevelDomain)ü calculateShannonEntropy
Listofprovidedlookups• ut_parse_simple(url)• ut_parse(url,list)orut_parse_extended(url,list)• ut_shannon(word)• ut_countset(word,set)• ut_suites(word,sets)• ut_meaning(word)• ut_bayesian(word)• ut_levenshtein(word1,word2)
Examples• Thedomainaaaaa.comhasaShannonEntropyscoreof1.8(verylow)• Thedomaingoogle.comhasaShannonEntropyscoreof2.6(ratherlow)• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.comhasaShannon
Entropyscoreof3(ratherhigh)
Layman’sdefini+on:ascorereflec+ngtherandomnessormeasureofuncertaintyofastring
ShannonEntropy
Detec+ngDataExfiltra+on
index=brosourcetype=bro_dns|`ut_parse(query)`|`ut_shannon(ut_subdomain)`|evalsublen=length(ut_subdomain)|tableut_domainut_subdomainut_shannonsublen
TIPSq LeverageourBroDNSdataq CalculateShannonEntropyscoresq Calculatesubdomainlengthq DisplayDetails
Let’sgethandson!
DNSExfiltra+on
Detec+ngDataExfiltra+on
…|statscountavg(ut_shannon)asavg_shaavg(sublen)asavg_sublenstdev(sublen)asstdev_sublenbyut_domain|searchavg_sha>3avg_sublen>20stdev_sublen<2
TIPSq LeverageourBroDNSdataq CalculateShannonEntropyscoresq Calculatesubdomainlengthq Displaycount,scores,lengths,
devia+ons
Detec+ngDataExfiltra+onRESULTS• Exfiltra+ngdatarequiresmanyDNSrequests–lookforhighcounts• DNSexfiltra+ontomooo.comandchickenkiller.com
Summary:DNSexfiltra+on● Exfiltra+onbyDNSandICMPisaverycommontechnique● Manyorganiza+onsdonotanalyzeDNSac+vity–donotbelikethem!● NoDNSlogs?NoSplunkStream?LookatFWbytecounts
SplunkEnterpriseSecurity
90
SplunkEnterprise
-BigDataAnaly+csPlaqorm-
SplunkEnterpriseSecurity
-SecurityAnaly+csPlaqorm-
ThreatHun+ngwithSplunk
Hypotheses
AutomatedAnaly+cs
DataScience&MachineLearning
Data&IntelligenceEnrichment
DataSearch
Visualisa+on
Maturity
ThreatHun+ngDataEnrichment
ThreatHun+ngAutoma+on
Ingest&OnboardAnyThreatHun+ng
MachineDataSource
Search&VisualiseRela+onshipsforFasterHun+ng
OtherItemsToNote
ItemstoNote
Naviga+on-HowtoGetHere
Descrip+onofwhattoclickon
Click
KeySecurityIndicators(buildyourown!)
Sparklines
Editable
Variouswaystofilterdata
Malware-SpecificKSIsandReports
SecurityDomains->Endpoint->MalwareCenter
Filterable
KSIsspecifictoRisk
Riskassignedtosystem,userorother
UnderAdvancedThreat,selectRiskAnalysis
(ScrollDown)
RecentRiskAc+vity
UnderAdvancedThreat,selectRiskAnalysis
Filterable,downtoIoC
KSIsspecifictoThreat
Mostac+vethreatsource
Scrolldown… Scroll
UnderAdvancedThreat,selectThreatAc+vity
Specificsaboutrecentthreatmatches
UnderAdvancedThreat,selectThreatAc+vity
Toaddthreatintelgoto:Configure->DataEnrichment->ThreatIntelligenceDownloads
Click
Click“ThreatAr+facts”Under“AdvancedThreat”
Click
Ar+factCategories–clickdifferenttabs…
STIXfeed
Customfeed
UnderAdvancedThreat,selectThreatAr+facts
ReviewtheAdvancedThreatcontent
Click
DatafromassetframeworkConfigurableSwimlanes
Darker=moreevents
Allhappenedaroundsame+meChangeto“Today”ifneeded
AssetInves+gator,enter“192.168.56.102”
DataScience&MachineLearningInSecurity
103
Disclaimer:Iamnotadatascien+st
TypesofMachineLearningSupervisedLearning:generalizingfromlabeleddata
SupervisedMachineLearning
106
DomainName TotalCnt RiskFactor AGD SessionTime RefEntropy NullUa Outcome
yyfaimjmocdu.com 144 6.05 1 1 0 0 Maliciousjjeyd2u37an30.com 6192 5.05 0 1 0 0 Maliciouscdn4s.steelhousemedia.com 107 3 0 0 0 0 Benignlog.tagcade.com 111 2 0 1 0 0 Benigngo.vidprocess.com 170 2 0 0 0 0 Benignstatse.webtrendslive.com 310 2 0 1 0 0 Benigncdn4s.steelhousemedia.com 107 1 0 0 0 0 Benignlog.tagcade.com 111 1 0 1 0 0 Benign
UnsupervisedLearning:generalizingfromunlabeleddata
UnsupervisedMachineLearning
• Notuning
• Programma+callyfindstrends
• UBAisprimarilyunsupervised
• Rigorouslytestedforfit
108
AlgorithmRawSecurityData AutomatedClustering
109
MLToolkit&Showcase• SplunkSupportedframeworkforbuildingMLApps
– Getitforfree:hEp://+ny.cc/splunkmlapp
• LeveragesPythonforScien+ficCompu+ng(PSC)add-on:– Open-sourcePythondatascienceecosystem– NumPy,SciPy,scitkit-learn,pandas,statsmodels
• Showcaseusecases:PredictHardDriveFailure,ServerPowerConsump+on,Applica+onUsage,CustomerChurn&more
• Standardalgorithmsoutofthebox:– Supervised:Logis+cRegression,SVM,LinearRegression,RandomForest,etc.– Unsupervised:KMeans,DBSCAN,SpectralClustering,PCA,KernelPCA,etc.
• Implementoneof300+algorithmsbyedi+ngPythonscripts
MachineLearningToolkitDemo
111
SplunkUBA
114
SplunkEnterprise
-BigDataAnaly+csPlaqorm-
SplunkEnterpriseSecurity
-SecurityAnaly+csPlaqorm-
ThreatHun+ngwithSplunk
ThreatHun+ngDataEnrichment
ThreatHun+ngAutoma+on
Ingest&OnboardAnyThreatHun+ng
MachineDataSource
Search&VisualiseRela+onshipsforFasterHun+ng
Hypotheses
AutomatedAnaly+cs
DataScience&MachineLearning
Data&IntelligenceEnrichment
DataSearch
Visualisa+on
Maturity
UserBehaviorAnaly+cs
-SecurityDataSciencePlaqorm-
115
MachineLearningSecurityUseCasesMachine
LearningUseCases
PolymorphicAEackAnalysis
BehavioralPeerGroupAnalysis
User&En+tyBehaviorBaseline
Entropy/RareEventDetec+on
CyberAEack/ExternalThreatDetec+on
Reconnaissance,BotnetandC&CAnalysis
LateralMovementAnalysis
Sta+s+calAnalysis
DataExfiltra+onModels
IPReputa+onAnalysis
InsiderThreatDetec+on
User/DeviceDynamicFingerprin+ng
SplunkUBAUseCases
ACCOUNTTAKEOVER• Privilegedaccountcompromise• Dataexfiltra+on
LATERALMOVEMENT
• Pass-the-hashkillchain• Privilegeescala+onSUSPICIOUSACTIVITY• Misuseofcreden+als• Geo-loca+onanomalies
MALWAREATTACKS• Hiddenmalwareac+vityBOTNET,COMMAND&CONTROL
• Malwarebeaconing• Dataleakage
USER&ENTITYBEHAVIORANALYTICS• Suspiciousbehaviorbyaccountsor
devices
EXTERNALTHREATSINSIDERTHREATS
SplunkUserBehaviorAnaly+cs(UBA)• ~100%ofbreachesinvolvevalidcreden+als(MandiantReport)• Needtounderstandnormal&anomalousbehaviorsforALLusers• UBAdetectsAdvancedCyberaEacksandMaliciousInsiderThreats• LotsofMLunderthehood:
– BehaviorBaselining&Modeling– AnomalyDetec+on(30+models)– AdvancedThreatDetec+on
• E.g.,DataExfilThreat:– “Sawthisstrangelogin&datatransferforuserkwes+n
at3aminChina…”– SurfacethreattoSOCAnalysts
Raw Events
1
Statistical methods
Security semantics
2 Threat Models
Lateralmovement
ML
Patterns
Sequences
Beaconing
Land-speedviola+on
Threats
Kill chain sequence
5
Supporting evidence
Threat scoring
Graph Mining
4
Con
tinuo
us s
elf-l
earn
ing!
Anomalies graph
Entity relationship graph
3
Anomalies
RAW SECURITY EVENTS
ANOMALIES ANOMALY CHAINS (THREATS)
MACHINE LEARNING
GRAPH MINING
THREAT MODELS
Lateral Movement Beaconing Land-Speed Violation
HCI
Anomalies graph Entity relationship graph
Kill chain sequence Forensic artifacts Threat/Risk scoring
FEEDBACK
SplunkUBADemo
119
SecurityWorkshops
● ThreatIntelligenceWorkshop● InsiderThreat● CSC20Workshop● SIEM+● SplunkUBADataScienceWorkshop● EnterpriseSecurityBenchmarkAssessment
SecurityWorkshopSurvey
hCps://www.surveymonkey.com/r/TW2S56W
[email protected]:@kwes+nlinkedin.com/in/kwes+n