Threat Hunting with Splunk
Presenter: Ken Westin, M.Sc, OSCP, ITPM, Splunk Security Market Specialist

Prework for today
● Set up Splunk Enterprise Security Sandbox
● Install free Splunk on laptop
● Install ML Toolkit app
https://splunkbase.splunk.com/app/2890/

[email protected] @kwestin

$whoami
• 1 year at Splunk – Security Specialist
• Based in Portland, Oregon
• 17 years in technology and security
• M.Sc, OSCP, ITPM
• Trained in offensive & defensive security
• Put bad guys in jail… with data
Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Advanced Threat Hunting Techniques (Depending on Time)
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
Log In Credentials
Birth Month:
January, February & March: https://od-threathunting-01.splunkoxygen.com
April, May & June: https://od-threathunting-02.splunkoxygen.com
July and August: https://od-threathunting-03.splunkoxygen.com
September and October: https://od-threathunting-04.splunkoxygen.com
November and December: https://od-threathunting-05.splunkoxygen.com
User: hunter  Pass: pr3dator
These won’t work…
Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
This is a hands-on session.
The overview slides are important for building your “hunt” methodology
10 minutes - Seriously.
What is threat hunting, why do you need it?
The What?
• Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]
The Why?
• Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]
[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
[2] Cyber Threat Hunting - Samuel Alonso blog, Jan 2016
“Threat Hunting is not new, it’s just evolving!”
Threat Hunting with Splunk
Vs.
Search & Visualisation
Enrichment
Data
Automation
Human Threat Hunter
Key Building Blocks to Drive Threat Hunting Maturity
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
Objectives > Hypotheses > Expertise
“A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. This often requires an immodest determination”
Henry A. Crumpton, The Art of Intelligence: Lessons From a Life in the CIA’s Clandestine Service
SANS Threat Hunting Maturity
Ad Hoc Search: 85%
Statistical Analysis: 55%
Visualization Techniques: 50%
Aggregation: 48%
Machine Learning/Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
How Splunk helps You Drive Threat Hunting Maturity
Threat Hunting Automation: Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning
Threat Hunting Data Enrichment: Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
Search & Visualise Relationships for Faster Hunting: Search and correlate data while visually fusing results for faster context, analysis and insight
Ingest & Onboard Any Threat Hunting Machine Data Source: Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology
Maturity scale labels: Hypotheses, Automated Analytics, Data Science & Machine Learning, Data & Intelligence Enrichment, Data Search, Visualisation, Maturity
Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring. Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services. Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity. Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion. Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data. Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist. Tools: Splunk UBA (all of the above)
Typical Data Sources
Persist, Repeat
Threat Intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Third-party threat intel • Open-source blacklist • Internal threat intelligence
Network: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Firewall, IDS, IPS • DNS • Email • Web proxy • NetFlow • Network
Endpoint: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching
Access/Identity: Access level, privileged users, likelihood of infection, where they might be in kill chain
• Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO
Endpoint: Microsoft Sysmon Primer
● TA Available on the App Store
● Great Blog Post to get you started
● Increases the fidelity of Microsoft Logging
Blog Post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
Sysmon Event Tags
Maps Network Comm to process_id:
sourcetype=X* | search tag=communicate
Process_id creation and mapping to parent process_id:
sourcetype=X* | dedup tag | search tag=process
Data Source Mapping
Demo Story - Kill Chain Framework
Successful brute force – download sensitive pdf document
Weaponize the pdf file with Zeus Malware
Convincing email sent with weaponized pdf
Vulnerable pdf reader exploited by malware. Dropper created on machine
Dropper retrieves and installs the malware
Persistence via regular outbound comm
Data Exfiltration
Source: Lockheed Martin
Stream Investigations – choose your data wisely
Data sources shown: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Traditional, Authentication
Let’s dig in!
Please, raise that hand if you need us to hit the pause button
APT Transaction Flow Across Data Sources
Data Sources: Threat Intelligence, Endpoint, Network (Email, Proxy, DNS, and Web)
Attacker hacks website, steals .pdf files (Web Portal)
Attacker creates malware, embeds in .pdf, emails to the target
Read email, open attachment
.pdf executes & unpacks malware overwriting and running “allowed” programs: Calc.exe (dropper), Svchost.exe (malware)
http (proxy) session to command & control server
Remote control, Steal data, Persist in company, Rent as botnet
Other diagram labels: Proxy, Conduct Business, Create additional environment, Gain Access to system, Transaction
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
In search: index=zeus_demo3
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources.
In this demo environment, we have a variety of security relevant data including…
Web, DNS, Proxy, Firewall, Endpoint, Email
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA.
We have endpoint visibility into all network communication and can map each connection back to a process.
We also have detailed info on each process and can map it back to the user and parent process.
Let’s get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources.
We are seeing high risk communication from multiple data sources.
We see multiple threat intel related events across multiple sourcetypes associated with the IP Address of Chris Gilbert. Let’s take a closer look at the IP Address.
We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
This dashboard is based on event data that contains a threat intel based indicator match (IP Address, domain, etc.). The data is further enriched with CMDB based Asset/identity information.
We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address.
Scroll down the dashboard to examine these threat intel events associated with the IP Address.
We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk.
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred, which is common when data is being exfiltrated.
Exfiltration of data is a serious concern, as is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case.
Let’s continue the investigation.
We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down such as the user ID that started the process and the associated CMDB enrichment information.
Another clue. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. Not good.
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
This has brought us to the Process Explorer dashboard which lets us view Windows Sysmon endpoint data.
This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name.
We also can see that the parent process that created this suspicious svchost.exe process is called calc.exe.
Suspected Malware
Let’s continue the investigation by examining the parent process as this is almost certainly a genuine threat and we are now working toward a root cause.
This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
Suspected Downloader/Dropper
This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe… which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
Suspected Downloader/Dropper
Suspected Vulnerable App
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll down the dashboard to examine activity related to the PDF reader process.
Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email and we have access to our email logs as one of our important data sources. Let’s copy the file name 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
Let’s dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
In search: index=zeus_demo3 2nd_qtr_2014_report.pdf
Let’s search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file but let’s first look at the email event to determine the scope of this apparent phishing attack.
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold On! That’s not our Domain Name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice.
This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
Root Cause Recap
We utilized threat intel to detect communication with known high risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
Let’s revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Select the access_combined sourcetype to investigate further.
The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.
Select the IP Address, left-click, then select “New search”. We would like to understand what else this IP Address has accessed in the environment.
That’s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window.
This looks like a scripted action given the constant high rate of requests over the below window.
Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot user agent string, which is another attempt to avoid raising attention.
The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
The attacker is also accessing admin pages which may be an attempt to establish persistence via a backdoor into the website.
Kill Chain Analysis Across Data Sources
We began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales.
We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
We traced calc.exe back to the vulnerable application PDF Reader.
We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let’s get this turned over to the Incident Response team.
10 min Break!
Appendix - SQLi - Lateral Movement - DNS Exfiltration
SQLi
SQL Injection
● SQL injection ● Code injection ● OS commanding ● LDAP injection ● XML injection ● XPath injection ● SSI injection ● IMAP/SMTP injection ● Buffer overflow
Imperva Web Attacks Report, 2015
The anatomy of a SQL injection attack
An attacker might supply:
[email protected]' OR 1 = 1 -- '
xxx
1234
Resulting query:
SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';
…and so far this year…
In search: index=web_vuln password select
What have we here? Our learning environment consists of:
• A bunch of publicly-accessible single Splunk servers
• Each with ~5.5M events, from real environments but massaged:
  • Windows Security events • Apache web access logs • Bro DNS & HTTP • Palo Alto traffic logs • Some other various bits
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
✓ looks for patterns in URI query field to see if anyone has injected them with SQL statements
✓ uses standard deviations that are 2.5 times greater than the average length of your URI query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
Regular Expression FTW
sqlinjection_rex is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)
Which means: In the string we are given, look for ANY of the following matches and put that into the “injection” field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ‘ at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
  • Note: %27 is encoded “’” and %20 is encoded <space>
• Any amount of word characters followed by a %27 OR a ‘ and then “or”
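To make the two checks concrete, here is an added example (not code from the SQL Injection app or from the slides) that ports the sqlinjection_rex pattern to Python, runs it over the URI query of constructed Apache access-log lines, and flags abnormally long query strings. The length rule is implemented as mean plus 2.5 population standard deviations, which is this example's reading of the slide and an assumption about the sqlinjection_stats macro.

```python
import re
import statistics
from typing import Optional

# Port of the sqlinjection_rex macro from the slide. Python does not accept an
# inline (?i) inside a group, so case-insensitivity is passed as a flag, and
# (?<name>) becomes (?P<name>). The two bracket groups are character classes:
# [%27|'] matches any ONE of the characters % 2 7 | ' which is how the
# original is written, so the port keeps that behaviour.
SQLI_REGEX = re.compile(
    r"(?P<injection>select.*?from|union.*?select|'$|delete.*?from|update.*?set"
    r"|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|\w*[%27|']or)",
    re.IGNORECASE,
)

# The request line inside the quotes of an Apache common/combined log entry.
REQUEST_REGEX = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')


def uri_query(log_line: str) -> Optional[str]:
    """Return the query part of the request URI (Splunk's uri_query field), or None."""
    m = REQUEST_REGEX.search(log_line)
    if not m or "?" not in m.group("uri"):
        return None
    return m.group("uri").split("?", 1)[1]


def detect_sqli(log_line: str) -> Optional[str]:
    """Return the text captured into the 'injection' field, or None if no pattern hit."""
    query = uri_query(log_line)
    if query is None:
        return None
    m = SQLI_REGEX.search(query)
    return m.group("injection") if m else None


def length_outliers(log_lines, k: float = 2.5):
    """Queries whose length exceeds mean + k * stdev of all query lengths (assumed reading)."""
    queries = [q for q in (uri_query(line) for line in log_lines) if q is not None]
    if len(queries) < 2:
        return []
    lengths = [len(q) for q in queries]
    threshold = statistics.mean(lengths) + k * statistics.pstdev(lengths)
    return [q for q in queries if len(q) > threshold]


# Constructed Apache access-log lines (not real traffic); two carry injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2016:10:00:01 -0800] "GET /products.php?id=42 HTTP/1.1" 200 1532',
    '10.0.0.7 - - [10/Jan/2016:10:00:02 -0800] "GET /search.php?q=shoes HTTP/1.1" 200 2201',
    '10.0.0.8 - - [10/Jan/2016:10:00:03 -0800] "GET /products.php?id=7 HTTP/1.1" 200 1498',
    '10.0.0.5 - - [10/Jan/2016:10:00:04 -0800] "GET /list.php?page=2 HTTP/1.1" 200 3310',
    '10.0.0.9 - - [10/Jan/2016:10:00:05 -0800] "GET /search.php?q=boots HTTP/1.1" 200 2190',
    '10.0.0.7 - - [10/Jan/2016:10:00:06 -0800] "GET /list.php?cat=sale HTTP/1.1" 200 2877',
    '10.0.0.8 - - [10/Jan/2016:10:00:07 -0800] "GET /search.php?q=hats HTTP/1.1" 200 2044',
    '10.0.0.9 - - [10/Jan/2016:10:00:08 -0800] "GET /products.php?id=99 HTTP/1.1" 200 1511',
    '198.51.100.9 - - [10/Jan/2016:10:00:09 -0800] "GET /search.php?q=shoes\'%20or%20\'1\'=\'1 HTTP/1.1" 200 9188',
    '198.51.100.9 - - [10/Jan/2016:10:00:10 -0800] "GET /products.php?id=1%20UNION%20SELECT%20username,password,email,role%20FROM%20users%20WHERE%201=1 HTTP/1.1" 500 340',
]


def scan(log_lines):
    """Run both checks: returns ([(query, injection), ...], [long query, ...])."""
    hits = []
    for line in log_lines:
        found = detect_sqli(line)
        if found:
            hits.append((uri_query(line), found))
    return hits, length_outliers(log_lines)


if __name__ == "__main__":
    pattern_hits, long_queries = scan(SAMPLE_LOG)
    for query, injection in pattern_hits:
        print(f"pattern hit: {query!r} -> injection={injection!r}")
    for query in long_queries:
        print(f"length outlier: {query!r} ({len(query)} chars)")
```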
Bonus: Try out the SQL Injection app!
Summary: Web attacks/SQL injection
● SQL injection provides attackers with easy access to data
● Detecting advanced SQL injection is hard – use an app!
● Understand where SQLi is happening on your network and put a stop to it.
● Augment your WAF with enterprise-wide Splunk searches.
Lateral Movement
Poking around
An attacker hacks a non-privileged user system.
So what?
Lateral Movement
Lateral Movement is the expansion of systems controlled, and data accessed.
Most famous Lateral Movement attack? (excluding password re-use)
Pass the Hash!
Detecting Legacy PtH
Look for Windows Events:
● Event ID: 4624 or 4625
● Logon type: 3
● Auth package: NTLM
● User account is not a domain logon, or Anonymous Logon
LM Detection: Pass the Hash
source=WinEventLog:Security EventCode=4624 Authentication_Package=NTLM Type=Information
Then it got harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement differently
Network traffic provides source of truth
● I usually talk to 10 hosts
● Then one day I talk to 10,000 hosts
● ALARM!
LM Detection: Network Destinations
sourcetype="pan:traffic" | stats count dc(dest) sparkline(dc(dest)) by src_ip
Consistently large
Inconsistent!
LM Detection: Network Destinations
sourcetype="pan:traffic" | bucket _time span=1d | stats count dc(dest) as NumDests by src_ip _time | stats avg(NumDests) as avg stdev(NumDests) as stdev latest(NumDests) as latest by src_ip | where latest > 2*stdev + avg
Find daily average, standard deviation, and most recent
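The daily distinct-destination baseline above, re-implemented as an added example (not part of the slides or of any Splunk app) over constructed connection records standing in for pan:traffic events: bucket by day, count distinct destinations per source, then flag a source whose latest day exceeds avg + 2*stdev. The "consistently large" server and the "inconsistent" workstation from the slide are both included so the two outcomes can be compared.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_traffic():
    """Ten days of constructed (timestamp, src_ip, dest) records; not real firewall data.

    10.0.0.5 talks to 10 distinct hosts a day, then 200 on the last day (inconsistent).
    10.0.0.6 is a server that always talks to 48 or 52 hosts (consistently large).
    """
    day0 = datetime(2016, 1, 1)
    records = []
    for d in range(10):
        ts = day0 + timedelta(days=d, hours=9)
        n_quiet = 200 if d == 9 else 10
        for i in range(n_quiet):
            records.append((ts, "10.0.0.5", f"10.1.0.{i}"))
        n_busy = 52 if d % 2 else 48
        for i in range(n_busy):
            records.append((ts, "10.0.0.6", f"10.2.0.{i}"))
    return records


def daily_distinct_dests(records):
    """bucket _time span=1d | stats dc(dest) as NumDests by src_ip _time

    Returns {src_ip: [(day, NumDests), ...]} in chronological order.
    """
    dests = defaultdict(set)
    for ts, src, dest in records:
        dests[(src, ts.date())].add(dest)
    per_src = defaultdict(list)
    for (src, day), seen in sorted(dests.items(), key=lambda kv: kv[0][1]):
        per_src[src].append((day, len(seen)))
    return per_src


def find_lateral_movement(records, multiplier=2.0):
    """stats avg stdev latest by src_ip | where latest > multiplier*stdev + avg"""
    flagged = {}
    for src, series in daily_distinct_dests(records).items():
        counts = [n for _, n in series]
        if len(counts) < 2:
            continue  # stdev needs at least two days of history
        avg = statistics.mean(counts)
        stdev = statistics.stdev(counts)  # sample stdev, as Splunk's stdev() computes
        latest = counts[-1]               # latest(): the most recent day's count
        if latest > multiplier * stdev + avg:
            flagged[src] = {"avg": avg, "stdev": stdev, "latest": latest}
    return flagged


if __name__ == "__main__":
    for src, info in find_lateral_movement(build_sample_traffic()).items():
        print(f"{src}: latest={info['latest']} avg={info['avg']:.1f} stdev={info['stdev']:.1f}")
```

With these numbers the workstation's last day (200 against an average of 29 and a sample standard deviation of about 60) is flagged, while the server's 52 stays inside its 48 to 52 band and is not.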
Splunk UBA
Summary: Lateral Movement
● Attacker success defines scope of a breach
● High difficulty, high importance
● Worth doing in Splunk
● Easy with UBA
DNS Exfiltration
domain=corp;user=dave;password=12345
encrypt
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
DNS exfil tends to be overlooked within an ocean of DNS data.
Let’s fix that!
DNS exfiltration
“FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic. But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!”
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
“…few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.”
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
DNS exfiltration
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
✓ parse URLs & complicated TLDs (Top Level Domain)
✓ calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
Detecting Data Exfiltration
index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen=length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen
TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display Details
Let’s get hands on!
DNS Exfiltration
Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2
TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
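The two searches above (per-query entropy and length, then the per-domain stats and the avg_sha>3 avg_sublen>20 stdev_sublen<2 filter), carried out as an added example that is not from the slides or from URL Toolbox. It computes standard Shannon entropy in bits over the characters of a string (an assumption about what ut_shannon returns; the slide's 1.8 and 2.6 are consistent with it) and splits the registered domain as the last two labels, which is a simplification of ut_parse. The Bro dns.log lines are a constructed three-column subset.

```python
import math
import statistics
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query: str):
    """Split a DNS query name into (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. URL Toolbox's
    ut_parse handles multi-label TLDs such as co.uk; this stand-in does not.
    """
    labels = query.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


# Constructed subset of Bro dns.log: tab-separated ts, id.orig_h, query.
# The attack.com queries carry 28-character base64 chunks like the slide's example.
SAMPLE_DNS_LOG = """\
1452420001.1\t10.0.0.5\twww.google.com
1452420002.2\t10.0.0.5\tmail.google.com
1452420003.3\t10.0.0.7\tcdn4s.steelhousemedia.com
1452420004.4\t10.0.0.5\tZG9tYWluPWNvcnA7dXNlcj1kYXZl.attack.com
1452420005.5\t10.0.0.5\tO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
1452420006.6\t10.0.0.5\taGVsbG8gd29ybGQgdGhpcyBpcyBh.attack.com
1452420007.7\t10.0.0.9\tlog.tagcade.com
"""


def domain_stats(bro_dns_log: str):
    """stats count avg(ut_shannon) avg(sublen) stdev(sublen) by ut_domain"""
    per_domain = defaultdict(lambda: {"sha": [], "sublen": []})
    for line in bro_dns_log.splitlines():
        if not line or line.startswith("#"):
            continue  # skip Bro header lines and blanks
        query = line.split("\t")[2]
        sub, dom = split_query(query)
        per_domain[dom]["sha"].append(shannon_entropy(sub))
        per_domain[dom]["sublen"].append(len(sub))
    return {
        dom: {
            "count": len(v["sublen"]),
            "avg_sha": statistics.mean(v["sha"]),
            "avg_sublen": statistics.mean(v["sublen"]),
            "stdev_sublen": statistics.pstdev(v["sublen"]),
        }
        for dom, v in per_domain.items()
    }


def suspected_exfil_domains(stats, min_sha=3.0, min_sublen=20, max_stdev=2.0):
    """The slide's filter: high entropy, long subdomains, uniform length (chunked payload)."""
    return sorted(
        dom for dom, s in stats.items()
        if s["avg_sha"] > min_sha and s["avg_sublen"] > min_sublen
        and s["stdev_sublen"] < max_stdev
    )


if __name__ == "__main__":
    stats = domain_stats(SAMPLE_DNS_LOG)
    for dom in suspected_exfil_domains(stats):
        s = stats[dom]
        print(f"{dom}: count={s['count']} avg_sha={s['avg_sha']:.2f} "
              f"avg_sublen={s['avg_sublen']:.0f} stdev_sublen={s['stdev_sublen']:.2f}")
```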
Detecting Data Exfiltration RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
Summary: DNS exfiltration
● Exfiltration by DNS and ICMP is a very common technique
● Many organizations do not analyze DNS activity – do not be like them!
● No DNS logs? No Splunk Stream? Look at FW byte counts
http://www.slideshare.net/kwestin/workshop-threathunting
Splunk Enterprise Security
Splunk Enterprise
- Big Data Analytics Platform -
Splunk Enterprise Security
- Security Analytics Platform -
Threat Hunting with Splunk
Maturity scale labels: Hypotheses, Automated Analytics, Data Science & Machine Learning, Data & Intelligence Enrichment, Data Search, Visualisation, Maturity
Threat Hunting Data Enrichment
Threat Hunting Automation
Ingest & Onboard Any Threat Hunting Machine Data Source
Search & Visualise Relationships for Faster Hunting
Other Items To Note
Items to Note
Navigation - How to Get Here
Description of what to click on
Click
Key Security Indicators (build your own!)
Sparklines
Editable
Various ways to filter data
Malware-Specific KSIs and Reports
Security Domains -> Endpoint -> Malware Center
Filterable
KSIs specific to Risk
Risk assigned to system, user or other
Under Advanced Threat, select Risk Analysis
(Scroll Down)
Recent Risk Activity
Under Advanced Threat, select Risk Analysis
Filterable, down to IoC
KSIs specific to Threat
Most active threat source
Scroll down…
Under Advanced Threat, select Threat Activity
Specifics about recent threat matches
Under Advanced Threat, select Threat Activity
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads
Click
Click “Threat Artifacts” Under “Advanced Threat”
Click
Artifact Categories – click different tabs…
STIX feed
Custom feed
Under Advanced Threat, select Threat Artifacts
Review the Advanced Threat content
Click
Data from asset framework
Configurable Swimlanes
Darker = more events
All happened around same time
Change to “Today” if needed
Asset Investigator, enter “192.168.56.102”
Data Science & Machine Learning In Security
Disclaimer: I am not a data scientist
Types of Machine Learning
Supervised Learning: generalizing from labeled data
Supervised Machine Learning
Domain Name                 TotalCnt  RiskFactor  AGD  SessionTime  RefEntropy  NullUa  Outcome
yyfaimjmocdu.com            144       6.05        1    1            0           0       Malicious
jjeyd2u37an30.com           6192      5.05        0    1            0           0       Malicious
cdn4s.steelhousemedia.com   107       3           0    0            0           0       Benign
log.tagcade.com             111       2           0    1            0           0       Benign
go.vidprocess.com           170       2           0    0            0           0       Benign
statse.webtrendslive.com    310       2           0    1            0           0       Benign
cdn4s.steelhousemedia.com   107       1           0    0            0           0       Benign
log.tagcade.com             111       1           0    1            0           0       Benign
Unsupervised Learning: generalizing from unlabeled data
Unsupervised Machine Learning
• No tuning
• Programmatically finds trends
• UBA is primarily unsupervised
• Rigorously tested for fit
Raw Security Data -> Algorithm -> Automated Clustering
ML Toolkit & Showcase
• Splunk Supported framework for building ML Apps
  – Get it for free: http://tiny.cc/splunkmlapp
• Leverages Python for Scientific Computing (PSC) add-on:
  – Open-source Python data science ecosystem
  – NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
  – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
  – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, Kernel PCA, etc.
• Implement one of 300+ algorithms by editing Python scripts
Machine Learning Toolkit Demo
Splunk UBA
User Behavior Analytics
- Security Data Science Platform -
Machine Learning Security Use Cases
Machine Learning Use Cases: Polymorphic Attack Analysis, Behavioral Peer Group Analysis, User & Entity Behavior Baseline, Entropy/Rare Event Detection, Cyber Attack/External Threat Detection, Reconnaissance, Botnet and C&C Analysis, Lateral Movement Analysis, Statistical Analysis, Data Exfiltration Models, IP Reputation Analysis, Insider Threat Detection, User/Device Dynamic Fingerprinting
Splunk UBA Use Cases
EXTERNAL THREATS / INSIDER THREATS
ACCOUNT TAKEOVER • Privileged account compromise • Data exfiltration
LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation
SUSPICIOUS ACTIVITY • Misuse of credentials • Geo-location anomalies
MALWARE ATTACKS • Hidden malware activity
BOTNET, COMMAND & CONTROL • Malware beaconing • Data leakage
USER & ENTITY BEHAVIOR ANALYTICS • Suspicious behavior by accounts or devices
Splunk User Behavior Analytics (UBA)
• ~100% of breaches involve valid credentials (Mandiant Report)
• Need to understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
  – Behavior Baselining & Modeling
  – Anomaly Detection (30+ models)
  – Advanced Threat Detection
• E.g., Data Exfil Threat:
  – “Saw this strange login & data transfer for user kwestin at 3am in China…”
  – Surface threat to SOC Analysts
RAW SECURITY EVENTS -> ANOMALIES -> ANOMALY CHAINS (THREATS)
MACHINE LEARNING / GRAPH MINING / THREAT MODELS / HCI
Threat models: Lateral Movement, Beaconing, Land-Speed Violation
Anomalies graph, Entity relationship graph
Kill chain sequence, Forensic artifacts, Threat/Risk scoring
FEEDBACK
Splunk UBA Demo
Security Workshops
● Threat Intelligence Workshop ● Insider Threat ● CSC20 Workshop ● SIEM+ ● Splunk UBA Data Science Workshop ● Enterprise Security Benchmark Assessment
Security Workshop Survey
https://www.surveymonkey.com/r/NL7RN6B
[email protected] | @kwestin | linkedin.com/in/kwestin