Embed Size (px)
Citation preview
Username:conf2016Password:security
https://conf-sec-seho-<2digitnumberthatisyourbirthday>.splunkoxygen.com/
https://conf-sec-seho-31.splunkoxygen.com/
EXAMPLEifIwasbornonJuly31st:
https://conf-sec-seho-04.splunkoxygen.com/
EXAMPLEifIwasbornonAugust4th:
Copyright©2016Splunk Inc.
JamesBrodskyGuywithbeard|Splunk
DimitriMcKayGuywithlargerbeard|Splunk
Splunking theEndpoint:“Handson!”RansomwareEdition
Disclaimer
3
Duringthecourseofthispresentation,wemaymakeridiculousstatementsregardingSplunkfeaturesthatmayormaynotbetrue.ThisisnotreflectiveofSplunkasacompany.Wecautionyouthatsuchstatementsreflectourownpersonallackofintelligenceandyoushouldloweryourexpectationsbasedonthefactthatwe’renotallthatbright.Bywe,wemeanDimitri.Actualfeaturesorfunctionsandtheirexplanationofwhichmaydifferfromreality.ForSplunkSearchLanguagequestions,Dimitri’sanswerswillprobably notbethetruth,assuch,actualresultswilldiffergreatlyfromthosecontainedinSplunkdocumentation.Ifyourecordthispresentation,youaregivingupyourrighttovote,righttobarearms(i.e.notanktops),andrightstoyourfirstbornmalechild. Theforward-lookingstatementsmadeinthispresentationarebeingmadeupaswegoalong.If reviewedafter itslivepresentation, thiscontentmaynotcontaincurrentorfactualinformation. Pleasedonotassumeanylegalobligationtoourcommentsorstatementsasfrankly,ifyoutattle,wewilldenyeverything. Inaddition,informationinthispresentationissubjecttochangeatanytimewithoutnoticebasedonhowmuchtroublewecouldpotentiallybein.Thispresentation isforeducational informational entertainmentpurposesonly.Donothold Splunkaccountableforanythingthatwemightsayordo,asfrankly,thebiasedopinionsandpoordecisionsweareabouttomakehereareourown.Thanks,andenjoytheshow.
4
5
6
Brodsky
SEManagerSWMajorsSecurityPracticeFanboy
3 Years+
7
3 Years+
Brodsky
SEManagerSWMajorsSecurityPracticeFanboy
8
> DimitriMcKay|SeniorSecurityArchitect|CISSP|CCSK|LOLZ|WTF
q 20yearsofnet/systemsecurityexperience.q 2nd place,2016Defcon BeardCompetition
q Formerpentester,corporatesecurityslackerforasearchengineandplussizedhandmodel.
q Enjoysmakingpoordecisions,breakingthingsanddisappointingmyparents.
q CurrentroleontheSecurityPracticeteamfocusesonsecuritystrategyforthefortune50,evangelismandaskingdumbquestions.
q Currentlyinterestedinmachinelearningforhomehomeautomationproductswhichwilleventuallybecomeselfawareandkillusall.
9
MinsterofSwagger@dimitrimckay
> DimitriMcKay|SeniorSecurityArchitect|CISSP|CCSK|LOLZ|WTF
q 20yearsofnet/systemsecurityexperience.q 2nd place,2016Defcon BeardCompetition
q Formerpentester,corporatesecurityslackerforasearchengineandplussizedhandmodel.
q Enjoysmakingpoordecisions,breakingthingsanddisappointingmyparents.
q CurrentroleontheSecurityPracticeteamfocusesonsecuritystrategyforthefortune50,evangelismandaskingdumbquestions.
q Currentlyinterestedinmachinelearningforhomehomeautomationproductswhichwilleventuallybecomeselfawareandkillusall.
10
MinsterofSwagger@dimitrimckay
11
AgendaReallyshortransomwareoverviewWhat’dwetalkaboutlastyearanderrataHowdowelogin?Hands-On:DetectionbywatchingtheendpointsHands-On:AdiversionovertoforensicsHands-On:IdeasforpreventionCollapseonstage
12
13
IntentionallyLeftBlank
14
So… what’stheproblem,Dimitri?
15
16
17
RansomwareEvolution
18
2013 2014 2015 2016
RANSOMLOCK
URAUSY
CRYPTOLOCKER
CRYPTODEFENSECRYPTOWALL
REVETONLOCKDROID
TESLACRYPTCTB-LOCKERLOCKSCREEN
VIRLOCKTOX
TESLACRYPT2.0TORRENTLOCKER
73V3N
DMALOCKCHIMERA
LOCKYSAMSAMKERANGERPOWERWARE
PETYATESLACRYPT3&4
CERBERJIGSAWROKKU
HYDRACRYPT…
19
20
So,wait,howbadisit,Dimitri?
Today
21
22
2016Verizonbreachreport
23
24
25
2016Verizonbreachreport
26
Mindvisualizingthattothekillchain,Dimitri?
RansomwareKillChain
27
CriminalSyndicate
Ransomware
WateringHole/ExploitKit
MaliciousEmail(Link/Attachment)
Vulnerability
28
29
SwitchtoJames
30
Butbeforewecontinue…
31
Let’sgobackintime…
Toexactly1yearago
@MGMLasVegas
34Poordecisionsweremade
35
TheUF:It’smorethanyouthink
Logs
36
Scripts
Perfmon
WireData
Logs
Process/Apps/FIM
Registry
Sysmon
TheUF:It’smorethanyouthink
37
WireData
Logs
Process/Apps/FIM
Registry
Sysmon
RansomwareExercises:fromtheUF
38
WireData
Logs
Process/Apps/FIM
Registry
Sysmon
AndwewilladdfromnonUFsources:
Forensics
FirewallVulnerabilities
39
Howmuchdata?
That’smorelikeit.16MBofSysmon,5.5MBofWindowsevents=21.5MBperendpoint.
Coveragefor1,000Windowsendpoints?21.5GB ingest,perday.
40
Whatwentwronglastyear?
41
Let’sgobackintime…
nooneisperfect…
42
Let’sgobackintime…
Mistakesweremade…
Therewere… inaccuracies…
Thesedidn’talwayswork.Havebeenupdated/fixed.
44
New!
New!
https://splunk.box.com/splunking-the-endpointThankyou,JeffWalzer andMikeSangray!
Username:conf2016Password:security
https://conf-sec-seho-<2digitnumberthatisyourbirthday>.splunkoxygen.com/
https://conf-sec-seho-31.splunkoxygen.com/
EXAMPLEifIwasbornonJuly31st:
https://conf-sec-seho-04.splunkoxygen.com/
EXAMPLEifIwasbornonAugust4th:
Whileyou’regettingloggedin…
46
Aninterludetotalkaboutyourpriorities,people.Dimitri?
47
SwitchtoDimitri
vs.
49
50
51
52
OR
Youmightneedhelp!Followalongwiththenarrationintheapp,atleastforthefirstfew
examples.
NewbiePath
You’vegotthis!Copyandpastetheexamplesearchesintothe“searchbar”inthe“SplunkLive Security2016”
app.
NinjaPath
NinjaPath
Whathavewehere?
Ourlearningenvironmentconsistsof:
• 31publically-accessiblesingle-instanceSplunk servers
• Eachwith~700Kevents,fromrealenvironment.
61
What’sthelabenvironmentlooklike?This?
mylablookslike…youthinkwhat
62
What’sthelabenvironmentlooklike?This?
Whatyouthinkmylablookslike
thereality.
63
attribution.
64
Getreadytocheat learn.
65
Hi.We’reblackhats.
66
we8106desk Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
splunk-02
wenessus1192.168.2.50WE9041SRV
LAN
WESIFTSVR1WESTOQSVR1
webackupsvr1
Ransomware Lab:“WayneEnterprises”
Hi!I’manendpoint!
67
we8106desk
splunk-02
webackupsvr1
Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
wenessus1192.168.2.50WE9041SRV
LAN
WESIFTSVR1WESTOQSVR1
USBDrivewithMaliciousWordMacroDoc
miranda_tate_unveiled.dotm(viaUSBdrive)
68
we8106desk Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
LAN
webackupsvr1wenessus1192.168.2.50WE9041SRV
splunk-02
WESIFTSVR1WESTOQSVR1
CommunicationtoDownloadCryptorCode
69
we8106desk
splunk-02
webackupsvr1
Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
wenessus1192.168.2.50WE9041SRV
LAN
WESIFTSVR1WESTOQSVR1
LocalFileEncryption
70
we8106desk
WE9041SRVwebackupsvr1wenessus1192.168.2.50
splunk-02
Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
LAN
WESIFTSVR1WESTOQSVR1
LateralMovetoFileshare
71
we8106desk
WE9041SRVwebackupsvr1wenessus1192.168.2.50
splunk-02
Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
LAN
WESIFTSVR1WESTOQSVR1
AbandonHope
72
we8106desk Fortigate NGFirewall
192.168.250.1
Internetsuricata-idsOD-FM-CONF-NA
(AWS)
splunk-02
wenessus1192.168.2.50WE9041SRV
LAN
WESIFTSVR1WESTOQSVR1
webackupsvr1
SourcetypesWeHave
WinEventLog:SystemWinEventLog:ApplicationWinEventLog:Security
Microsoft-Windows-Sysmon/OperationalWinRegistry
stream:*
suricata
nessus:pluginnessus:scan
fgt_*
log2timelinestoq:*
WinEventLog:SystemWinEventLog:ApplicationWinEventLog:Security
netbackup_logs
73
DETECTION:Windowsevents,stream,sysmon,registry,firewall….
DETECTION- Welearnedthat:
74
Manywaystodetectunusualendpointbehaviorthatcouldindicateransomwareinfection.Makeyoursearcheslookforgeneral,abnormalbehavior– not“specific”oryou’llneverkeepup.Youdon’thavetoturnoneverythingweshowedtogetsomevalue– butthemoreyouhavethemoreconfidentyoucanbe.Windowseventsareabareminimum!Theearlieryoudetect,thebetterchanceyouhaveatstoppingthespread.
75
FORENSICS:Adiveintoadiskimage
Forensics:Whatdidwelearn?
76
Don’tusesuspiciousUSBdrivescontainingmacro-enabledWorddocs.JWhilelotsofgoodcommercialforensicanalysistoolsexist,there’salotyoucandowithprogramsfromtheopen-sourcecommunity.Log2timeline/Plaso hasbeenaroundforaLONGtimeandcanbeenhancedviaextensiveplugins.Cost=$0.Lotsoftraining!YoucouldgatherdiskimagesfrominfectedsystemsanduseSplunk tosiftthroughtheextensiveamountsofdata.Insmallershops,thisisagooduseforacopyof“FreeSplunk”onyourlaptop.
77
PREVENTION:Infection“Lag.”Backups,backups,backups,backups,backups.Patches,patches,patches,patchesandpatches.Automatedanalysis.
Prevention:Whatdidwelearn?
78
Dowhatyoucanaboutimplementingpolicytohardenyourendpoints.Backeverythingupalwaysandverify.Scanyoursystems,patchyoursystems,useassetandidentityinfo.Performautomatedanalysistoknowwhenbadstuff’sarriving.Leverageinfectionlagbuiltintoransomwarevariantsto“takeaction”beforethedarkness.KenWestin’stalkfromTuesday!
AdaptiveResponse
AdaptiveResponse.
Dimitri’s MagicalandTimelyARSlide
80
THANKYOU
https://splunk.box.com/splunking-the-endpoint2016https://splunk.box.com/splunking-the-endpoint
