Stalking Hackers with Core Splunk
Derek Arnold
Your Presenter
• Derek Arnold
• 12 years in security
• Enterprise IT
• Industries: retail, medical tech, health insurance
• Specialties: security operations, threat intelligence, physical security, SIEM
• Certified Splunk admin
• Yoga, Pilates, running
Agenda
Threat Realization
Anomaly Detection
Windows Searches
UNIX Searches
Networking and Remote Desktop Searches
Key Takeaways/Conclusion
Kevin Mitnick
Robert has a sense that he understands how IT and network security people work, and it’s not all that different from everyone else in the
working world. “The only way for them to notice [my going online] would have been going through the logs actively.” His view of IT security
people wasn’t very flattering. “People don’t read logs every morning. When you get to your desk, you sit down, have a coffee, read a few Web
sites of personal interest. You don’t go in and read logs and see who changed their passwords yesterday.”
Source: Kevin Mitnick, The Art of Intrusion
2014 Retail Breaches White Paper
In today’s corporations, there are many attack alerts that may possibly overwhelm the staff’s ability to react to them all. Companies must
implement and maintain Security Information and Event Management (SIEM), define events of interest (EOI) and train staff to assess whether the EOI poses a serious threat. Ignoring an alert is like driving a car with
the check engine light on because there are seemingly no other symptoms of a serious problem.
Source: http://www.accuvant.com/resources/the-four-attack-vectors-to-prevent-or-detect-retailer-breaches
Sun Tzu
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.”
Source: Sun Tzu, The Art of War, Ch. III
ANOMALY DETECTION
Big word, big concept
Kill chain: Reconnaissance > Weaponization > Delivery > Exploitation > Command and Control > Exfiltration

Anomaly Detection
In order to know what is abnormal, we need to know what is normal
• 30-90 day historical profile required
• Shorten the dwell time
• You're using Universal Forwarder, RIGHT?
Universal Forwarder on Windows
Harness the full capability
Data sources:
§ Windows event logs
§ File system changes
§ WMI-based data
§ Windows registry data
§ Host information
§ Network information
Use cases:
§ File integrity monitoring: configuration files
§ DNS resolution
§ Downloads folders, temp folders, root folders
§ Software installations
§ Crashing processes, AV tampering
§ Creation of new services
§ Task scheduler activity
More information:
§ http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorWindowsdata
§ http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
Local Admin Usage (description)
• Who is using local admin instead of a specific administrative user?
• Risk of escalation of privilege. Who is making the change? Shouldn't they be using an ID trackable to a specific person?
• Does the job role of this employee match their privileges?

Domain Admin Changes (description)
• Who is being added to the Windows domain admins group?
• Risk of escalation of privilege. Who is making the change?
• Does the job role of this employee match their privileges?
Domain Admin Changes (search)
Adds/removes from W2k8 and W2k3

sourcetype=WinEventLog:Security Security_ID="YourDomain\\DomainAdminADGroupName"
  (EventCode=4728 OR EventCode=632 OR EventCode=4729 OR EventCode=633)
| eval ChangedBy=mvindex(Security_ID,0)
| eval Member=mvindex(Security_ID,1)
| eval DestinationGroup=mvindex(Security_ID,2)
| search DestinationGroup="YourDomain\\DomainAdminADGroupName"
| eval ActionTaken=case(EventCode=4728 OR EventCode=632, "A member was added to a security-enabled global group.",
                        EventCode=4729 OR EventCode=633, "A member was removed from a security-enabled global group.")
| table _time Member ActionTaken DestinationGroup ChangedBy

• Assign variables for interesting fields: Security_ID is multivalued on these events (subject, member, target group, in that order), so mvindex() pulls each role out by position
• Parse event codes and rename to a friendly format: 4728/4729 are the Windows 2008+ codes, 632/633 the Windows 2003 equivalents
• Summarize activity in a table
Caveat: these codes only fire for security-enabled global groups, which is what Domain Admins is. Changes to domain-local groups (for example the built-in Administrators group) are logged as 4732/4733 and changes to universal groups as 4756/4757, so add those codes if you monitor such groups with the same search.
Event Logs Cleared (description)
• After a threat actor has performed their task, wouldn't they try to clean up their tracks?

Event Logs Cleared (search)
sourcetype=wineventlog:* (EventCode=1102 OR EventCode=517) LogName=Security
| table _time ComputerName EventCodeDescription Client_User_Name src_user
• Look for the event codes that record a cleared log: 1102 on Windows Vista/2008 and later, 517 on Windows 2003
• Display the important info in a table
Caveat: 1102 and 517 are written to the Security log when the Security log itself is cleared. Clearing the System or Application log is recorded as event 104 in the System log, so include it if those logs matter to you.
Suspicious Processes (description)
• Malware is often installed under the name of a trusted process
• Look for trusted process names in non-standard folders
• An attacker usually cannot drop the file into the real system directory: the genuine binary is in use (sharing violation) or replacing it destabilises the system

Suspicious Processes (search)
sourcetype=wineventlog:security "new process has been created"
| eval Process_Name=coalesce(Image_File_Name,New_Process_Name)
| fields Message, Process_Name, User_Name, ComputerName
| search (
    (Process_Name=*cmd.exe NOT Process_Name="C:\\WINDOWS\\system32\\cmd.exe" NOT Process_Name="C:\\Windows\\SysWOW64\\cmd.exe" NOT Process_Name="C:\\Windows\\System32\\inetsrv\\appcmd.exe") OR
    (Process_Name=*svchost.exe NOT Process_Name="C:\\WINDOWS\\system32\\svchost.exe" NOT Process_Name="C:\\Windows\\SysWOW64\\svchost.exe") OR
    (Process_Name=*explorer.exe NOT Process_Name="C:\\WINDOWS\\explorer.exe") OR
    (Process_Name=*msiexec.exe NOT (Process_Name="C:\\WINDOWS\\system32\\msiexec.exe" OR Process_Name="C:\\Windows\\SysWOW64\\msiexec.exe")) OR
    (Process_Name=*taskmgr.exe NOT Process_Name="C:\\WINDOWS\\system32\\taskmgr.exe") OR
    (Process_Name=*at.exe NOT Process_Name="C:\\WINDOWS\\system32\\at.exe" NOT Process_Name="C:\\WINDOWS\\system32\\netstat.exe") OR
    (Process_Name=*gpupdate.exe NOT Process_Name="C:\\WINDOWS\\system32\\gpupdate.exe") OR
    (Process_Name=*regedt32.exe NOT Process_Name="C:\\WINDOWS\\system32\\regedt32.exe") OR
    (Process_Name=*iexplore.exe NOT Process_Name="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" NOT Process_Name="C:\\Program Files\\Internet Explorer\\iexplore.exe") OR
    Process_Name="* *" OR Process_Name=*scvhost.exe OR Process_Name=*iexplorer.exe OR Process_Name=*svcdost.exe
  )

• Gather data fields: Image_File_Name is the Windows 2003 field (event 592), New_Process_Name the Windows 2008+ field (event 4688); coalesce() gives one field for both
• Look for key system process names not running in their system folder
• Blank or misspelled: scvhost.exe, svcdost.exe and iexplorer.exe are common look-alikes
Caveats: field comparisons in search are case-insensitive, so the mixed C:\WINDOWS and C:\Windows spellings above all match. The suffix wildcards are broad: *at.exe also matches netstat.exe and *cmd.exe matches appcmd.exe, which is why those two are excluded. Process_Name="* *" matches any path containing a space, including everything under C:\Program Files, so tune that clause (or test the file name rather than the full path) before alerting on it. On 64-bit hosts svchost.exe legitimately runs from both System32 and SysWOW64; the original slide excluded only System32, the search above allows both.
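The same test as a stand-alone script, added here as an example (it is not code from the deck): the process-creation check re-implemented so it can be run against sample records and unit-tested before the SPL goes into a saved search. It compares the exact file name instead of a suffix wildcard (so netstat.exe is no longer confused with at.exe), keeps the trusted-folder allowlist in one place, catches look-alike spellings by edit distance rather than by listing each typo, and treats a space in the file name, not in the folder, as suspicious. The allowlist, the host names and the sample events are constructed for this example.

```python
"""Added example: the "Suspicious Processes" slide logic, outside Splunk.
Flags (1) a trusted Windows binary name running outside its expected folder,
(2) a look-alike spelling of a trusted name, (3) a blank image name and
(4) a space inside the file name itself. All data below is constructed."""
import ntpath

# Where each commonly impersonated binary is expected to live (lower-cased).
# Assumed allowlist for this example; extend it for your own builds.
TRUSTED_PATHS = {
    "cmd.exe":      {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe"},
    "svchost.exe":  {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "msiexec.exe":  {r"c:\windows\system32\msiexec.exe", r"c:\windows\syswow64\msiexec.exe"},
    "taskmgr.exe":  {r"c:\windows\system32\taskmgr.exe"},
    "at.exe":       {r"c:\windows\system32\at.exe"},
    "gpupdate.exe": {r"c:\windows\system32\gpupdate.exe"},
    "regedt32.exe": {r"c:\windows\system32\regedt32.exe"},
    "iexplore.exe": {r"c:\program files\internet explorer\iexplore.exe",
                     r"c:\program files (x86)\internet explorer\iexplore.exe"},
}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'scvhost' vs 'svchost' costs 1, like 'svcdost' (substitution) or
    'iexplorer' (insertion)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(process_path):
    """Return (category, detail) for a suspicious image path, or None if it looks fine."""
    path = process_path.strip().lower()      # Windows paths are case-insensitive
    name = ntpath.basename(path)             # exact file name: netstat.exe is not at.exe
    if not name:
        return ("blank_name", path)
    if " " in name:                          # space in the file name, not in the folder
        return ("space_in_name", name)
    if name in TRUSTED_PATHS:
        if path in TRUSTED_PATHS[name]:
            return None
        return ("wrong_folder", f"{name} at {path}")
    lookalikes = sorted(t for t in TRUSTED_PATHS if osa_distance(name, t) <= 1)
    if lookalikes:
        return ("lookalike", f"{name} resembles {', '.join(lookalikes)}")
    return None


def scan(events):
    """events: iterable of (ComputerName, User_Name, Process_Name) -> list of findings."""
    findings = []
    for host, user, process in events:
        hit = classify(process)
        if hit:
            findings.append({"host": host, "user": user, "process": process,
                             "category": hit[0], "detail": hit[1]})
    return findings


# Constructed sample "new process has been created" records for the example.
SAMPLE_EVENTS = [
    ("WS-0412", "CORP\\alice", r"C:\Windows\System32\cmd.exe"),                     # fine
    ("WS-0412", "CORP\\alice", r"C:\Program Files\Internet Explorer\iexplore.exe"), # fine despite the folder space
    ("WS-0412", "CORP\\alice", r"C:\Windows\System32\netstat.exe"),                 # fine, no suffix match on at.exe
    ("WS-0377", "CORP\\bob",   r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),     # trusted name, wrong folder
    ("WS-0377", "CORP\\bob",   r"C:\Windows\System32\scvhost.exe"),                 # transposed letters
    ("WS-0377", "CORP\\bob",   r"C:\Temp\iexplorer.exe"),                           # extra letter
    ("SRV-09",  "SYSTEM",      r"C:\Windows\svc host.exe"),                         # space in file name
    ("SRV-09",  "SYSTEM",      ""),                                                 # blank image name
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['user']:12} {f['category']:14} {f['detail']}")
```

Running it lists the last five sample events and nothing else; the first three are the false positives the wildcard version would have produced or needed special exclusions for.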
UNIX Failed Logins
sourcetype=unix_syslog ((failed password) OR (authentication failure))
| stats count by user host
| where count>2
| sort - count
• Failed login attempts
• More than 2 failed attempts per user, sorted by count
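The same count-and-threshold logic in Python, added as an example (not from the deck) to show the field extraction the search relies on the sourcetype to do: sshd writes "Failed password for [invalid user] X from IP" while pam_unix writes "authentication failure; ... user=X", and the `user` field has to be pulled out of both before `stats count by user host` means anything. The syslog lines are constructed for this example.

```python
"""Added example: the "UNIX Failed Logins" search (stats count by user host |
where count>2 | sort - count) applied to raw syslog in Python, including the
user/host extraction for the sshd and pam_unix message shapes. Sample lines
are constructed, not taken from the deck."""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
PAM_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S*)")  # \b stops ruser= matching


def extract_failure(line):
    """Return (user, host) for a failed-login line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    hit = SSHD_RE.search(msg) or PAM_RE.search(msg)
    if not hit:
        return None
    user = hit["user"] or "<unknown>"   # pam may log an empty user= for a nonexistent account
    return (user, m["host"])


def failed_logins(text, threshold=2):
    """Count failures per (user, host); return those above threshold, highest count first."""
    counts = Counter(k for k in map(extract_failure, text.splitlines()) if k)
    return sorted(((k, n) for k, n in counts.items() if n > threshold),
                  key=lambda kv: (-kv[1], kv[0]))


# Constructed sample syslog: two hosts, brute force against root, a pam su failure, noise.
SAMPLE_SYSLOG = """\
Sep 10 09:01:12 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 10 09:01:15 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep 10 09:01:19 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 10 09:01:22 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51031 ssh2
Sep 10 09:01:25 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51033 ssh2
Sep 10 09:02:01 db01 su[4410]: pam_unix(su:auth): authentication failure; logname=dev uid=1001 euid=0 tty=pts/0 ruser=dev rhost=  user=root
Sep 10 09:02:05 db01 su[4412]: pam_unix(su:auth): authentication failure; logname=dev uid=1001 euid=0 tty=pts/0 ruser=dev rhost=  user=root
Sep 10 09:02:08 db01 su[4415]: pam_unix(su:auth): authentication failure; logname=dev uid=1001 euid=0 tty=pts/0 ruser=dev rhost=  user=root
Sep 10 09:03:00 web01 sshd[2250]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
Sep 10 09:03:10 web01 sshd[2252]: Failed password for alice from 10.0.0.9 port 40100 ssh2
"""

if __name__ == "__main__":
    for (user, host), n in failed_logins(SAMPLE_SYSLOG):
        print(f"{n:3} {user}@{host}")
```

With the slide's threshold of 2, only root on db01 and root on web01 are reported; the two failures for the nonexistent "admin" account fall under the threshold, which is worth remembering when an attacker spreads attempts across many usernames.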
NETWORKING AND REMOTE DESKTOP
Kill chain: Reconnaissance > Weaponization > Delivery > Exploitation > Command and Control > Exfiltration
RDP Logins (description)
• Who is logging in remotely to servers?
• Does the job role of this employee match their privileges?
• Do the logins match expected usage patterns? Time of day, departments, change records…

RDP Logins (search)
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=528) Logon_Type=10
| dedup Source_Network_Address dest Security_ID
| eval Security_ID=mvindex(Security_ID,1)
| table _time Security_ID Logon_Type Source_Network_Address Dest_Server
• Successful interactive logins: Logon_Type=10 is RemoteInteractive (RDP/Terminal Services); 4624 is the Windows 2008+ code, 528 the Windows 2003 one
• Remove duplicates: dedup keeps the first event per source address, destination and account, so repeat logins from the same place disappear; use stats count instead if volume matters
• Formatting and table: Security_ID on 4624 is multivalued (the subject first, the logged-on account second), hence mvindex(Security_ID,1)
Caveats: the dedup key (dest) and the table column (Dest_Server) should refer to the same destination field in your extractions. Reconnecting to an existing RDP session is logged as 4778 (and 4779 on disconnect) rather than as a new 4624, so add those codes if you want to see every remote console use.
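The "expected usage patterns" question on this slide, together with the 30-90 day baseline from the Anomaly Detection section, as an added example in Python (not code from the deck): build a per-account profile of source addresses, destinations and hours of day from a baseline window of Logon_Type=10 events, then score new logins against it. The event tuples mirror the fields the search tables (time, account, Source_Network_Address, destination); the events themselves and the 07:00-19:59 business-hours window are constructed assumptions for the example.

```python
"""Added example: baseline-and-deviation scoring for RDP (Logon_Type=10) logins.
Build a profile from 30-90 days of history, then flag new events that use a
new source, a new destination, an off-hours time or an account never seen.
Events and the business-hours window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_profile(history):
    """Per account (case-folded): sources, destinations and hours of day seen in the baseline."""
    profile = defaultdict(lambda: {"src": set(), "dest": set(), "hours": set()})
    for ts, account, src, dest in history:
        p = profile[account.lower()]
        p["src"].add(src)
        p["dest"].add(dest)
        p["hours"].add(parse(ts).hour)
    return profile


def score(event, profile):
    """Return the reasons an RDP login deviates from the baseline (empty list = normal)."""
    ts, account, src, dest = event
    p = profile.get(account.lower())          # .get does not create a profile entry
    if p is None:
        return ["account never seen in baseline"]
    reasons = []
    if src not in p["src"]:
        reasons.append(f"new source {src}")
    if dest not in p["dest"]:
        reasons.append(f"new destination {dest}")
    hour = parse(ts).hour
    if hour not in BUSINESS_HOURS and hour not in p["hours"]:
        reasons.append(f"off-hours login at {hour:02d}:00")
    return reasons


def detect(history, new_events):
    """Score each new event against the baseline; return only the anomalous ones."""
    profile = build_profile(history)
    out = []
    for e in new_events:
        reasons = score(e, profile)
        if reasons:
            out.append((e, reasons))
    return out


# Constructed baseline: 30 days of "normal" RDP logins (time, account, source IP, destination).
BASELINE = [
    ("2014-09-01 09:12:00", "CORP\\alice", "10.10.5.21", "SRV-FILE01"),
    ("2014-09-03 10:30:00", "CORP\\alice", "10.10.5.21", "SRV-FILE01"),
    ("2014-09-08 14:05:00", "CORP\\alice", "10.10.5.22", "SRV-FILE01"),
    ("2014-09-02 08:45:00", "CORP\\bob",   "10.10.7.9",  "SRV-SQL01"),
    ("2014-09-15 17:20:00", "CORP\\bob",   "10.10.7.9",  "SRV-SQL01"),
]
# Constructed new events to score.
NEW_EVENTS = [
    ("2014-10-01 09:40:00", "CORP\\alice",      "10.10.5.21",     "SRV-FILE01"),  # normal
    ("2014-10-01 02:13:00", "CORP\\alice",      "10.10.5.21",     "SRV-FILE01"),  # off-hours
    ("2014-10-01 11:00:00", "CORP\\bob",        "192.168.40.200", "SRV-SQL01"),   # new source
    ("2014-10-01 11:05:00", "CORP\\bob",        "10.10.7.9",      "SRV-DC01"),    # new destination
    ("2014-10-01 12:00:00", "CORP\\svc_backup", "10.10.9.1",      "SRV-FILE01"),  # never seen account
]

if __name__ == "__main__":
    for (ts, account, src, dest), reasons in detect(BASELINE, NEW_EVENTS):
        print(f"{ts} {account} {src} -> {dest}: {'; '.join(reasons)}")
```

Two design points: the off-hours test only fires when the hour is both outside the business window and absent from that account's own history, so a night-shift operator is not flagged every night; and the source check is per address, which is noisy where workstations get DHCP leases, so in practice baseline the subnet or the source host name instead.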
FTP Outbound (description)
• Where are your files being sent?
• Are the usernames a match to expected naming conventions?
• Do the filenames and destinations match expected business applications?

FTP Outbound (search)
sourcetype=cisco_asa FTP "Stored file"
| rex field=_raw "(?i)user (?P<user>.*) Stored file"
| rex field=_raw "(?i)Stored file (?P<file>.*)"
| rex field=_raw "(?i):(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/"
| rex field=_raw "(?i):(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/21"
| search NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12 NOT dest_ip=192.168.0.0/16
| geoip dest_ip
| fields - dest_ip_latitude, dest_ip_longitude, dest_ip_postal_code, dest_ip_region_name, dest_ip_country_code, dest_ip_country_name, dest_ip_city
| rename geo_info AS dest_ip_geo_info
| eval time=strftime(_time, "%m/%d %H:%M:%S")
| stats values(time) AS Time values(user) AS Username values(file) AS Filename values(dest_ip) AS dest_ip values(dest_ip_geo_info) AS "Dest IP Geo info" by src_ip
• File upload: the ASA logs FTP inspection results as "user X Stored file Y" (upload) or "Retrieved file" (download)
• Extract user, file, source and dest: the source is the first ip/port pair in the message, the destination is the pair ending in /21
• Outbound activity only: drop destinations inside RFC 1918 space (the slide's original search excluded only 10/8 and 172.16/12; 192.168/16 is added here)
• Get geolocation of dest and timestamp
• For format and clarity
Caveats: the dest_ip rex keys on "/21", so FTP servers on a non-standard port are not extracted at all. The stray "+" after the last octet in the slide's regexes has been removed; it was a possessive quantifier that did nothing useful. The geoip command comes from the MaxMind-based geoip app; core Splunk 6.x ships iplocation, which produces differently named output fields, so adjust the fields and rename clauses if you use that instead.
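The extraction and the internal/external filter from this slide as an added Python example (not code from the deck), so the regexes and the RFC 1918 test can be checked offline before they go into a saved search. The lines are constructed to follow the shape of the ASA 303002 FTP inspection message ("FTP connection from ifc:ip/port to ifc:ip/port, user X Stored file Y"); the interface names, addresses, users and files are made up, and the lower-case-letters username convention is an assumption standing in for whatever naming rule your directory enforces.

```python
"""Added example: the "FTP Outbound" extraction and RFC 1918 filter over Cisco
ASA syslog, grouped by source host like the slide's 'stats ... by src_ip'.
Sample lines and the username convention are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict

FTP_RE = re.compile(
    r"FTP connection from [^:\s]+:(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/\d+ "
    r"to [^:\s]+:(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dest_port>\d+), "
    r"user (?P<user>.+?) (?P<action>Stored|Retrieved) file (?P<file>.+?)\s*$",
    re.IGNORECASE)

# All of RFC 1918; the slide's search excluded only the first two ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USERNAME_RE = re.compile(r"^[a-z]{3,16}$")   # assumed naming convention for the example


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_uploads(lines):
    """Return {src_ip: [upload, ...]} for FTP uploads to non-RFC1918 destinations."""
    by_src = defaultdict(list)
    for line in lines:
        m = FTP_RE.search(line)
        if not m or m["action"].lower() != "stored":
            continue                       # not an upload, or not an FTP inspection line
        if is_internal(m["dest_ip"]):
            continue                       # internal transfer: not the exfiltration case
        by_src[m["src_ip"]].append({
            "user": m["user"],
            "file": m["file"],
            "dest_ip": m["dest_ip"],
            "dest_port": int(m["dest_port"]),   # not hard-wired to 21 like the rex on the slide
            "odd_username": not USERNAME_RE.match(m["user"]),
        })
    return dict(by_src)


# Constructed ASA syslog lines modelled on the 303002 message shape.
SAMPLE_ASA = [
    "%ASA-6-303002: FTP connection from inside:10.1.20.15/52311 to outside:203.0.113.45/21, user jsmith Stored file Q3-customer-list.xlsx",
    "%ASA-6-303002: FTP connection from inside:10.1.20.15/52340 to dmz:10.1.99.8/21, user jsmith Stored file build.zip",
    "%ASA-6-303002: FTP connection from inside:10.1.30.7/60110 to outside:198.51.100.20/21, user backup Retrieved file patch.tar",
    "%ASA-6-303002: FTP connection from inside:10.1.30.7/60120 to outside:198.51.100.20/2121, user x8k2q Stored file dump.7z",
    "%ASA-6-303002: FTP connection from inside:10.1.20.15/52400 to outside:192.168.250.3/21, user jsmith Stored file notes.txt",
    "%ASA-6-302013: Built outbound TCP connection 911 for outside:203.0.113.45/80 (203.0.113.45/80) to inside:10.1.20.15/52500 (10.1.20.15/52500)",
]

if __name__ == "__main__":
    for src, uploads in outbound_uploads(SAMPLE_ASA).items():
        for u in uploads:
            flag = " (username off convention)" if u["odd_username"] else ""
            print(f"{src} {u['user']} -> {u['dest_ip']}:{u['dest_port']} {u['file']}{flag}")
```

Of the six constructed lines, two survive: the spreadsheet upload from 10.1.20.15 and the dump.7z upload by the oddly named x8k2q to a server on port 2121, which the slide's "/21" rex would have missed entirely. The build.zip upload to the DMZ, the 192.168.250.3 destination, the download and the non-FTP connection line are all dropped.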
Key Takeaways/Conclusion
• Know your environment
• Understand the kill chain theory
• Baseline the past 30-90 days of activity
• Tune continuously
• Search and alert on anomalies
Security office hours: 11:00 AM – 2:00 PM @ Room 103, every day
Geek out, share ideas with Enterprise Security developers
Red Team / Blue Team: challenge your skills and learn new tricks. Mon-Wed: 3:00 PM – 6:00 PM @ Splunk Community Lounge; Thurs: 11:00 AM – 2:00 PM
Learn, share and hack
Birds of a feather: collaborate and brainstorm with security ninjas. Thurs: 12:00 PM – 1:00 PM @ Meal Room
Derek Arnold [email protected]
http://www.linkedin.com/in/derekarnold @DerekPArnold
1125 17th Street, Suite 1700, Denver, CO 80202
800.574.0896 [email protected] www.accuvant.com