Threat hunting workshop
Transcript of Threat hunting workshop
Page 1
Threat Hunting with Splunk
Presenter: Lee Imrey, Splunk, Security Market Specialist
Page 2
Prework for today
● Set up Splunk Enterprise Security Sandbox
● Install free Splunk on laptop
● Install ML Toolkit app: https://splunkbase.splunk.com/app/2890/
Page 3
Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Advanced Threat Hunting Techniques & Security Essentials
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
Page 4
Log In Credentials (server chosen by birth month)
January, February & March: https://54.144.69.125
April, May & June: https://52.55.68.96
July and August: https://54.164.82.160
September and October: https://52.23.227.212
November and December: https://52.202.90.207
User: hunter
Pass: pr3dat0r
Page 5
These won’t work…
Page 6
Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
Page 7
What is threat hunting, why do you need it?
The What?
• Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]
The Why?
• Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]
[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
[2] Cyber Threat Hunting - Samuel Alonso blog, Jan 2016
“Threat Hunting is not new, it’s just evolving!”
Page 9
Threat Hunting with Splunk
Vs.
Page 10
Key Building Blocks to Drive Threat Hunting Maturity
Human Threat Hunter
Search & Visualisation
Enrichment
Data
Automation
Objectives > Hypotheses > Expertise
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
Page 11
“A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. This often requires an immodest determination.”
Henry A. Crumpton, The Art of Intelligence: Lessons From a Life in the CIA’s Clandestine Service
Page 12
SANS Threat Hunting Maturity (share of respondents using each technique)
Ad Hoc Search: 85%
Statistical Analysis: 55%
Visualization Techniques: 50%
Aggregation: 48%
Machine Learning/Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
Page 13
How Splunk helps You Drive Threat Hunting Maturity
Human Threat Hunter: Search & Visualisation, Enrichment, Data, Automation
Maturity axis labels: Hypotheses, Automated Analytics, Data Science & Machine Learning, Data & Intelligence Enrichment, Data Search, Visualisation
Ingest & Onboard Any Threat Hunting Machine Data Source: Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology
Search & Visualise Relationships for Faster Hunting: Search and correlate data while visually fusing results for faster context, analysis and insight
Threat Hunting Data Enrichment: Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
Threat Hunting Automation: Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning
Page 14
Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring. Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services. Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity. Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion. Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data. Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist. Tools: Splunk UBA (all of the above)
Page 15
Typical Data Sources
Persist, Repeat
Threat Intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Third-party threat intel • Open-source blacklist • Internal threat intelligence
Network: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Firewall, IDS, IPS • DNS • Email • Web proxy • NetFlow • Network
Endpoint: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching
Access/Identity: Access level, privileged users, likelihood of infection, where they might be in the kill chain
• Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO
Page 16
Endpoint: Microsoft Sysmon Primer
● TA available on the App Store
● Great blog post to get you started
● Increases the fidelity of Microsoft logging
Blog post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
Page 18
Sysmon Event Tags
tag=communicate: maps network communication to process_id
tag=process: process_id creation and mapping to parent process_id
Page 19
sourcetype=X* | search tag=communicate
Page 20
sourcetype=X* | dedup tag | search tag=process
Page 21
Data Source Mapping
Page 22
Demo Story - Kill Chain Framework
Successful brute force – download sensitive pdf document
Weaponize the pdf file with Zeus malware
Convincing email sent with weaponized pdf
Vulnerable pdf reader exploited by malware. Dropper created on machine
Dropper retrieves and installs the malware
Persistence via regular outbound comm
Data Exfiltration
Source: Lockheed Martin
Page 23
Stream Investigations – choose your data wisely
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
Traditional: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Page 24
APT Transaction Flow Across Data Sources
• Attacker hacks website, steals .pdf files (Web Portal, .pdf)
• Attacker creates malware, embeds it in .pdf, emails it to the target
• Read email, open attachment
• .pdf executes & unpacks malware, overwriting and running “allowed” programs (Calc.exe (dropper), Svchost.exe (malware))
• http (proxy) session to command & control server
• Remote control, steal data, persist in company, rent as botnet
Phase labels: Conduct Business, Create additional environment, Gain Access to system, Transaction
Data Sources: Threat Intelligence; Endpoint; Network: Email, Proxy, DNS, and Web; Proxy
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
Page 25
In search: index=zeus_demo3
Page 26
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources.
In this demo environment, we have a variety of security relevant data including… Web, DNS, Proxy, Firewall, Endpoint, Email
Page 27
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA.
We have endpoint visibility into all network communication and can map each connection back to a process.
We also have detailed info on each process and can map it back to the user and parent process.
Let’s get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
Page 28
This dashboard is based on event data that contains a threat intel based indicator match (IP address, domain, etc.). The data is further enriched with CMDB based asset/identity information.
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources.
We are seeing high risk communication from multiple data sources.
We see multiple threat intel related events across multiple sourcetypes associated with the IP address of Chris Gilbert. Let’s take a closer look at the IP address.
We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
Page 29
We are now looking at only threat intel related activity for the IP address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP address.
We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
Scroll Down: Scroll down the dashboard to examine these threat intel events associated with the IP address.
Page 30
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5 MB) being transferred, which is common when data is being exfiltrated.
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk.
Page 31
We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Another clue. We also see that svchost.exe should be located in a Windows system directory, but this one is being run in the user space. Not good.
Exfiltration of data is a serious concern, as is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case.
Let’s continue the investigation.
Page 32
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
Page 33
This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
Suspected Malware: This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe… which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name.
We also can see that the parent process that created this suspicious svchost.exe process is called calc.exe.
Suspected Downloader/Dropper: This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
Let’s continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
Page 34
Suspected Downloader/Dropper
Suspected Vulnerable App: The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
Page 35
We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll Down: Scroll down the dashboard to examine activity related to the PDF reader process.
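The pivot just walked in the dashboard (a flagged destination IP, to the process that opened the connection, up its parent chain to a root with no parent) as an added Python example; this is not the workshop's own dashboard logic. Process id 4768, the destination 115.29.46.99, the svchost.exe / calc.exe / PDF Reader chain and the file name come from the slides; the Sysmon-style events, paths, other process ids, resolver address and user name are constructed.

```python
"""Walk a Sysmon process chain from a suspicious network connection back to its root.
Added example modelled on the workshop walkthrough; not the workshop's own dashboards."""
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, EventID 3 = NetworkConnect).
# Process id 4768, destination 115.29.46.99, the svchost.exe/calc.exe/PDF reader chain and
# the file name 2nd_qtr_2014_report.pdf come from the slides; the paths, the other pids,
# the resolver address 10.0.0.53 and the user name are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 2208, "ParentProcessId": 1044,
     "Image": "C:\\Program Files\\PDF Reader\\pdfreader.exe",
     "CommandLine": "pdfreader.exe C:\\Users\\chris\\Downloads\\2nd_qtr_2014_report.pdf",
     "User": "BUTTERGAMES\\chris.gilbert"},
    {"EventID": 1, "ProcessId": 3120, "ParentProcessId": 2208,
     "Image": "C:\\Users\\chris\\AppData\\Local\\Temp\\calc.exe",
     "CommandLine": "calc.exe", "User": "BUTTERGAMES\\chris.gilbert"},
    {"EventID": 1, "ProcessId": 4768, "ParentProcessId": 3120,
     "Image": "C:\\Users\\chris\\AppData\\Roaming\\svchost.exe",
     "CommandLine": "svchost.exe", "User": "BUTTERGAMES\\chris.gilbert"},
    {"EventID": 3, "ProcessId": 4768, "Image": "C:\\Users\\chris\\AppData\\Roaming\\svchost.exe",
     "DestinationIp": "10.0.0.53", "DestinationPort": 53},
    {"EventID": 3, "ProcessId": 4768, "Image": "C:\\Users\\chris\\AppData\\Roaming\\svchost.exe",
     "DestinationIp": "115.29.46.99", "DestinationPort": 443},
]

# Where the genuine copies of common Windows binaries live (lower case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
COMMON_SYSTEM_BINARIES = {"svchost.exe", "calc.exe", "lsass.exe", "explorer.exe"}


def process_for_connection(events, dest_ip):
    """The tag=communicate pivot: which process id opened a connection to dest_ip?"""
    for e in events:
        if e["EventID"] == 3 and e["DestinationIp"] == dest_ip:
            return e["ProcessId"]
    return None


def parent_chain(events, pid):
    """Follow ParentProcessId links (the tag=process pivot) until no ProcessCreate
    event explains the parent; that last process is the root of the infection."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ParentProcessId"]
    return chain


def masquerading(image):
    """True when a well-known system binary name runs from outside the system
    directories: the 'svchost.exe in user space' clue from the walkthrough."""
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower() + "\\"
    return name in COMMON_SYSTEM_BINARIES and not folder.startswith(SYSTEM_DIRS)


def root_document(chain):
    """The document the root process was launched with (a .pdf here), or None."""
    if not chain:
        return None
    m = re.search(r"\S+\.pdf", chain[-1]["CommandLine"], re.IGNORECASE)
    return ntpath.basename(m.group(0)) if m else None


def investigate(events, dest_ip):
    """Summarise the chain from the process behind dest_ip up to the root."""
    pid = process_for_connection(events, dest_ip)
    return [{"pid": p["ProcessId"], "image": ntpath.basename(p["Image"]),
             "user": p["User"], "suspicious": masquerading(p["Image"])}
            for p in parent_chain(events, pid)]


if __name__ == "__main__":
    for step in investigate(EVENTS, "115.29.46.99"):
        print(step)
    print("root document:", root_document(parent_chain(EVENTS, 4768)))
```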
Page 36
Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let’s copy the file name 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
Page 37
Let’s dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
Page 38
In search: index=zeus_demo3 2nd_qtr_2014_report.pdf
Page 39
Let’s search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file, but let’s first look at the email event to determine the scope of this apparent phishing attack.
Page 40
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold on! That’s not our domain name! The spelling is close, but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice.
This looks to be a very targeted spear phishing attack, as it was sent to only one employee (Chris).
Page 41
Root Cause Recap
We utilized threat intel to detect communication with known high risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
Page 42
Let’s revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Select the access_combined sourcetype to investigate further.
Page 43
The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.
Page 44
Select the IP address, left-click, then select “New search”. We would like to understand what else this IP address has accessed in the environment.
Page 45
That’s an abnormally large number of requests sourced from a single IP address in a ~90 minute window.
This looks like a scripted action given the constant high rate of requests over the below window.
Scroll Down: Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot user agent string, which is another attempt to avoid raising attention.
Page 46
The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack.
The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the website.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
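The web-log clues from the last two slides (request volume from one source over a ~90 minute window, the wp-login.php share of that traffic, admin page access and a Googlebot user agent) as a per-source profile in Python; an added example, not the workshop's searches. The source 52.211.114.134 and the file name come from the slides; the access_combined lines, the other addresses, the timings and the thresholds are constructed.

```python
"""Profile per-source-IP behaviour in access_combined logs to surface a scripted login
brute force. Added example; the log lines, timings and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2014, 4, 24, 9, 0, tzinfo=timezone(timedelta(hours=-4)))  # constructed
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
USER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"


def _line(ip, offset_s, method, uri, ua):
    """One constructed access_combined line, offset_s seconds after START."""
    ts = (START + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {uri} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed traffic: 120 login posts every 45 s (90 minutes) from one address, then an
# admin page and the report download, against a background of ordinary browsing.
LOG_LINES = (
    [_line("52.211.114.134", 45 * i, "POST", "/wp-login.php", BOT_UA) for i in range(120)]
    + [_line("52.211.114.134", 5400, "GET", "/wp-admin/", BOT_UA),
       _line("52.211.114.134", 5460, "GET", "/files/2nd_qtr_2014_report.pdf", BOT_UA)]
    + [_line("198.51.100.%d" % (10 + i), 600 * i, "GET", "/index.php", USER_UA) for i in range(6)]
    + [_line("198.51.100.12", 1300, "GET", "/wp-login.php", USER_UA),
       _line("198.51.100.12", 1320, "POST", "/wp-login.php", USER_UA)]
)


def parse(lines):
    """Parsed events (unparsable lines are skipped) with a datetime timestamp."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            events.append(e)
    return events


def per_ip_profile(lines, login_path="/wp-login.php"):
    """Request count, rate, login share, admin paths and crawler claim per source IP."""
    by_ip = defaultdict(list)
    for e in parse(lines):
        by_ip[e["ip"]].append(e)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        minutes = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60 or 1.0
        logins = sum(1 for e in evs if e["uri"].partition("?")[0] == login_path)
        profiles[ip] = {
            "requests": len(evs),
            "per_minute": len(evs) / minutes,
            "login_attempts": logins,
            "login_share": logins / len(evs),
            "admin_paths": sorted({e["uri"] for e in evs if e["uri"].startswith("/wp-admin")}),
            # A crawler user agent is only a claim; confirm with reverse DNS before trusting it.
            "claims_googlebot": any("googlebot" in e["ua"].lower() for e in evs),
        }
    return profiles


def brute_force_candidates(lines, min_attempts=20, min_share=0.5):
    """Sources whose login requests are both numerous and most of their traffic."""
    return [ip for ip, p in per_ip_profile(lines).items()
            if p["login_attempts"] >= min_attempts and p["login_share"] >= min_share]


if __name__ == "__main__":
    for ip in brute_force_candidates(LOG_LINES):
        print(ip, per_ip_profile(LOG_LINES)[ip])
```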
Page 47
Kill Chain Analysis Across Data Sources
We began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales.
We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
We traced calc.exe back to the vulnerable application PDF Reader.
We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let’s get this turned over to the Incident Response team.
Page 48
10 min Break!
Page 49
Appendix - SQLi - DNS Exfiltration - Splunk Security Essentials
Page 50
SQLi
Page 51
SQL Injection
● SQL injection
● Code injection
● OS commanding
● LDAP injection
● XML injection
● XPath injection
● SSI injection
● IMAP/SMTP injection
● Buffer overflow
Page 52
Imperva Web Attacks Report, 2015
Page 54
The anatomy of a SQL injection attack
An attacker might supply:
email: [email protected]' OR 1 = 1 -- '
password: xxx
1234
The resulting query: SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';
Page 55
…and so far this year… 39
Page 56
index=web_vuln password select
Page 57
What have we here? Our learning environment consists of:
• A bunch of publicly-accessible single Splunk servers
• Each with ~5.5M events, from real environments but massaged:
• Windows Security events • Apache web access logs • Bro DNS & HTTP • Palo Alto traffic logs • Some other various bits
Page 58
SQL Injection app: https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
✓ looks for patterns in the URI query field to see if anyone has injected them with SQL statements
✓ use standard deviations that are 2.5 times greater than the average length of your URI query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
Page 59
Regular Expression FTW
sqlinjection_rex is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)
Which means: In the string we are given, look for ANY of the following matches and put that into the “injection” field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ‘ at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
• Any amount of word characters followed by a %27 OR a ‘ and then “or”
• Note: %27 is encoded “’” and %20 is encoded <space>
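The app's two checks from the previous slide (the sqlinjection_rex pattern and the URI-query-length rule) run over constructed Apache access_combined lines, as an added Python example rather than the app's own SPL. The regex is the slide's, with the (?i) flag moved to the front and the group written as (?P<injection>...) because Python requires both; read literally, its seventh alternative is a quote, optional %20s, an equals sign, optional %20s and a quote. The length rule is taken to mean: flag a query longer than the mean length plus 2.5 standard deviations, which is one reading of the slide.

```python
"""sqlinjection_pattern and sqlinjection_stats carried over to plain Python.
Added example; the log lines below are constructed, not from the workshop data."""
import re
import statistics

# The slide's sqlinjection_rex, adjusted only as Python syntax requires.
SQLI_PATTERN = re.compile(
    r"(?i)(?P<injection>select.*?from|union.*?select|\'$|delete.*?from|update.*?set"
    r"|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)")

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def _line(ip, uri):
    """Build one constructed access_combined line."""
    return f'{ip} - - [24/Apr/2014:10:01:12 -0400] "GET {uri} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'


# Constructed traffic: twelve ordinary requests, one without a query string, and two whose
# query strings carry SQL in the UNION SELECT and ' OR '1'='1 forms the slides describe,
# URL-encoded the way a web server logs them.
LOG_LINES = [_line("198.51.100.10", "/product.php?id=42"),
             _line("198.51.100.11", "/search.php?q=butter"),
             _line("198.51.100.12", "/product.php?id=17"),
             _line("198.51.100.13", "/news.php?page=2"),
             _line("198.51.100.14", "/search.php?q=ghee"),
             _line("198.51.100.15", "/product.php?id=9"),
             _line("198.51.100.16", "/list.php?sort=name"),
             _line("198.51.100.17", "/list.php?cat=dairy"),
             _line("198.51.100.18", "/product.php?id=88"),
             _line("198.51.100.19", "/search.php?q=cheese"),
             _line("198.51.100.20", "/news.php?page=12"),
             _line("198.51.100.21", "/product.php?id=123"),
             _line("198.51.100.22", "/about.php"),
             _line("203.0.113.7", "/search.php?q=1%27%20union%20select%20username%2Cpassword"
                                  "%2Cemail%20from%20users%20where%20id%3D1--"),
             _line("203.0.113.7", "/login.php?user=admin%27%20or%20%271%27=%271")]


def uri_query(line):
    """The URI query field of an access_combined line ('' when absent or unparsable)."""
    m = ACCESS_RE.match(line)
    return m.group("uri").partition("?")[2] if m else ""


def sqli_pattern_hits(lines):
    """sqlinjection_pattern: (query, matched fragment) for every line the regex flags."""
    hits = []
    for line in lines:
        query = uri_query(line)
        m = SQLI_PATTERN.search(query)
        if m:
            hits.append((query, m.group("injection")))
    return hits


def sqli_length_outliers(lines, k=2.5):
    """sqlinjection_stats as read here: queries longer than mean + k * stdev of all
    non-empty query lengths in the sample."""
    queries = [q for q in map(uri_query, lines) if q]
    if len(queries) < 2:
        return []
    lengths = [len(q) for q in queries]
    limit = statistics.mean(lengths) + k * statistics.stdev(lengths)
    return [q for q in queries if len(q) > limit]


if __name__ == "__main__":
    for query, fragment in sqli_pattern_hits(LOG_LINES):
        print("pattern:", fragment, "in", query)
    for query in sqli_length_outliers(LOG_LINES):
        print("length outlier:", query)
```

The pattern check catches both injected queries, while the length rule catches only the long UNION SELECT one, which is why the app runs both.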
Page 60
Bonus: Try out the SQL Injection app!
Page 61
Summary: Web attacks / SQL injection
● SQL injection provides attackers with easy access to data
● Detecting advanced SQL injection is hard – use an app!
● Understand where SQLi is happening on your network and put a stop to it.
● Augment your WAF with enterprise-wide Splunk searches.
Page 62
DNS Exfiltration
Page 63
domain=corp;user=dave;password=12345
encrypt
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
Page 64
DNS exfiltration
DNS exfil tends to be overlooked within an ocean of DNS data.
Let’s fix that!
Page 65
DNS exfiltration
FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic
“But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!” https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
“…few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.” http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
Page 66
URL Toolbox: https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
✓ parse URLs & complicated TLDs (Top Level Domain)
✓ calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
Page 67
Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
Page 68
Detecting Data Exfiltration
index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen
TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display details
Page 69
Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2
TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
Page 70
Detecting Data Exfiltration: RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
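The two-stage search from the preceding slides (parse each query into domain and subdomain, score the subdomain's Shannon entropy and length, then aggregate per domain and keep avg_sha>3, avg_sublen>20, stdev_sublen<2) as an added Python example; it is not URL Toolbox's own lookup code. The attack.com name and the slide's base64 query are from the deck; the other queries are constructed, the exfil labels are equal-size slices of a base64 blob, and splitting on the last two labels stands in for ut_parse, which uses a real public-suffix list.

```python
"""Score DNS query names the way the workshop's URL Toolbox search does.
Added example; the query sample is constructed."""
import base64
import math
import statistics
from collections import defaultdict

# The slide's own exfil query: the first label is plain base64, not ciphertext.
SLIDE_QUERY = "ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com"

# Constructed stolen records, base64-encoded and sliced into 48-character labels.
_SECRET = ";".join(f"domain=corp;user={u};password={p}" for u, p in
                   [("dave", "12345"), ("erin", "hunter2"),
                    ("frank", "letmein"), ("grace", "passw0rd")])
_BLOB = base64.b64encode(_SECRET.encode()).decode()
EXFIL_QUERIES = [_BLOB[i:i + 48] + ".attack.com" for i in range(0, len(_BLOB) - 47, 48)]
BENIGN_QUERIES = ["www.buttergames.com", "mail.buttergames.com", "www.google.com",
                  "cdn.google.com", "update.example.net", "www.example.net"]
QUERIES = BENIGN_QUERIES + EXFIL_QUERIES


def shannon(text):
    """Shannon entropy in bits per character, the measure ut_shannon reports."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """(domain, subdomain): domain = last two labels, subdomain = everything before."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(queries):
    """Per domain: count, avg_sha, avg_sublen, stdev_sublen (population stdev, so a
    domain seen once scores 0 rather than raising)."""
    by_domain = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q)
        by_domain[domain].append(sub)
    stats = {}
    for domain, subs in by_domain.items():
        lengths = [len(s) for s in subs]
        stats[domain] = {"count": len(subs),
                         "avg_sha": statistics.mean([shannon(s) for s in subs]),
                         "avg_sublen": statistics.mean(lengths),
                         "stdev_sublen": statistics.pstdev(lengths)}
    return stats


def suspicious_domains(queries, min_sha=3, min_sublen=20, max_stdev=2):
    """The slide's filter: long, high-entropy, uniformly sized subdomains."""
    return sorted(d for d, s in domain_stats(queries).items()
                  if s["avg_sha"] > min_sha and s["avg_sublen"] > min_sublen
                  and s["stdev_sublen"] < max_stdev)


def decode_label(label):
    """Recover what a base64 label carried (forensics on a flagged query)."""
    padded = label + "=" * (-len(label) % 4)
    return base64.b64decode(padded).decode(errors="replace")


if __name__ == "__main__":
    for domain, s in domain_stats(QUERIES).items():
        print(domain, s)
    print("suspicious:", suspicious_domains(QUERIES))
    print("slide payload:", decode_label(split_query(SLIDE_QUERY)[1]).strip())
```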
Page 71
Summary: DNS exfiltration
● Exfiltration by DNS and ICMP is a very common technique
● Many organizations do not analyze DNS activity – do not be like them!
● No DNS logs? No Splunk Stream? Look at FW byte counts
Page 72
Splunk Security Essentials
Page 73
Splunk Security Essentials: https://splunkbase.splunk.com/app/3435/
Identify bad guys in your environment:
✓ 45+ use cases common in UEBA products, all free on Splunk Enterprise
✓ Target external attackers and insider threat
✓ Scales from small to massive companies
✓ Save from the app, send results to ES/UBA
The most widely deployed UEBA vendor in the market is Splunk Enterprise, but no one knows it.
Solve use cases you can today for free, then use Splunk UBA for advanced ML detection.
![Page 74: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/74.jpg)
Splunk Security Essentials
Types of Use Cases
● Time Series Analysis with Standard Deviation
● First Time Seen powered by stats
● General Security Analytics Searches
![Page 75: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/75.jpg)
Splunk Security Essentials Data Sources
Data source examples shown on the slide: Electronic Medical Records, Source Code Repository
![Page 76: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/76.jpg)
● How does the app work?
– Leverages primarily | stats for UEBA
– Also implements several advanced Splunk searches (URL Toolbox, etc.)
● Why call it UEBA?
– These use cases are often in UEBA tools
– 2/3 of use cases build on a baseline, which is a hallmark of UEBA
– 1/3 are advanced analytics that other vendors showcase in their UEBA
● How does it scale?
– App automates the utilization of high-scale techniques
– Summary indexing for Time Series, caching in lookup for First Time
![Page 77: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/77.jpg)
Splunk Enterprise Security
![Page 78: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/78.jpg)
Diagram (slide 78): Threat Hunting with Splunk, shown across Splunk Enterprise (Big Data Analytics Platform) and Splunk Enterprise Security (Security Analytics Platform). Labels: Hypotheses; Maturity; stages Data Search, Visualisation, Data & Intelligence Enrichment, Automated Analytics, Data Science & Machine Learning; Ingest & Onboard Any Threat Hunting Machine Data Source; Search & Visualise Relationships for Faster Hunting; Threat Hunting Data Enrichment; Threat Hunting Automation.
![Page 79: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/79.jpg)
Other Items To Note
Legend for the following slides: Items to Note; Navigation (How to Get Here); Description of what to click on; Click.
![Page 80: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/80.jpg)
Key Security Indicators (build your own!)
Sparklines
Editable
![Page 81: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/81.jpg)
Various ways to filter data
Malware-Specific KSIs and Reports
Security Domains -> Endpoint -> Malware Center
![Page 82: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/82.jpg)
Filterable
KSIs specific to Risk
Risk assigned to system, user or other
Under Advanced Threat, select Risk Analysis
![Page 83: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/83.jpg)
(Scroll Down)
Recent Risk Activity
Under Advanced Threat, select Risk Analysis
![Page 84: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/84.jpg)
Filterable, down to IoC
KSIs specific to Threat
Most active threat source
Scroll down…
Under Advanced Threat, select Threat Activity
![Page 85: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/85.jpg)
Specifics about recent threat matches
Under Advanced Threat, select Threat Activity
![Page 86: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/86.jpg)
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads
![Page 87: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/87.jpg)
Click “Threat Artifacts” under “Advanced Threat”
![Page 88: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/88.jpg)
Artifact Categories – click different tabs…
STIX feed
Custom feed
Under Advanced Threat, select Threat Artifacts
![Page 89: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/89.jpg)
Review the Advanced Threat content
![Page 90: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/90.jpg)
Data from asset framework
Configurable Swimlanes
Darker = more events
All happened around same time
Change to “Today” if needed
Asset Investigator, enter “192.168.56.102”
![Page 91: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/91.jpg)
Data Science & Machine Learning In Security
![Page 92: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/92.jpg)
Disclaimer: I am not a data scientist
![Page 93: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/93.jpg)
Types of Machine Learning
Supervised Learning: generalizing from labeled data
![Page 94: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/94.jpg)
Supervised Machine Learning

| Domain Name | Total Cnt | Risk Factor | AGD | Session Time | Ref Entropy | Null Ua | Outcome |
|---|---|---|---|---|---|---|---|
| yyfaimjmocdu.com | 144 | 6.05 | 1 | 1 | 0 | 0 | Malicious |
| jjeyd2u37an30.com | 6192 | 5.05 | 0 | 1 | 0 | 0 | Malicious |
| cdn4s.steelhousemedia.com | 107 | 3 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 2 | 0 | 1 | 0 | 0 | Benign |
| go.vidprocess.com | 170 | 2 | 0 | 0 | 0 | 0 | Benign |
| statse.webtrendslive.com | 310 | 2 | 0 | 1 | 0 | 0 | Benign |
| cdn4s.steelhousemedia.com | 107 | 1 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 1 | 0 | 1 | 0 | 0 | Benign |
![Page 95: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/95.jpg)
Unsupervised Learning: generalizing from unlabeled data
![Page 96: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/96.jpg)
Unsupervised Machine Learning
• No tuning
• Programmatically finds trends
• UBA is primarily unsupervised
• Rigorously tested for fit
Diagram labels: Raw Security Data, Algorithm, Automated Clustering
![Page 97: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/97.jpg)
![Page 98: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/98.jpg)
ML Toolkit & Showcase
• Splunk Supported framework for building ML Apps
– Get it for free: http://tiny.cc/splunkmlapp
• Leverages Python for Scientific Computing (PSC) add-on:
– Open-source Python data science ecosystem
– NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
– Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
– Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, Kernel PCA, etc.
• Implement one of 300+ algorithms by editing Python scripts
![Page 99: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/99.jpg)
Machine Learning Toolkit Demo
![Page 100: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/100.jpg)
![Page 101: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/101.jpg)
Splunk UBA
![Page 102: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/102.jpg)
Diagram (slide 102): the Threat Hunting with Splunk maturity diagram from slide 78 repeated (Splunk Enterprise: Big Data Analytics Platform; Splunk Enterprise Security: Security Analytics Platform; labels Hypotheses, Maturity, Data Search, Visualisation, Data & Intelligence Enrichment, Automated Analytics, Data Science & Machine Learning, Ingest & Onboard Any Threat Hunting Machine Data Source, Search & Visualise Relationships for Faster Hunting, Threat Hunting Data Enrichment, Threat Hunting Automation), with a third tier added: User Behavior Analytics (Security Data Science Platform).
![Page 103: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/103.jpg)
Machine Learning Security Use Cases
● Polymorphic Attack Analysis
● Behavioral Peer Group Analysis
● User & Entity Behavior Baseline
● Entropy / Rare Event Detection
● Cyber Attack / External Threat Detection
● Reconnaissance, Botnet and C&C Analysis
● Lateral Movement Analysis
● Statistical Analysis
● Data Exfiltration Models
● IP Reputation Analysis
● Insider Threat Detection
● User / Device Dynamic Fingerprinting
![Page 104: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/104.jpg)
Splunk UBA Use Cases (External Threats and Insider Threats)
ACCOUNT TAKEOVER
• Privileged account compromise
• Data exfiltration
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
SUSPICIOUS ACTIVITY
• Misuse of credentials
• Geo-location anomalies
MALWARE ATTACKS
• Hidden malware activity
BOTNET, COMMAND & CONTROL
• Malware beaconing
• Data leakage
USER & ENTITY BEHAVIOR ANALYTICS
• Suspicious behavior by accounts or devices
![Page 105: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/105.jpg)
Splunk User Behavior Analytics (UBA)
• ~100% of breaches involve valid credentials (Mandiant Report)
• Need to understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
– Behavior Baselining & Modeling
– Anomaly Detection (30+ models)
– Advanced Threat Detection
• E.g., Data Exfil Threat:
– “Saw this strange login & data transfer for user kwestin at 3am in China…”
– Surface threat to SOC Analysts
![Page 106: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/106.jpg)
Diagram (slide 106), UBA analytics pipeline labels: RAW SECURITY EVENTS; MACHINE LEARNING (anomalies graph) yielding ANOMALIES; GRAPH MINING (entity relationship graph) yielding ANOMALY CHAINS (THREATS); THREAT MODELS: Lateral Movement, Beaconing, Land-Speed Violation; HCI: kill chain sequence, forensic artifacts, threat/risk scoring; FEEDBACK.
![Page 107: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/107.jpg)
Overall Architecture
Diagram (slide 107) components: Data Receivers (flume, REST, etc.) fed by App/SaaS Connectors, Core+ES, Network Data, Syslog and Other Data over a Push/Pull Model; Data Distributed Kafka; ETL (IR Model, Parsers, Filters, Attribution); Real-Time Infra (Storm-based) with Filter Events, Drop Events, Model Execution & Online Training, Runtime Topologies; Control Path (Resource/Health Monitoring); Persistence Layer on Hadoop/HDFS with an HBase/HDFS Direct Access Façade, Model Store (HBase) holding Model 1..Model N and their data, Model Registry, Time-Series DB, SQL Store (Threats/Anomalies), Analytics Store, GraphDB and Neo4J (Graph visualizations); Rules Engine producing Anomalies + Threats; SQL Access Layer and Node.js Socket.io server for Real-Time Updates/Notifications and Threat and Anomaly Review.
![Page 108: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/108.jpg)
Data Flow and System Requirements
Diagram (slide 108) labels: API CONNECTOR, SYSLOG, FORWARDER feeding UBA (VM); Search head with Explore, Visualize, Analyze, Share, Dashboards; THREAT & ANOMALY DATA, THREATS, NOTABLE EVENTS, RISK SCORING FRAMEWORK, WORKFLOW MANAGEMENT; QUERY UBA, REQUEST FOR ADDITIONAL DETAILS, QUERY, RESULTS; Standard RT Query; Shared network storage.
VM specs:
- Ubuntu/RHEL
- 16 cores
- 64 GB RAM
- Local and network disks
- GigE connectivity
Performance/scale:
- UBA v2.3
- E.g., 5 nodes: 25K EPS
- Add nodes for near-linear scale
Splunk Enterprise:
- RT search capability
- 8-10 concurrent searches
- REST API port (8089)
- SA-LDAPSEARCH
![Page 109: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/109.jpg)
Splunk UBA Demo
![Page 110: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/110.jpg)
Security Workshops
● Security Readiness Workshop
● Data Science Workshop
● Enterprise Security Benchmark Assessment
![Page 111: Threat hunting workshop](https://reader034.fdocuments.us/reader034/viewer/2022042505/58f365c61a28abcf158b456f/html5/thumbnails/111.jpg)
Security Workshop Survey
https://www.surveymonkey.com/r/3T6T9TH
[email protected] / @kwestin / linkedin.com/in/kwestin