Turning*Indicators*of* Compromise*into** Tangible*Protec:on* · 3...
Transcript of Turning*Indicators*of* Compromise*into** Tangible*Protec:on* · 3...
Copyright © 2015 Splunk Inc.
Ka:e Winslow Sr. Manager, Kaiser Permanente
Turning Indicators of Compromise into Tangible Protec:on
Mike Slavick Lead Cyber Threat Intel, Kaiser Permanente
Disclaimer
2
During the course of this presenta:on, we may make forward looking statements regarding future events or the expected performance of the company. We cau:on you that such statements reflect our current expecta:ons and es:mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in the this presenta:on are being made as of the :me and date of its live presenta:on. If reviewed aQer its live presenta:on, this presenta:on may not contain current or
accurate informa:on. We do not assume any obliga:on to update any forward looking statements we may make.
In addi:on, any informa:on about our roadmap outlines our general product direc:on and is subject to change at any :me without no:ce. It is for informa:onal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliga:on either to develop the features
or func:onality described or to include any such feature or func:onality in a future release.
3
“It is by comparing a variety of informa:on, we are frequently enabled to inves:gate facts,
which were so intricate or hidden, that no single clue could have lead to the knowledge of them.”
-‐ George Washington
Personal Introduc:on
4
Ka:e Winslow, Kaiser Permanente Sr. Manager, Threat Management and Governance
Mike Slavick, Kaiser Permanente Lead Cyber Threat Intelligence
About Kaiser Permanente
5
10 Million Members and Growing!
Company Name Breach Date Records Lost
August 2014 4.5M
February 2015 80M
March 2015 11M
July 2015 4.5M
Healthcare is a Primary Target
6
Healthcare Data is Valuable and Marketable = 1M records
Cyber Risk Defense Center
7
Input: Threat Data Sources • 3 Leber Agencies • Rela:onships • Vendor Subscrip:ons • ISACs
Advanced Warning: Cyber Threat Intelligence
8
CTI: Advanced
Warning
• Malicious IP / URLs Blocked • Compromised Creden:als Remediated • Impostor and New Domains Iden:fied
Output: Ac:onable Intelligence
Sharing Threat Data Makes CTI Successful!
Ac:onable Intelligence
9
Highlights:
• Text • Text
Results – Drama:c Reduc:on of Malware
10
• Users s:ll click on malicious links but 90% of infec:ons are blocked • Most malware alerts “eliminated” with no impact to user
• Users s:ll led to malicious site • Approach blocks “downstream” ac:vity
Intel Driven Results – What Might Have Been…
11
• Allows us to • Find compromised accounts/ac:vity • Block before infec:on occurs • Iden:fy poten:al malicious ac:vity
Compromised accounts are inevitable but infecCons and downstream impact are preventable
Results – Network Security & Endpoint Security
12
Reduc:on in IPS, DNS Sinkhole ac:vity
• Less malicious traffic • Less noise to follow up
13
• Significantly less malicious files/ac:vity @ the endpoint • Less virus and file modifica:on à fewer abackers gepng to the endpoint
Results – Network Security & Endpoint Security
14
Shared Visibility
Technology Examples
Now Time for Techy Stuff!
16
What we’re going to talk about: Creden:al dump parsing Fun with PCRE! Newly created domains
Making Sense of Creden:al Dumps
17
We’ll use a Pony C2 server in this example….
“hbps://*REDACTED*@us.ibm.com:*REDACTED*@smc3apps.smc3.com/Login2/Login.asp”
Did the Field Extrac:on Work?
18
Take Ac:on on All Compromised Creden:als
19
Search and filter on a list of company domains…
Share exposed creden:als with industry partners….
Laugh at horrible passwords J
Fun with PCRE!
20
Using PCRE expressions you can then match these against your proxy logs to find evil!
^hbp:\/\/[^\x3f]+\/search\.php\?keywords=[0-‐9a-‐z&]+&fid\[?0\]?=[0-‐9a-‐z]+$
REDACTED/REDACTED/REDACTED, 2015-‐07-‐27, Angler EK evolved redirect
Special thanks to Packetmail!
Newly Created Domain Shenanigans
21
New Domains
Research
WIN!
Takeaways
22
Integrate CTI with your SOC
Not all CTI feeds are created equal
Smart people to transform informa:on into intelligence
Collaborate, consolidate data and share value
Sharing, Sharing, Sharing!
Resources
23
FS-‐ISAC hbps://www.fs-‐isac.com/
NH-‐ISAC hbp://www.nhisac.org/
Packetmail PCREs hbp://www.packetmail.com
InfraGard hbps://www.infragard.net
24
Ques:ons?
THANK YOU!