Using Natural Language in Modern Incident Response

Page 1 of 3 Copyright © 2017 Insight Engines, Inc. All rights reserved. 2017-06-27

During any large malware infection or outbreak, seconds matter. Security operations teams need fast, frictionless access to all security-relevant data in order to assess, analyze, and act quickly as part of incident response. Most security operations teams in large enterprises lack the tools or skills needed to move beyond dashboards and quickly dive deep, and data collection can take hours or days to complete. Big data platforms such as Splunk can help centralize intelligence, but most analysts still struggle to write optimal, ad-hoc queries across their data sets.

“Cyber Security Investigator™ (CSI) for Splunk™ Enterprise” is a Splunk application that lets analysts at any level use natural language processing to become significantly more productive, think strategically, and find elusive relationships as they investigate complex machine-generated textual data to solve cyber security-specific problems. CSI removes complicated computer syntax from the analyst's workflow and allows them to focus on understanding and extracting meaning from the data they explore. CSI transforms human-readable English questions into intricate machine-language queries on top of any production Splunk deployment.

Instead of struggling with queries and waiting minutes or hours for raw results, …

… ask an English question and get actionable metrics in seconds.



Case Study: Petya/Petyawrap/PetrWrap

Among the threat landscape of ransomware campaigns, Petya has certainly garnered significant media attention recently as the new WannaCry variant, largely because of its novel evasion and propagation mechanisms and its substantial global impact, infecting European firms across Ukraine, Britain and Spain. Within the security industry and community, various technical reports and analyses have already been published which explain how the malware infects and spreads across both internal and external infrastructure. Using CSI, analysts can conduct these investigations in parallel by simply asking English questions in Splunk, such as the examples listed below.

Example questions and their purpose

Purpose: Filesystem indicators generated by malware
- Show me systems with successful or failed filesystem changes involving hash "71b6a493388e7d0b40c83ce903bc6b04" or "0df7179693755b810403a972f4466afb" or "42b2ff216d14c2c8387c8eabfb1ab7d0" or "e595c02185d8e12be347915865270cca" or "e285b6ce047015943e685e6638bd837e" or "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" or "8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58"
- Show me systems with successful or failed filesystem changes involving filename "*sysbin.exe*"
- Show me systems with successful or failed filesystem changes involving filename "*petwrap.exe*"

Purpose: Possible secondary filesystem indicators generated by malware
- Show me systems with successful or failed filesystem changes involving file path "*FEO4.tmp*"
- Show me systems with successful or failed filesystem changes involving file path "*WMIC*"
- Show me systems with successful or failed filesystem changes involving file path "*psexec*"

Purpose: Observed usage of known exploits across the network
- Which systems have generated IDS alerts on CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0146, CVE-2017-0147, or CVE-2017-0148?

Purpose: Analyze traffic for possible lateral movement activity associated with the malware
- Show me traffic from Windows hosts where dest port is 445 to internal IPs since 2017-05-12?
- Show me traffic from Windows hosts where dest port is 445 to external IPs since 2017-05-12?

Purpose: Identify the top source IPs that are generating the largest number of distinct SMB connections within a short period
- Show me distinct count of scanning traffic to port 445 by source IP last 20 minutes
- Show me hosts with count of distinct destination IPs with traffic on port 445 over the last 5 minutes
- Show me hosts with traffic to more than 20 distinct internal IPs within 1 minute

Purpose: Malware known to use the following exploits
- What systems are vulnerable to CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0146, CVE-2017-0147, or CVE-2017-0148?

Purpose: Identify and analyze the trend of systems with failed and successful patches applied, beginning when the malware campaign was first identified
- Which systems have failed updates from 2017-05-12 to today?
- Which systems have failed updates with signature "*MS17-010*" from 2017-05-12 to today?
- Which systems have successful updates with signature "*MS17-010*" from 2017-05-12 to today?
- Which systems have successful updates with signature "*MS17-010*" from 2017-05-12 to 2 weeks ago versus 1 week ago to today?

Purpose: Ascertain if SMB traffic is normally allowed to traverse network boundaries
- Show me traffic from hosts where dest port is 445 to external IPs this week versus normal?
- Show me traffic from external IPs where dest port is 445 to internal IPs this week versus normal?

Purpose: Ransomware variants generally appear to prefer long DNS names for C2 beacons
- Which systems are generating DNS queries greater than 40 characters?
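As an added example (not from the whitepaper or the CSI product), the following Python script implements the SMB lateral-movement question above, "hosts with traffic to more than 20 distinct internal IPs within 1 minute" on port 445, as detection logic run over constructed flow-log lines; the log format, the field names and the internal address ranges are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# What the question calls "internal": assumed address ranges, adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow/firewall log lines, format "<ISO time> src=<ip> dst=<ip> dport=<port>".
BASE = datetime(2017, 6, 27, 10, 0, 0)
def _line(sec, src, dst, dport):
    return f"{(BASE + timedelta(seconds=sec)).isoformat()} src={src} dst={dst} dport={dport}"

SAMPLE_LOGS = (
    # 10.0.0.5 reaches 25 distinct internal hosts on 445 inside 48 s: SMB scanning / lateral movement
    [_line(2 * i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(25)]
    # 10.0.0.9 talks to three file servers on 445: ordinary activity
    + [_line(10 * i, "10.0.0.9", f"10.0.2.{i + 1}", 445) for i in range(3)]
    # outbound 445 to a constructed external address: excluded by the internal-only filter
    + [_line(0, "10.0.0.5", "203.0.113.7", 445)]
    # the same host fanning out on port 80 is irrelevant to the SMB question
    + [_line(i, "10.0.0.5", f"10.0.3.{i + 1}", 80) for i in range(30)]
)

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, rest = line.split(" ", 1)
    kv = dict(item.split("=", 1) for item in rest.split())
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])

def smb_fanout(lines, threshold=20, window=timedelta(minutes=1), port=445):
    """Return {src: peak distinct internal dsts on `port` within any sliding `window`} for sources over `threshold`."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport == port and any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):  # window anchored at each event, so no bucket-edge misses
            dsts = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(dsts))
        if peak > threshold:
            hits[src] = peak
    return hits
```

A fixed-bucket SPL rendering such as `dest_port=445 | bin _time span=1m | stats dc(dest_ip) AS dests BY _time, src_ip | where dests > 20` (assumed field names) can miss a fan-out that straddles a minute boundary, which is why the script uses a sliding window anchored at each event.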

Conclusion

As shown in the examples above, security operations teams are expected to quickly analyze and assess high-impact threats within their environment through both tactical and strategic investigative techniques. For each example question listed, consider how long it would take your typical analyst to write an equivalent, optimal SPL query (or dashboard) in Splunk. Is that time well spent? Rather than having analysts distracted by how to query a big data search platform (such as Splunk), CSI empowers teams to quickly navigate their security intelligence through a natural interface and stay focused on actionable results. Want to learn more? Contact [email protected] to obtain a live demo and learn how CSI helps accelerate security operations further.