Workshop threat-hunting
![Page 1: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/1.jpg)
Threat Hunting with Splunk
Presenter: Ken Westin, M.Sc, OSCP, ITPM, Splunk Security Market Specialist
![Page 2: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/2.jpg)
Prework for today
● Set up Splunk Enterprise Security Sandbox
● Install free Splunk on laptop
● Install ML Toolkit app: https://splunkbase.splunk.com/app/2890/
![Page 3: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/3.jpg)
$whoami
[email protected] @kwestin
• 1 year at Splunk – Security Specialist
• Based in Portland, Oregon
• 17 years in technology and security
• M.Sc, OSCP, ITPM
• Trained in offensive & defensive security
• Put bad guys in jail… with data
![Page 4: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/4.jpg)
Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Advanced Threat Hunting Techniques
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
![Page 5: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/5.jpg)
Log In Credentials (pick the server by your birth month)
January, February & March: https://od-threathunting-01.splunkoxygen.com
April, May & June: https://od-threathunting-02.splunkoxygen.com
July and August: https://od-threathunting-03.splunkoxygen.com
September and October: https://od-threathunting-04.splunkoxygen.com
November and December: https://od-threathunting-05.splunkoxygen.com
User: hunter  Pass: pr3dator
![Page 6: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/6.jpg)
These won't work…
![Page 7: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/7.jpg)
Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
![Page 8: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/8.jpg)
This is a hands-on session.
The overview slides are important for building your "hunt" methodology.
10 minutes - Seriously.
![Page 9: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/9.jpg)
What is threat hunting, why do you need it?
The What?
• Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]
The Why?
• Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]
[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
[2] Cyber Threat Hunting - Samuel Alonso blog, Jan 2016
"Threat Hunting is not new, it's just evolving!"
![Page 10: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/10.jpg)
Threat Hunting with Splunk
Vs.
![Page 11: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/11.jpg)
Key Building Blocks to Drive Threat Hunting Maturity
Human Threat Hunter: Objectives > Hypotheses > Expertise
Building blocks: Data; Search & Visualisation; Enrichment; Automation
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
![Page 12: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/12.jpg)
SANS Threat Hunting Maturity
Techniques in use, as reported by respondents (in the order shown on the slide):
• Ad Hoc Search: 85%
• Statistical Analysis: 55%
• Visualization Techniques: 50%
• Aggregation: 48%
• Machine Learning / Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
![Page 13: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/13.jpg)
How Splunk helps You Drive Threat Hunting Maturity
Human Threat Hunter: Hypotheses
Maturity stages on the slide's axis: Data Search, Visualisation, Data & Intelligence Enrichment, Automated Analytics, Data Science & Machine Learning
• Data – Ingest & Onboard Any Threat Hunting Machine Data Source: enable fast ingestion of any machine data through efficient indexing, a big data real-time architecture and "schema on the read" technology
• Search & Visualisation – Search & Visualise Relationships for Faster Hunting: search and correlate data while visually fusing results for faster context, analysis and insight
• Enrichment – Threat Hunting Data Enrichment: enrich data with context and threat intel across the stack or time to discern deeper patterns or relationships
• Automation – Threat Hunting Automation: integrated & out-of-the-box automation tooling from artifact query, contextual "swim-lane analysis", anomaly & time series analysis to advanced data science leveraging machine learning
![Page 14: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/14.jpg)
Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring. Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services. Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity. Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion. Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data. Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist. Tools: Splunk UBA (all of the above)
![Page 15: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/15.jpg)
Typical Data Sources (kill chain: Persist, Repeat)
• Threat Intelligence – attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution. Sources: third-party threat intel, open-source blacklist, internal threat intelligence
• Network – where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download. Sources: firewall, IDS, IPS, DNS, email, web proxy, NetFlow, network
• Endpoint – what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility. Sources: endpoint (AV/IPS/FW), malware detection, PCLM, DHCP, OS logs, patching
• Access/Identity – access level, privileged users, likelihood of infection, where they might be in the kill chain. Sources: Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO
![Page 16: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/16.jpg)
Endpoint: Microsoft Sysmon Primer
● TA available on the app store
● Great blog post to get you started
● Increases the fidelity of Microsoft logging
Blog post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
![Page 17: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/17.jpg)
![Page 18: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/18.jpg)
Sysmon Event Tags
• tag=communicate: maps network communication to process_id
• tag=process: process_id creation and mapping to parent process_id
![Page 19: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/19.jpg)
sourcetype=X* | search tag=communicate
![Page 20: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/20.jpg)
sourcetype=X* | dedup tag | search tag=process
![Page 21: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/21.jpg)
Data Source Mapping
![Page 22: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/22.jpg)
Demo Story - Kill Chain Framework
• Successful brute force – download sensitive pdf document
• Weaponize the pdf file with Zeus Malware
• Convincing email sent with weaponized pdf
• Vulnerable pdf reader exploited by malware. Dropper created on machine
• Dropper retrieves and installs the malware
• Persistence via regular outbound comm
• Data Exfiltration
Source: Lockheed Martin
![Page 23: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/23.jpg)
Stream Investigations – choose your data wisely
(Figure: data sources feeding an investigation – Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB; and the "Traditional" sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication)
![Page 24: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/24.jpg)
Let's dig in!
Please raise that hand if you need us to hit the pause button.
![Page 25: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/25.jpg)
APT Transaction Flow Across Data Sources
Data Sources: Threat Intelligence; Endpoint; Network (Email, Proxy, DNS, and Web)
• Attacker hacks website, steals .pdf files (Web Portal, .pdf)
• Attacker creates malware, embeds it in .pdf, emails it to the target
• Read email, open attachment
• .pdf executes & unpacks malware, overwriting and running "allowed" programs: Calc.exe (dropper), Svchost.exe (malware)
• http (proxy) session to command & control server
• Remote control, steal data, persist in company, rent as botnet
• Kill chain stages on the diagram: Gain Access to system, Create additional environment, Conduct Business (Transaction, Proxy)
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
![Page 26: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/26.jpg)
In search: index=zeus_demo3
![Page 27: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/27.jpg)
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources.
In this demo environment, we have a variety of security-relevant data including: Web, DNS, Proxy, Firewall, Endpoint, Email.
![Page 28: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/28.jpg)
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA.
We have endpoint visibility into all network communication and can map each connection back to a process.
We also have detailed info on each process and can map it back to the user and parent process.
Let's get our day started by using threat intel to prioritize our efforts and focus on communication with known high-risk entities.
![Page 29: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/29.jpg)
This dashboard is based on event data that contains a threat intel based indicator match (IP Address, domain, etc.). The data is further enriched with CMDB based asset/identity information.
We have multiple source IPs communicating to high-risk entities identified by these 2 threat sources.
We are seeing high-risk communication from multiple data sources.
We see multiple threat intel related events across multiple sourcetypes associated with the IP Address of Chris Gilbert. Let's take a closer look at the IP Address.
We can now see the owner of the system (Chris Gilbert) and that it isn't a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
![Page 30: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/30.jpg)
We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address.
Scroll down the dashboard to examine these threat intel events associated with the IP Address.
We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet, based on the threat intel source (zeus_c2s).
![Page 31: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/31.jpg)
It's worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk (capture memory and disk images first, or the re-image destroys the evidence you will want later).
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred, which is common when data is being exfiltrated.
![Page 32: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/32.jpg)
Exfiltration of data is a serious concern, and so is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case.
Let's continue the investigation.
We immediately see that the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Another clue: svchost.exe should be located in a Windows system directory (System32), but this one is being run from user space. Not good.
![Page 33: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/33.jpg)
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
![Page 34: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/34.jpg)
This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
Suspected Malware: this process calls itself "svchost.exe," a common Windows process, but the path is not the normal path for svchost.exe. It is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
Suspected Downloader/Dropper: we also can see that the parent process that created this suspicious svchost.exe process is called calc.exe.
Let's continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
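The pivot the Process Explorer dashboard performs, from a network connection to the process that made it and up the parent chain, as an added Python example (not code from the workshop or from Splunk). The Sysmon-style events are constructed to mirror the demo story: the ProcessId values, the paths, the user name and the SYSTEM_DIRS list are assumptions, and real Sysmon events carry many more fields than the handful used here.

```python
"""Walk Sysmon-style endpoint events from a network connection back to the
process that made it and up its parent chain, then flag well-known Windows
binary names running outside the system directories. Example code added for
this transcript; the events below are constructed to mirror the demo story and
are not real Sysmon output. Field names follow Sysmon EventID 1 (process
create) and EventID 3 (network connect)."""
import ntpath

# Constructed events. ProcessId 4768 is the slide's svchost.exe; the other ids,
# the paths and the user name are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": None,
     "Image": r"C:\Program Files\PDF Reader\pdfreader.exe", "User": "BUTTERGAMES\\cgilbert",
     "CommandLine": r'"pdfreader.exe" C:\Users\cgilbert\Downloads\2nd_qtr_2014_report.pdf'},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 3100,
     "Image": r"C:\Users\cgilbert\AppData\Local\Temp\calc.exe", "User": "BUTTERGAMES\\cgilbert",
     "CommandLine": "calc.exe"},
    {"EventID": 1, "ProcessId": 4768, "ParentProcessId": 4200,
     "Image": r"C:\Users\cgilbert\AppData\Roaming\svchost.exe", "User": "BUTTERGAMES\\cgilbert",
     "CommandLine": "svchost.exe"},
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 3, "ProcessId": 4768, "DestinationIp": "10.0.0.53", "DestinationPort": 53, "Protocol": "udp"},
    {"EventID": 3, "ProcessId": 4768, "DestinationIp": "115.29.46.99", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "ProcessId": 900, "DestinationIp": "10.0.0.20", "DestinationPort": 445, "Protocol": "tcp"},
]

# Where the genuine binaries live; the same names anywhere else are suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def process_table(events):
    """Index process-create events (EventID 1) by ProcessId."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def processes_talking_to(events, dest_ip):
    """EventID 3 maps each network connection to the ProcessId that made it."""
    return sorted({e["ProcessId"] for e in events
                   if e["EventID"] == 3 and e["DestinationIp"] == dest_ip})


def ancestry(events, pid):
    """Image names [child, parent, grandparent, ...], following ParentProcessId
    until a process with no recorded parent: the root of the infection."""
    table = process_table(events)
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(table[pid]["Image"]))
        pid = table[pid]["ParentProcessId"]
    return chain


def masquerading(events):
    """(ProcessId, Image) for well-known Windows binaries outside SYSTEM_DIRS."""
    hits = []
    for e in process_table(events).values():
        name = ntpath.basename(e["Image"]).lower()
        folder = ntpath.dirname(e["Image"]).lower()
        if name in SYSTEM_BINARIES and not folder.startswith(SYSTEM_DIRS):
            hits.append((e["ProcessId"], e["Image"]))
    return hits


if __name__ == "__main__":
    for pid in processes_talking_to(EVENTS, "115.29.46.99"):
        print(pid, " <- ".join(ancestry(EVENTS, pid)))
    print(masquerading(EVENTS))
```

Run as-is it prints the chain svchost.exe <- calc.exe <- pdfreader.exe for the process behind the C2 connection, and lists only the user-space svchost.exe as masquerading; the genuine System32 copy, which also makes network connections, is left alone.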
![Page 35: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/35.jpg)
The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
Suspected Vulnerable App: we have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
![Page 36: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/36.jpg)
We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll down the dashboard to examine activity related to the PDF reader process.
![Page 37: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/37.jpg)
Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let's copy the file name 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
![Page 38: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/38.jpg)
Let's dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
![Page 39: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/39.jpg)
In search: index=zeus_demo3 2nd_qtr_2014_report.pdf
![Page 40: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/40.jpg)
Let's search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file, but let's first look at the email event to determine the scope of this apparent phishing attack.
![Page 41: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/41.jpg)
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold on! That's not our domain name! The spelling is close but it's missing a "t". The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice.
This looks to be a very targeted spear phishing attack, as it was sent to only one employee (Chris).
![Page 42: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/42.jpg)
Root Cause Recap
We utilized threat intel to detect communication with known high-risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
![Page 43: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/43.jpg)
Let's revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Select the access_combined sourcetype to investigate further.
![Page 44: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/44.jpg)
The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.
![Page 45: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/45.jpg)
Select the IP Address, left-click, then select "New search". We would like to understand what else this IP Address has accessed in the environment.
![Page 46: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/46.jpg)
That's an abnormally large number of requests sourced from a single IP Address in a ~90 minute window.
This looks like a scripted action given the constant high rate of requests over the window below.
Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot user agent string, which is another attempt to avoid raising attention.
![Page 47: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/47.jpg)
47
The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It's clearly not possible for a person to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the website.
![Page 48: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/48.jpg)
Kill Chain Analysis Across Data Sources
We began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales.
We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
We traced calc.exe back to the vulnerable application, PDF Reader.
We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let's get this turned over to the Incident Response team.
![Page 49: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/49.jpg)
10 min Break!
![Page 50: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/50.jpg)
SQLi
![Page 51: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/51.jpg)
SQL Injection (and its relatives)
● SQL injection
● Code injection
● OS commanding
● LDAP injection
● XML injection
● XPath injection
● SSI injection
● IMAP/SMTP injection
● Buffer overflow
![Page 52: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/52.jpg)
Imperva Web Attacks Report, 2015
![Page 53: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/53.jpg)
![Page 54: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/54.jpg)
The anatomy of a SQL injection attack
An attacker might supply:
email: [email protected]' OR 1 = 1 -- '
password: xxx
The query the application builds from that input:
SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';
1234
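The slide's query run both ways, as an added example that is not from the workshop: an in-memory SQLite table with one constructed user row, a login function that concatenates the input into the SQL exactly as the slide shows, and the parameterised version that the same payload cannot bypass. The table, the e-mail address and the password are made up; using 1234 as the user id is an assumption about the slide's figure.

```python
"""The login query from the slide, once built by string concatenation and once
parameterised. Example code added for this transcript, not the workshop's own;
it uses an in-memory SQLite database with one constructed user row."""
import sqlite3


def make_db():
    """Constructed sample table: one user with a (deliberately weak) plaintext password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1234, 'bob@example.com', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the WHERE clause by string formatting: the slide's anatomy of SQLi.
    Deliberately vulnerable. Returns the first matching user id, or None."""
    sql = f"SELECT id FROM users WHERE email='{email}' AND password='{password}';"
    row = conn.execute(sql).fetchone()  # the attacker's input is now part of the SQL
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement, so quotes and comment markers in the input stay data."""
    sql = "SELECT id FROM users WHERE email=? AND password=?;"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


# The slide's payload: closes the string literal, makes the predicate always
# true, and comments out the password check.
PAYLOAD_EMAIL = "bob@example.com' OR 1 = 1 -- "
WRONG_PASSWORD = "xxx"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD_EMAIL, WRONG_PASSWORD))  # 1234, no password needed
    print("parameterised:", login_safe(conn, PAYLOAD_EMAIL, WRONG_PASSWORD))     # None
```

The vulnerable version returns user 1234 with a wrong password because the executed statement has become SELECT id FROM users WHERE email='bob@example.com' OR 1 = 1 -- ... and everything after the comment marker is ignored. The parameterised version compares the whole payload, quote and all, against the email column and finds nothing, while a genuine login still works.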
![Page 55: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/55.jpg)
…and so far this year… 39
![Page 56: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/56.jpg)
index=web_vuln password select
![Page 57: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/57.jpg)
What have we here? Our learning environment consists of:
• A bunch of publicly-accessible single Splunk servers
• Each with ~5.5M events, from real environments but massaged:
• Windows Security events
• Apache web access logs
• Bro DNS & HTTP
• Palo Alto traffic logs
• Some other various bits
![Page 58: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/58.jpg)
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
✓ looks for patterns in the URI query field to see if anyone has injected SQL statements into it
✓ flags URI query values whose length is more than 2.5 standard deviations above the average length of the field
Macros used:
• sqlinjection_pattern(sourcetype, uriqueryfield)
• sqlinjection_stats(sourcetype, uriqueryfield)
![Page 59: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/59.jpg)
Regular Expression FTW
sqlinjection_rex is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)
Which means: in the string we are given, look for ANY of the following matches and put that into the "injection" field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ' at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 or a ', then any number of %20, then an =, then any number of %20, then a %27 or a '
• Any number of word characters followed by a %27 or a ' and then "or"
• Note: %27 is encoded "'" and %20 is encoded <space>
• Caveat: [\%27|\'] is a character class, not an alternation, so it matches any single one of the characters %, 2, 7, | or ' rather than the sequence %27. The last two alternatives are therefore looser than the description above; they also do not allow a space between the quote and OR, so a literal ' OR 1=1 is caught by the surrounding patterns only when it is URL-encoded as %27or or carries one of the other keywords.
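An added Python re-implementation of the two checks the app's macros perform, run over constructed Apache access_combined lines (not real traffic, and not the app's own code). The pattern is my transcription of sqlinjection_rex with two deliberate changes: the bracketed [\%27|\'] groups become real alternations (?:%27|'), and the last alternative tolerates a space between the quote and OR, so 42' OR 1=1 is caught as well as 42'or. The length check is my reading of the second macro: flag a query whose length exceeds the mean by more than 2.5 standard deviations.

```python
"""SQL injection hunting over web access logs: the sqlinjection_rex pattern
(transcribed with the character-class bug fixed) and the length-outlier check.
Example code added for this transcript; the log lines are constructed."""
import re
import statistics
from urllib.parse import unquote

# My transcription of sqlinjection_rex; see the lead-in for the two changes.
SQLI_PATTERN = re.compile(
    r"(?i)(?P<injection>"
    r"select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table"
    r"|(?:%27|')(?:%20)*=(?:%20)*(?:%27|')"   # quote, optional %20s, =, optional %20s, quote
    r"|\w*(?:%27|')(?:%20|\s)*or\b"           # word' OR, with an encoded or literal space
    r")"
)
# Request line of an access_combined event: method, path, '?', query string, protocol.
REQUEST = re.compile(r'"(?:GET|POST) [^ ?"]*\?([^ "]*) HTTP/')


def sample_logs():
    """Constructed access_combined lines: ten ordinary product lookups, a search,
    two injection attempts and a request with no query string at all."""
    base = '10.1.1.{h} - - [12/Mar/2016:10:00:{s:02d} -0700] "GET {path} HTTP/1.1" 200 {size}'
    normal = [base.format(h=5, s=n, path=f"/products.php?id={n}", size=512) for n in range(10, 20)]
    others = [
        base.format(h=7, s=20, path="/search.php?q=splunk", size=300),
        base.format(h=9, s=21, path="/products.php?id=42%27%20OR%201=1--", size=8123),
        base.format(h=9, s=22, path="/products.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users--", size=9012),
        base.format(h=7, s=23, path="/index.html", size=100),
    ]
    return normal + others


def uri_queries(log_lines):
    """The uri_query field: the query string of each request, None when absent."""
    out = []
    for line in log_lines:
        m = REQUEST.search(line)
        out.append(m.group(1) if m else None)
    return out


def pattern_hits(log_lines):
    """sqlinjection_pattern equivalent: (line index, matched fragment) for every
    query that matches, tested raw and again after URL decoding."""
    hits = []
    for i, q in enumerate(uri_queries(log_lines)):
        if q is None:
            continue
        for candidate in (q, unquote(q)):
            m = SQLI_PATTERN.search(candidate)
            if m:
                hits.append((i, m.group("injection")))
                break
    return hits


def length_outliers(log_lines, factor=2.5):
    """sqlinjection_stats reading: indexes of queries longer than mean + factor*stdev.
    Long inputs are how UNION ... SELECT payloads stand out even when the
    keyword list misses them."""
    queries = uri_queries(log_lines)
    lengths = [len(q) for q in queries if q is not None]
    threshold = statistics.mean(lengths) + factor * statistics.stdev(lengths)
    return [i for i, q in enumerate(queries) if q is not None and len(q) > threshold]


if __name__ == "__main__":
    logs = sample_logs()
    for i, frag in pattern_hits(logs):
        print(f"pattern hit on line {i}: {frag!r}")
    for i in length_outliers(logs):
        print(f"length outlier on line {i}: {len(uri_queries(logs)[i])} characters")
```

On the sample the pattern check fires on both injection lines (42%27%20OR and UNION%20SELECT) and on nothing else, while the length check fires only on the 58-character UNION payload; the two checks overlap but are not redundant, which is why the app runs both. The statistics in length_outliers are computed over the same window that is being judged, so a flood of long queries will raise the threshold and hide itself; in production, baseline the lengths over a quiet period instead.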
![Page 60: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/60.jpg)
Bonus: Try out the SQL Injection app!
![Page 61: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/61.jpg)
Summary: Web attacks / SQL injection
● SQL injection provides attackers with easy access to data
● Detecting advanced SQL injection is hard – use an app!
● Understand where SQLi is happening on your network and put a stop to it.
● Augment your WAF with enterprise-wide Splunk searches.
![Page 62: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/62.jpg)
10 min Break!
![Page 63: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/63.jpg)
Lateral Movement
![Page 64: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/64.jpg)
Poking around
An attacker hacks a non-privileged user's system.
So what?
![Page 65: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/65.jpg)
Lateral Movement
Lateral Movement is the expansion of systems controlled, and data accessed.
![Page 66: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/66.jpg)
Most famous Lateral Movement attack? (excluding password re-use)
Pass the Hash!
![Page 67: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/67.jpg)
Detecting Legacy PtH
Look for Windows Events:
● Event ID: 4624 or 4625
● Logon type: 3
● Auth package: NTLM
● User account is not a domain logon, or Anonymous Logon
![Page 68: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/68.jpg)
LM Detection: Pass the Hash
source=WinEventLog:Security EventCode=4624 Authentication_Package=NTLM Type=Information
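The four conditions on the slide applied to a handful of constructed Windows Security events, as an added example (not the workshop's code and not real logs). Field names follow the Splunk Add-on for Microsoft Windows; DOMAIN, the hostnames and the addresses are assumptions. The search on the slide stops at EventCode and NTLM; the function below adds the logon-type and account filters from the previous slide, and then groups what remains by source address, because one source reaching several targets is the shape of lateral movement.

```python
"""Legacy pass-the-hash filter over Windows Security events: EventCode 4624/4625,
Logon Type 3, Authentication Package NTLM, and an account that is neither a
domain account nor ANONYMOUS LOGON. Example code added for this transcript; the
events are constructed, with field names as the Splunk Add-on for Windows
extracts them. DOMAIN, the hosts and the addresses are made up."""
from collections import Counter

DOMAIN = "BUTTERGAMES"  # assumed AD domain name


def event(code, logon_type, package, account, acct_domain, src, target):
    return {"EventCode": code, "Logon_Type": logon_type,
            "Authentication_Package": package, "Account_Name": account,
            "Account_Domain": acct_domain, "Source_Network_Address": src,
            "ComputerName": target}


EVENTS = [
    # local admin hash replayed over the network to two servers: the PtH pattern
    event(4624, 3, "NTLM", "Administrator", "WKS-CGILBERT", "10.0.1.15", "FILESRV01"),
    event(4625, 3, "NTLM", "Administrator", "WKS-CGILBERT", "10.0.1.15", "SQLSRV02"),
    # ordinary domain user, Kerberos network logon
    event(4624, 3, "Kerberos", "cgilbert", DOMAIN, "10.0.1.15", "FILESRV01"),
    # null session: ANONYMOUS LOGON over NTLM is routine noise and is excluded
    event(4624, 3, "NTLM", "ANONYMOUS LOGON", "NT AUTHORITY", "10.0.1.40", "FILESRV01"),
    # the same local account at the console (Logon Type 2): not lateral movement
    event(4624, 2, "NTLM", "Administrator", "WKS-CGILBERT", "-", "WKS-CGILBERT"),
    # domain service account over NTLM: legacy application traffic, not flagged by this rule
    event(4624, 3, "NTLM", "svc_backup", DOMAIN, "10.0.1.60", "FILESRV01"),
]


def is_legacy_pth(e, domain=DOMAIN):
    """True when the event matches every condition on the slide."""
    return (e["EventCode"] in (4624, 4625)
            and e["Logon_Type"] == 3
            and e["Authentication_Package"].upper() == "NTLM"
            and e["Account_Name"].upper() != "ANONYMOUS LOGON"
            and e["Account_Domain"].upper() != domain.upper())


def pth_candidates(events):
    return [e for e in events if is_legacy_pth(e)]


def targets_per_source(events):
    """{source address: sorted target hosts} over the candidates; a source that
    touches several hosts with a local account is the first thing to look at."""
    targets = {}
    for e in pth_candidates(events):
        targets.setdefault(e["Source_Network_Address"], set()).add(e["ComputerName"])
    return {src: sorted(hosts) for src, hosts in targets.items()}


def count_by_source(events):
    return dict(Counter(e["Source_Network_Address"] for e in pth_candidates(events)))


if __name__ == "__main__":
    for e in pth_candidates(EVENTS):
        print(e["EventCode"], e["Account_Domain"] + "\\" + e["Account_Name"],
              e["Source_Network_Address"], "->", e["ComputerName"])
    print(targets_per_source(EVENTS))
```

Only the two local-Administrator network logons survive the filter, and both come from 10.0.1.15. The domain service account using NTLM is deliberately not caught: the slide's rule looks for local accounts, and a domain account passed the hash needs the behavioural approach the later slides describe.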
![Page 69: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/69.jpg)
![Page 70: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/70.jpg)
Then it got harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let's detect lateral movement differently
![Page 71: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/71.jpg)
Network traffic provides source of truth
● I usually talk to 10 hosts
● Then one day I talk to 10,000 hosts
● ALARM!
![Page 72: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/72.jpg)
LM Detection: Network Destinations
sourcetype="pan:traffic" | stats count dc(dest) sparkline(dc(dest)) by src_ip
![Page 73: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/73.jpg)
Sparklines: one source is consistently large, another is inconsistent!
![Page 74: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/74.jpg)
LM Detection: Network Destinations
sourcetype="pan:traffic" | bucket _time span=1d | stats count dc(dest) as NumDests by src_ip _time | stats avg(NumDests) as avg stdev(NumDests) as stdev latest(NumDests) as latest by src_ip | where latest > 2*stdev+avg
Find daily average, standard deviation, and most recent
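The two-stage stats search above, reproduced as an added Python example over constructed pan:traffic-style records (day, src_ip, dest); this is not code from the workshop, and the source addresses and traffic profiles are made up. It also shows the one change a practitioner usually makes to this search: computing the baseline from the earlier days only, so the spike under test does not also widen the standard deviation it is compared against.

```python
"""Daily distinct-destination baseline per source address, the Python
equivalent of the slide's bucket | stats | stats | where pipeline. Example code
added for this transcript; the records imitate pan:traffic and are constructed."""
import statistics
from collections import defaultdict


def constructed_traffic():
    """Constructed (day, src_ip, dest) records, not real firewall logs. Each
    flow is logged twice so that distinct counting is actually exercised."""
    profile = {
        "10.0.1.15": [10, 11, 9, 10, 12, 10, 400],  # quiet workstation, then a sweep on day 7
        "10.0.1.20": [50, 52, 48, 51, 49, 50, 51],  # consistently large (proxy/scanner): baseline, not an alarm
    }
    records = []
    for src, daily in profile.items():
        for day, n in enumerate(daily, start=1):
            for i in range(n):
                dest = f"10.50.{i // 250}.{i % 250 + 1}"
                records.append((f"2016-03-{day:02d}", src, dest))
                records.append((f"2016-03-{day:02d}", src, dest))
    return records


def daily_distinct_dests(records):
    """bucket _time span=1d | stats dc(dest) as NumDests by src_ip _time,
    returned as {src_ip: [NumDests per day, in date order]}."""
    dests = defaultdict(set)
    for day, src, dest in records:
        dests[(src, day)].add(dest)
    per_src = defaultdict(dict)
    for (src, day), seen in dests.items():
        per_src[src][day] = len(seen)
    return {src: [days[d] for d in sorted(days)] for src, days in per_src.items()}


def flag_lateral_movement(records, k=2.0, baseline_excludes_latest=False):
    """Per src_ip: avg, stdev and latest NumDests, plus the slide's test
    latest > k*stdev + avg. With baseline_excludes_latest=True the mean and
    stdev are taken over the earlier days only, so the spike being tested
    does not inflate its own threshold."""
    out = {}
    for src, counts in daily_distinct_dests(records).items():
        if len(counts) < 3:          # fewer than two baseline days: no usable stdev
            continue
        latest = counts[-1]
        baseline = counts[:-1] if baseline_excludes_latest else counts
        avg, sd = statistics.mean(baseline), statistics.stdev(baseline)
        out[src] = {"avg": round(avg, 2), "stdev": round(sd, 2), "latest": latest,
                    "flag": latest > k * sd + avg}
    return out


if __name__ == "__main__":
    recs = constructed_traffic()
    for mode in (False, True):
        print("baseline excludes latest:", mode)
        for src, r in flag_lateral_movement(recs, baseline_excludes_latest=mode).items():
            print(" ", src, r)
```

With the slide's formula the sweeping host is flagged (400 against a threshold of about 361), but only just: the 400 is inside the window the standard deviation is computed from, so it pushes the threshold up to nearly its own value. Excluding the day under test drops the threshold to about 12 and the same spike stands out by a wide margin, while the consistently busy host stays below its threshold either way.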
![Page 75: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/75.jpg)
![Page 76: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/76.jpg)
Splunk UBA
![Page 77: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/77.jpg)
Summary: Lateral Movement
● Attacker success defines scope of a breach
● High difficulty, high importance
● Worth doing in Splunk
● Easy with UBA
![Page 78: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/78.jpg)
DNS Exfiltration
![Page 79: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/79.jpg)
domain=corp;user=dave;password=12345
→ encode (base64 here; the slide says "encrypt", but this step only encodes and hides nothing from anyone who decodes the label) →
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
![Page 80: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/80.jpg)
DNS exfiltration
DNS exfil tends to be overlooked within an ocean of DNS data.
Let's fix that!
![Page 81: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/81.jpg)
DNS exfiltration
FrameworkPOS: a card-stealing program that exfiltrates data from the target's network by transmitting it as domain name system (DNS) traffic.
"But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!"
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
"…few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network."
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
![Page 82: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/82.jpg)
URL Toolbox: https://splunkbase.splunk.com/app/2734/

DNS exfil detection – tricks of the trade
• parse URLs & complicated TLDs (Top Level Domains)
• calculate Shannon Entropy

List of provided lookups (macros)
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
![Page 83: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/83.jpg)
Shannon Entropy
Layman's definition: a score reflecting the randomness or measure of uncertainty of a string

Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
![Page 84: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/84.jpg)
Detecting Data Exfiltration

index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen=length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen

TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display details
![Page 85: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/85.jpg)
Let's get hands on!
DNS Exfiltration
![Page 86: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/86.jpg)
Detecting Data Exfiltration

... | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2

TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
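Added example (not from the workshop): the two searches above and the Shannon-entropy examples, re-done in Python over constructed Zeek/Bro dns.log-style lines. split_query and shannon_entropy are stand-ins for the ut_parse and ut_shannon macros (assumption: the registered domain is the last two labels; no public-suffix list). The encoder mirrors the slide's domain=corp example, so the same block also shows that the exfil step is base64 encoding rather than encryption. The exfil domain attack.com, the source addresses and the stolen bytes are made up, and the min_count threshold is an addition that is not in the slide's search.

```python
"""Added example (not from the workshop): the DNS-exfiltration hunt from the slides
re-done in Python over constructed Zeek/Bro dns.log-style records. Stand-ins for the
URL Toolbox macros: split_query ~ ut_parse (ut_domain, ut_subdomain) and
shannon_entropy ~ ut_shannon. Assumption: registered domain = last two labels (no
public-suffix list)."""
import base64
import math
import random
import statistics
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character, what ut_shannon scores."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_query(name):
    """Approximates ut_parse: returns (ut_domain, ut_subdomain)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def encode_exfil_queries(payload, domain, label_len=60, labels_per_query=3):
    """Attacker side, as on the slide: base64 the stolen bytes and carry them as the
    subdomain of queries to a domain whose authoritative server the attacker runs.
    Base64 is kept to match the slide (it is encoding, not encryption); real tools
    prefer base32/hex because '+', '/' and '=' are not valid hostname characters."""
    text = base64.b64encode(payload).decode()
    step = label_len * labels_per_query
    queries = []
    for i in range(0, len(text), step):
        piece = text[i:i + step]
        labels = [piece[j:j + label_len] for j in range(0, len(piece), label_len)]
        queries.append(".".join(labels) + "." + domain)
    return queries


def decode_exfil_queries(queries, domain):
    """Receiver side: strip the exfil domain, drop the label dots, base64-decode."""
    return base64.b64decode("".join(q[:-(len(domain) + 1)].replace(".", "") for q in queries))


# Constructed sample log: tab-separated ts, id.orig_h, query (a subset of Zeek's
# dns.log columns). 192.168.56.102 is the host investigated later in the ES walkthrough.
_rng = random.Random(7)
STOLEN = bytes(_rng.getrandbits(8) for _ in range(1350))  # stand-in for a card dump
EXFIL_QUERIES = encode_exfil_queries(STOLEN, "attack.com")
BENIGN_QUERIES = [
    "www.google.com", "mail.google.com", "google.com", "cdn4s.steelhousemedia.com",
    "log.tagcade.com", "go.vidprocess.com", "statse.webtrendslive.com",
    "0123456789abcdef0123456789.cloudfront.net",  # one hash-like CDN label
]
SAMPLE_LOG = [f"1432000000.{i:03d}\t10.0.0.5\t{q}" for i, q in enumerate(BENIGN_QUERIES)]
SAMPLE_LOG += [f"1432000100.{i:03d}\t192.168.56.102\t{q}" for i, q in enumerate(EXFIL_QUERIES)]


def parse_dns_log(lines):
    return [dict(zip(("ts", "src", "query"), line.split("\t"))) for line in lines if line]


def score_domains(records):
    """`stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen
    stdev(sublen) as stdev_sublen by ut_domain`."""
    per_domain = defaultdict(list)
    for r in records:
        domain, sub = split_query(r["query"])
        per_domain[domain].append((shannon_entropy(sub), len(sub)))
    stats = {}
    for domain, rows in per_domain.items():
        ents, lens = [e for e, _ in rows], [l for _, l in rows]
        stats[domain] = {"count": len(rows), "avg_sha": sum(ents) / len(ents),
                         "avg_sublen": sum(lens) / len(lens),
                         "stdev_sublen": statistics.stdev(lens) if len(lens) > 1 else 0.0}
    return stats


def flag_exfil(stats, min_avg_sha=3.0, min_avg_sublen=20, max_stdev_sublen=2.0, min_count=5):
    """`search avg_sha>3 avg_sublen>20 stdev_sublen<2`, plus a minimum query count:
    exfil needs many requests, and the count keeps a single hash-like CDN label
    (high entropy, long, stdev 0 on its own) from tripping the other three tests."""
    return sorted(d for d, s in stats.items()
                  if s["avg_sha"] > min_avg_sha and s["avg_sublen"] > min_avg_sublen
                  and s["stdev_sublen"] < max_stdev_sublen and s["count"] >= min_count)


def hunt(lines=SAMPLE_LOG, **thresholds):
    return flag_exfil(score_domains(parse_dns_log(lines)), **thresholds)
```

Run as is, hunt() returns only attack.com: ten queries whose subdomains are all 182 characters long (stdev 0) with entropy well above 3. Dropping min_count to 1 also surfaces cloudfront.net on the strength of a single hash-like label, which is the false positive the count threshold exists to suppress.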
![Page 87: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/87.jpg)
Detecting Data Exfiltration – RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
![Page 88: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/88.jpg)
Summary: DNS exfiltration
● Exfiltration by DNS and ICMP is a very common technique
● Many organizations do not analyze DNS activity – do not be like them!
● No DNS logs? No Splunk Stream? Look at FW byte counts
![Page 89: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/89.jpg)
Splunk Enterprise Security
![Page 90: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/90.jpg)
Threat Hunting with Splunk (slide diagram: threat-hunting maturity)
Splunk Enterprise – Big Data Analytics Platform; Splunk Enterprise Security – Security Analytics Platform
Maturity axis: Data Search, Visualisation, Data & Intelligence Enrichment, Automated Analytics, Data Science & Machine Learning, Hypotheses
Capabilities: Ingest & Onboard Any Threat Hunting Machine Data Source; Search & Visualise Relationships for Faster Hunting; Threat Hunting Data Enrichment; Threat Hunting Automation
![Page 91: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/91.jpg)
Other Items To Note (legend for the screenshot callouts that follow): "Items to Note"; "Navigation – How to Get Here"; "Description of what to click on"; "Click"
![Page 92: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/92.jpg)
Key Security Indicators (build your own!) – sparklines, editable
![Page 93: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/93.jpg)
Malware-Specific KSIs and Reports – various ways to filter data
Navigation: Security Domains -> Endpoint -> Malware Center
![Page 94: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/94.jpg)
KSIs specific to Risk – filterable; risk assigned to system, user or other
Navigation: Under Advanced Threat, select Risk Analysis
![Page 95: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/95.jpg)
(Scroll down) Recent Risk Activity
Navigation: Under Advanced Threat, select Risk Analysis
![Page 96: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/96.jpg)
KSIs specific to Threat – filterable, down to IoC; most active threat source (scroll down)
Navigation: Under Advanced Threat, select Threat Activity
![Page 97: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/97.jpg)
Specifics about recent threat matches
Navigation: Under Advanced Threat, select Threat Activity
![Page 98: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/98.jpg)
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads
![Page 99: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/99.jpg)
Click "Threat Artifacts" under "Advanced Threat"
![Page 100: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/100.jpg)
Artifact Categories – click the different tabs (STIX feed, custom feed)
Navigation: Under Advanced Threat, select Threat Artifacts
![Page 101: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/101.jpg)
Review the Advanced Threat content
![Page 102: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/102.jpg)
Asset Investigator, enter "192.168.56.102": data from the asset framework; configurable swimlanes; darker = more events; all happened around the same time (change the time range to "Today" if needed)
![Page 103: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/103.jpg)
Data Science & Machine Learning In Security
![Page 104: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/104.jpg)
Disclaimer: I am not a data scientist
![Page 105: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/105.jpg)
Types of Machine Learning
Supervised Learning: generalizing from labeled data
![Page 106: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/106.jpg)
Supervised Machine Learning

| Domain Name | Total Cnt | Risk Factor | AGD | Session Time | Ref Entropy | Null Ua | Outcome |
|---|---|---|---|---|---|---|---|
| yyfaimjmocdu.com | 144 | 6.05 | 1 | 1 | 0 | 0 | Malicious |
| jjeyd2u37an30.com | 6192 | 5.05 | 0 | 1 | 0 | 0 | Malicious |
| cdn4s.steelhousemedia.com | 107 | 3 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 2 | 0 | 1 | 0 | 0 | Benign |
| go.vidprocess.com | 170 | 2 | 0 | 0 | 0 | 0 | Benign |
| statse.webtrendslive.com | 310 | 2 | 0 | 1 | 0 | 0 | Benign |
| cdn4s.steelhousemedia.com | 107 | 1 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 1 | 0 | 1 | 0 | 0 | Benign |
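Added example (not from the workshop or the ML Toolkit): a supervised classifier trained on the labelled table above. The Toolkit would fit this with scikit-learn's LogisticRegression; here a small hand-rolled logistic regression (standardised features, batch gradient descent, L2 penalty) is used so the block runs on the standard library alone. The feature rows are the slide's own; the two unlabelled domains scored at the end are made up.

```python
"""Added example (not from the workshop): supervised learning on the slide's
labelled domain table with a stand-alone logistic regression. The ML Toolkit
would use scikit-learn's LogisticRegression for the same job."""
import math

FEATURES = ["TotalCnt", "RiskFactor", "AGD", "SessionTime", "RefEntropy", "NullUa"]

# (domain, features, Outcome) exactly as listed on the slide
TRAINING = [
    ("yyfaimjmocdu.com",          [144,  6.05, 1, 1, 0, 0], "Malicious"),
    ("jjeyd2u37an30.com",         [6192, 5.05, 0, 1, 0, 0], "Malicious"),
    ("cdn4s.steelhousemedia.com", [107,  3.00, 0, 0, 0, 0], "Benign"),
    ("log.tagcade.com",           [111,  2.00, 0, 1, 0, 0], "Benign"),
    ("go.vidprocess.com",         [170,  2.00, 0, 0, 0, 0], "Benign"),
    ("statse.webtrendslive.com",  [310,  2.00, 0, 1, 0, 0], "Benign"),
    ("cdn4s.steelhousemedia.com", [107,  1.00, 0, 0, 0, 0], "Benign"),
    ("log.tagcade.com",           [111,  1.00, 0, 1, 0, 0], "Benign"),
]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _scaler(rows):
    """Per-feature mean and std-dev. Constant columns (RefEntropy and NullUa are
    all zero on the slide) get std-dev 1 so they contribute nothing."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    sds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return means, sds


def _scale(x, means, sds):
    return [(v - m) / s for v, m, s in zip(x, means, sds)]


def train(rows=TRAINING, lr=0.1, epochs=5000, l2=0.001):
    """Batch gradient descent on L2-regularised logistic loss. Deterministic:
    weights start at zero, so the same table always yields the same model."""
    xs = [r[1] for r in rows]
    ys = [1.0 if r[2] == "Malicious" else 0.0 for r in rows]
    means, sds = _scaler(xs)
    xs = [_scale(x, means, sds) for x in xs]
    w, b = [0.0] * len(FEATURES), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in zip(xs, ys):
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        n = len(xs)
        w = [wi - lr * (g / n + l2 * wi) for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return {"w": w, "b": b, "means": means, "sds": sds}


def score(model, features):
    """Probability that a domain with these features is malicious."""
    x = _scale(features, model["means"], model["sds"])
    return _sigmoid(sum(wi * xi for wi, xi in zip(model["w"], x)) + model["b"])


def classify(model, features, threshold=0.5):
    return "Malicious" if score(model, features) >= threshold else "Benign"


def training_accuracy(model, rows=TRAINING):
    return sum(classify(model, r[1]) == r[2] for r in rows) / len(rows)


if __name__ == "__main__":
    m = train()
    print("training accuracy:", training_accuracy(m))
    # made-up unlabelled domains: a high-risk DGA-looking one and a quiet CDN host
    print("new domain A ->", classify(m, [5000, 5.5, 1, 1, 0, 0]))
    print("new domain B ->", classify(m, [120, 1.0, 0, 0, 0, 0]))
```

Eight rows is a toy: the table is linearly separable on RiskFactor alone, so the fitted weights say more about the slide than about malicious domains in general. The point is the workflow the Toolkit wraps: labelled rows in, a model out, unlabelled rows scored, and the scores turned into a field you can search on.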
![Page 107: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/107.jpg)
Unsupervised Learning: generalizing from unlabeled data
![Page 108: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/108.jpg)
Unsupervised Machine Learning
• No tuning
• Programmatically finds trends
• UBA is primarily unsupervised
• Rigorously tested for fit
(Diagram: Raw Security Data -> Algorithm -> Automated Clustering)
![Page 109: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/109.jpg)
![Page 110: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/110.jpg)
ML Toolkit & Showcase
• Splunk-supported framework for building ML apps
  – Get it for free: http://tiny.cc/splunkmlapp
• Leverages the Python for Scientific Computing (PSC) add-on:
  – Open-source Python data science ecosystem
  – NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
  – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
  – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, Kernel PCA, etc.
• Implement one of 300+ algorithms by editing Python scripts
![Page 111: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/111.jpg)
Machine Learning Toolkit Demo
![Page 112: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/112.jpg)
![Page 113: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/113.jpg)
Splunk UBA
![Page 114: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/114.jpg)
Threat Hunting with Splunk (slide diagram: the maturity model again, extended with UBA)
Splunk Enterprise – Big Data Analytics Platform; Splunk Enterprise Security – Security Analytics Platform; User Behavior Analytics – Security Data Science Platform
Maturity axis: Data Search, Visualisation, Data & Intelligence Enrichment, Automated Analytics, Data Science & Machine Learning, Hypotheses
Capabilities: Ingest & Onboard Any Threat Hunting Machine Data Source; Search & Visualise Relationships for Faster Hunting; Threat Hunting Data Enrichment; Threat Hunting Automation
![Page 115: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/115.jpg)
Machine Learning Security Use Cases
• Polymorphic Attack Analysis
• Behavioral Peer Group Analysis
• User & Entity Behavior Baseline
• Entropy / Rare Event Detection
• Cyber Attack / External Threat Detection
• Reconnaissance, Botnet and C&C Analysis
• Lateral Movement Analysis
• Statistical Analysis
• Data Exfiltration Models
• IP Reputation Analysis
• Insider Threat Detection
• User / Device Dynamic Fingerprinting
![Page 116: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/116.jpg)
Splunk UBA Use Cases (external threats and insider threats)

ACCOUNT TAKEOVER
• Privileged account compromise
• Data exfiltration

LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation

SUSPICIOUS ACTIVITY
• Misuse of credentials
• Geo-location anomalies

MALWARE ATTACKS
• Hidden malware activity

BOTNET, COMMAND & CONTROL
• Malware beaconing
• Data leakage

USER & ENTITY BEHAVIOR ANALYTICS
• Suspicious behavior by accounts or devices
![Page 117: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/117.jpg)
Splunk User Behavior Analytics (UBA)
• ~100% of breaches involve valid credentials (Mandiant Report)
• Need to understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
  – Behavior Baselining & Modeling
  – Anomaly Detection (30+ models)
  – Advanced Threat Detection
• E.g., Data Exfil Threat:
  – "Saw this strange login & data transfer for user kwestin at 3am in China..."
  – Surface threat to SOC Analysts
![Page 118: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/118.jpg)
(Slide diagram: the Splunk UBA analytics pipeline, with continuous self-learning and a feedback loop)
1. Raw security events
2. Threat models – statistical methods, security semantics and machine learning; patterns and sequences for lateral movement, beaconing and land-speed violation
3. Anomalies – anomalies graph, entity relationship graph
4. Graph mining
5. Threats (anomaly chains) – kill chain sequence, supporting evidence, forensic artifacts, threat/risk scoring
Bottom band: RAW SECURITY EVENTS -> ANOMALIES -> ANOMALY CHAINS (THREATS), driven by MACHINE LEARNING, GRAPH MINING and THREAT MODELS, with HCI and FEEDBACK closing the loop
![Page 119: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/119.jpg)
Splunk UBA Demo
![Page 120: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/120.jpg)
Security Workshops
● Threat Intelligence Workshop
● Insider Threat
● CSC20 Workshop
● SIEM+
● Splunk UBA Data Science Workshop
● Enterprise Security Benchmark Assessment
![Page 121: Workshop threat-hunting](https://reader033.fdocuments.us/reader033/viewer/2022052117/586fb3161a28abe57d8b6b13/html5/thumbnails/121.jpg)
Security Workshop Survey
https://www.surveymonkey.com/r/TW2S56W
[email protected] | @kwestin | linkedin.com/in/kwestin