Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Copyright © 2014 Splunk Inc.
Andrew Gerber, Managing Information Security Consultant, Wipro
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Description

As threats evolve, it is essential to move beyond looking at events toward developing behavioral analysis capabilities. Knowing not only the components but also the rhythms of your environment becomes crucial to enable earlier detection of attackers. This session will review the threat and risk landscape today, recommend approaches to bolster your security control monitoring, apply situational awareness and kill chain techniques, and walk through the construction of two specific use cases. They are 1) detecting compromised accounts via remote access behavior analysis and 2) detecting malicious activity (attacker or insider) by detecting and tracing network jumpers from corporate to guest networks. The session will discuss the design approach and searches used in these two use cases so that you can build other use cases to improve your security capability and posture.

Transcript of Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Page 1: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Copyright © 2014 Splunk Inc.

Andrew Gerber, Managing Information Security Consultant, Wipro

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Page 2: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 3: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

About

Andrew Gerber is a managing information security consultant at Wipro. Over the last ten years he has focused on security information and event management (SIEM), security analytics, and security operations center (SOC) design. Andrew additionally has experience evaluating information security program maturity and building effective managed security service offerings. Andrew has worked with clients in North America, Europe, and Asia, including several Fortune 100 and Fortune Global 100 industry leaders in financial services, healthcare, manufacturing, retail, and law enforcement. Andrew holds a B.S. in computer science and an M.B.A. from Purdue University.

Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company with over 145,000 employees across 6 continents and over 175 cities. Wipro posted revenues of $7.3 billion for the financial year ended March 31, 2014. Wipro helps customers do business better by leveraging our industry-wide experience, deep technology expertise, comprehensive portfolio of services, and vertically aligned business model. Wipro is proud of its strategic partnership with Splunk and the value Wipro delivers using Splunk as a platform across industries and applications, with a focus in enterprise information security managed services.

Page 4: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Agenda

• New approach to Enterprise Security
– Situational Awareness
– Kill Chain

• Techniques using this new approach
– Looking for threat behavior – Profiling VPN access
– Looking for an attacker trying to get out of the environment as well as identifying potential delivery vectors – Profiling Network Jumpers
– A framework for developing additional techniques

• Recommendations and best practices for further development and implementation of this approach

Page 5: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

The Enterprise Security Landscape

Attacks and breaches on the rise, threat actors motivated by previous attacks’ successes

Attackers still have a remarkably easy time getting in
– Organizations are still not implementing basic controls (i.e. geographic restrictions, segmentation, account lockouts)
A LOT CAN BE DONE WITH BASIC CONTROLS
– Organizations are still not monitoring/responding to IOCs (Indicators of Compromise); a recent breach analysis showed multiple alerts on potential malware and malicious activity completely missed
INFORMATION AND ALERTS FROM ALL SOURCES MUST BE ANALYZED

Don’t focus solely on alerts for denied or failure events
– FOCUS ON PROFILING BEHAVIOR OVER TIME & ACROSS PLATFORMS TO DISTINGUISH ANOMALIES

Page 6: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Threats

Threats are increasing, attacker dwell time still well over 200 days on average.

Move from generic malware targeting everyone to deliberate, smart attackers targeting you, with a specific objective.

With attackers identifying high-value objectives, the investment they are willing to make increases.

We can see attackers’ methodology evolving over time to adapt to organizations’ actions and responses.

People are being targeted more, resulting in more valid-credential based attacks and less need for vulnerability exploits of network/security devices.

Threat actors now look more like legitimate users. You can still tell them apart, just not with legacy tools/strategies.

[Figure: Breaches by Asset Category over Time, from Verizon’s 2014 Data Breach Investigations Report]

Page 7: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Threats: Who Attacks and Why?

[Figure: Categories of Attackers; Attacker Motivation. From IBM’s 2013 Cyber Security Intelligence Index]

Page 8: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk


Risks: Clear and Present Danger

Brand / Revenue / Financial Data / Product Data / Customer & Patient Records / Financial Theft / Blackmail / Job Loss / Operations Disruption and Manipulation / Competitive Espionage / …

Page 9: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Situational Awareness

Changing threat environments demand enhanced security monitoring, often called “situational awareness”

Advanced targeted threats have increased the requirement for the proactive detection of potential incidents above standard due diligence levels.

Situational awareness expands on security information and event management (SIEM) processes, and requires a combination of asset and threat information and activity data, in combination with analysis and reporting capabilities.

Advanced analysis capabilities to support “human in the loop” investigation and decision making are critical requirements.
From Gartner’s note “Delivering Situational Awareness” (G00214313)

[Figure: People / Process / Tech]

To deliver situational awareness, we need to add a process/approach/model to the people (us) and the technology (Splunk) deployed to provide enterprise security.

Page 10: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Kill Chain

Model to identify threat behavior across the lifecycle of an attack
– Move from looking at a single alert or single aspect of the attack
– Must look at the entire spectrum of activities (all data) to determine attack/threat

Detection earlier in kill chain = lower impact and mitigation cost
Detection later in kill chain = greater impact, must look back in time to determine infection/impact and how to contain/mitigate

Page 11: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Beyond SIEM – True Security Analytics:

• Brings together information that would be time consuming or impossible to manually analyze (goes beyond centralized logging)
• Enables a deep investigation of what otherwise could only be aggregated and/or ignored
• Allows dynamic correlation – visual representation makes anomalies obvious
• Enables exploration of loose relationships between events, driven by “human-in-the-loop” processes, leading to a “hypothesis → test → findings” approach instead of an “event → evaluate” approach.
• Accelerates analyst decision trees around behavior
• Is cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, assets, and environment

Page 12: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Use cases to implement with Splunk

Use Case 1 - Detect inappropriate or malicious remote access
– VPN profiling of employees, contractors, vendors, and other insiders
– Useful to identify the following kill chain stages: C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)

Use Case 2 - Detect attempted and actual bypass of network controls
– Detect network jumping and off-network activity
– Useful to identify the following kill chain stages: Delivery, C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)

Page 13: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Do this: Profile VPN Activity

Page 14: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

What & Why?

Find abnormal usage patterns in remote access
– VPN access with valid credentials used in major attacks, including a recent healthcare industry breach

Profile remote usage by employees, contractors, vendors, and other insiders

Look for:
– Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
– Identify potentially compromised credentials

Key points to look for:
– Increase in login frequency
– Odd times/locations
– Improbable travel distance between logins or login attempts (the velocity required between consecutive geographical login locations is too high)

Page 15: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach

Overview – Geographic and Network VPN Trends
Overview – User-based VPN Trends
Geographic Analysis with “Traveler” identification
“Traveler” mapping & improbable behavior analysis

Page 16: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach - Workflow

Geographic & Network VPN Trends
• Geolocation and domain charting identify normal vs. abnormal access
• Top Level Domains and other domain names to find anomalies, i.e. connections from .edu TLD or external VPN services

User level VPN Trends
• At-a-glance profiling of VPN login success and failures
• Multiple login failures by count and over time and successful logins provide insight into VPN behavior.
• Identify repeat VPN login failure trends by user
• Easy to spot outlier and clustered events

Page 17: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach - Workflow

Geographic Analysis with “Traveler” identification
• Per-country trends & users with multiple locations in a given time period
• Also identify relative distances for users from a relevant fixed location

“Traveler” mapping & improbable behavior analysis
• Determine unlikely distance/time combinations between VPN logins

Page 18: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Key Events – VPN Authentication Success/Failure

The key searches are looking for VPN authentication success and failure, which we will expand on throughout this use case.

Page 19: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Overview – Geographic & Network VPN Trends

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation IP | geostats count by Username globallimit=0

index=vpn sourcetype=ACMEvpn "Login failed" | eval userinfo=user.":".user_bunit | iplocation src_ip | geostats count by userinfo globallimit=0

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats count by IP | lookup dnslookup clientip as IP | rex field=clienthost ".*(?P<toplevel>\.\w+)$" | stats count by toplevel

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats count by IP | lookup dnslookup clientip as IP | rex field=clienthost ".*\.(?P<midlevel>\w+)\.(?P<toplevel>\w+)$" | eval thedomain=midlevel.".".toplevel | eval lendomain=len(thedomain) | where lendomain>0 | stats count by thedomain | sort -count

Page 20: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Overview – User-based VPN Trends

index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | stats count by fulluser | search count>3

index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | top fulluser

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats sparkline(count), count by Username | sort -count

Page 21: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk


Overview – User-based VPN Trends

index=firewall sourcetype=ACMEvpn "AAA user authentication Rejected" user=* | rex "user\s\=\s(?<fulluser>.*)"| timechart count by fulluser useother=f limit=25

Page 22: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Geographic Analysis with “Traveler” identification

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation IP | eval regionlen=len(Region) | where regionlen>0 | eval regioncity=City.",".Region | stats sparkline(dc(IP)), dc(IP) as howmanyIP, dc(regioncity) as howmanyRegion, values(regioncity) as Locations by Username | sort -howmanyIP | where howmanyRegion>1

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | dedup IP | iplocation allfields=true IP | eval citylen=len(City) | eval short_lon=round(lon,2) | eval short_lat=round(lat,2) | strcat short_lat "," short_lon as latlon | eval HQ="37.235,-115.811" | where citylen>0 | haversine originField=HQ latlon units=mi | eval distance=round(distance,0) | table _time,Username,City,Region,distance | sort -distance

Page 23: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

“Traveler” mapping & improbable behavior analysis

index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation allfields=true IP | eval short_lon=round(lon,2) | eval short_lat=round(lat,2) | strcat short_lat "," short_lon as latlon | transaction Username maxspan=1d mvlist=t mvraw=f delim="|" | eval first_src=mvindex(IP,0) | eval last_src=mvindex(IP,-1) | where (first_src != last_src) | eval first_tz=mvindex(Timezone,0) | eval last_tz=mvindex(Timezone,-1) | where first_tz != last_tz | eval first_latlon=mvindex(latlon,0) | eval last_latlon=mvindex(latlon,-1) | eval firstlatlonlen=len(first_latlon) | eval lastlatlonlen=len(last_latlon) | where firstlatlonlen>1 | where lastlatlonlen>1 | eval bothtz=first_tz.last_tz | eval tzlen=len(bothtz) | where tzlen>20 | haversine originField=first_latlon last_latlon units=mi | eval rate_mps=distance/duration | eval rate_mph=rate_mps * 3600 | eval tdm=duration/60 | eval tdm=round(tdm,2) | eval rate_mph=round(rate_mph,2) | makemv delim="|" src_ip | makemv delim="|" Username | eval username=mvindex(Username,0) | table _time,rate_mph,tdm,username,first_tz,last_tz,first_src,last_src,bothtz | rename tdm as "Time Difference(Minutes)" | rename rate_mph as "Speed(MPH)" | search "Speed(MPH)" >100 | sort - "Speed(MPH)" | iplocation last_src | geostats count by username
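The traveler identification (Page 22) and the improbable-travel analysis (Page 23), as an added Python example that is not part of the original deck: it takes constructed, already-geolocated VPN login records (the deck's searches get City, Region, lat, lon and Timezone from iplocation), lists users seen from more than one city/region, then walks each user's logins in time order and flags any pair whose implied speed exceeds 100 mph, applying the same guards as the search (different client IP, different timezone). It generalizes the deck's search slightly: rather than comparing only the first and last login inside a one-day transaction, it rates every consecutive pair. Usernames, IP addresses and timestamps are invented; city coordinates are approximate.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample of geolocated "Security Negotiation Complete" VPN events.
# Field order mirrors what iplocation adds in the deck's searches; users and
# IPs are invented, city coordinates are approximate.
# (timestamp, username, client IP, City, Region, lat, lon, Timezone)
VPN_LOGINS = [
    ("2014-10-06 08:02:00", "jdoe",   "198.51.100.10", "Indianapolis", "IN",  39.77,  -86.16, "America/Indiana/Indianapolis"),
    ("2014-10-06 12:30:00", "jdoe",   "198.51.100.11", "Indianapolis", "IN",  39.77,  -86.16, "America/Indiana/Indianapolis"),
    ("2014-10-06 09:15:00", "asmith", "203.0.113.5",   "Chicago",      "IL",  41.88,  -87.63, "America/Chicago"),
    ("2014-10-06 10:45:00", "asmith", "203.0.113.77",  "London",       "ENG", 51.51,   -0.13, "Europe/London"),
    ("2014-10-06 07:00:00", "bwong",  "192.0.2.8",     "Seattle",      "WA",  47.61, -122.33, "America/Los_Angeles"),
    ("2014-10-07 09:00:00", "bwong",  "192.0.2.9",     "Boston",       "MA",  42.36,  -71.06, "America/New_York"),
]
TS_FMT = "%Y-%m-%d %H:%M:%S"
EARTH_RADIUS_MI = 3958.8


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (the formula behind the deck's haversine command)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def travelers(logins):
    """Page 22 logic: users whose logins span more than one City,Region.
    Returns {username: {"ips": set, "locations": set}} for those users only."""
    per_user = defaultdict(lambda: {"ips": set(), "locations": set()})
    for _ts, user, ip, city, region, *_rest in logins:
        per_user[user]["ips"].add(ip)
        per_user[user]["locations"].add(f"{city},{region}")
    return {u: d for u, d in per_user.items() if len(d["locations"]) > 1}


def improbable_travel(logins, max_mph=100.0):
    """Page 23 logic over consecutive logins per user. A pair is rated only when
    the client IP and the geolocated timezone both differ (the deck's where
    clauses) and is reported when distance / elapsed time exceeds max_mph."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec[1]].append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: datetime.strptime(r[0], TS_FMT))
        for prev, cur in zip(recs, recs[1:]):
            if prev[2] == cur[2] or prev[7] == cur[7]:
                continue
            elapsed = datetime.strptime(cur[0], TS_FMT) - datetime.strptime(prev[0], TS_FMT)
            hours = elapsed.total_seconds() / 3600
            if hours <= 0:
                continue  # identical timestamps: speed is undefined, nothing to rate
            miles = haversine_mi(prev[5], prev[6], cur[5], cur[6])
            mph = miles / hours
            if mph > max_mph:
                findings.append({
                    "user": user,
                    "first_src": prev[2], "last_src": cur[2],
                    "first_tz": prev[7], "last_tz": cur[7],
                    "minutes": round(hours * 60, 2),
                    "miles": round(miles), "mph": round(mph, 2),
                })
    findings.sort(key=lambda f: f["mph"], reverse=True)  # the deck's sort - "Speed(MPH)"
    return findings


if __name__ == "__main__":
    for user, info in travelers(VPN_LOGINS).items():
        print(f"traveler {user}: {sorted(info['locations'])}")
    for f in improbable_travel(VPN_LOGINS):
        print(f"IMPROBABLE {f['user']}: {f['miles']} mi in {f['minutes']} min = {f['mph']} mph "
              f"({f['first_src']} -> {f['last_src']})")
```

With the sample data, asmith (Chicago to London in 90 minutes) is reported while bwong (Seattle to Boston over 26 hours, roughly 96 mph) stays below the 100 mph cut-off; lowering max_mph to 90 surfaces bwong as well, which is the kind of parameter shift the "find outliers, shift your parameters" guidance later in the deck refers to.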

Page 24: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Extension Notes

Additional panels:
– Simultaneous logins (often rare as a legitimate scenario)
– Increase in data volume over connection (sign of exfiltration, data collection)
– Potential to add algorithms to refine results and accelerate analysis

Additional information about user access patterns:
– “Out-of-Office” information - Integrate with Exchange
– PTO/Absence/etc. - Integrate with HR/Time management systems

Page 25: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Do this: Monitor Network Jumping and Off-Network Activity

Page 26: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

What & Why?

Find assets & users jumping from corporate LAN/WLAN to Guest Network
– Detect attempts to bypass security controls
– Detect malware vector of “benign” off-network browsing: 1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
– If controls exist around Guest network usage, still implement this for attestation

Profile jumping behavior to look for patterns and anomalies
– Identify the User, IP address, MAC address
– Identify activity before and after jumping
– Filter out insider Fraud, Theft, Abuse from possible Indicators of Compromise

Key points to look for include
– Assets and users jumping periodically – normal business users should be on the corporate network
– Network jumps which don’t appear to be premeditated (i.e. looking for programmatic jumps)
– Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration

“40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user’s laptop getting compromised within the last twelve months.”

From Google report, “Off-Network Workers – The Weakest Link to Corporate Web Security”

Page 27: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach

Overview – Long/Short Term Off-Net Jumping Trends
Identify a user of interest and drill-down to investigate
Behavior investigation – longitudinal trending
Behavior investigation – Pre-Jump Activity
Behavior investigation – Guest Network Activity

Page 28: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach - Workflow

Long/Short Term Off-Net Jumping Trends
• At-a-glance profiling of corporate credentials used on guest network – activity for today, 7-days, 14-days
• Visual analysis to determine what looks abnormal

Rapid investigation to identify users of interest
• Selection enables deep investigation via initial drilldown into user activity/details
• Selection determines drill down (selection to lookup user)

Dynamic drilldown begins at this point on this dashboard: when you click on the row, the IP, Hostname, and MAC are passed to the following subpanels; this is based on drilldown parameters being set in this panel’s XML source.

Page 29: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach - Workflow

Behavior Investigation – Longitudinal Trending
• Patterns identify potential repeat offender, or possible C2/exfiltration
• Look at guest network activity to clarify – compare these two trends

Page 30: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Approach - Workflow

Behavior Investigation – Pre-Jump Activity
• Does the jump make sense? – driven by business logic or “benign” behavior
• Does the jump look like an attacker trying to get out? – more “random” patterns
• Does the jump look like an insider threat? – exfiltration, etc.

Looking back in time from the jump: user activity on the corporate network preceding the jump
Looking back in time to the jump: user device to IP address mapping of the jumper
Looking in time after the jump: user activity on the guest network after the jump

Page 31: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Key Event – Guest network DHCP request

Key search to identify this activity
• Look at guest network firewall logs, which log DHCP requests (IP, MAC, hostname)
• Look at DHCP requests using an IP address from one of our corporate networks, and the MAC address.
• Eliminate mobile devices, limit results to our corporate hostname naming convention
• A database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.

Page 32: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Trending – How it’s Done

index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace"
| regex hostname="ACMEnamingConvention"
| timechart span=4h limit=30 count by hostname

index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace" earliest=-14d latest=-1d
| regex hostname="ACMEnamingConvention"
| dedup hostname
| timechart span=1h count
| eval StartTime=relative_time(now(),"-48h@h")
| eval Series=if(_time>=StartTime, "Yesterday's Count", "2 Week Average")
| eval Hour = strftime(_time,"%H") | chart max(count) by Hour Series
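The guest-network DHCP search described on Pages 31 and 32, reworked as an added Python example (not code from the deck): it parses constructed guest firewall DHCP log lines, applies the same three filters (drop hostnames that look like phones, pads or Android devices; keep only DHCP Requests for an address inside the corporate IP space; keep only hostnames that match the corporate naming convention), then buckets the survivors per hostname in four-hour spans like the deck's timechart span=4h and lists hosts that jump repeatedly. The corporate range 10.20.0.0/16, the hostname pattern ACME-(WS|LT)nnnn and every log line are constructed placeholders standing in for the deck's ACMEipSpace and ACMEnamingConvention values.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed placeholders for the deck's ACMEipSpace and ACMEnamingConvention.
CORP_IP_SPACE = ipaddress.ip_network("10.20.0.0/16")
CORP_HOSTNAME_RE = re.compile(r"^ACME-(WS|LT)\d{4}$")
MOBILE_MARKERS = ("phone", "pad", "android")

# Constructed guest-network firewall DHCP events in key=value form, timestamp
# first. A corporate laptop that joins the guest SSID usually DHCPREQUESTs the
# lease it still holds from the corporate LAN, which is the signal the deck
# keys on: a corporate-space IP inside a guest-network DHCP request.
SAMPLE_LOG = """\
2014-10-06T08:05:12 dhcp_msg=Request ip=10.20.30.41 mac=00:11:22:33:44:55 hostname=ACME-WS1234
2014-10-06T08:06:40 dhcp_msg=Request ip=10.20.30.42 mac=00:11:22:33:44:66 hostname=johns-iphone
2014-10-06T09:30:00 dhcp_msg=Request ip=172.31.5.9 mac=aa:bb:cc:dd:ee:01 hostname=ACME-WS9999
2014-10-06T10:15:03 dhcp_msg=Ack ip=10.20.30.41 mac=00:11:22:33:44:55 hostname=ACME-WS1234
2014-10-06T13:20:11 dhcp_msg=Request ip=10.20.31.7 mac=aa:bb:cc:dd:ee:02 hostname=ACME-LT0042
2014-10-06T13:22:00 dhcp_msg=Request ip=10.20.30.41 mac=00:11:22:33:44:55 hostname=ACME-WS1234
2014-10-06T14:00:00 dhcp_msg=Request ip=10.20.30.50 mac=aa:bb:cc:dd:ee:03 hostname=android-3f2a
2014-10-06T15:00:00 dhcp_msg=Request ip=10.20.30.60 mac=aa:bb:cc:dd:ee:04 hostname=visitor-laptop
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if not parts or "=" in parts[0]:
        return None
    event = {"_time": datetime.fromisoformat(parts[0])}
    for tok in parts[1:]:
        key, _, value = tok.partition("=")
        if key:
            event[key] = value
    return event


def is_jump(event):
    """The deck's three filters: not a mobile device, a DHCP Request for a
    corporate-space address, and a hostname in the corporate naming scheme."""
    host = event.get("hostname", "")
    if any(marker in host.lower() for marker in MOBILE_MARKERS):
        return False
    if event.get("dhcp_msg") != "Request":
        return False
    try:
        requested = ipaddress.ip_address(event.get("ip", ""))
    except ValueError:
        return False  # no usable ip field: cannot be a corporate-space request
    if requested not in CORP_IP_SPACE:
        return False
    return CORP_HOSTNAME_RE.match(host) is not None


def jump_events(log_text):
    """All events in the raw log that pass is_jump, in log order."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and is_jump(e)]


def count_by_hostname(events, span_hours=4):
    """timechart span=4h count by hostname: {bucket_start_iso: {hostname: n}}."""
    buckets = defaultdict(Counter)
    for e in events:
        t = e["_time"]
        start = t.replace(hour=(t.hour // span_hours) * span_hours,
                          minute=0, second=0, microsecond=0)
        buckets[start.isoformat()][e["hostname"]] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


def repeat_jumpers(events, min_jumps=2):
    """Hosts seen jumping at least min_jumps times: the periodic-jumper pattern."""
    counts = Counter(e["hostname"] for e in events)
    return {host for host, n in counts.items() if n >= min_jumps}


if __name__ == "__main__":
    hits = jump_events(SAMPLE_LOG)
    for bucket, hosts in count_by_hostname(hits).items():
        print(bucket, hosts)
    print("repeat jumpers:", sorted(repeat_jumpers(hits)))
```

Of the eight constructed lines, three survive the filters (the iPhone and Android hostnames, the non-corporate 172.31.x address, the DHCP Ack and the visitor laptop that fails the naming convention are all dropped), and ACME-WS1234 shows up in two separate four-hour buckets, which is the repeat pattern the longitudinal-trending panel is meant to surface.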

Page 33: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Trending – How it’s Done

index=firewall
sourcetype="ACMEguestFW" ip="ACMEipSpace"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg="Request"
| regex hostname="ACMEnamingConvention"
| timechart span=1h count by hostname

Page 34: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Identify User, present additional data – How it’s Done

1. Drill-down to lookup user:

index=firewall (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) sourcetype="ACMEguestFW" ip="ACMEipSpace" dhcp_msg="Request" | regex hostname="ACMEnamingConvention" | stats count by ip,_time,hostname,mac | sort _time

2. View the XML Source for the Dashboard (“Edit Source”), find the panel, and add:

<drilldown>
  <set token="source_ip">$row.ip$</set>
  <set token="mac">$row.mac$</set>
  <set token="hostname">$row.hostname$</set>
</drilldown>

3. Make this panel only appear when the drilldown is activated:

<panel><single id="jumpername" depends="$source_ip$">

4. Search uses $source_ip$ based on click and searches the internal firewall logs to find the most recent user from that IP address:

index=firewall sourcetype=ACMEfw src=$source_ip$ | rex field=src_user "\w+\\\\(?<browseusername>\w+)" | dedup browseusername | table browseusername

Page 35: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk


Longitudinal Trending – How It’s Done

This panel is driven by the same drill-down we’ve been using, based on $hostname$ from the guest network firewall logs. The search simply returns the jumping pattern over the past week and charts it in 15-minute spans.

index=firewall hostname=$hostname$ dhcp_msg=Request sourcetype=ACMEguestFW | timechart span=15m count

Page 36: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Behavior Investigation – Pre-Jump Activity

Select “Edit Panels” for the Dashboard and then “Add Input”, select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This dropdown input sets the token $category$ to the value selected:

<input type="dropdown" token="category" searchWhenChanged="true">
  <label>Select Category</label>
  <populatingSearch earliest="@d" latest="now" fieldForLabel="category" fieldForValue="category">index=firewall sourcetype=pan* src_ip=$source_ip$ | stats count by category</populatingSearch>
  <choice value="*">ALL</choice>
</input>

Selection determines drill down. Combined Static & Dynamic Dropdown input. Static (default) value of ALL maps to a value of “*”, dynamic options populated by a search:

index=firewall sourcetype=ACMEfw src_ip=$source_ip$ | stats count by category2

Search the Windows DNS logs for requests and responses triggered by the Jumper on the corporate network. Still using the same drilldown from before for source_ip:

index=winevents sourcetype="MSAD:NT6:DNS" src_ip=$source_ip$ | stats count by questionname,questiontype,response,src_ip | rex mode=sed field=questionname s/\(\d+\)/./g | sort -count

This is a basic filtering search | stats to take a count of queries made, type and the response by the source ip | rex mode=sed to change the format of DNS queries, replacing the (<digits>) label-length markers with dots | sort by count

Page 37: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Guest Network Sessions for Jumper

Again going back to the same drill-down, use the MAC address identified and list guest network IPs associated with the MAC we’ve tied to a corporate asset:

index=firewall sourcetype="ACMEguestFW" (ip!="ACMEipSpace" AND ip!="0.0.0.0") mac=$mac$ | stats count by mac,ip | fields - count

Get a list of IP addresses for the identified jumper based on MAC address from the Guest network firewall logs.

Page 38: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Behavior investigation – Guest Network Activity

List hosts accessed by the jumper on the guest network, filtered by pass/block/all as per the station radio input above and using the source selected in the original drilldown on the dashboard:

index=network sourcetype=ACMEguestWLC srcip=$source$ action=$action$ | stats count by srcip,hostname,action,msg,dstip | sort -count

Static form input defined to filter the panel’s search on the action field (block, pass, all).

View the XML Source for the Dashboard (“Add Input”), select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This radio input sets the token $action$ to the value selected:

<input type="radio" token="action" searchWhenChanged="true">
  <choice value="pass">pass</choice>
  <choice value="block">block</choice>
  <choice value="*">all</choice>
  <default>*</default>
</input>

Page 39: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Design & Extension Notes

Areas to continue the investigation
– Select user of interest to drive additional panels – including additional historical trending
– Additional review of DNS requests
– Data volume on guest network
– Threat list mapping for known C2 servers, sites hosting malware/malvertising

Practical integrations
– Captive page, walled garden for jumpers with training and/or restriction on Guest Network

Potential to add algorithms to refine results and accelerate analysis
– High level charts – 14 day, 7 day, today
– Integrate additional data sources to further identify behavior

Page 40: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Next Steps: Continuing with other Situational Awareness & Kill Chain Use Cases

Page 41: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Developing Additional Use Cases

• Have a disciplined approach
• Start with a behavior, choose a point on the kill chain
• Identify what log sources you have
• Think about and try different visualizations
• Use statistics and simple algorithms to clarify the data
• Find related log sources
• Think longitudinally
• Find outliers, shift your parameters, and let more outliers emerge

Page 42: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Additional Examples

Identifying Pass-the-Hash (PtH) Attacks and other Credential Theft Techniques
– Look for lateral movement, then get specific in your search for specific techniques. Methods include RDP and other remote access tools, the use of PsExec, as well as Windows Management Instrumentation (WMI).
– The NSA report “Spotting the Adversary with Windows Event Log Monitoring” provides many good ideas to build on. For PtH: “The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.”
“A failed logon attempt when trying to move laterally using PtH would trigger an event ID 4625. This would have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.”

Validating and Monitoring Mitigation Actions (Closed-Loop Management)
– When mitigating risks and threats in your environment, you need to validate that your measures take effect while monitoring and minimizing disruption to mission-critical business operations.
– Look for metrics that are leading indicators to help validate progress
– Look for trailing indicators that show potential disruption
– One example would be forced password expiry impairing users who only use applications with integrated authentication that do not support password resets
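The two NSA event-log indicators for Pass-the-Hash quoted above, as an added Python example (my code, not the deck's or the NSA report's): it runs both rules over constructed Windows Security events, keeps LogonType 3 NTLM logons that are neither domain logons nor the ANONYMOUS LOGON account, tags each hit as a 4624 success or 4625 failure, and then groups the hits by originating workstation so that one source touching several hosts stands out. The field names (EventCode, Logon_Type, Authentication_Package, Account_Name, Account_Domain, Workstation_Name, ComputerName) are assumed, loosely following what a Splunk Windows add-on extracts; the AD domain CORP, the hostnames and the events themselves are constructed. Reading “not a domain logon” as “the account's domain is not one of our AD domains”, i.e. a local account, is my interpretation of the quoted rule.

```python
from collections import defaultdict

# Assumed: AD domains whose accounts count as "domain logons" (constructed value).
AD_DOMAINS = {"CORP"}
ANONYMOUS = "ANONYMOUS LOGON"

# Constructed Windows Security events. Field names are assumptions roughly
# following a Splunk Windows add-on; every value is invented.
EVENTS = [
    # normal domain logon over Kerberos: not NTLM
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "Kerberos",
     "Account_Name": "jdoe", "Account_Domain": "CORP", "Workstation_Name": "WS5678", "ComputerName": "FS01"},
    # domain account over NTLM: a domain logon, so outside the rule
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "jdoe", "Account_Domain": "CORP", "Workstation_Name": "WS5678", "ComputerName": "FS01"},
    # anonymous null session: excluded explicitly by the rule
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": ANONYMOUS, "Account_Domain": "NT AUTHORITY", "Workstation_Name": "WS5678", "ComputerName": "WS1234"},
    # local administrator over NTLM from another workstation: matches the success rule
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "WS1234", "Workstation_Name": "WS5678", "ComputerName": "WS1234"},
    # failed attempt with the same shape: matches the failure rule
    {"EventCode": 4625, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "backupadmin", "Account_Domain": "WS1234", "Workstation_Name": "WS5678", "ComputerName": "WS1234"},
    # the same source reaching a second host
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "WS4321", "Workstation_Name": "WS5678", "ComputerName": "WS4321"},
    # RDP (LogonType 10): not the network-logon shape the quote describes
    {"EventCode": 4624, "Logon_Type": 10, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "WS1234", "Workstation_Name": "WS5678", "ComputerName": "WS1234"},
]


def matches_pth_shape(ev):
    """LogonType 3 + NTLM, not a domain logon, not ANONYMOUS LOGON (the quoted NSA rule)."""
    if ev.get("Logon_Type") != 3:
        return False
    if ev.get("Authentication_Package", "").upper() != "NTLM":
        return False
    if ev.get("Account_Name", "").upper() == ANONYMOUS:
        return False
    if ev.get("Account_Domain", "").upper() in AD_DOMAINS:
        return False  # domain account: our reading of "domain logon"
    return True


def pth_indicators(events):
    """Matching events, tagged 'success' (4624) or 'failure' (4625), in input order."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in (4624, 4625) or not matches_pth_shape(ev):
            continue
        hits.append({
            "outcome": "success" if ev["EventCode"] == 4624 else "failure",
            "account": f'{ev["Account_Domain"]}\\{ev["Account_Name"]}',
            "source": ev.get("Workstation_Name", ""),
            "target": ev.get("ComputerName", ""),
        })
    return hits


def by_source(indicators):
    """Roll hits up per originating workstation: one source reaching several
    targets with local-account NTLM logons is the lateral-movement picture."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "targets": set()})
    for hit in indicators:
        summary[hit["source"]][hit["outcome"]] += 1
        summary[hit["source"]]["targets"].add(hit["target"])
    return dict(summary)


if __name__ == "__main__":
    hits = pth_indicators(EVENTS)
    for h in hits:
        print(f'{h["outcome"]:7} {h["account"]:22} {h["source"]} -> {h["target"]}')
    for src, s in by_source(hits).items():
        print(f"{src}: {s['success']} successes, {s['failure']} failures, targets {sorted(s['targets'])}")
```

Three of the seven constructed events match (two successes and one failure), all from WS5678 against two different targets; the Kerberos logon, the domain-account NTLM logon, the anonymous session and the RDP logon are all correctly left out, which is the discrimination the quoted rule is designed to give.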

Page 43: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk


Kill Chain Based Attack Lifecycle Concept

Page 44: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Security Controls

• The average enterprise today has decent but incomplete coverage via a collection of security controls
• In addition to gaps in security controls there is usually an even larger gap in which security controls are centrally logged and monitored
• Multi-control correlation is rarely done, and even more rarely done right
• Security controls in silos are not enough
• Approach to analysis needs to be cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, network, and environment
• Need to evolve:
– From compliance reporting to threat detection
– From finding/neutralizing malware to dissecting/disrupting attack
– From static views of data to longitudinal data analytics

Page 45: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Security Control Frameworks

Security Control Monitoring Priorities:
• Perimeter-in
• Critical assets/crown jewels
• Kill chain/behavior-based
• Quick wins

SANS Critical Security Controls V5 – SANS Top 20
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

(ISC)2 Common Body of Knowledge (10 Domains)
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security

ISO 27001:2013 (114 Controls in 14 Groups)
1. Information security policies (2 controls)
2. Organization of information security (7 controls)
3. Human resource security (6 controls that are applied before, during, or after employment)
4. Asset management (10 controls)
5. Access control (14 controls)
6. Cryptography (2 controls)
7. Physical and environmental security (15 controls)
8. Operations security (14 controls)
9. Communications security (7 controls)
10. System acquisition, development and maintenance (13 controls)
11. Supplier relationships (5 controls)
12. Information security incident management (7 controls)
13. Information security aspects of business continuity management (4 controls)
14. Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

NIST Special Publication 800-53 Rev. 4 (224 controls in 18 families)
1. Access Control
2. Awareness & Training
3. Audit & Accountability
4. Certification, Accreditation & Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification And Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical & Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System & Services Acquisition
16. System & Communication Protection
17. System & Information Integrity
18. Program Management

Page 46: Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

THANK YOU

Andrew Gerber
[email protected]