Threat Intelligence: STIX and Stones Will Break Your Foes · Brad Lindow | Global Security Strategist


Copyright © 2014 Splunk Inc.

Fred Wilmot, Director, Global Security Practice

Brad Lindow, a.k.a. Superman, Global Security Strategist, Splunk

Threat Intelligence: STIX and Stones Will Break Your Foes

Disclaimer

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Fred Wilmot | Director, Global Security Practice (fred|Securityczar)@splunk.com

• Strategy
  § Drives Security Practice strategy globally
  § Works on Splunk's hardest security use cases
  § Visualization and analytics using Splunk
  § Solves strategic product/implementation challenges

• Research
  • Digital forensics / assessment tools
  • Social risk / user behavior modeling
  • ML / advanced statistical analysis
  • Threat intelligence

• Product
  § Influences product strategy for security content and features in the field and through the factory

"Electric Mayhem" @fewdisc

Brad Lindow | Global Security Strategist [email protected]

Former attorney, current attending SecPrax Legal… Dr. Strangepork. Worked with some of the largest computing environments in the world: Orbitz, Department of Commerce, a consulting organization, and Sears. Global Security Strategist for Splunk.

Drives customer success and security innovation around Splunk's products, customers, partners and the worldwide security community.

Research: Threat Intelligence, Enterprise Security, Hadoop, Security Use Cases

Minister of Justice, a.k.a. "Superman"

Agenda

• Threat intelligence today
• Challenges with today's threat intelligence
• What should next generation threat intelligence look like?
• How can you utilize these threat intelligence sources despite their complexity?
• SPLICE - Splunk's solution for IOC threat intelligence
• SPLICE demo

Today's Threat Landscape

• You've all heard this many times before (and you probably live it) but:
  – Bad guys are getting more sophisticated and organized
  – It's getting increasingly difficult to defend
  – Tools, tactics and procedures change during the course of campaign attacks

• We need to move quicker and share information
  – Bad guys are watching us and we need to be "watching" them
  – Threat intelligence is old in a week
  – Triaging multiple sources of threat intel makes them hard to action on YOUR data
  – This is where threat intelligence comes in

Current Threat Intelligence

• Some intelligence sharing is happening but:
  – Limited in detail and simplistic (lists, spreadsheets)
  – Human readable only
  – Derived from various sources (.xls, .PDF, RSS, XML objects, e-mail)
  – Intel not leveraged fast enough in the SOC
  – Not leveraged historically AND in real time
  – Requires ongoing curation (watchlists aren't good forever)
  – No context linking one indicator to any other
  – Shortage of talented analysts reduces kill chain visibility

Watchlists of 10,000 IP addresses or hashes are not enough; we need context…

External Threat Intelligence Sources

Open-source and commercial offerings:

• OSINT
• Dell SecureWorks
• Verisign iDefense
• Symantec DeepSight
• McAfee Threat Intelligence
• SANS
• CVEs, CWEs, OSVDB (vulnerabilities)
• iSIGHT Partners
• ThreatStream
• OpenDNS
• Palo Alto WildFire
• CrowdStrike
• AlienVault OTX
• Recorded Future
• Team Cymru
• ISACs / US-CERT
• FireEye/Mandiant
• Vorstack
• cyberUnited
• Norse IPViking/Darklist

Internal Threat Intelligence Sources

• Directory user information (personal e-mail, access, user privilege, start/end date)
• Proxy information (content)
• DLP and business unit risk (trade secrets / IP-sensitive documents)
• IT case history / ticket tracking
• Malware detection / AV alerts
• Sensitive business roles
• Application usage and consumption events (in-house)
• Database usage / access monitoring (privileged)
• Entitlements / access outliers (in-house)
• User behavior association based on geography, frequency, uniqueness, and privilege

Providing context for security

Challenges Interacting with Threat Intel

(diagram: threat intelligence sources ranked from "Most complete" to "Least complete")

Next Generation Threat Intelligence

• In today's threat landscape, threat intelligence using structured indicators of compromise (IOC) should enable:
  – Automatic consumption and parsing (at least largely)
  – Shareable IOCs, internally and externally
  – Normalization of key indicators
  – Contextual enrichment for data in Splunk
  – Creation of STIX objects from internal threat intelligence and incidents
  – Efficient use of internal threat intelligence as context sources
  – Multiple chains of indicators increasing the urgency for investigation
  – Indicators with deeper meaning than a list of IP addresses

Threat Intelligence "Standards"

• STIX - Structured Threat Information eXpression
  – A standardized language utilizing XML to represent structured cyber threat information. Conveys the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.

• TAXII - Trusted Automated eXchange of Indicator Information
  – Transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.

• OpenIOC – Open-sourced schema from Mandiant
  – An extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise.

Interacting with IOCs in Splunk

(diagram of threat intelligence standards; labels recovered from the slide: MILE, VERIS)

Interacting with threat IOCs in Splunk (current)

Start with the most widely adopted…

(diagram callouts: "Predominant in confidential information-sharing associations…" and "Predominant in vendor and researcher world – lots of useful data available on the public internet…")

Example of STIX object

...
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f">
    <cybox:Object>
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2">
...

Raw IOC

Splunking IOCs with SPLICE

What is SPLICE?

• SPLICE is a free Splunk app that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues

• SPLICE installs like any other Splunk app and just requires an instance of MongoDB on the search head SPLICE is installed on

• Get SPLICE RIGHT NOW by following @SplunkSec at https://twitter.com/SplunkSec

How can SPLICE help you?

• Facilitates automated IOC consumption
• Provides you richer threat intelligence data
• Provides the intel in Splunk to correlate with all of your other data
• Provides searching, reporting and visualization capabilities
• Enables less experienced personnel to utilize the data
• Reduces the complexity of IOCs to atomic, consumable indicators

How does it reduce the complexity?

• Splunk has chosen to initially reduce the IOC surface area to 'atomic' indicators for usability and to allow for more flexibility in IOC analytics

• Splunk has also partnered with FS-ISAC (who have chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration

SPLICE – Supported Indicators

• Supports STIX 1.1 (a standard with more than 80 object types); the atomic indicators extracted are:
  – FileObjectType (hash values, file names)
    Examples: "64ef07ce3e4b420c334227eecb3b3f4c" or "virus.exe"
  – DomainNameObjectType (domains, URLs)
    Examples: "malicious1.example.com" or "http://malicious1.example.com/clickme.html"
  – URIObjectType (domains, URLs)
    Examples: "http://malicious1.example.com/clickme.html" or "ftp://badfiles.example.com/data.txt"
  – AddressObjectType (IP addresses)
    Example: "1.2.3.4"

• (STIX 1.0 not supported)

• Supports CybOX 2.1 – same indicators as STIX

• Supports OpenIOC 1.0, 1.1

SPLICE Architecture

1. SPLICE consumes IOCs (STIX, CybOX, OpenIOC) through either a monitored directory path or via TAXII (including Avalanche)

2. IOCs are parsed and the atomic indicators (along with the raw IOC) are stored in MongoDB

3. The security analyst uses the SPLICE Splunk app to search, report, visualize and alert on the IOCs

* Currently tested on Linux only

Using SPLICE – Searching Your Data

iocsearch:

sourcetype=access_combined_wcookie | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0 | `parse_ioc_indicators_json`
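The raw STIX object shown earlier and the iocsearch search above, worked through as one added example in Python (this is not SPLICE's code). It flattens a STIX 1.1 / CybOX 2.1 package into the atomic indicator rows SPLICE lists (file name, hash, IP address, domain, URL) and then runs access_combined_wcookie events through the equivalent of `iocsearch map="clientip:ipv4-addr"`, with a second mapping of the referer field to URL indicators. The namespace URIs are the standard STIX 1.x / CybOX 2.x ones; the sample package, the log lines and the function names (`atomic_indicators`, `iocsearch`) are constructed for this example, and nothing is persisted to MongoDB.

```python
"""STIX 1.1 / CybOX 2.1 package -> atomic indicators -> matched against
access_combined_wcookie events, in the spirit of SPLICE's iocsearch.
Added example, not SPLICE code; package and log lines are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {  # standard CybOX 2.x namespace URIs
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

SAMPLE_STIX = """<stix:STIX_Package id="example:package-1" version="1.1"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
 xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
 <stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:observable-1"><cybox:Object id="example:Object-1">
   <cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:File_Name>virus.exe</FileObj:File_Name>
    <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:observable-2"><cybox:Object id="example:Object-2">
   <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:observable-3"><cybox:Object id="example:Object-3">
   <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
    <DomainNameObj:Value>Malicious1.Example.com</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:observable-4"><cybox:Object id="example:Object-4">
   <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
    <URIObj:Value>http://malicious1.example.com/clickme.html</URIObj:Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
 </stix:Observables>
</stix:STIX_Package>"""

def atomic_indicators(stix_xml):
    """Flatten every cybox:Object into (object_id, value_type, value) rows;
    object types SPLICE does not list are skipped rather than guessed at."""
    rows = []
    for obj in ET.fromstring(stix_xml).iter("{%s}Object" % NS["cybox"]):
        props = obj.find("cybox:Properties", NS)
        if props is None:
            continue
        oid, kind = obj.get("id", ""), props.get(XSI_TYPE, "").split(":")[-1]
        text = lambda path, el=props: (el.findtext(path, default="", namespaces=NS) or "").strip()
        if kind == "FileObjectType":
            if text("FileObj:File_Name"):
                rows.append((oid, "file-name", text("FileObj:File_Name")))
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                algo = text("cyboxCommon:Type", h).lower() or "unknown"
                if text("cyboxCommon:Simple_Hash_Value", h):
                    rows.append((oid, "hash-" + algo, text("cyboxCommon:Simple_Hash_Value", h).lower()))
        elif kind == "AddressObjectType" and text("AddressObj:Address_Value"):
            rows.append((oid, props.get("category", "ipv4-addr"), text("AddressObj:Address_Value")))
        elif kind == "DomainNameObjectType" and text("DomainNameObj:Value"):
            rows.append((oid, "domain", text("DomainNameObj:Value").lower()))  # DNS names are case-insensitive
        elif kind == "URIObjectType" and text("URIObj:Value"):
            rows.append((oid, "url", text("URIObj:Value")))
    return rows

# access_combined_wcookie: clientip ident user [time] "request" status bytes "referer" "useragent" "cookie"
CLF_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"')

LOG_LINES = [  # constructed: IP hit, referer-URL hit, no hit
    '1.2.3.4 - - [09/Oct/2014:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" "JSESSIONID=SD1"',
    '10.0.0.5 - - [09/Oct/2014:13:55:37 -0700] "GET /cart.do HTTP/1.1" 200 1024 "http://malicious1.example.com/clickme.html" "Mozilla/5.0" "JSESSIONID=SD2"',
    '10.0.0.6 - - [09/Oct/2014:13:55:38 -0700] "GET /about.html HTTP/1.1" 200 512 "-" "curl/7.30" "JSESSIONID=SD3"',
]

def iocsearch(log_lines, indicators, field_map):
    """field_map {log_field: value_type} plays the role of map="clientip:ipv4-addr";
    every parsed event gets ioc_indicators_count plus the matching object ids."""
    index = {}
    for oid, vtype, value in indicators:
        index.setdefault((vtype, value), []).append(oid)
    events = []
    for m in filter(None, map(CLF_RE.match, log_lines)):  # unparseable lines are dropped, not half-matched
        hits = []
        for field, vtype in field_map.items():
            value = m.group(field)
            key = value.lower() if vtype == "domain" or vtype.startswith("hash") else value
            hits += [{"field": field, "value_type": vtype, "value": value, "object_id": oid}
                     for oid in index.get((vtype, key), [])]
        events.append({"clientip": m.group("clientip"), "ioc_indicators_count": len(hits),
                       "ioc_indicators": hits})
    return events

if __name__ == "__main__":
    iocs = atomic_indicators(SAMPLE_STIX)
    for ev in iocsearch(LOG_LINES, iocs, {"clientip": "ipv4-addr", "referer": "url"}):
        if ev["ioc_indicators_count"] > 0:  # the "| search ioc_indicators_count>0" step
            print(ev)
```

The object id travels with every hit so an analyst can go back to the raw IOC (the iocdisplay step) instead of just seeing "1.2.3.4 matched". Domains and hashes are lower-cased on both sides before comparison; IP addresses and URLs are compared verbatim, so an indicator written with a different URL scheme or trailing slash will not match.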

Using SPLICE – Searching IOCs

iocfilter:

| iocfilter regex="1.2.3.4"

(The argument is a regular expression, so unescaped dots match any character; use regex="1\.2\.3\.4" when you want only that exact address.)

Using SPLICE – Retrieve the full raw IOC data

iocdisplay:

| iocdisplay object_id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928"

Using SPLICE – Statistics about ingested IOCs

iocstats:

| iocstats stat=list

Using SPLICE – Export atomic indicators as a CSV

iocexportcsv:

| iocexportcsv value_type="ipv4-addr" alias="ip" directory="/tmp" filename="myIpList.csv"

Demo Time!

SPLICE Challenges

• SPLICE has been largely tested against public datasets and needs more sample data
• Some IOCs cannot be converted due to parser errors
• STIX libraries, frameworks and other standards are still works in progress in the community

SPLICE – Future

• Next steps:
  – Support for additional indicators
  – Improved dashboards and default searches
  – Export Splunk content as a STIX object
  – Utilize TAXII to serve IOC data FROM Splunk
  – Better Enterprise Security integration
  – Improved features around how closely data matches IOCs

How you can get involved

We are looking for feedback to further enhance SPLICE:

• Download SPLICE and play with it! Tell us what you want and how you want SPLICE or IOCs to interoperate with your data.
• Get a demo of how SPLICE works from the Security Practice
• GIVE US FEEDBACK! [email protected] is a perfect way!
• Support the STIX community: https://github.com/STIXProject

Summary

• The threat landscape is rapidly changing; threat data from yesterday may not be valuable today
• Threat intelligence provides context, but formats and diversity limit adoption to the lowest common denominator
• Traditional things like IP lists are ineffective without context
• IOCs through STIX give us context
• SPLICE gives you a way to utilize IOCs across your Splunk data today
• Get SPLICE RIGHT NOW by following @SplunkSec at https://twitter.com/SplunkSec

THANK YOU. Questions?