We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the security framework from MITRE “ATT&CK” and it’s valued use when integrating it with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’. - Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response) -- Tom Wise (Phantom Security Solutions Engineer & Trainer) - Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK -- Cian Heasley / Fraser Dumayne (Security Engineers) - Meet the Experts with SplunkTrust -- Harry McLaren (Senior Splunk Consultant) -- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)

1. © 2 0 2 0 S P L U N K I N C .
Virtual Splunk User
Group
Starting at 16:00PM BST
April 2020
This will be recorded!

2. © 2 0 2 0 S P L U N K I N C .
Largest Splunk Delivery Partner for UK
•Security Consultancy & Managed SOC Provider
•Splunk Revolution Award & Splunk Partner of the Year

3. © 2 0 2 0 S P L U N K I N C .
Agenda
Phantom
Workbook
Automation
Tom
Wise
Threat
Hunting with
ATT&CK
Cian
Heasley
& Fraser
Dumayne Meet the
Experts
Tom
Wise &
Harry
McLaren

4. © 2 0 2 0 S P L U N K I N C .
House Rules
Led by
Technology
Inclusive
Environment
Technical
Discussions
The overall goal is to create an authentic, ongoing
user group experience for our users, where
they contribute and get involved

5. © 2 0 2 0 S P L U N K I N C .
New User Group Site!

6. © 2 0 2 0 S P L U N K I N C .
New Leader – Andrew McManus

7. © 2 0 2 0 S P L U N K I N C .
Splunk Phantom
Workbook Automation
Tom Wise
Phantom Security Solutions Engineer & Trainer @ Adarma

8. © 2 0 2 0 S P L U N K I N C .
$ whoami
Solutions Architect @ Adarma
Phantom SSE & Trainer
Splunk Consultant & Trainer
Previously worked on the Galileo Project for ESA & for the MoD before jumping into
Security with Big Data using Splunk and now Security Automation with Phantom.
A brief history of Tom….

9. © 2 0 2 0 S P L U N K I N C .
Playbooks vs Workbooks
Playbooks
“Playbooks are the codification of an
analyst’s actions”
They can be fully automated or request
human interaction at specific points to
control the automation decision making.
Similar but not the same….
Workbooks
Workbooks containing Phases and Tasks
provide a framework to security event
investigations. ( I.E. NIST 800-61 )
Workbooks can contain automation
capabilities and can also be updated/edited
by automation
Workbooks are a good starting point if not all
automation elements are understood or
available.

10. © 2 0 2 0 S P L U N K I N C .
Suspicious
Email
REVIEW BODY AND
HEADER INFO
QUERY
RECIPIENTS
HUNT FILE
HUNT URL
FILE / URL
REPUTATION
FILE ASSESSMENT
REMOVE EMAIL
REVIEW EMAIL
Today
Analyst Heavy

11. © 2 0 2 0 S P L U N K I N C .
Tomorrow
Analyst Centric
Email FILE / URL
REPUTATION
DETONATE
UNKNOWN URL / FILE
HUNT FILE
HUNT URL
TASK ANALYST
PHISH / HOST
ASSESSMENTREMOVE EMAIL
INGEST EMAIL
PARSE FILES, URLS,
EMAIL HEADERS

12. © 2 0 2 0 S P L U N K I N C .
Workbook Automation Flow
Be like water….
Master Playbook
IP Enrichment
URL Enrichment
File Enrichment
Domain Enrichment
Take Ownership Process IoC(s) Document Findings

13. © 2 0 2 0 S P L U N K I N C .
Workbook Automation Demo
See it all come to fruition…

14. © 2 0 2 0 S P L U N K I N C .
Threat Hunting, Or:
How I Learned to Stop
Worrying & Love
ATT&CK
Cian Heasley / Fraser Dumayne
Security Engineers @ Adarma

15. Fraser Dumayne
Security Engineer
Adarma
Who are we?
Cian Heasley
Security Engineer
Adarma
15

16. • Why the MITRE ATT&CK Framework has made our
lives easier and can do the same for you.
• Understand the relationship between ATT&CK data
sources, technique, tactics and Splunk.
• Quick case study, how ATT&CK can help us analyze
recent world events.
• Give a demo of how ATT&CK can help inform the
creation of detections and the process of threat hunting.
Objectives
16

17. • MITRE ATT&CK is a framework made up of attack techniques which have been
discovered in the real world.
• Each technique is mapped to 1 or more of 12 tactics.
• Each technique contains information including data sources, mitigations, detection
methods, etc.
• Ideal for mapping your defenses against real world attacks for increased resilience.
What is MITRE ATT&CK?
17

18. • Techniques are organized by adversary tactic, these tactics align with the last five
kill-chain phases.
What is MITRE ATT&CK?
18
Comparing ATT&CK
& the
Cyber Kill-Chain

19. • When we talk about tactics, techniques and procedures (TPS) we are talking about
the top of the “Pyramid of Pain”, a visualisation of attack indicators and the pain
caused to adversaries by their detection.
What is MITRE ATT&CK?
19

20. • ATT&CK Enterprise techniques are broken down by tactic and by Windows, Linux
or MacOS platforms.
• Each technique has associated data sources, platforms, and a wealth of other
information.
What is MITRE ATT&CK?
20
Spearphishing
Attachment

21. • Procedures are the specific implementation the adversary uses for techniques or
sub-techniques “in the wild”.
What is MITRE ATT&CK?
21

22. • MITRE ATT&CK is constantly being updated & refined.
• Large, active open source research and dev community.
• Common language to describe complex technical attacks.
• Gives granularity when examining adversary behavior.
• Can benefit Red and Blue teams.
Why MITRE ATT&CK?
22

23. Need we say more:
Why MITRE ATT&CK?
23
Cisco Onion ->
<- ?? Artichoke ??

24. • Each technique in MITRE ATT&CK is well
documented (data sources, APTs, detection,
etc)
• You should also research online outside of
ATT&CK as much as possible
• ATT&CK Navigator is an ideal tool for
recording & visualizing your analysis
Research, research, research!
24

25. • MITRE ATT&CK contains detailed information on 94 groups & APTs which is
perfect for identifying potential attackers. Examples include:
– Darkhotel
– APT39
– Deep Panda
– Lazarus Group
• Each group has a list of associated techniques which have been seen in the wild
as well as details of procedural usage of these techniques.
• These threat group descriptions can be an ideal starting place for your threat
detection.
Advanced Persistent Threats
25

26. Who are Darkhotel?
26
“WHO Targeted in Espionage Attempt, COVID-19
Cyberattacks Spike” - Threatpost, March 14th, 2020
• “The attack appeared to be aimed at achieving a
foothold at the agency rather than being an end
unto itself...”
• “... unnamed sources told Reuters that the
DarkHotel group, an APT associated with carrying
out cyberespionage efforts in China, North Korea,
Japan and the United States, could be the culprit
behind the attack”

27. The Magic Formula!
27
+

28. • ATT&CK assigns group ID numbers to prominent APTs tracked by the security
community
• These group IDs are linked to group aliases, software used, technique use by
software and a host of other information.
• DarkHotel is “G0012”:
What Can ATT&CK Tell Us About DarkHotel?
28

29. What Can ATT&CK Tell Us About DarkHotel?
29

30. What Can ATT&CK Tell Us About DarkHotel?
30= DarkHotel Techniques

31. Pinpointing Techniques used by DarkHotel
31
• Based on the ATT&CK Navigator we can see that Spearphishing Attachment is a
hot technique not just for DarkHotel but for all APTs.
• We can use MITRE ATT&CK to discover more details about this technique and plan
our defenses accordingly:

32. • MITRE contains a list of 58+ standardised data sources which are used to detect the
techniques documented by ATT&CK.
• Without access to the right data sources you have no chance of detecting attacks!
• For detecting ‘Spearphishing Attachment’ we should have some of the sources shown
here:
Data Sources are Crucial
32

33. All Data Sources Are Not Created Equally
33
Diagram by Roberto
Rodriguez

34. • Splunk correlates real-time data across various log sources. This makes it an ideal
platform for correlating with ATT&CK’s data source definitions.
• Using detections covered in MITRE under each technique, we can generate
Splunk searches & alerts to uncover these attacks and protect against them.
• Even without live data you can practice on static sample datasets such as BoTS
and Mordor.
Why Use ATT&CK with Splunk?
34

35. • Learn more about the Spearphishing Attachment technique used by Darkhotel.
• Analyse the BoTSv2 dataset for examples of Spearphishing Attachment.
• Using information discovered using MITRE ATT&CK and other online resources to
successfully identify the attack and any further damage caused
Demonstration Overview
35

36. Splunk Time!
*no splunk instances were harmed during the making of this demo
36

37. ATT&CK Navigator – Generate heatmaps/visualizations of techniques found in
MITRE ATT&CK
DeTT&CT – Useful for generating JSON files which can be imported into ATT&CK
Navigator as heatmaps.
Mordor – Pre-recorded security events generated using adversarial techniques in
JSON format.
Red Canary – Small and portable detection tests for MITRE ATT&CK
Caldera – An automated adversary emulation system, built on the MITRE ATT&CK
framework
Elemental - Centralized threat library of MITRE ATT&CK techniques, Atomic Red
Team tests, and over 280 Sigma rules.
Useful Resources
37

38. • MITRE ATT&CK is an excellent framework for discovering and mitigating attacks
with its wealth of information.
• Splunk is the ideal tool for you to set up your defences or even just practice your
detections as we have shown.
• Advanced Persistent Threats can offer a great starting place for you to begin your
analysis. Staying up to date on recent events in cybersecurity is a huge boost to
your threat hunting.
• You NEED to have the correct data sources before you can begin to identify
anything!
Conclusion
38

39. BOOM! Question Time!
39

40. 40
Thank you for listening!
• If you want to learn a bit more about MITRE ATT&CK you can check out our blog
posts on the Adarma Tech Blog:
ohttps://medium.com/adarma-tech-blog/
• You can also find us on social media:
oTwitter - @frazsec1 (Fraser Dumayne)
oLinkedIn - Fraser Dumayne / Cian Heasley
• Or message us on Teams if you work with us!

41. © 2020 SPLUNK INC.
Splunk Remote
Work Insights
Support for Your Remote
Workforce
• For customers responding to
COVID-19 by moving employees to remote
work, Splunk has introduced Remote Work
Insights
• Empowers IT and Security teams
to manage applications and monitor critical
business performance from remote
locations
• Executive dashboard provides
views into business operations
and employee productivity

42. © 2 0 2 0 S P L U N K I N C .
Real-Time Visibility
Across disparate remote
systems including VPN,
Microsoft 365, and cloud-based
collaboration platforms
Available March 31
COVID-19 Response Page
on Splunk.com
Frequent Updates
Support for additional
remote work systems
coming soon
Splunk Remote
Work Insights
© 2020 SPLUNK INC.

43. © 2 0 2 0 S P L U N K I N C .
COVID-19 Response
on Splunk.com
• New RWI Autobahn lane
• Curated collection of apps
• TAs
• Blogs
• Sample Searches
• Best Practices
For Cloud
Customers
• Curated collection of apps
• TAs
• Blogs
• Sample Searches
• Best Practices
For
On-Premises
Customers

44. © 2 0 2 0 S P L U N K I N C .
Get Involved!
● Splunk 4 Rookies Security (End of May)
– Keep an eye on LinkedIn/Twitter for details or register your interest by emailing events@adarma.com.
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/edinburgh-splunk-user-group/
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via https://splk.it/slack
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@adarma.com | @cyberharibu

45. Thank You
© 2 0 2 0 S P L U N K I N C .

46. © 2 0 2 0 S P L U N K I N C .
Meet the Experts
Tom Wise & Harry McLaren
Members of SplunkTrust