Using Splunk for Information Security

2. 2 Agenda Security: Starts with Splunk Enterprise Enterprise Security 4.1/UBA 2.2 RSA 2016 Review

3. Security: Starts with Splunk Enterprise

4. 4 Story 1 - Web The VP of Pouet Inc calls you to complain about issues on the website and asks you to investigate what’s going on. Data used in examples is actual Defcon data! 4

5. 5 Web vulnerability data has a wealth of clues index=web_vuln 5

6. 6 Cross Site Scripting (XSS) attacks Cross Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Example: http://vulnerable-site.com/non_existing_page => “Not Found: /non_existing_page” http://vulnerable-site.com/<script>alert(‘Whoops’);</script> => “Not Found: /” But the pop-up ‘Whoops’ appears on user’s screen, the JavaScript code is not escaped by the server so the code is executed. 6

7. 7 Find a XSS index=web_vuln script OR alert OR cookie 7

8. 8 SQL Injection A SQL injection attack consists of insertion of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations, etc... Example: http://vuln-site.com/login.php?user=admin’ OR 1=1;--&pass=camembert  SELECT * FROM users WHERE user=‘admin’ OR 1=1;-- AND password=‘camembert’;  SELECT * FROM users WHERE user=‘admin’ OR 1=1;  Successful login as ‘admin’ without knowing the password.  The ‘OR 1=1’ is optional here for the success of the attack. 8

9. 9 Find a successful SQLi index=web_vuln SELECT AND FROM OR WHERE OR “OR” OR “AND” status < 400 | stats count by clientip status | sort – count Tip: To decode URI’s you can use | eval u = urldecode(field) 9

10. 10 Web Shell Web Shells are installed by the attackers after compromising legitimate Web applications on a server, using techniques such as SQL injection, Remote File Inclusion, unvalidated file upload, valid user's stolen credentials, etc. A Web shell is an executable code running on a server that gives attackers remote access to a variety of critical functions. It can be seen as a Remote Access Tool (RAT) or a backdoor. It can be a full featured product with a WebUI or a single script of few lines of code. Popular webshells: c99, b374k, c100, r57, 12309, …. Example of request: POST /c99.php?cmd=uname%20-ra 10

11. 11 Are we hosting a Web Shell? NO ! (see next slide) 11

12. 12 Are we hosting a Web Shell? Splunk Search: index=web_vuln c99 OR b374k OR c100 OR r57 OR 12309 We can see a request for the R57 webshell from 177.105.146.205 R57.txt exactly Don’t be confused with the “.txt”, it’s a lure this file is a PHP script. Nothing to worry much about, status code is 404/Not Found. 12

13. 13 Directory traversal Directory Traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. It can be used to un OS level commands or access sensitive files. Example (Linux) GET ../../../../../../../../../etc/passwd HTTP/1.0rn Example (Windows) http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: %5c = 13

14. 14 How many IPs successfully exploited a Directory Traversal vulnerability? 8 clientip (see next slide) 14

15. 15 Directory Traversal index=web_vuln status<400 uri="*..*" | stats dc(uri) as n_pages count(_raw) as n_attempts by clientip | sort - n_attempts 15

16. 16 Are we the target of Bruteforce? Which page(s)? YES ! Admin page: /administrator/index.php (see next slide) 16

17. 17 Bruteforce Many requests on few pages from the same source = suspicious. index=web_vuln | stats dc(uri) as req_pages_per_client count(_raw) as n_requests by clientip | sort req_pages_per_client - n_requests This also identifies recurring requests to access to /logs/access*.log. TOP Bruteforcers are: 108.171.217.244 & 37.9.53.57 17

18. 18 Story 2 – HTTP/DNS You are part of the DEFCON organization and you are monitoring the network with Bro IDS. Hackers are everywhere… 18

19. 19 Is there any Data Exfiltration? To where? Yes! Look at Bro IDS data These were the real culprits: chickenkiller.com mooo.com 19

20. 20 index=bro sourcetype=bro_dns | `ut_parse(query)` | search ut_domain!="None" | `ut_shannon(ut_subdomain)` | eval subdomain_length = length(ut_subdomain) | stats count(ut_subdomain) as count avg(ut_shannon) as avg_sha stdev(ut_shannon) as stdev_sha avg(subdomain_length) as avg_sublen stdev(subdomain_length) as stdev_sublen by ut_domain | eval avg_sha = round(avg_sha, 1) | eval avg_sublen = round(avg_sublen, 1) | eval stdev_sha = round(stdev_sha, 2) | eval stdev_sublen = round(stdev_sublen, 1) | where avg_sha > 2 AND avg_sublen > 15 | sort - count avg_sha avg_sublen stdev_sha stdev_sublen 20 Count, Subdomain Length, Entropy = Good indicators to start digging

21. 21 Count, Subdomain length, Entropy = Good indicators to start digging 21

22. 22 Could you find any domain that looks like a DGA ? (Domain Generation Algorithm) t3l4fw-jjy5gcurq5e.com (This is not the only one in the dataset) cloudfront.net hosts are False Positives. 22

24. Enterprise Security 4.1/UBA 2.2

25. Analytics-driven Security Risk-Based Context and Intelligence Connecting Data and People 25

26. 26 Enterprise Security Provides support for security operations/command centers Functions: alert management, detects using correlation rules (pre-built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing Persona service: SOC Analyst, security teams, incident responders, hunters, security managers Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches 26

27. 27 User Behavior Analytics Provides advanced threat detection using unsupervised machine learning – complements SIEMs (if any) Functions: baselines behavior from log data to detect anomalies and threats Persona service: SOC Analyst, hunters Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science. 27

28. 28 What’s New ? 28 UBA Results Across SIEM Workflow Rapid Investigation of Advanced Threats Enhanced Insider Threat & Cyber Attack Detection ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

29. Integration of Splunk UBA with Splunk ES

30. Splunk UBA and Splunk ES Integration SIEM, Hadoop Firewall, AD, DLP AWS, VM, Cloud, Mobile End-point, App, DB logs Netflow, PCAP Threat Feeds DATA SOURCES DATA SCIENCE DRIVEN THREAT DETECTION 99.99% EVENT REDUCTION UBA MACHINE LEARNING IN SIEM WORKFLOW ANOMALY-BASED CORRELATION 101111101010010001000001 111011111011101111101010 010001000001111011111011

31. 31 Behavioral Analytics in SIEM Workflow • All Splunk UBA results available in Enterprise Security • Workflows for SOC Manager, SOC analyst and Hunter/Investigator • Splunk UBA can be purchased/operated separately from Splunk Enterprise Security 31 ES 4.1 and UBA 2.2

32. Splunk Enterprise Security 4.1

33. 33 Prioritize and Speed Investigations Centralized incident review combining risk and quick search Use the new risk scores and quick searches to determine the impact of an incident quickly Use risk scores to generate actionable alerts to respond on matters that require immediate attention. ES 4.1

34. 34 Expanded Threat Intelligence ES 4.1 Supports Facebook ThreatExchange An additional threat intelligence feed that provides following threat indicators - domain names, IPs and hashes Use with ad hoc searches and investigations Extends Splunk’s Threat Intelligence Framework

35. Splunk UBA 2.2

36. 36 Detection : Enhanced Security Analytics Visibility and baseline metrics around user, device, application and protocol 30+ new metrics USER CENTRIC DEVICE CENTRIC APPLICATION CENTRIC PROTOCOL CENTRIC Detailed Visibility, Understand Normal Behavior UBA 2.2

37. 37 Create custom threats using 60+ anomalies. Create custom threat scenarios on top of anomalies detected by machine learning. Helps with real-time threat detection and leverage to detect threats on historical data. Analysts can create many combinations and permutations of threat detection scenarios along with automated threat detection. Detection : Custom Threat Modeling Framework UBA 2.2

38. 38 Summary 38 UBA Results Across SIEM Workflow Rapid Investigation of Advanced Threats Enhanced Insider Threat & Cyber Attack Detection ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

39. UBA and ES Demo

40. Copyright © 2015 Splunk Inc. • September 26-29, 2016 • The Disney Swan and Dolphin, Orlando • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 3 days of Splunk University • Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education! • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and • Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! .conf2016: The 7th Annual Splunk Worldwide Users’ Conference

41. Thank You!

Using Splunk for Information Security

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Using Splunk for Information Security

Plus De Contenu Connexe

Diaporamas pour vous (20)

Les utilisateurs ont également aimé (14)

Similaire à Using Splunk for Information Security (20)

Plus par Splunk (20)

Plus récents (20)

Using Splunk for Information Security

Notes de l'éditeur