This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
Story 1 - Web
The VP of Pouet Inc calls you to complain about issues on the website and asks you to investigate what's going on.
Data used in examples is actual Defcon data!
Cross Site Scripting (XSS) attacks
Cross Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
Example:
http://vulnerable-site.com/non_existing_page => "Not Found: /non_existing_page"
http://vulnerable-site.com/<script>alert('Whoops');</script> => "Not Found: /"
But the pop-up 'Whoops' appears on the user's screen: the JavaScript code is not escaped by the server, so it is executed.
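To make the reflected-XSS mechanism concrete, here is an added Python example (not code from the talk or from any site it mentions) showing a 404 handler that reflects the requested path verbatim next to the hardened version that HTML-escapes it, plus a small check an analyst can run over decoded request URIs. The path `XSS_PATH` and the function names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote, unquote_plus

# Constructed request path, taken from the shape of the slide's example.
XSS_PATH = "/<script>alert('Whoops');</script>"


def not_found_vulnerable(raw_path):
    """Reflects the requested path verbatim into the 404 body: any markup in the
    path is rendered and executed by the browser (the behaviour the slide describes)."""
    return "<h1>Not Found: %s</h1>" % unquote(raw_path)


def not_found_hardened(raw_path):
    """Same page, but the reflected value is HTML-escaped so it is shown as text.
    quote=True also escapes ' and ", which matters inside attribute values."""
    return "<h1>Not Found: %s</h1>" % html.escape(unquote(raw_path), quote=True)


def reflects_active_markup(body, raw_path):
    """True when the decoded input appears in the response body as live markup,
    i.e. the server echoed a <script ...> payload without escaping it."""
    decoded = unquote(raw_path)
    return "<script" in decoded.lower() and decoded in body


def looks_like_xss(uri):
    """Log-side check: decode the URI first (payloads are usually percent-encoded),
    then look for script tags or javascript: URLs."""
    return re.search(r"<\s*script|javascript:", unquote_plus(uri), re.I) is not None


if __name__ == "__main__":
    print(not_found_vulnerable(XSS_PATH))
    print(not_found_hardened(XSS_PATH))
    print(reflects_active_markup(not_found_vulnerable(XSS_PATH), XSS_PATH))
```

The fix is contextual output encoding at the point where untrusted input is written into HTML; `looks_like_xss` is deliberately narrow so it can be run over web logs without drowning in false positives.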
SQL Injection
A SQL injection attack consists of insertion of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations, etc.
Example:
http://vuln-site.com/login.php?user=admin' OR 1=1;--&pass=camembert
SELECT * FROM users WHERE user='admin' OR 1=1;-- AND password='camembert';
SELECT * FROM users WHERE user='admin' OR 1=1;
Successful login as 'admin' without knowing the password.
The 'OR 1=1' is optional here for the success of the attack.
Find a successful SQLi
index=web_vuln ((SELECT AND FROM) OR WHERE OR "OR" OR "AND") status<400
| stats count by clientip status
| sort - count
(Parentheses added: in Splunk, AND binds tighter than OR, so without them the status<400 condition would only apply to the last keyword.)
Tip: To decode URIs you can use | eval u = urldecode(field)
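The same detection logic as the Splunk search above, as an added Python example that is not part of the talk: parse combined-format access-log lines, URL-decode the request (the urldecode tip), apply the keyword test, keep only responses with status below 400, and count by client IP and status. The log lines in `SAMPLE_LOG` are constructed for the example and are not the Defcon dataset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: clientip ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample access-log lines (not the talk's dataset).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2014:19:46:01 +0000] "GET /login.php?user=admin%27+OR+1%3D1%3B--&pass=camembert HTTP/1.1" 200 1342
10.0.0.5 - - [08/Aug/2014:19:46:07 +0000] "GET /login.php?user=admin%27+UNION+SELECT+1%2C2+FROM+users--&pass=x HTTP/1.1" 200 2210
10.0.0.9 - - [08/Aug/2014:19:47:13 +0000] "GET /search.php?q=%27+OR+%271%27%3D%271 HTTP/1.1" 500 512
10.0.0.7 - - [08/Aug/2014:19:48:22 +0000] "GET /index.php HTTP/1.1" 200 8012
10.0.0.7 - - [08/Aug/2014:19:48:30 +0000] "GET /page.php?id=5 HTTP/1.1" 200 3011
"""


def parse_line(line):
    """Return {clientip, method, uri, status} or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, uri, status = m.groups()
    return {"clientip": ip, "method": method, "uri": uri, "status": int(status)}


def looks_like_sqli(uri):
    """Keyword logic of the slide's search, (SELECT AND FROM) OR WHERE OR "OR" OR "AND",
    applied to the URL-decoded request so that admin%27+OR+1%3D1 is caught."""
    decoded = unquote_plus(uri)
    tokens = set(re.findall(r"[A-Za-z]+", decoded.upper()))
    return ("SELECT" in tokens and "FROM" in tokens) or bool(tokens & {"WHERE", "OR", "AND"})


def sqli_by_client(log_text, max_status=400):
    """Count SQLi-looking requests per (clientip, status), keeping responses below
    max_status (the request was served, so the injection may have worked), sorted by
    descending count like `| stats count by clientip status | sort - count`."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] >= max_status:
            continue
        if looks_like_sqli(ev["uri"]):
            counts[(ev["clientip"], ev["status"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (ip, status), n in sqli_by_client(SAMPLE_LOG):
        print(ip, status, n)
```

Raising `max_status` shows the attempts that failed as well (the 500 from the third line), which is useful for seeing who probed before a successful request.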
Web Shell
Web Shells are installed by attackers after compromising legitimate Web applications on a server, using techniques such as SQL injection, Remote File Inclusion, unvalidated file upload, stolen credentials of a valid user, etc.
A Web shell is executable code running on a server that gives attackers remote access to a variety of critical functions. It can be seen as a Remote Access Tool (RAT) or a backdoor. It can be a full-featured product with a WebUI or a single script of a few lines of code.
Popular webshells: c99, b374k, c100, r57, 12309, ...
Example of request: POST /c99.php?cmd=uname%20-ra
Are we hosting a Web Shell?
Splunk Search:
index=web_vuln c99 OR b374k OR c100 OR r57 OR 12309
We can see a request for the R57 webshell from 177.105.146.205, R57.txt exactly.
Don't be confused by the ".txt": it's a lure, this file is a PHP script.
Nothing much to worry about, the status code is 404/Not Found.
Directory traversal
Directory Traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. It can be used to run OS-level commands or access sensitive files.
Example (Linux)
GET ../../../../../../../../../etc/passwd HTTP/1.0\r\n
Example (Windows)
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:
%5c = \ (URL-encoded backslash)
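Counting which clients successfully exploited a traversal (the question on the next slide) needs the request normalised first: the Windows example hides `..\` behind `%5c`, and double-encoded requests hide `../` behind `%252f`. This added Python example (not the talk's code) decodes repeatedly, folds backslashes into forward slashes, matches a `..` path segment, and returns the distinct client IPs, optionally only those whose request got a non-error response. `SAMPLE_EVENTS` is constructed for the example.

```python
import re
from urllib.parse import unquote

# A ".." segment delimited by slashes, checked after decoding and backslash folding.
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Constructed web events (clientip, uri, status); not the talk's dataset.
SAMPLE_EVENTS = [
    {"clientip": "10.1.1.1", "uri": "/../../../../../../../../../etc/passwd", "status": 200},
    {"clientip": "10.1.1.2", "uri": "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:", "status": 200},
    {"clientip": "10.1.1.3", "uri": "/images/..%252f..%252fetc/shadow", "status": 403},
    {"clientip": "10.1.1.4", "uri": "/docs/file..old.txt", "status": 200},
    {"clientip": "10.1.1.1", "uri": "/index.html", "status": 200},
]


def normalize_uri(uri, max_rounds=3):
    """Percent-decode until stable (double encoding such as %252f survives a single
    decode), then fold backslashes (%5c on Windows hosts) into forward slashes."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(uri):
    """True when the normalised request contains a real '..' path segment
    ('file..old.txt' is not one)."""
    return DOTDOT_SEGMENT.search(normalize_uri(uri)) is not None


def traversal_clients(events, only_successful=True):
    """Distinct client IPs that sent traversal requests. With only_successful, keep
    only responses below 400 (the slide asks who *successfully* exploited it)."""
    ips = set()
    for ev in events:
        if not is_traversal(ev["uri"]):
            continue
        if only_successful and ev["status"] >= 400:
            continue
        ips.add(ev["clientip"])
    return sorted(ips)


if __name__ == "__main__":
    print("successful:", traversal_clients(SAMPLE_EVENTS))
    print("all attempts:", traversal_clients(SAMPLE_EVENTS, only_successful=False))
```

Normalising before matching is the point: a search for the literal string `../` misses both the Windows and the double-encoded forms.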
How many IPs successfully exploited a Directory Traversal vulnerability?
8 clientip
(see next slide)
Are we the target of Bruteforce? Which page(s)?
YES!
Admin page: /administrator/index.php
(see next slide)
Bruteforce
Many requests on few pages from the same source = suspicious.
index=web_vuln
| stats dc(uri) as req_pages_per_client count(_raw) as n_requests by clientip
| sort req_pages_per_client - n_requests
This also identifies recurring requests to access /logs/access*.log.
TOP Bruteforcers are: 108.171.217.244 & 37.9.53.57
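The "few pages, many requests" heuristic from the search above, as an added Python example rather than the talk's code: compute distinct pages and request count per client (the `dc(uri)` / `count(_raw)` stats), sort few-pages-first then most-requests-first, and apply assumed thresholds to pick candidates. The request list is constructed for the example; the two attacker IPs reuse the values from the slide, the third client is a normal browser.

```python
from collections import Counter, defaultdict


def build_sample_requests():
    """Constructed (clientip, uri) pairs, not the talk's dataset: one client hammering
    the admin login, one mixing login attempts with log-file probes, one browsing
    normally across many pages."""
    reqs = []
    reqs += [("108.171.217.244", "/administrator/index.php")] * 300
    reqs += [("37.9.53.57", "/administrator/index.php")] * 60
    reqs += [("37.9.53.57", "/logs/access.log")] * 20
    reqs += [("10.0.0.42", "/page%d.html" % i) for i in range(40)]
    reqs += [("10.0.0.42", "/index.php")] * 5
    return reqs


def requests_per_page(requests):
    """Mirror of the slide's stats: distinct pages (dc(uri)) and request count per
    clientip, sorted like `sort req_pages_per_client - n_requests` (few pages first,
    then most requests first)."""
    pages = defaultdict(set)
    n_requests = Counter()
    for ip, uri in requests:
        pages[ip].add(uri)
        n_requests[ip] += 1
    rows = [
        {"clientip": ip, "req_pages_per_client": len(pages[ip]), "n_requests": n_requests[ip]}
        for ip in n_requests
    ]
    rows.sort(key=lambda r: (r["req_pages_per_client"], -r["n_requests"]))
    return rows


def bruteforce_candidates(requests, min_requests=50, max_pages=3):
    """Assumed thresholds: many requests concentrated on very few distinct pages."""
    return [
        r for r in requests_per_page(requests)
        if r["n_requests"] >= min_requests and r["req_pages_per_client"] <= max_pages
    ]


def top_pages_for(requests, clientip, limit=5):
    """Which pages a flagged client hit, so the analyst can name the target page."""
    return Counter(uri for ip, uri in requests if ip == clientip).most_common(limit)


if __name__ == "__main__":
    sample = build_sample_requests()
    for row in bruteforce_candidates(sample):
        print(row, top_pages_for(sample, row["clientip"]))
```

The thresholds are where tuning happens: a CDN health-checker also hits one page thousands of times, so an allowlist of known sources belongs in front of this in production.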
Story 2 - HTTP/DNS
You are part of the DEFCON organization and you are monitoring the network with Bro IDS.
Hackers are everywhere...
Is there any Data Exfiltration? To where?
Yes! Look at Bro IDS data
These were the real culprits:
chickenkiller.com
mooo.com
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| search ut_domain!="None"
| `ut_shannon(ut_subdomain)`
| eval subdomain_length = length(ut_subdomain)
| stats count(ut_subdomain) as count avg(ut_shannon) as avg_sha stdev(ut_shannon) as stdev_sha avg(subdomain_length) as avg_sublen stdev(subdomain_length) as stdev_sublen by ut_domain
| eval avg_sha = round(avg_sha, 1)
| eval avg_sublen = round(avg_sublen, 1)
| eval stdev_sha = round(stdev_sha, 2)
| eval stdev_sublen = round(stdev_sublen, 1)
| where avg_sha > 2 AND avg_sublen > 15
| sort - count avg_sha avg_sublen stdev_sha stdev_sublen
Count, Subdomain Length, Entropy = Good indicators to start digging
Could you find any domain that looks like a DGA (Domain Generation Algorithm)?
t3l4fw-jjy5gcurq5e.com
(This is not the only one in the dataset)
cloudfront.net hosts are False Positives.
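The DNS exfiltration search and the DGA question both come down to the same measurements: Shannon entropy and length of the labels in a query name. This added Python example (not the talk's code, and without the URL Toolbox app) reproduces the per-domain statistics of the search, filters with the slide's thresholds (avg entropy > 2, avg subdomain length > 15), and applies the same entropy function to the registered-domain label to surface DGA-like names. Assumptions: the registered domain is taken as the last two labels (URL Toolbox uses a public-suffix list, this helper does not); `ALLOWLIST` and the DGA thresholds are constructed; the sample queries follow the `[base64].xklsl29das.chickenkiller.com` shape from the speaker notes and are not Bro data.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample DNS queries (not the talk's Bro data).
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "www.example.com",
    "d3k8f2jq1zabcdef.cloudfront.net",
    "VGhpcyBpcyBhIHNlY3JldCBm.xklsl29das.chickenkiller.com",
    "aWxlIHRoYXQgc2hvdWxkIG5v.xklsl29das.chickenkiller.com",
    "dCBsZWF2ZSB0aGUgbmV0d29y.xklsl29das.chickenkiller.com",
    "ay4gQ2h1bmsgMDAwNA.xklsl29das.chickenkiller.com",
    "t3l4fw-jjy5gcurq5e.com",
]

# Assumption: reviewed CDN domains (the slide calls cloudfront.net hosts false positives).
ALLOWLIST = {"cloudfront.net"}


def shannon(s):
    """Shannon entropy in bits per character, the same measure as ut_shannon."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """Return (registered_domain, subdomain). Assumption: registered domain = last two
    labels; a real implementation would consult the public-suffix list."""
    labels = query.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def exfil_stats(queries, min_avg_entropy=2.0, min_avg_sublen=15, allowlist=frozenset()):
    """Per-domain subdomain statistics, filtered and sorted like the slide's search."""
    per_domain = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q)
        if not domain or not sub or domain in allowlist:
            continue
        per_domain[domain].append(sub)
    rows = []
    for domain, subs in per_domain.items():
        ent = [shannon(s) for s in subs]
        lens = [len(s) for s in subs]
        row = {
            "ut_domain": domain,
            "count": len(subs),
            "avg_sha": round(statistics.mean(ent), 1),
            "stdev_sha": round(statistics.stdev(ent), 2) if len(ent) > 1 else 0.0,
            "avg_sublen": round(statistics.mean(lens), 1),
            "stdev_sublen": round(statistics.stdev(lens), 1) if len(lens) > 1 else 0.0,
        }
        if row["avg_sha"] > min_avg_entropy and row["avg_sublen"] > min_avg_sublen:
            rows.append(row)
    rows.sort(key=lambda r: (-r["count"], r["avg_sha"], r["avg_sublen"]))
    return rows


def dga_candidates(queries, min_entropy=3.0, min_len=14):
    """Registered domains whose second-level label is long and high-entropy
    (assumed thresholds); returns (domain, entropy) pairs."""
    seen, out = set(), []
    for q in queries:
        domain, _ = split_query(q)
        if not domain or domain in seen:
            continue
        seen.add(domain)
        label = domain.split(".")[0]
        if len(label) >= min_len and shannon(label) >= min_entropy:
            out.append((domain, round(shannon(label), 2)))
    return out


if __name__ == "__main__":
    for row in exfil_stats(SAMPLE_QUERIES, allowlist=ALLOWLIST):
        print(row)
    print(dga_candidates(SAMPLE_QUERIES))
```

Run without the allowlist, the cloudfront host shows up alongside the exfiltration domain, which is exactly the false positive the slide warns about; the count column then tells the two apart.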
Enterprise Security
Provides support for security operations/command centers.
Functions: alert management, detection using (pre-built) correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing.
Personas served: SOC Analyst, security teams, incident responders, hunters, security managers.
Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches.
User Behavior Analytics
Provides advanced threat detection using unsupervised machine learning; complements SIEMs (if any).
Functions: baselines behavior from log data to detect anomalies and threats.
Personas served: SOC Analyst, hunters.
Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science.
What's New?
- UBA Results Across SIEM Workflow (ES 4.1 + UBA 2.2)
- Rapid Investigation of Advanced Threats (ES 4.1)
- Enhanced Insider Threat & Cyber Attack Detection (UBA 2.2)
Splunk UBA and Splunk ES Integration
Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
-> UBA: data science driven threat detection, 99.99% event reduction
-> Machine learning in SIEM workflow, anomaly-based correlation
Behavioral Analytics in SIEM Workflow (ES 4.1 and UBA 2.2)
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search.
Use the new risk scores and quick searches to determine the impact of an incident quickly.
Use risk scores to generate actionable alerts to respond to matters that require immediate attention.
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange: an additional threat intelligence feed that provides the following threat indicators - domain names, IPs and hashes.
Use with ad hoc searches and investigations.
Extends Splunk's Threat Intelligence Framework.
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol.
30+ new metrics: user centric, device centric, application centric, protocol centric.
Detailed Visibility, Understand Normal Behavior
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection, and can be leveraged to detect threats on historical data.
Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Summary
- UBA Results Across SIEM Workflow (ES 4.1 + UBA 2.2)
- Rapid Investigation of Advanced Threats (ES 4.1)
- Enhanced Insider Threat & Cyber Attack Detection (UBA 2.2)
Directory Traversal can be used to retrieve files or run commands on the web server.
DNS Exfil:
18k text file
- Infected host is 10.124.15.193
- Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com
- Time frame is around 1946-2134 08AUG14
20mb+ Zip file
- Infected host is 10.124.15.193
- Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com
- Time frame is around 1853-1927 08AUG14
The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape.
Operational issues and challenges. Use dashboards, alert (correlation), correlate against observables
Use them for adhoc searching and swimlanes
a. Continuation of integration….enabled in depth investigation bring UBA anomaly as sourcetype. Significant because all field in ES is available
b. Describe the solution. Value of ES, Notable Events…IR. Add context
C. Increasing Threat Intel... Mention leadership and WP. Coverage.
Remind what UBA
Highlight the pics on right…custom threat
Point out the fact that we now have Rules now with ML. Competitors have rules with Stats
We’re headed to the East Coast!
2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!