Using Splunk for Information Security

  1. Copyright © 2015 Splunk Inc. Splunk: All Things Security. SplunkLive San Diego 2016. Mark Bonsack, Staff SE; Matt Poland, Senior SE
  2. Agenda: Security: Starts with Splunk Enterprise; Enterprise Security 4.1/UBA 2.2; RSA 2016 Review
  3. Security: Starts with Splunk Enterprise
  4. Story 1 - Web. The VP of Pouet Inc calls you to complain about issues on the website and asks you to investigate what's going on. Data used in the examples is actual Defcon data!
  5. Web vulnerability data has a wealth of clues: index=web_vuln
  6. Cross Site Scripting (XSS) attacks. Cross Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. Example: http://vulnerable-site.com/non_existing_page => "Not Found: /non_existing_page"; http://vulnerable-site.com/<script>alert('Whoops');</script> => "Not Found: /", but the pop-up 'Whoops' appears on the user's screen: the JavaScript code is not escaped by the server, so the code is executed.
  7. Find an XSS: index=web_vuln script OR alert OR cookie
  8. SQL Injection. A SQL injection attack consists of the insertion of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations, etc. Example: http://vuln-site.com/login.php?user=admin' OR 1=1;--&pass=camembert => SELECT * FROM users WHERE user='admin' OR 1=1;-- AND password='camembert'; => SELECT * FROM users WHERE user='admin' OR 1=1; => Successful login as 'admin' without knowing the password. The 'OR 1=1' is optional here for the success of the attack.
  9. Find a successful SQLi: index=web_vuln SELECT AND FROM OR WHERE OR "OR" OR "AND" status < 400 | stats count by clientip status | sort - count. Tip: to decode URIs you can use | eval u = urldecode(field)
  10. Web Shell. Web shells are installed by attackers after compromising legitimate web applications on a server, using techniques such as SQL injection, Remote File Inclusion, unvalidated file upload, a valid user's stolen credentials, etc. A web shell is executable code running on a server that gives attackers remote access to a variety of critical functions. It can be seen as a Remote Access Tool (RAT) or a backdoor. It can be a full-featured product with a WebUI or a single script of a few lines of code. Popular webshells: c99, b374k, c100, r57, 12309, ... Example of request: POST /c99.php?cmd=uname%20-ra
  11. Are we hosting a Web Shell? NO! (see next slide)
  12. Are we hosting a Web Shell? Splunk search: index=web_vuln c99 OR b374k OR c100 OR r57 OR 12309. We can see a request for the R57 webshell, from R57.txt exactly. Don't be confused by the ".txt": it's a lure, this file is a PHP script. Nothing to worry much about, the status code is 404/Not Found.
  13. Directory traversal. Directory Traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. It can be used to run OS-level commands or access sensitive files. Example (Linux): GET ../../../../../../../../../etc/passwd HTTP/1.0\r\n. Example (Windows): http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: (%5c is the URL-encoded backslash)
  14. How many IPs successfully exploited a Directory Traversal vulnerability? 8 clientip (see next slide)
  15. Directory Traversal: index=web_vuln status<400 uri="*..*" | stats dc(uri) as n_pages count(_raw) as n_attempts by clientip | sort - n_attempts
  16. Are we the target of Bruteforce? Which page(s)? YES! Admin page: /administrator/index.php (see next slide)
  17. Bruteforce. Many requests on few pages from the same source = suspicious. index=web_vuln | stats dc(uri) as req_pages_per_client count(_raw) as n_requests by clientip | sort req_pages_per_client - n_requests. This also identifies recurring requests to access /logs/access*.log. TOP Bruteforcers are: &
  18. Story 2 - HTTP/DNS. You are part of the DEFCON organization and you are monitoring the network with Bro IDS. Hackers are everywhere...
  19. Is there any Data Exfiltration? To where? Yes! Look at the Bro IDS data. These were the real culprits: chickenkiller.com, mooo.com
  20. index=bro sourcetype=bro_dns | `ut_parse(query)` | search ut_domain!="None" | `ut_shannon(ut_subdomain)` | eval subdomain_length = length(ut_subdomain) | stats count(ut_subdomain) as count avg(ut_shannon) as avg_sha stdev(ut_shannon) as stdev_sha avg(subdomain_length) as avg_sublen stdev(subdomain_length) as stdev_sublen by ut_domain | eval avg_sha = round(avg_sha, 1) | eval avg_sublen = round(avg_sublen, 1) | eval stdev_sha = round(stdev_sha, 2) | eval stdev_sublen = round(stdev_sublen, 1) | where avg_sha > 2 AND avg_sublen > 15 | sort - count avg_sha avg_sublen stdev_sha stdev_sublen
  21. Count, Subdomain length, Entropy = Good indicators to start digging
  22. Could you find any domain that looks like a DGA (Domain Generation Algorithm)? t3l4fw-jjy5gcurq5e.com (this is not the only one in the dataset). cloudfront.net hosts are false positives.
  23. DGA domains: index=bro sourcetype=bro_dns | `ut_parse(query)` | lookup cdn_lookup domain as ut_domain | where isnull(cdn_provider) | stats count by ut_domain | `ut_shannon(ut_domain)` | eval ut_shannon=round(ut_shannon,1) | sort - ut_shannon count
  24. Enterprise Security 4.1/UBA 2.2
  25. Analytics-driven Security: Risk-Based Context and Intelligence; Connecting Data and People
  26. Enterprise Security. Provides support for security operations/command centers. Functions: alert management, detection using (pre-built) correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing. Persona served: SOC Analyst, security teams, incident responders, hunters, security managers. Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches.
  27. User Behavior Analytics. Provides advanced threat detection using unsupervised machine learning; complements SIEMs (if any). Functions: baselines behavior from log data to detect anomalies and threats. Persona served: SOC Analyst, hunters. Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science.
  28. What's New? ES 4.1 + UBA 2.2: UBA Results Across SIEM Workflow; ES 4.1: Rapid Investigation of Advanced Threats; UBA 2.2: Enhanced Insider Threat & Cyber Attack Detection
  29. Integration of Splunk UBA with Splunk ES
  30. Splunk UBA and Splunk ES Integration. Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds. Data-science-driven threat detection: 99.99% event reduction. UBA machine learning in the SIEM workflow: anomaly-based correlation.
  31. Behavioral Analytics in SIEM Workflow (ES 4.1 and UBA 2.2). All Splunk UBA results available in Enterprise Security. Workflows for SOC Manager, SOC analyst and Hunter/Investigator. Splunk UBA can be purchased/operated separately from Splunk Enterprise Security.
  32. Splunk Enterprise Security 4.1
  33. Prioritize and Speed Investigations (ES 4.1). Centralized incident review combining risk and quick search. Use the new risk scores and quick searches to determine the impact of an incident quickly. Use risk scores to generate actionable alerts to respond to matters that require immediate attention.
  34. Expanded Threat Intelligence (ES 4.1). Supports Facebook ThreatExchange: an additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes. Use with ad hoc searches and investigations. Extends Splunk's Threat Intelligence Framework.
  35. Splunk UBA 2.2
  36. Detection: Enhanced Security Analytics (UBA 2.2). Visibility and baseline metrics around user, device, application and protocol; 30+ new metrics. User centric, device centric, application centric, protocol centric. Detailed visibility, understand normal behavior.
  37. Detection: Custom Threat Modeling Framework (UBA 2.2). Create custom threats using 60+ anomalies. Create custom threat scenarios on top of anomalies detected by machine learning. Helps with real-time threat detection and can be leveraged to detect threats in historical data. Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
  38. Summary. ES 4.1 + UBA 2.2: UBA Results Across SIEM Workflow; ES 4.1: Rapid Investigation of Advanced Threats; UBA 2.2: Enhanced Insider Threat & Cyber Attack Detection
  39. UBA and ES Demo
  40. .conf2016: The 7th Annual Splunk Worldwide Users' Conference. September 26-29, 2016, The Disney Swan and Dolphin, Orlando. 5000+ IT & Business Professionals; 3 days of technical content; 165+ sessions; 3 days of Splunk University (Sept 24-26, 2016): get Splunk certified for free, get CPE credits for CISSP, CAP, SSCP, save thousands on Splunk education; 80+ customer speakers; 35+ apps in the Splunk Apps Showcase; 75+ technology partners; 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks; new hands-on labs; expanded show floor, Dashboards Control Room & Clinic, and more.
  41. Thank You!
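The directory-traversal search on slide 15 matches `uri="*..*"` on the raw URI, so encoded forms such as `%2e%2e` or `..%5c` only show up after the `urldecode` tip from slide 9 is applied. This added Python example (not from the deck) reimplements the slide 15 statistics over constructed access-log lines, decoding the URI twice so single- and double-encoded traversal attempts are both counted; the log format and IPs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Apache-style, simplified); not real DEFCON data.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2014:19:46:01 +0000] "GET /../../../../etc/passwd HTTP/1.0" 200 1247
10.0.0.5 - - [08/Aug/2014:19:46:02 +0000] "GET /..%2f..%2f..%2fetc/shadow HTTP/1.0" 403 221
10.0.0.7 - - [08/Aug/2014:19:47:10 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: HTTP/1.0" 200 512
10.0.0.7 - - [08/Aug/2014:19:47:11 +0000] "GET /%252e%252e/%252e%252e/boot.ini HTTP/1.0" 200 300
10.0.0.9 - - [08/Aug/2014:19:48:00 +0000] "GET /index.php HTTP/1.0" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_traversal(uri):
    # Decode twice so %2e%2e, ..%5c and double-encoded %252e%252e are all seen.
    # The SPL uri="*..*" only matches a literal ".." in the raw URI and misses these.
    decoded = unquote(unquote(uri))
    return ".." in decoded


def traversal_stats(log_text):
    """Equivalent of slide 15:
    status<400 uri="*..*" | stats dc(uri) as n_pages count(_raw) as n_attempts by clientip
    | sort - n_attempts, but on the decoded URI. Returns (clientip, n_pages, n_attempts)."""
    pages = defaultdict(set)
    attempts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # status<400: only requests the server actually served count as "successful"
        if int(m["status"]) >= 400 or not is_traversal(m["uri"]):
            continue
        pages[m["clientip"]].add(m["uri"])
        attempts[m["clientip"]] += 1
    rows = [(ip, len(pages[ip]), attempts[ip]) for ip in attempts]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for ip, n_pages, n_attempts in traversal_stats(SAMPLE_LOG):
        print(f"{ip:<12} n_pages={n_pages} n_attempts={n_attempts}")
```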
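The DNS exfiltration search on slide 20 relies on the URL Toolbox macros `ut_parse` and `ut_shannon`; to show what those statistics actually compute, this added Python example (not from the deck or from URL Toolbox) computes the per-domain count, Shannon entropy and subdomain length over constructed Bro DNS query values. The registered domain is assumed to be the last two labels, a simplification that a public suffix list would replace in practice.

```python
import math
from collections import Counter, defaultdict

# Constructed Bro dns.log query values, one per line; not real DEFCON data.
# The base64-looking labels imitate the [$base64_encoded_subdomain] pattern from the notes.
SAMPLE_QUERIES = """\
aGVsbG8gd29ybGQgdGhpcyBpcyBh.xklsl29das.chickenkiller.com
c2VjcmV0IGRhdGEgZ29lcyBoZXJl.xklsl29das.chickenkiller.com
bW9yZSBzZWNyZXQgZGF0YSBoZXJl.xklsl29das.chickenkiller.com
www.example.com
mail.example.com
cdn.example.com
"""


def shannon(s):
    # Same idea as `ut_shannon`: entropy in bits per character of the string.
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_query(q):
    # Assumption: registered domain = last two labels (ut_parse uses a suffix list instead).
    labels = q.strip().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def mean_stdev(xs):
    n = len(xs)
    mu = sum(xs) / n
    var = sum((x - mu) ** 2 for x in xs) / (n - 1) if n > 1 else 0.0  # sample stdev like SPL stdev()
    return mu, math.sqrt(var)


def exfil_candidates(query_text, min_sha=2.0, min_sublen=15):
    """Per-domain stats and the slide 20 filter: where avg_sha > 2 AND avg_sublen > 15."""
    per_domain = defaultdict(list)
    for q in query_text.splitlines():
        parts = split_query(q)
        if parts:
            per_domain[parts[1]].append(parts[0])
    rows = []
    for dom, subs in per_domain.items():
        avg_sha, sd_sha = mean_stdev([shannon(s) for s in subs])
        avg_len, sd_len = mean_stdev([len(s) for s in subs])
        if avg_sha > min_sha and avg_len > min_sublen:
            rows.append({"domain": dom, "count": len(subs), "avg_sha": round(avg_sha, 1),
                         "stdev_sha": round(sd_sha, 2), "avg_sublen": round(avg_len, 1),
                         "stdev_sublen": round(sd_len, 1)})
    return sorted(rows, key=lambda r: (-r["count"], -r["avg_sha"]))
```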

Editor's Notes

  • Directory Traversal can be used to retrieve files or run commands on the web server.
  • DNS Exfil:
    18k text file
    - Infected host is
    - Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com
    - Time frame is around 1946-2134 08AUG14

    20mb+ Zip file
    - Infected host is
    - Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com
    - Time frame is around 1853-1927 08AUG14
  • The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape. 
  • Operational issues and challenges. Use dashboards, alert (correlation), correlate against observables
    Use them for adhoc searching and swimlanes
  • a. Continuation of the integration: enables in-depth investigation by bringing UBA anomalies in as a sourcetype. Significant because all fields in ES are available.
    b. Describe the solution: value of ES, Notable Events, IR. Add context.
    c. Increasing Threat Intel: mention leadership and WP. Coverage.
  • Remind what UBA is.
    Highlight the pics on the right: custom threat.
    Point out the fact that we now have Rules with ML. Competitors have rules with Stats.
  • We’re headed to the East Coast!

    2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
    165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
    30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!

    Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.

    Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!