18. Augmenting rule-based detection with pattern analysis
Rules View
Breaking the speed limit
If one or more of these things happen, let me know
Watches only for what is known
No concept of what is "normal"
Patterns View
Watches for rhythms in your data over time against what is "normal" (normal will not be static)
Takes advantage of "weak signals" from non-traditional security data
Watches for what you don't know
Patterns + Analytics enables decisions
20. Example: Patterns of Beaconing Hosts to Command and Control
Pattern:
APT malware 'beacons' to command and control at specific intervals
Splunk pattern search
Watching for hosts that talk to the same URL at the same interval every day
… | streamstats current=f last(_time) as next_time by site | eval gap=next_time-_time | stats count avg(gap) var(gap) by site
What you'd be looking out for are sites that have a low var(gap) value.
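The same inter-request gap statistic computed outside Splunk, as an added example that is not part of the original deck: the events, hosts, site names and thresholds are constructed, and the search is keyed by host as well as site so that two hosts hitting one site are not averaged together.

```python
from collections import defaultdict
from statistics import mean, variance

# Constructed sample events: (epoch seconds, client host, site). Not real traffic.
EVENTS = [
    (0, "10.1.1.5", "update.example-cdn.test"),
    (600, "10.1.1.5", "update.example-cdn.test"),
    (1200, "10.1.1.5", "update.example-cdn.test"),
    (1800, "10.1.1.5", "update.example-cdn.test"),
    (2400, "10.1.1.5", "update.example-cdn.test"),
    (30, "10.1.1.7", "news.example.test"),
    (190, "10.1.1.7", "news.example.test"),
    (2000, "10.1.1.7", "news.example.test"),
    (2100, "10.1.1.7", "news.example.test"),
    (7200, "10.1.1.7", "news.example.test"),
]

def gap_stats(events):
    """Per (host, site): request count, mean gap and sample variance of the gap.

    Same computation as the slide's Splunk search
      ... | streamstats current=f last(_time) as next_time by site
          | eval gap=next_time-_time | stats count avg(gap) var(gap) by site
    but keyed by host as well, so two hosts hitting one site are not mixed.
    """
    by_key = defaultdict(list)
    for ts, host, site in events:
        by_key[(host, site)].append(ts)
    result = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # variance needs at least two gaps
        result[key] = (len(times), mean(gaps), variance(gaps))
    return result

def beacon_candidates(events, min_count=4, max_var=1.0):
    """(host, site) pairs with near-constant gaps: the low var(gap) the slide flags.

    The thresholds are assumptions chosen for the sample; tune them to real volumes.
    """
    return sorted(key for key, (n, _, var) in gap_stats(events).items()
                  if n >= min_count and var <= max_var)

if __name__ == "__main__":
    for key, (n, avg_gap, var_gap) in sorted(gap_stats(EVENTS).items()):
        print(key, "count=%d avg(gap)=%.0f var(gap)=%.0f" % (n, avg_gap, var_gap))
    print("beacon candidates:", beacon_candidates(EVENTS))
```

The regular host comes out with var(gap) of 0 while the browsing host's gaps vary by thousands of seconds, which is the separation the slide relies on.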
21. Example: Time-based Pattern-detection
Beaconing of hosts to command and control #2
Pattern:
APT malware 'beacons' to command and control at specific intervals
Splunk pattern search
An abnormally high number of same-sized DNS requests from an internal host.
sourcetype=dns | eval Length=len(file) | stats count(clientip) by Length | sort - Length
27. Metadata carries more detail than Netflow
Netflow Record
12.34.56.78:3022 – 87.65.43.21:2525
bytes transferred 512k
Time 14:24:37 6/6/2012
Metadata Record
12.34.56.78:3022 – 87.65.43.21:2525
sender nick.fury@shield.com
recipient tony.stark@starkinc.com
subject A funny test
attachment name Unicorn0x202Egpj.scr
attachment size 511k
attachment mime application/octet-stream
body Hi Tony,
A funny pic and see if
you are color blindness.
…
28. Metadata is also easier to analyze than raw data
Raw Data
12.34.56.78:3022 – 87.65.43.21:2525
Delivered-To: tony.stark@starkinc.com
Received: by 10.180.4.35 with SMTP id h3csp12899wih; Thu, 6 Jun 2012 01:16:16 -0700 (PDT)
Received: by 10.68.134.106 with SMTP id pj10mr4091060pbb.112.1340266576086; Thu, 6 Jun 2012 01:16:16 -0700 (PDT)
Return-Path: <nick.fury@shield.com>
Received: from mail.shielld.com (mail.shield.com. [12.34.56.78]); Thu, 6 Jun 2012 01:16:16 -0700 (PDT)
Received: from jarvis.starkinc.com ([172.17.1.3]); Thu, 6 Jun 2012 16:16:04 +0800 (CST) (envelope-from nick.fury@shield.com)
To: tony.stark@starkinc.com <tony.stark@starkinc.com>
MIME-Version: 1.0
Subject: A funny test
…
Metadata Record
12.34.56.78:3022 – 87.65.43.21:2525
sender nick.fury@shield.com
recipient tony.stark@starkinc.com
subject A funny test
attachment name Unicorn0x202Egpj.scr
attachment size 511k
attachment mime application/octet-stream
body Hi Tony,
A funny pic and see if
you are color blindness.
…
Human behavior: I download a PDF from a site, I spend a few minutes reviewing it, and then I may download another PDF.
Malware behavior: I download the PDF, and the malware skips the human review part and sends a signal back to the site saying my system is owned.
Splunk's analytics language can be configured to monitor for the difference between these two behaviors.
Once inside the environment, malware beacons back to an attacker at specific intervals. No human surfs to the same site every day at a regular interval or at exactly the same time every day.
Another way to find anomalous behaviors is to watch for DNS requests that are the same length and then group these together watching for