Transcript of TX DFIR presentation - Texas · Bert Hayes, Senior Solutions Engineer: Splunk, Inc. 2013 – Today
![Page 1: TX DFIR presentation - Texas · Bert Hayes Senior Soluons Engineer: Splunk, Inc. 2013 – Today bert@splunk.com Network Security Analyst Digital Forensics & Incident Response –](https://reader034.fdocuments.in/reader034/viewer/2022042200/5e9f2cc57d355926dc72c5f6/html5/thumbnails/1.jpg)
Copyright © 2015 Splunk Inc.
Enterprise Security
Advanced Threat Detection & Response
Bert Hayes
Page 2: Agenda
● Introduction
● Security Program Critical Path
● Collecting Data to identify breaches
● Incident Response
Page 3: Bert Hayes
● Senior Solutions Engineer: Splunk, Inc. 2013 – Today
● Network Security Analyst
● Digital Forensics & Incident Response – Public Sector Focused
‣ Texas Education Agency
‣ University of Texas at Austin
‣ Texas Department of Information Resources
‣ Texas Higher Education Coordinating Board
Page 4
CYBER CRIMINALS
MALICIOUS INSIDERS
NATION STATES
Page 5: Advanced Threats Are Hard to Find
Cyber Criminals · Nation States · Insider Threats
● 100% – Valid credentials were used
● 40 – Average # of systems accessed
● 229 – Median # of days before detection
● 67% – Of victims were notified by external entity
Source: Mandiant M-Trends Report 2012/2013/2014
Page 6: All Data is Security Relevant = Big Data
● Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
● Traditional: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Page 7: Security Program: The Big Picture
Page 8: Security Program: The Big Picture
It's complicated…
Page 9: Three Interrelated Components of Security
People · Process · Technology
Page 10: But which is most important?
1. People
Process
Technology
Page 11: Then what?
1. People
2. Process
Technology
Page 12: A Security Program
Page 13: Security Critical Path
● Risk & Compliance
● Security Architecture
● Security Engineering
● Security Operations (Includes SOC)
Page 14: Security Critical Path – Risk and Compliance
● Asset identification
● Risk
– Assets
– Threats (Actors, Actions, Modeling)
– Vulnerabilities (Vulnerability management)
● Compliance
Outcome: Prioritized list of what to protect
Page 15: Security Critical Path – Threats
● An extremely important topic of discussion
● Threat: A person, group, or thing likely to damage or endanger
– Internal: Malicious insider, whistleblower, clueless insider
– External: Nation states, organized crime, hacktivists, script kiddies
● Use Microsoft's STRIDE model to generate conversational questions:
– Spoofing (identity)
– Tampering
– Repudiation (proof)
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Page 16: Security Critical Path – Threat Actions and Threat Actors
Source: Verizon DBIR 2015
Page 17: Security Critical Path – Threat Actions and Industries
Source: Verizon DBIR 2015
Page 18: Security Critical Path – Threats and Vulnerabilities
• Can an organization completely prepare for every threat?
• No!
• Can an organization completely eliminate every vulnerability?
• No!
• So where should an organization start?
• By applying Risk Analysis
Page 19: Security Critical Path – Risk
• Risk is an often misunderstood concept and term
• From a conversational perspective, think of risk like this
– Risk = Likelihood × Impact
– Risk = Threats × Vulnerabilities
• Significant Risk only exists with the potential for significant Loss
• If done properly, risk can (and should) be measured in monetary terms, literally: $ £ €
• Risk frameworks to know:
– Annualized Loss Expectancy (ALE), to be used as a counter-example (and to pass the CISSP exam!)
– Factor Analysis of Information Risk (FAIR)
Page 20: Security Critical Path – Risk Treatment
• Once risk has been identified, it must be dealt with
• Avoid
• Reduce
• Transfer
• Accept
Page 21: Security Critical Path – Compliance
• Compliance is often prescriptive, not driven purely by risk analysis
• Controls and activities that do not effectively lower security risk are sometimes required
• If an organization does not have an experienced security team, sometimes compliance is more prominent than risk management
• Compliance is driven by
– Region
– Industry/vertical
– Activities (Credit card processing, etc.)
Compliance can be just as important as Risk as a driver for future phases in the security critical path.
Page 22: Security Critical Path – Security Architecture
● Control Selection/Design
– Defense in depth
– CIS (SANS) 20 Critical Controls
– ISO/IEC 27002
● Controls are also known as countermeasures
● Cost of the countermeasure should be less than the risk facing the organization
● Network security and monitoring architecture
● Interface with other teams
Outcome: What controls will be implemented, and where
Page 23: Adversary Perspective - Attack Kill Chain
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C2)
Actions on Objectives
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Page 24: Gartner's Five Styles of APT Defense
Page 25: Security Critical Path – Security Engineering
● Implement controls
● Maintain security systems, responsible for uptime
● Change management is important
● Operational visibility for security systems
Outcome: Stable platform for security operations
Page 26: Security Critical Path – Security Operations
● Operational security capability
– Prevent
– Detect (includes hunting!)
– Respond
● This is where the Security Operation Center (SOC) lives!
Outcome: Consistent, repeatable, measurable security response capability
Page 27: Get the how-to
Page 28: The Ever-changing Threat Landscape
Copyright © 2015 Splunk Inc.
● 67% – Victims notified by external entity
● 100% – Valid credentials were used
● 229 – Median # of days before detection
Source: Mandiant M-Trends Report 2012/2013/2014
Page 29: Data Sources Required
Threat Intelligence · Network · Endpoint · Access/Identity
Page 30: Data Sources Required
Persist, Repeat
● Threat intelligence – Known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
– 3rd party Threat Intel, Open source blacklist, Internal threat intelligence
● Network – Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement
– Firewall, IDS, IPS, DNS, Email, Web Proxy, NetFlow, Network
● Endpoint – Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service
– AV/IPS/FW, Malware detection, Config Management, Performance, OS logs, File System
● Access/Identity – Access level, privileged use/escalation, system ownership, user/system/service business criticality
– Directory Services, Asset Mgmt, Authentication Logs, Application Services, VPN, SSO
Page 31: Examples of What's Available From the Streaming Network/Wire Data
● Performance Metrics: Round Trip Time, Client Request Time, Server Reply Time, Server Send Time, Total Time Taken, Base HTML Load Time, Page Content Load Time, Total Page Load Time
● Application Data: POST Content, AJAX Data, Section, Sub-Section, Page Title, Session Cookie, Proxied IP Address, Error Message
● Business Data: Product ID, Customer ID, Shopping Cart ID, Cart Items, Cart Values, Discounts, Order ID, Abandoned?
Page 32: Capabilities - Scoping Infections and Breach
Analytics · Context & Intelligence · Connecting Data and People
Page 33: Questions
Page 34: Exploitation != Game Over
Page 35: Best Practices – Breach Response Posture
● Bring in data from (minimum at least one from each category):
– Network – next gen firewall or web proxy, email, dns
– Endpoint – windows logs, registry changes, file changes
– Threat Intelligence – open source or subscription based
– Access and Identity – authentication events, machine-user mapping
● Employ a security intelligence platform so analysts can:
– Contextualize events, analytics and alerts
– Automate their analysis and exploration
– Share techniques and results to learn and improve
Page 36: Resources
Page 37: Kill Chain – Breach Example
Copyright © 2015 Splunk Inc.
Delivery → Exploitation → Installation → C2 → Actions on Objectives
● Delivery: Attacker creates malware, embeds in .pdf, emails to the target; read email, open attachment
● Exploitation/Installation: .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
● C2 (WEB): http (web) session to command & control server
● Actions on Objectives: Remote control, Steal data, Persist in company, Rent as botnet
Data sources: Threat intelligence · Access/Identity · Endpoint · Network
Page 38: Breach Example – Disruption Opportunities
Copyright © 2015 Splunk Inc.
Delivery → Exploitation → Installation → C2 → Actions on Objectives
● Delivery (MAIL): Attacker creates malware, embeds in .pdf, emails to the target; read email, open attachment
● Exploitation/Installation: .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
● C2 (WEB): http (web) session to command & control server
● Actions on Objectives: Remote control, Steal data, Persist in company, Rent as botnet
Data sources: Threat intelligence · Access/Identity · Endpoint · Network
Page 39: Job Continues – Need to Perform Incident Investigation
● Credit card transmitted
● Admin account used
● Hacker tool found
Endpoint Security · Intrusion Detection
Page 40: Use Multiple Data Sources to Link Events
● Malware download
● Blacklisted IP
● Malware execution and installation
● Malicious communication
Page 41: Advanced Threat Detection & Response
Data layers: Threat intelligence · Auth - User Roles, Corp Context · Host Activity/Security · Network Activity/Security
Conduct Business (WEB) → Gain Access to system → Create additional environment
● Transaction
● Events that contain link to file (WebPortal.pdf)
● .pdf → Svchost.exe, Calc.exe
● How was process started? What created the program/process?
● Process making C2 traffic
● Proxy log: C2 communication to blacklist
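The linking this slide describes (a proxy-log hit against a threat-intel blacklist, the process on the host that made the C2 traffic, what created that process, and which user owns it), as an added Python example that is not part of the presentation. The log records, the host name ws-017, the IP addresses, the process names and the user jdoe are all constructed sample data.

```python
"""Correlate a threat-intel blacklist hit across proxy, endpoint and identity data."""

# All sample data below is constructed for this example; it is not from the presentation.
THREAT_INTEL_BLACKLIST = {"203.0.113.45"}   # documentation-range IP standing in for a C2 relay

PROXY_LOG = [   # network layer: web proxy events (source host, destination IP, URL)
    {"time": "10:01:02", "src": "ws-017", "dst": "198.51.100.7", "url": "http://news.example/"},
    {"time": "10:03:15", "src": "ws-017", "dst": "203.0.113.45", "url": "http://c2.example/gate"},
]
PROCESS_LOG = [   # host layer: process creation events that carry the parent PID
    {"host": "ws-017", "pid": 4120, "ppid": 3010, "image": "AcroRd32.exe", "user": "jdoe"},
    {"host": "ws-017", "pid": 4388, "ppid": 4120, "image": "calc.exe",     "user": "jdoe"},
    {"host": "ws-017", "pid": 4401, "ppid": 4388, "image": "svchost.exe",  "user": "jdoe"},
]
NETCONN_LOG = [   # host layer: network connections attributed to a PID
    {"time": "10:03:15", "host": "ws-017", "pid": 4401, "dst": "203.0.113.45"},
]
IDENTITY = {"jdoe": {"role": "finance-analyst", "privileged": False}}   # access/identity context


def blacklist_hits(proxy_log, blacklist):
    """Proxy events whose destination appears in the threat-intel blacklist."""
    return [e for e in proxy_log if e["dst"] in blacklist]


def index_processes(process_log):
    """Key process records by (host, pid) so parent lookups are O(1)."""
    return {(e["host"], e["pid"]): e for e in process_log}


def process_chain(process_log, host, pid):
    """Follow ppid links from pid back to the root: answers 'what created the process?'.
    Returns image names oldest-first; empty if the pid is unknown on that host."""
    by_pid = index_processes(process_log)
    chain, seen = [], set()
    while (host, pid) in by_pid and (host, pid) not in seen:   # seen guards against PID-reuse loops
        seen.add((host, pid))
        entry = by_pid[(host, pid)]
        chain.append(entry["image"])
        pid = entry["ppid"]
    return chain[::-1]


def link_events(proxy_log, netconn_log, process_log, identity, blacklist):
    """For each blacklist hit: which host, which process made the C2 traffic,
    what spawned that process, and which user (and role) owns it."""
    by_pid = index_processes(process_log)
    findings = []
    for hit in blacklist_hits(proxy_log, blacklist):
        for conn in netconn_log:
            if conn["host"] != hit["src"] or conn["dst"] != hit["dst"]:
                continue
            proc = by_pid.get((conn["host"], conn["pid"]))
            user = proc["user"] if proc else "unknown"   # endpoint record may be missing
            findings.append({
                "host": hit["src"],
                "c2": hit["dst"],
                "url": hit["url"],
                "process_chain": process_chain(process_log, conn["host"], conn["pid"]),
                "user": user,
                "role": identity.get(user, {}).get("role", "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in link_events(PROXY_LOG, NETCONN_LOG, PROCESS_LOG, IDENTITY, THREAT_INTEL_BLACKLIST):
        print(f"{f['host']}: {' -> '.join(f['process_chain'])} contacted {f['c2']} "
              f"as {f['user']} ({f['role']})")
```

A proxy hit with no matching per-process connection record produces no finding, which is exactly the gap the slide's "at least one source per category" advice is meant to close.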
Page 42: Connect the "Data-Dots" to See the Whole Story
Kill chain: Delivery, Exploit, Installation → Gain Trusted Access → Exfiltration, Data Gathering, Upgrade (escalate), Lateral movement → Persist, Repeat
● Threat intelligence – Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
– Third-party Threat Intel, Open source blacklist, Internal threat intelligence
● Network Activity/Security – Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
– Firewall, IDS/IPS, Vulnerability scanners, Web Proxy, NetFlow, Network
● Host Activity/Security – What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
– Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching
● Auth - User Roles, Corp Context – Access level, privileged users, likelihood of infection, where they might be in kill chain
– Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO
Page 43: Connect the "Data-Dots" to See the Whole Story
Data layers: Threat intelligence · Auth - User Roles, Corp Context · Host Activity/Security · Network Activity/Security
Delivery (MAIL) → Exploitation & Installation (WEB) → Command & Control (WEB, FW) → Accomplish Mission
● phishing; Download from infected site
● Threat Intelligence Data
● Email Data or Web Data
● Host or ETDR Data
● Web or Firewall Data
● Identity Data: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
Page 44: Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
Data layers: Threat intelligence · Auth - User Roles, Corp Context · Host Activity/Security · Network Activity/Security
Delivery (MAIL) → Exploitation & Installation (WEB) → Command & Control (WEB, FW) → Accomplish Mission
● phishing; Download from infected site
● Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
● Threat intelligence: Third-Party Threat Intel, Open source blacklist, Internal threat intelligence
● Network: Firewall, IDS/IPS, Vulnerability scanners, Web Proxy, NetFlow, Network
● Host: Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching
● Auth: Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO
Page 45: Thank You
Page 46: Rapid Ascent in the Gartner SIEM Magic Quadrant*
● 2015 Leader and the only vendor to improve its visionary position
● 2014 Leader
● 2013 Leader
● 2012 Challenger
● 2011 Niche Player
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Page 47: Industry Accolades
Copyright © 2015 Splunk Inc.
● Best SIEM Solution
● Best Enterprise Security Solution
● Best SIEM
Page 48: Thriving Community
● Dev.splunk.com
● 40,000+ questions and answers
● 800+ apps
● Local User Groups and SplunkLive! events