Abstract image of a woman sitting on books and studying on a laptop

Threat Hunting with Splunk

Splunk, profile picture
Splunk

This document provides an overview of threat hunting using Splunk. It begins with an introduction to threat hunting and why it is important. The presentation then discusses key building blocks for driving threat hunting maturity, including search and visualization, data enrichment, ingesting data sources, and applying machine learning. It provides examples of internal data sources that can be used for hunting like IP addresses, network artifacts, DNS, and endpoint data. The presentation demonstrates hunting using the Microsoft Sysmon endpoint agent, walking through an example attack scenario matching the Cyber Kill Chain framework. It shows how to investigate a potential compromise by searching across web, DNS, proxy, firewall, and endpoint data in Splunk to trace suspicious activity back to a specific user.

Technology
1 of 112
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
Threat Hunting with Splunk Presenter: Ken Westin M.Sc, OSCP, ITPM Splunk, Security Market Specialist http://www.slideshare.net/kwestin/threat-hunting-71883454
Prework for today ● Setup Splunk Enterprise Security Sandbox ● Install free Splunk on laptop ● Install ML Toolkit app https://splunkbase.splunk.com/app/2890/
3 > Ken Westin kwestin@splunk.com @kwestin • 1.5 year at Splunk – Security Strategist • Based in Portland, Oregon • 20 years in technology and security • M.Sc, OSCP, ITPM • Trained in offensive & defensive security $whoami
Agenda • Threat Hunting Basics • Threat Hunting Data Sources • Sysmon Endpoint Data • Cyber Kill Chain • Walkthrough of Attack Scenario Using Core Splunk (hands on) • Advanced Threat Hunting Techniques & Security Essentials • Enterprise Security Walkthrough • Applying Machine Learning and Data Science to Security
Log In Credentials January, February & March https://54.144.69.125 April, May & June https://52.55.68.96 July and August https://54.164.82.160 September and October https://52.23.227.212 November and December https://52.202.90.207 User: hunter Pass: pr3dat0r Birth Month
These won’t work…
Am I in the right place? Some familiarity with… ● CSIRT/SOC Operations ● General understanding of Threat Intelligence ● General understanding of DNS, Proxy, and Endpoint types of data 7
What is threat hunting, why do you need it? The What? • Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain 2 8 The Why? • Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] 1 2 Cyber Threat Hunting - Samuel Alonso blog, Jan 20161 The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016 “Threat Hunting is not new, it’s just evolving!”
Threat Hunting with Splunk
Threat Hunting with Splunk 10 Vs.
Search & Visualisation Enrichment Data Automation 11 Human Threat Hunter Key Building Blocks to Drive Threat Hunting Maturity Ref: The he Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016 Objectives > Hypotheses > Expertise
“A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. This often requires an immodest determination” Henry A. Crumpton The Art of Intelligence: Lessons From A life In the CIA’s Clandestine Service 12
SANS Threat Hunting Maturity 13 Ad Hoc Search Statistical Analysis Visualization Techniques Aggregation Machine Learning/ Data Science 85% 55% 50% 48% 32% Source: SANS IR & Threat Hunting Summit 2016
Search & Visualisation Enrichment Data Automation Human Threat Hunter How Splunk helps You Drive Threat Hunting Maturity Threat Hunting Automation Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning Threat Hunting Data Enrichment Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships Search & Visualise Relationships for Faster Hunting Search and correlate data while visually fusing results for faster context, analysis and insight Ingest & Onboard Any Threat Hunting Machine Data Source Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity
Hunting Tools: Internal Data 15 • IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring Tools: Firewalls, proxies, Splunk Stream, Bro, IDS • Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services Tools: Splunk Stream, Bro IDS, FPC, Netflow • DNS: activity, queries and responses, zone transfer activity Tools: Splunk Stream, Bro IDS, OpenDNS • Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory • Vulnerability Management Data Tools: Tripwire IP360, Qualys, Nessus • User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist Splunk UBA, (All of the above)
Persist, Repeat Threat Intelligence Access/Identity Endpoint Network Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain • Third-party threat intel • Open-source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO Typical Data Sources • Web proxy • NetFlow • Network
Endpoint: Microsoft Sysmon Primer 17 ● TA Available on the App Store ● Great Blog Post to get you started ● Increases the fidelity of Microsoft Logging Blog Post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
Log In Credentials January, February & March https://54.144.69.125 April, May & June https://52.55.68.96 July and August https://54.164.82.160 September and October https://52.23.227.212 November and December https://52.202.90.207 User: hunter Pass: pr3dat0r Birth Month
Sysmon Event Tags 19 Maps Network Comm to process_id Process_id creation and mapping to parentprocess_id
sourcetype=X* | search tag=communicate 20
sourcetype=X* | dedup tag| search tag=process 21
Data Source Mapping
Demo Story - Kill Chain Framework Successful brute force – download sensitive pdf document Weaponize the pdf file with Zeus Malware Convincing email sent with weaponized pdf Vulnerable pdf reader exploited by malware. Dropper created on machine Dropper retrieves and installs the malware Persistence via regular outbound comm Data Exfiltration Source: Lockheed Martin
Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication Stream Investigations– chooseyour data wisely 24
APT Transaction Flow Across Data Sources 25 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Our Investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
index=zeus_demo3 26 in search:
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including… Web DNS Proxy Firewall Endpoint Email
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. } We also have detailed info on each process and can map it back to the user and parent process.} Lets get our day started by looking using threat intel to prioritize our efforts and focus on communication with known high risk entities.
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We are seeing high risk communication from multiple data sources. We see multiple threat intel related events across multiple source types associated with the IP Address of Chris Gilbert. Let’s take closer look at the IP Address. We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe. This dashboard is based on event data that contains a threat intel based indicator match( IP Address, domain, etc.). The data is further enriched with CMDB based Asset/identity information.
We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources. These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address. ScrollDown Scroll down the dashboard to examine these threat intel events associated with the IP Address. We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not not common within the traditional SOC. The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation. Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred which is common when data is being exfiltrated.
Exfiltration of data is a serious concern and outbound communication to external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Lets continue the investigation. Another clue. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. Not good. We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down such as the user ID that started the process and the associated CMDB enrichment information.
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name. We also can see that the parent process that created this suspicuous svchost.exe process is called calc.exe. This has brought us to the Process Explorer dashboard which lets us view Windows Sysmon endpoint data. Suspected Malware Lets continue the investigation by examining the parent process as this is almost certainly a genuine threat and we are now working toward a root cause. This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper. Suspected Downloader/Dropper This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe. …which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack. Suspected Downloader/Dropper Suspected Vulnerable AppWe have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
We can see that the PDF Reader process has no identified parent and is the root of the infection. ScrollDown Scroll down the dashboard to examine activity related to the PDF reader process.
Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email and we have access to our email logs as one of our important data sources. Lets copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
Lets dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
index=zeus_demo3 2nd_qtr_2014_report.pdf 39 in search:
Lets search though multiple data sources to quickly get a sense for who else may have have been exposed to this file. We will come back to the web activity that contains reference to the pdf file but lets first look at the email event to determine the scope of this apparent phishing attack.
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment. Hold On! That’s not our Domain Name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice. This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
Root Cause Recap 42 Data Sources .pdf executes & unpacks malware overwriting and running “allowed” programs http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web .pdf Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We utilized threat intel to detect communication with known high risk indicators and kick off our investigation then worked backward through the kill chain toward a root cause. Key to this investigative process is the ability to associate network communications with endpoint process data. This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
43 Lets revisit the search for additional information on the 2nd_qtr_2014- _report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Select the access_combined sourcetype to investigate further.
44 The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com. There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.
45 Select the IP Address, left-click, then select “New search”. We would like to understand what else this IP Address has accessed in the environment.
46 That’s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests over the below window. ScrollDown Scroll down the dashboard to examine other interesting fields to further investigate. Notice the Googlebot useragent string which is another attempt to avoid raising attention..
47 The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack. After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the zeus malware, then delivered it to Chris Gilbert as a phishing email. The attacker is also accessing admin pages which may be an attempt to establish persistence via a backdoor into the web site.
Kill Chain Analysis Across Data Sources 48 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication. We Began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales. Investigation complete! Lets get this turned over to Incident Reponse team. We traced the svchost.exe Zeus malware back to it’s parent process ID which was the calc.exe downloader/dropper. Once our root cause analysis was complete, we shifted out focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website. We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email. A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user. We traced calc.exe back to the vulnerable application PDF Reader.
10 min Break!
Appendix - SQLi - DNS Exfilatration - Splunk Security Essentials
SQLi
SQL Injection ● SQL injection ● Code injection ● OS commanding ● LDAP injection ● XML injection ● XPath injection ● SSI injection ● IMAP/SMTP injection ● Buffer overflow
Imperva Web Attacks Report, 2015
Threat Hunting with Splunk
The anatomy of a SQL injection attack SELECT * FROM users WHERE email='xxx@xxx.com' OR 1 = 1 -- ' AND password='xxx'; xxx@xxx.xxx' OR 1 = 1 -- ' xxx admin@admin.sys 1234 An attacker might supply:
…and so far this year… 39
index=web_vuln password select
What have we here? Our learning environment consists of: • A bunch of publically-accessible single Splunk servers • Each with ~5.5M events, from real environments but massaged: • Windows Security events • Apache web access logs • Bro DNS & HTTP • Palo Alto traffic logs • Some other various bits
https://splunkbase.splunk.com/app/1528/ Search for possible SQL injection in your events:  looks for patterns in URI query field to see if anyone has injected them with SQL statements  use standard deviations that are 2.5 times greater than the average length of your URI query field Macros used • sqlinjection_pattern(sourcetype, uri query field) • sqlinjection_stats(sourcetype, uri query field)
Regular Expression FTW sqlinjection_rex is a search macro. It contains: (?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([ %27|'](%20)*=(%20)*[%27|'])|w*[%27|']or) Which means: In the string we are given, look for ANY of the following matches and put that into the “injection” field. • Anything containing SELECT followed by FROM • Anything containing UNION followed by SELECT • Anything with a ‘ at the end • Anything containing DELETE followed by FROM • Anything containing UPDATE followed by SET • Anything containing ALTER followed by TABLE • A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘ • Note: %27 is encoded “’” and %20 is encoded <space> • Any amount of word characters followed by a %27 OR a ‘ and then “or”
Bonus: Try out the SQL Injection app!
Summary: Web attacks/SQL injection ● SQL injection provide attackers with easy access to data ● Detecting advanced SQL injection is hard – use an app! ● Understand where SQLi is happening on your network and put a stop to it. ● Augment your WAF with enterprise-wide Splunk searches.
DNS Exfiltration
domain=corp;user=dave;password=12345 encrypt DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNS exfil tends to be overlooked within an ocean of DNS data. Let’s fix that! DNS exfiltration
FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests! https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos- variant-exfiltrates-data-via-dns-requests “ ” … few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network. http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally- beauty-breach/#more-30872 “ ” DNS exfiltration
https://splunkbase.splunk.com/app/2734/ DNS exfil detection – tricks of the trade  parse URLs & complicated TLDs (Top Level Domain)  calculate Shannon Entropy List of provided lookups • ut_parse_simple(url) • ut_parse(url, list) or ut_parse_extended(url, list) • ut_shannon(word) • ut_countset(word, set) • ut_suites(word, sets) • ut_meaning(word) • ut_bayesian(word) • ut_levenshtein(word1, word2)
Examples • The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low) • The domain google.com has a Shannon Entropy score of 2.6 (rather low) • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high) Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string Shannon Entropy
Detecting Data Exfiltration index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen TIPS  Leverage our Bro DNS data  Calculate Shannon Entropy scores  Calculate subdomain length  Display Details
Detecting Data Exfiltration … | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2 TIPS  Leverage our Bro DNS data  Calculate Shannon Entropy scores  Calculate subdomain length  Display count, scores, lengths, deviations
Detecting Data Exfiltration RESULTS • Exfiltrating data requires many DNS requests – look for high counts • DNS exfiltration to mooo.com and chickenkiller.com
Summary: DNS exfiltration ● Exfiltration by DNS and ICMP is a very common technique ● Many organizations do not analyze DNS activity – do not be like them! ● No DNS logs? No Splunk Stream? Look at FW byte counts
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/ Identify bad guys in your environment:  45+ use cases common in UEBA products, all free on Splunk Enterprise  Target external attackers and insider threat  Scales from small to massive companies  Save from the app, send results to ES/UBA The most widely deployed UEBA vendor in the market is Splunk Enterprise, but no one knows it. Solve use cases you can today for free, then use Splunk UBA for advanced ML detection.
Splunk Security Essentials Time Series Analysis with Standard Deviation First Time Seen powered by stats General Security Analytics Searches Types of Use Cases
Splunk Security Essentials Data Sources Electronic Medical Record Source Code Repository
● How does the app work? – Leverages primarily | stats for UEBA – Also implements several advanced Splunk searches (URL Toolbox, etc.) ● Why call it UEBA? – These use cases are often in UEBA tools – 2/3 of use case build on a baseline, which is a hallmark of UEBA – 1/3 are advanced analytics that other vendors showcase in their UEBA ● How does it scale? – App automates the utilization of high scale techniques – Summary indexing for Time Series, caching in lookup for First Time
Splunk Enterprise Security
79 Splunk Enterprise - Big Data Analytics Platform - Splunk Enterprise Security - Security Analytics Platform - Threat Hunting with Splunk Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity Threat Hunting Data Enrichment Threat Hunting Automation Ingest & Onboard Any Threat Hunting Machine Data Source Search & Visualise Relationships for Faster Hunting
Other Items To Note Items to Note Navigation - How to Get Here Description of what to click on Click
Key Security Indicators (build your own!) Sparklines Editable
Various ways to filter data Malware-Specific KSIs and Reports Security Domains -> Endpoint -> Malware Center
Filterable KSIs specific to Risk Risk assigned to system, user or other Under Advanced Threat, select Risk Analysis
(Scroll Down) Recent Risk Activity Under Advanced Threat, select Risk Analysis
Filterable, down to IoC KSIs specific to Threat Most active threat source Scroll down… Scroll Under Advanced Threat, select Threat Activity
Specifics about recent threat matches Under Advanced Threat, select Threat Activity
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads Click
Click “Threat Artifacts” Under “Advanced Threat” Click
Artifact Categories – click different tabs… STIX feed Custom feed Under Advanced Threat, select Threat Artifacts
Review the Advanced Threat content Click
Data from asset framework Configurable Swimlanes Darker=more events All happened around same timeChange to “Today” if needed Asset Investigator, enter “192.168.56.102”
Data Science & Machine Learning In Security 92
Disclaimer: I am not a data scientist
Types of Machine Learning Supervised Learning: generalizing from labeled data
Supervised Machine Learning 95 Domain Name TotalCnt RiskFactor AGD SessionTime RefEntropy NullUa Outcome yyfaimjmocdu.com 144 6.05 1 1 0 0 Malicious jjeyd2u37an30.com 6192 5.05 0 1 0 0 Malicious cdn4s.steelhousemedia.com 107 3 0 0 0 0 Benign log.tagcade.com 111 2 0 1 0 0 Benign go.vidprocess.com 170 2 0 0 0 0 Benign statse.webtrendslive.com 310 2 0 1 0 0 Benign cdn4s.steelhousemedia.com 107 1 0 0 0 0 Benign log.tagcade.com 111 1 0 1 0 0 Benign
Unsupervised Learning: generalizing from unlabeled data
Unsupervised Machine Learning • No tuning • Programmatically finds trends • UBA is primarily unsupervised • Rigorously tested for fit 97 AlgorithmRaw Security Data Automated Clustering
98
ML Toolkit & Showcase • Splunk Supported framework for building ML Apps – Get it for free: http://tiny.cc/splunkmlapp • Leverages Python for Scientific Computing (PSC) add-on: – Open-source Python data science ecosystem – NumPy, SciPy, scitkit-learn, pandas, statsmodels • Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more • Standard algorithms out of the box: – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc. – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc. • Implement one of 300+ algorithms by editing Python scripts
Machine Learning Toolkit Demo 100
Threat Hunting with Splunk
Splunk UBA
103 Splunk Enterprise - Big Data Analytics Platform - Splunk Enterprise Security - Security Analytics Platform - Threat Hunting with Splunk Threat Hunting Data Enrichment Threat Hunting Automation Ingest & Onboard Any Threat Hunting Machine Data Source Search & Visualise Relationships for Faster Hunting Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity User Behavior Analytics - Security Data Science Platform -
104 Machine Learning Security Use Cases MachineLearningUseCases Polymorphic Attack Analysis Behavioral Peer Group Analysis User & Entity Behavior Baseline Entropy/Rare Event Detection Cyber Attack / External Threat Detection Reconnaissance, Botnet and C&C Analysis Lateral Movement Analysis Statistical Analysis Data Exfiltration Models IP Reputation Analysis Insider Threat Detection User/Device Dynamic Fingerprinting
Splunk UBA Use Cases ACCOUNT TAKEOVER • Privileged account compromise • Data exfiltration LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation SUSPICIOUS ACTIVITY • Misuse of credentials • Geo-location anomalies MALWARE ATTACKS • Hidden malware activity BOTNET, COMMAND & CONTROL • Malware beaconing • Data leakage USER & ENTITY BEHAVIOR ANALYTICS • Suspicious behavior by accounts or devices EXTERNAL THREATSINSIDER THREATS
Splunk User Behavior Analytics (UBA) • ~100% of breaches involve valid credentials (Mandiant Report) • Need to understand normal & anomalous behaviors for ALL users • UBA detects Advanced Cyberattacks and Malicious Insider Threats • Lots of ML under the hood: – Behavior Baselining & Modeling – Anomaly Detection (30+ models) – Advanced Threat Detection • E.g., Data Exfil Threat: – “Saw this strange login & data transferfor user kwestin at 3am in China…” – Surface threat to SOC Analysts
RAW SECURITY EVENTS ANOMALIES ANOMALY CHAINS (THREATS) MACHINE LEARNING GRAPH MINING THREAT MODELS Lateral Movement Beaconing Land-Speed Violation HCI Anomalies graph Entity relationship graph Kill chain sequence Forensic artifacts Threat/Risk scoring FEEDBACK
Overall Architecture 108 Real-Time Infra (Storm-based) FilterEvents DropEvents ModelExecution& OnlineTraining Runtime Topologies Threat and Anomaly Review Hadoop/HDFS Data Receivers (flume, REST, etc.) Real-Time Updates/No tifications App/SaaS Connectors Core + ES Network Data Push/Pull Model Persistence Layer DataDistributed Kafka ETL IR Model Parsers Filters Attribution ControlPath–Resource/HealthMonitoring HBase/HDFS Direct Access Façade GraphDB SQL Access Layer Node.js Socket.io server SQL Store (Threats/ Anomalies) Time-Series DBModel Registry Model Store HBase Model N Data Model 1 Model N Model 1 Model N Neo4J (Graph visualizations) Rules Engine Anomalies + Threats Analytics Store Syslog and Other Data
Data Flow and System Requirements API CONNECTOR SYSLOG FORWARDER Explore Visualize ShareAnalyze Dashboards RESULTS THREAT & ANOMALY DATA QUERY UBA REQUEST FOR ADDITIONAL DETAILS THREATS RESULTS QUERY NOTABLE EVENTS RISK SCORING FRAMEWORK WORKFLOW MANAGEMENT VM Search head Standard RT Query VM specs: - Ubuntu/RHEL - 16 cores - 64 GB RAM - Local and network disks - GigE connectivity Performance/scale: - UBA v2.3 - E.g., 5-nodes - 25K EPS - Add nodes for near-linear scale Splunk Enterprise: - RT search capability - 8-10 concurrent searches - REST API port (8089) - SA-LDAPSEARCH Shared network storage
Splunk UBA Demo 110
Security Workshops ● Security Readiness Workshop ● Data Science Workshop ● Enterprise Security Benchmark Assessment
Security Workshop Survey https://www.surveymonkey.com/r/3T6T9TH kwestin@splunk.com Twitter: @kwestin linkedin.com/in/kwestin

More Related Content

PDF
Threat Hunting with Splunk Hands-on
Splunk
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Threat Hunting with Splunk Hands-on
Splunk
 
PDF
Threat Hunting Workshop
Splunk
 
PDF
Splunk Threat Hunting Workshop
Splunk
 
PPTX
Threat hunting for Beginners
SKMohamedKasim
 
PDF
Defending Against the Dark Arts of LOLBINS
Brent Muir
 
Threat Hunting with Splunk Hands-on
Splunk
 
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Threat Hunting with Splunk
Splunk
 
Threat Hunting with Splunk Hands-on
Splunk
 
Threat Hunting Workshop
Splunk
 
Splunk Threat Hunting Workshop
Splunk
 
Threat hunting for Beginners
SKMohamedKasim
 
Defending Against the Dark Arts of LOLBINS
Brent Muir
 

What's hot (20)

PPTX
Threat hunting in cyber world
Akash Sarode
 
PDF
Threat Hunting
Splunk
 
PPTX
Splunk Security Session - .conf Go Köln
Splunk
 
PPTX
Security operation center (SOC)
Ahmed Ayman
 
PDF
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
PPTX
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE - ATT&CKcon
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PPTX
Splunk Overview
Splunk
 
PPTX
Splunk for Enterprise Security and User Behavior Analytics
Splunk
 
PPTX
Crowdstrike .pptx
uthayakumar174828
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PDF
Threat Hunting with Splunk
Splunk
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PDF
Threat Hunting with Splunk
Splunk
 
PDF
Cyber Threat Intelligence - It's not just about the feeds
Iain Dickson
 
PPTX
Splunk Architecture overview
Alex Fok
 
PPTX
Security Information and Event Management (SIEM)
k33a
 
PPTX
SIEM Primer:
Anton Chuvakin
 
PDF
Windows Threat Hunting
GIBIN JOHN
 
Threat hunting in cyber world
Akash Sarode
 
Threat Hunting
Splunk
 
Splunk Security Session - .conf Go Köln
Splunk
 
Security operation center (SOC)
Ahmed Ayman
 
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE - ATT&CKcon
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Splunk Overview
Splunk
 
Splunk for Enterprise Security and User Behavior Analytics
Splunk
 
Crowdstrike .pptx
uthayakumar174828
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Threat Hunting with Splunk
Splunk
 
OSINT for Attack and Defense
Andrew McNicol
 
Threat Hunting with Splunk
Splunk
 
Cyber Threat Intelligence - It's not just about the feeds
Iain Dickson
 
Splunk Architecture overview
Alex Fok
 
Security Information and Event Management (SIEM)
k33a
 
SIEM Primer:
Anton Chuvakin
 
Windows Threat Hunting
GIBIN JOHN
 
Ad

Similar to Threat Hunting with Splunk (20)

PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Threat Hunting with Splunk
Splunk
 
PDF
Splunk workshop-Threat Hunting
Splunk
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Threat Hunting
Splunk
 
PDF
Threat Hunting Workshop
Splunk
 
PDF
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
PDF
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
PDF
Splunk for Security
Gabrielle Knowles
 
PDF
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
PDF
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
PPTX
Using Big Data for Cybersecurity
Splunk
 
PDF
Applied cognitive security complementing the security analyst
Priyanka Aash
 
PPTX
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
PPTX
OpenSourceIntelligence-OSINT.pptx
anonymousanonymous428352
 
PPTX
AMP_Security_ Malware Protection Presentatiion
SohanGole1
 
PPTX
Operational Security Intelligence
Splunk
 
PPTX
Best Practices for Scoping Infections and Disrupting Breaches
Splunk
 
PPTX
Why do women love chasing down bad guys?
SITA
 
Threat Hunting with Splunk
Splunk
 
Threat Hunting with Splunk
Splunk
 
Threat Hunting with Splunk
Splunk
 
Splunk workshop-Threat Hunting
Splunk
 
Threat Hunting with Splunk
Splunk
 
Threat Hunting
Splunk
 
Threat Hunting Workshop
Splunk
 
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
Splunk for Security
Gabrielle Knowles
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
Using Big Data for Cybersecurity
Splunk
 
Applied cognitive security complementing the security analyst
Priyanka Aash
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
OpenSourceIntelligence-OSINT.pptx
anonymousanonymous428352
 
AMP_Security_ Malware Protection Presentatiion
SohanGole1
 
Operational Security Intelligence
Splunk
 
Best Practices for Scoping Infections and Disrupting Breaches
Splunk
 
Why do women love chasing down bad guys?
SITA
 
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
PDF
Building Resilience with Energy Management for the Public Sector
Splunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
PDF
.conf Go 2023 - Data analysis as a routine
Splunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Building Resilience with Energy Management for the Public Sector
Splunk
 
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 

Recently uploaded (20)

PDF
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
PDF
zbrain.ai-Scope Key Metrics Configuration and Best Practices.pdf
ChristopherTHyatt
 
PDF
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
PDF
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Ravi Tamada
 
PDF
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
PDF
SaaS reusability assessment using machine learning techniques
IAESIJAI
 
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
PDF
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
Michael Weaver
 
PDF
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
DROK2
 
PPTX
AI-driven Assurance Across Your End-to-end Network With ThousandEyes
ThousandEyes
 
PDF
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
PDF
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
thomasnova26
 
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
CEH Module 2 Footprinting CEH V13, concepts
ammarhassan185568
 
PDF
Build Real-Time ML Apps with Python, Feast & NoSQL
ScyllaDB
 
PDF
Examining Bias in AI Generated News Content.pdf
Government
 
PPTX
Build automations faster and more reliably with UiPath ScreenPlay
AndreeaTom
 
PDF
substrate PowerPoint Presentation basic one
jwaite4
 
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
zbrain.ai-Scope Key Metrics Configuration and Best Practices.pdf
ChristopherTHyatt
 
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Ravi Tamada
 
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
SaaS reusability assessment using machine learning techniques
IAESIJAI
 
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
AI.gov: A Trojan Horse in the Age of Artificial Intelligence
Michael Weaver
 
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
DROK2
 
AI-driven Assurance Across Your End-to-end Network With ThousandEyes
ThousandEyes
 
Lung cancer patients survival prediction using outlier detection and optimize...
IAESIJAI
 
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
thomasnova26
 
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
CEH Module 2 Footprinting CEH V13, concepts
ammarhassan185568
 
Build Real-Time ML Apps with Python, Feast & NoSQL
ScyllaDB
 
Examining Bias in AI Generated News Content.pdf
Government
 
Build automations faster and more reliably with UiPath ScreenPlay
AndreeaTom
 
substrate PowerPoint Presentation basic one
jwaite4
 

Threat Hunting with Splunk

  • 1. Threat Hunting with Splunk Presenter: Ken Westin M.Sc, OSCP, ITPM Splunk, Security Market Specialist http://www.slideshare.net/kwestin/threat-hunting-71883454
  • 2. Prework for today ● Setup Splunk Enterprise Security Sandbox ● Install free Splunk on laptop ● Install ML Toolkit app https://splunkbase.splunk.com/app/2890/
  • 3. 3 > Ken Westin [email protected] @kwestin • 1.5 year at Splunk – Security Strategist • Based in Portland, Oregon • 20 years in technology and security • M.Sc, OSCP, ITPM • Trained in offensive & defensive security $whoami
  • 4. Agenda • Threat Hunting Basics • Threat Hunting Data Sources • Sysmon Endpoint Data • Cyber Kill Chain • Walkthrough of Attack Scenario Using Core Splunk (hands on) • Advanced Threat Hunting Techniques & Security Essentials • Enterprise Security Walkthrough • Applying Machine Learning and Data Science to Security
  • 5. Log In Credentials January, February & March https://54.144.69.125 April, May & June https://52.55.68.96 July and August https://54.164.82.160 September and October https://52.23.227.212 November and December https://52.202.90.207 User: hunter Pass: pr3dat0r Birth Month
  • 7. Am I in the right place? Some familiarity with… ● CSIRT/SOC Operations ● General understanding of Threat Intelligence ● General understanding of DNS, Proxy, and Endpoint types of data 7
  • 8. What is threat hunting, why do you need it? The What? • Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain 2 8 The Why? • Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] 1 2 Cyber Threat Hunting - Samuel Alonso blog, Jan 20161 The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016 “Threat Hunting is not new, it’s just evolving!”
  • 10. Threat Hunting with Splunk 10 Vs.
  • 11. Search & Visualisation Enrichment Data Automation 11 Human Threat Hunter Key Building Blocks to Drive Threat Hunting Maturity Ref: The he Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016 Objectives > Hypotheses > Expertise
  • 12. “A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. This often requires an immodest determination” Henry A. Crumpton The Art of Intelligence: Lessons From A life In the CIA’s Clandestine Service 12
  • 13. SANS Threat Hunting Maturity 13 Ad Hoc Search Statistical Analysis Visualization Techniques Aggregation Machine Learning/ Data Science 85% 55% 50% 48% 32% Source: SANS IR & Threat Hunting Summit 2016
  • 14. Search & Visualisation Enrichment Data Automation Human Threat Hunter How Splunk helps You Drive Threat Hunting Maturity Threat Hunting Automation Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning Threat Hunting Data Enrichment Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships Search & Visualise Relationships for Faster Hunting Search and correlate data while visually fusing results for faster context, analysis and insight Ingest & Onboard Any Threat Hunting Machine Data Source Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity
  • 15. Hunting Tools: Internal Data 15 • IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring Tools: Firewalls, proxies, Splunk Stream, Bro, IDS • Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services Tools: Splunk Stream, Bro IDS, FPC, Netflow • DNS: activity, queries and responses, zone transfer activity Tools: Splunk Stream, Bro IDS, OpenDNS • Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory • Vulnerability Management Data Tools: Tripwire IP360, Qualys, Nessus • User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist Splunk UBA, (All of the above)
  • 16. Persist, Repeat Threat Intelligence Access/Identity Endpoint Network Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain • Third-party threat intel • Open-source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO Typical Data Sources • Web proxy • NetFlow • Network
  • 17. Endpoint: Microsoft Sysmon Primer 17 ● TA Available on the App Store ● Great Blog Post to get you started ● Increases the fidelity of Microsoft Logging Blog Post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
  • 18. Log In Credentials January, February & March https://54.144.69.125 April, May & June https://52.55.68.96 July and August https://54.164.82.160 September and October https://52.23.227.212 November and December https://52.202.90.207 User: hunter Pass: pr3dat0r Birth Month
  • 19. Sysmon Event Tags 19 Maps Network Comm to process_id Process_id creation and mapping to parentprocess_id
  • 20. sourcetype=X* | search tag=communicate 20
  • 21. sourcetype=X* | dedup tag| search tag=process 21
  • 23. Demo Story - Kill Chain Framework Successful brute force – download sensitive pdf document Weaponize the pdf file with Zeus Malware Convincing email sent with weaponized pdf Vulnerable pdf reader exploited by malware. Dropper created on machine Dropper retrieves and installs the malware Persistence via regular outbound comm Data Exfiltration Source: Lockheed Martin
  • 24. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication Stream Investigations– chooseyour data wisely 24
  • 25. APT Transaction Flow Across Data Sources 25 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Our Investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
  • 27. To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including… Web DNS Proxy Firewall Endpoint Email
  • 28. Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. } We also have detailed info on each process and can map it back to the user and parent process.} Lets get our day started by looking using threat intel to prioritize our efforts and focus on communication with known high risk entities.
  • 29. We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We are seeing high risk communication from multiple data sources. We see multiple threat intel related events across multiple source types associated with the IP Address of Chris Gilbert. Let’s take closer look at the IP Address. We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe. This dashboard is based on event data that contains a threat intel based indicator match( IP Address, domain, etc.). The data is further enriched with CMDB based Asset/identity information.
  • 30. We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources. These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address. ScrollDown Scroll down the dashboard to examine these threat intel events associated with the IP Address. We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
  • 31. It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not not common within the traditional SOC. The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation. Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred which is common when data is being exfiltrated.
  • 32. Exfiltration of data is a serious concern and outbound communication to external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Lets continue the investigation. Another clue. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. Not good. We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down such as the user ID that started the process and the associated CMDB enrichment information.
  • 33. We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
  • 34. This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name. We also can see that the parent process that created this suspicuous svchost.exe process is called calc.exe. This has brought us to the Process Explorer dashboard which lets us view Windows Sysmon endpoint data. Suspected Malware Lets continue the investigation by examining the parent process as this is almost certainly a genuine threat and we are now working toward a root cause. This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper. Suspected Downloader/Dropper This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe. …which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
  • 35. The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack. Suspected Downloader/Dropper Suspected Vulnerable AppWe have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
  • 36. We can see that the PDF Reader process has no identified parent and is the root of the infection. ScrollDown Scroll down the dashboard to examine activity related to the PDF reader process.
  • 37. Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email and we have access to our email logs as one of our important data sources. Lets copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
  • 38. Lets dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
  • 40. Lets search though multiple data sources to quickly get a sense for who else may have have been exposed to this file. We will come back to the web activity that contains reference to the pdf file but lets first look at the email event to determine the scope of this apparent phishing attack.
  • 41. We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment. Hold On! That’s not our Domain Name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice. This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
  • 42. Root Cause Recap 42 Data Sources .pdf executes & unpacks malware overwriting and running “allowed” programs http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web .pdf Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We utilized threat intel to detect communication with known high risk indicators and kick off our investigation then worked backward through the kill chain toward a root cause. Key to this investigative process is the ability to associate network communications with endpoint process data. This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
  • 43. 43 Lets revisit the search for additional information on the 2nd_qtr_2014- _report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Select the access_combined sourcetype to investigate further.
  • 44. 44 The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com. There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.
  • 45. 45 Select the IP Address, left-click, then select “New search”. We would like to understand what else this IP Address has accessed in the environment.
  • 46. 46 That’s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests over the below window. ScrollDown Scroll down the dashboard to examine other interesting fields to further investigate. Notice the Googlebot useragent string which is another attempt to avoid raising attention..
  • 47. 47 The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack. After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the zeus malware, then delivered it to Chris Gilbert as a phishing email. The attacker is also accessing admin pages which may be an attempt to establish persistence via a backdoor into the web site.
  • 48. Kill Chain Analysis Across Data Sources 48 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication. We Began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales. Investigation complete! Lets get this turned over to Incident Reponse team. We traced the svchost.exe Zeus malware back to it’s parent process ID which was the calc.exe downloader/dropper. Once our root cause analysis was complete, we shifted out focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website. We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email. A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user. We traced calc.exe back to the vulnerable application PDF Reader.
  • 50. Appendix - SQLi - DNS Exfilatration - Splunk Security Essentials
  • 51. SQLi
  • 52. SQL Injection ● SQL injection ● Code injection ● OS commanding ● LDAP injection ● XML injection ● XPath injection ● SSI injection ● IMAP/SMTP injection ● Buffer overflow
  • 53. Imperva Web Attacks Report, 2015
  • 55. The anatomy of a SQL injection attack SELECT * FROM users WHERE email='[email protected]' OR 1 = 1 -- ' AND password='xxx'; [email protected]' OR 1 = 1 -- ' xxx [email protected] 1234 An attacker might supply:
  • 56. …and so far this year… 39
  • 58. What have we here? Our learning environment consists of: • A bunch of publically-accessible single Splunk servers • Each with ~5.5M events, from real environments but massaged: • Windows Security events • Apache web access logs • Bro DNS & HTTP • Palo Alto traffic logs • Some other various bits
  • 59. https://splunkbase.splunk.com/app/1528/ Search for possible SQL injection in your events:  looks for patterns in URI query field to see if anyone has injected them with SQL statements  use standard deviations that are 2.5 times greater than the average length of your URI query field Macros used • sqlinjection_pattern(sourcetype, uri query field) • sqlinjection_stats(sourcetype, uri query field)
  • 60. Regular Expression FTW sqlinjection_rex is a search macro. It contains: (?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([ %27|'](%20)*=(%20)*[%27|'])|w*[%27|']or) Which means: In the string we are given, look for ANY of the following matches and put that into the “injection” field. • Anything containing SELECT followed by FROM • Anything containing UNION followed by SELECT • Anything with a ‘ at the end • Anything containing DELETE followed by FROM • Anything containing UPDATE followed by SET • Anything containing ALTER followed by TABLE • A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘ • Note: %27 is encoded “’” and %20 is encoded <space> • Any amount of word characters followed by a %27 OR a ‘ and then “or”
  • 61. Bonus: Try out the SQL Injection app!
  • 62. Summary: Web attacks/SQL injection ● SQL injection provide attackers with easy access to data ● Detecting advanced SQL injection is hard – use an app! ● Understand where SQLi is happening on your network and put a stop to it. ● Augment your WAF with enterprise-wide Splunk searches.
  • 65. DNS exfil tends to be overlooked within an ocean of DNS data. Let’s fix that! DNS exfiltration
  • 66. FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests! https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos- variant-exfiltrates-data-via-dns-requests “ ” … few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network. http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally- beauty-breach/#more-30872 “ ” DNS exfiltration
  • 67. https://splunkbase.splunk.com/app/2734/ DNS exfil detection – tricks of the trade  parse URLs & complicated TLDs (Top Level Domain)  calculate Shannon Entropy List of provided lookups • ut_parse_simple(url) • ut_parse(url, list) or ut_parse_extended(url, list) • ut_shannon(word) • ut_countset(word, set) • ut_suites(word, sets) • ut_meaning(word) • ut_bayesian(word) • ut_levenshtein(word1, word2)
  • 68. Examples • The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low) • The domain google.com has a Shannon Entropy score of 2.6 (rather low) • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high) Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string Shannon Entropy
  • 69. Detecting Data Exfiltration index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen TIPS  Leverage our Bro DNS data  Calculate Shannon Entropy scores  Calculate subdomain length  Display Details
  • 70. Detecting Data Exfiltration … | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2 TIPS  Leverage our Bro DNS data  Calculate Shannon Entropy scores  Calculate subdomain length  Display count, scores, lengths, deviations
  • 71. Detecting Data Exfiltration RESULTS • Exfiltrating data requires many DNS requests – look for high counts • DNS exfiltration to mooo.com and chickenkiller.com
  • 72. Summary: DNS exfiltration ● Exfiltration by DNS and ICMP is a very common technique ● Many organizations do not analyze DNS activity – do not be like them! ● No DNS logs? No Splunk Stream? Look at FW byte counts
  • 74. https://splunkbase.splunk.com/app/3435/ Identify bad guys in your environment:  45+ use cases common in UEBA products, all free on Splunk Enterprise  Target external attackers and insider threat  Scales from small to massive companies  Save from the app, send results to ES/UBA The most widely deployed UEBA vendor in the market is Splunk Enterprise, but no one knows it. Solve use cases you can today for free, then use Splunk UBA for advanced ML detection.
  • 75. Splunk Security Essentials Time Series Analysis with Standard Deviation First Time Seen powered by stats General Security Analytics Searches Types of Use Cases
  • 76. Splunk Security Essentials Data Sources Electronic Medical Record Source Code Repository
  • 77. ● How does the app work? – Leverages primarily | stats for UEBA – Also implements several advanced Splunk searches (URL Toolbox, etc.) ● Why call it UEBA? – These use cases are often in UEBA tools – 2/3 of use case build on a baseline, which is a hallmark of UEBA – 1/3 are advanced analytics that other vendors showcase in their UEBA ● How does it scale? – App automates the utilization of high scale techniques – Summary indexing for Time Series, caching in lookup for First Time
  • 79. 79 Splunk Enterprise - Big Data Analytics Platform - Splunk Enterprise Security - Security Analytics Platform - Threat Hunting with Splunk Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity Threat Hunting Data Enrichment Threat Hunting Automation Ingest & Onboard Any Threat Hunting Machine Data Source Search & Visualise Relationships for Faster Hunting
  • 80. Other Items To Note Items to Note Navigation - How to Get Here Description of what to click on Click
  • 81. Key Security Indicators (build your own!) Sparklines Editable
  • 82. Various ways to filter data Malware-Specific KSIs and Reports Security Domains -> Endpoint -> Malware Center
  • 83. Filterable KSIs specific to Risk Risk assigned to system, user or other Under Advanced Threat, select Risk Analysis
  • 84. (Scroll Down) Recent Risk Activity Under Advanced Threat, select Risk Analysis
  • 85. Filterable, down to IoC KSIs specific to Threat Most active threat source Scroll down… Scroll Under Advanced Threat, select Threat Activity
  • 86. Specifics about recent threat matches Under Advanced Threat, select Threat Activity
  • 87. To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads Click
  • 88. Click “Threat Artifacts” Under “Advanced Threat” Click
  • 89. Artifact Categories – click different tabs… STIX feed Custom feed Under Advanced Threat, select Threat Artifacts
  • 90. Review the Advanced Threat content Click
  • 91. Data from asset framework Configurable Swimlanes Darker=more events All happened around same timeChange to “Today” if needed Asset Investigator, enter “192.168.56.102”
  • 92. Data Science & Machine Learning In Security 92
  • 93. Disclaimer: I am not a data scientist
  • 94. Types of Machine Learning Supervised Learning: generalizing from labeled data
  • 95. Supervised Machine Learning 95 Domain Name TotalCnt RiskFactor AGD SessionTime RefEntropy NullUa Outcome yyfaimjmocdu.com 144 6.05 1 1 0 0 Malicious jjeyd2u37an30.com 6192 5.05 0 1 0 0 Malicious cdn4s.steelhousemedia.com 107 3 0 0 0 0 Benign log.tagcade.com 111 2 0 1 0 0 Benign go.vidprocess.com 170 2 0 0 0 0 Benign statse.webtrendslive.com 310 2 0 1 0 0 Benign cdn4s.steelhousemedia.com 107 1 0 0 0 0 Benign log.tagcade.com 111 1 0 1 0 0 Benign
  • 96. Unsupervised Learning: generalizing from unlabeled data
  • 97. Unsupervised Machine Learning • No tuning • Programmatically finds trends • UBA is primarily unsupervised • Rigorously tested for fit 97 AlgorithmRaw Security Data Automated Clustering
  • 98. 98
  • 99. ML Toolkit & Showcase • Splunk Supported framework for building ML Apps – Get it for free: http://tiny.cc/splunkmlapp • Leverages Python for Scientific Computing (PSC) add-on: – Open-source Python data science ecosystem – NumPy, SciPy, scitkit-learn, pandas, statsmodels • Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more • Standard algorithms out of the box: – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc. – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc. • Implement one of 300+ algorithms by editing Python scripts
  • 103. 103 Splunk Enterprise - Big Data Analytics Platform - Splunk Enterprise Security - Security Analytics Platform - Threat Hunting with Splunk Threat Hunting Data Enrichment Threat Hunting Automation Ingest & Onboard Any Threat Hunting Machine Data Source Search & Visualise Relationships for Faster Hunting Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity User Behavior Analytics - Security Data Science Platform -
  • 104. 104 Machine Learning Security Use Cases MachineLearningUseCases Polymorphic Attack Analysis Behavioral Peer Group Analysis User & Entity Behavior Baseline Entropy/Rare Event Detection Cyber Attack / External Threat Detection Reconnaissance, Botnet and C&C Analysis Lateral Movement Analysis Statistical Analysis Data Exfiltration Models IP Reputation Analysis Insider Threat Detection User/Device Dynamic Fingerprinting
  • 105. Splunk UBA Use Cases ACCOUNT TAKEOVER • Privileged account compromise • Data exfiltration LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation SUSPICIOUS ACTIVITY • Misuse of credentials • Geo-location anomalies MALWARE ATTACKS • Hidden malware activity BOTNET, COMMAND & CONTROL • Malware beaconing • Data leakage USER & ENTITY BEHAVIOR ANALYTICS • Suspicious behavior by accounts or devices EXTERNAL THREATSINSIDER THREATS
  • 106. Splunk User Behavior Analytics (UBA) • ~100% of breaches involve valid credentials (Mandiant Report) • Need to understand normal & anomalous behaviors for ALL users • UBA detects Advanced Cyberattacks and Malicious Insider Threats • Lots of ML under the hood: – Behavior Baselining & Modeling – Anomaly Detection (30+ models) – Advanced Threat Detection • E.g., Data Exfil Threat: – “Saw this strange login & data transferfor user kwestin at 3am in China…” – Surface threat to SOC Analysts
  • 107. RAW SECURITY EVENTS ANOMALIES ANOMALY CHAINS (THREATS) MACHINE LEARNING GRAPH MINING THREAT MODELS Lateral Movement Beaconing Land-Speed Violation HCI Anomalies graph Entity relationship graph Kill chain sequence Forensic artifacts Threat/Risk scoring FEEDBACK
  • 108. Overall Architecture 108 Real-Time Infra (Storm-based) FilterEvents DropEvents ModelExecution& OnlineTraining Runtime Topologies Threat and Anomaly Review Hadoop/HDFS Data Receivers (flume, REST, etc.) Real-Time Updates/No tifications App/SaaS Connectors Core + ES Network Data Push/Pull Model Persistence Layer DataDistributed Kafka ETL IR Model Parsers Filters Attribution ControlPath–Resource/HealthMonitoring HBase/HDFS Direct Access Façade GraphDB SQL Access Layer Node.js Socket.io server SQL Store (Threats/ Anomalies) Time-Series DBModel Registry Model Store HBase Model N Data Model 1 Model N Model 1 Model N Neo4J (Graph visualizations) Rules Engine Anomalies + Threats Analytics Store Syslog and Other Data
  • 109. Data Flow and System Requirements API CONNECTOR SYSLOG FORWARDER Explore Visualize ShareAnalyze Dashboards RESULTS THREAT & ANOMALY DATA QUERY UBA REQUEST FOR ADDITIONAL DETAILS THREATS RESULTS QUERY NOTABLE EVENTS RISK SCORING FRAMEWORK WORKFLOW MANAGEMENT VM Search head Standard RT Query VM specs: - Ubuntu/RHEL - 16 cores - 64 GB RAM - Local and network disks - GigE connectivity Performance/scale: - UBA v2.3 - E.g., 5-nodes - 25K EPS - Add nodes for near-linear scale Splunk Enterprise: - RT search capability - 8-10 concurrent searches - REST API port (8089) - SA-LDAPSEARCH Shared network storage
  • 111. Security Workshops ● Security Readiness Workshop ● Data Science Workshop ● Enterprise Security Benchmark Assessment