Hands on Security - Disrupting the Kill Chain Breakout Session


Post on 16-Jul-2015





Hands-On Security

Disrupting the Cyber Kill Chain using Splunk
Copyright 2015 Splunk Inc.

Safe Harbor Statement

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

(Splunk safe harbor statement.)

Agenda

Splunk & Security
Unknown Threats
Connect the Dots across All Data
Kill Chain* Disruption
    Overview
    Exercise/Demo
    Security Investigation Example

This is a hands-on session. Please log in and follow along. Seriously.

URL #1: #2:

We are going to get hands-on, and I want to make sure we have enough time to go through the exercises. But I need to frame up why this is important first, so bear with me.

No hard copy?

http://bit.ly/1FCSmxa
pw: splunklive

URL #1: #2: TinyURL link to student doc


Machine data contains a definitive record of all human-to-machine and machine-to-machine interaction.

Splunk is a very effective platform to collect, store, and analyze all of that data. If you could have a record of every machine-to-machine interaction, and every human-to-machine interaction, in your computing environment, what would that mean to you in terms of security?

It would mean you would have a great platform to quickly find the known and unknown threats that are working against your business.

As we all know there are plenty of adversaries out there: organized cyber criminal rings, nation states, insider threats, and we need to try and keep tabs on all of them.

The Mandiant and Verizon reports, updated yearly, find that all breaches use some sort of valid credentials. A small number of systems are involved, maybe an average of ~40; that's a really small footprint. And there are usually 229 days that go by before someone outside your organization (Secret Service, FBI, etc.) tells you that you have been breached.

We need to react quickly to indicators of compromise to shut down attackers before they can do harm. So how do we do that? We collect a lot of data.

Data sources:
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB

Traditional security sources:
Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Connect the Dots across All Data

So finding all of the known threats is pretty simple. We're going to grab all of the data from all of the things in your environment that are regularly updated with knowledge about known threats: all the traditional security stuff - IDS/IPS, anti-malware defenses, DLP, vulnerability scans, SIEM technology. And of course we will collect firewall data and auth data.

But what about unknown threats? How do we find those? Well, we need to look at a much bigger set of data, and then find the unusual patterns in that data. So we want to look at things like threat intel, email, web, and desktops; the first four items on the top line are what we'll focus on in this hands-on exercise.

But note that Splunk can collect a whole lot more data that we believe is extremely security relevant, especially when it comes to detecting those unknown threats.

Moving Past SIEM to Security Intelligence
Splunk software complements, replaces and goes beyond traditional SIEMs.

Small Data. Big Data. Huge Data.

Security & Compliance Reporting
Real-time Monitoring of Known Threats
Monitoring of Unknown Threats
Incident Investigations & Forensics
Fraud Detection
Insider Threat

These are the main areas we see Splunk being used for security.

We can provide demos and examples and case studies for all of these, but today's hands-on will focus on incident investigation and forensics.

This is particularly interesting because even if you have a SIEM today, and you like it, Splunk can complement that SIEM by being a highly powerful and scalable investigative engine for your incident investigations group.

We often see customers that are not quite ready to get rid of their traditional SIEM using us for this function, because we are so flexible and scalable and fast.

Disrupting the Kill Chain demo version 3.0


Strategy / New to 3.0?

Demo the Splunk Hunt capabilities to a wide audience with focus on the phishing and malware use cases.

Challenge the audience to think beyond traditional SIEM data sources and show/explain how we pivot between them seamlessly.

Explain the compromise prior to jumping into the demo.

Make certain that it is clear that we are driving toward a root cause and an improved workflow.

Focus on the Data Sources

Replaced Carbon Black with native Microsoft Sysmon endpoint functionality

Hands-On Session: Kill Chain* Disruption

Reconnaissance: The adversary works to understand your organization, looking for opportunities.
Exploitation: Your system is compromised and the adversary begins its work.
Act on Intent: The attacker steals data, disrupts your operations or causes damage.

*mostly. The phrase "Cyber Kill Chain" was coined by researchers from Lockheed Martin. For a complete list of phases please see: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

This is how a common adversary, i.e. someone that wants to steal your data or your intellectual property, cause downtime, or embarrass your org, sees you and plans an attack. They could be cyber criminals, they could be nation states, they could be coming from the inside.

Recon: Discover/identify a target. Maybe not even any direct communication with the target. They might be googling things to see if you have web portals that they can attack, or look at public records or proposals to see who is working on what, what new products you are going to offer, or who you have recently hired. Basically looking for something to exploit,

which then happens via a multitude of ways. This is where the actual compromise takes place. Commonly, some artifact that is trusted is weaponized and delivered. This is also where social engineering may come in to steal credentials (100% of breaches involve stolen, valid credentials).

Then act on intent: what do they want to do to you? Steal your data or IP, affect your operations, or cause physical harm, like we saw with Stuxnet a few years ago with the centrifuges.

The ones we are glossing over here are weaponization, delivery, installation, and command and control.

We will see those in the exercise.

Security Investigation Example

Q. How can the security analysts at Buttercup Games, Inc. discover that their systems have been compromised by way of a stolen document from their web portal?

A. They would want to discover and disrupt the kill chain:
Where did the adversary start? (Recon)
How did they get a foothold? (Exploitation)
What was their motive and what did they take? (Actions on Intent)

Let's get hands-on!

Splunk is the only security analytics platform that allows analysts and incident investigators to leverage these disparate data sources to disrupt the adversary kill chain.

This demo shows a real-world investigation scenario for the Zeus attack. We begin the investigation by searching for events related to new threat intelligence, then investigate the infection and identify the complete adversary kill chain.

This hands-on exercise shows a real-world investigation scenario for the Zeus malware. Q. Why Zeus? A. Malware that reports into a botnet; it has been around since 2009.

Disrupts services, acquires financial data, installs ransomware to lock up machines.

Very effective, very elusive: every time we think we have a handle on it, it comes back, because it keeps morphing. Attempts to shut it down have been largely unsuccessful.

This is NOT to show you how we can perform an investigation surrounding Zeus; we are only using it because it's a commonly known bit of malware. These techniques can be used for any kind of security investigation within Splunk.

Kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives

Kill Chain / Demo Data Source - Activity

Web: A brute force attack takes place on the customer web site, access is gained, and a sensitive pdf file is downloaded
Email and Endpoint
Endpoint
Endpoint, DNS, Proxy
Endpoint, DNS, Proxy
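The reconnaissance row above describes the pattern an analyst would hunt for in the web data: a burst of failed logins from one client, then a successful login, then a download of a sensitive document. The following is an added example, not code from the session or from Splunk, that implements that detection logic in plain Python over a constructed Apache-style access log (the log lines, paths, IPs and the five-failure threshold are all assumptions for illustration; in Splunk the same logic would be expressed as a search over the web sourcetype).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined-style, NOT the demo data set).
# 10.0.0.5 fails to log in five times, succeeds, then pulls a PDF;
# 192.168.1.9 mistypes once, logs in, and browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2015:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [16/Jul/2015:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [16/Jul/2015:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [16/Jul/2015:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [16/Jul/2015:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [16/Jul/2015:10:00:06 +0000] "POST /login HTTP/1.1" 200 1024
10.0.0.5 - - [16/Jul/2015:10:00:20 +0000] "GET /docs/roadmap.pdf HTTP/1.1" 200 204800
192.168.1.9 - - [16/Jul/2015:10:01:00 +0000] "POST /login HTTP/1.1" 401 512
192.168.1.9 - - [16/Jul/2015:10:01:10 +0000] "POST /login HTTP/1.1" 200 1024
192.168.1.9 - - [16/Jul/2015:10:02:00 +0000] "GET /products HTTP/1.1" 200 3000
"""

# Field extraction for the assumed log layout: client ip, timestamp,
# request line (method + path), status code, bytes sent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        events.append(d)
    return events


def find_brute_force_sessions(events, login_path="/login", threshold=5,
                              window=timedelta(minutes=5), sensitive_ext=".pdf"):
    """Per client IP, report when at least `threshold` failed logins inside
    `window` are followed by a successful login and then a sensitive download.
    Returns a list of findings (empty when nothing matches)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []        # timestamps of recent failed logins
        success_at = None    # set once a login succeeds after a brute-force burst
        for e in evs:
            is_login = e["path"] == login_path
            if is_login and e["status"] == 401 and success_at is None:
                failures.append(e["ts"])
                # keep only failures inside the sliding window
                failures = [t for t in failures if e["ts"] - t <= window]
            elif is_login and e["status"] == 200 and success_at is None:
                if len(failures) >= threshold:
                    success_at = e["ts"]
            elif (success_at is not None and e["method"] == "GET"
                  and e["status"] == 200
                  and e["path"].lower().endswith(sensitive_ext)):
                findings.append({"ip": ip, "failed_logins": len(failures),
                                 "login_success": success_at,
                                 "download": e["path"]})
                break   # one finding per client is enough to open a case
    return findings


if __name__ == "__main__":
    for finding in find_brute_force_sessions(parse_log(SAMPLE_LOG)):
        print(finding)
```

The three-stage match (failures, then success, then download) is what separates a noisy user from the scenario in the table: a single mistyped password followed by a normal session produces no finding, while the burst-then-download sequence does. The same staging maps directly onto the Recon / Exploitation / Act on Intent questions on the investigation slide.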