Splunk Live! Utrecht 2016 - CERT-EU
TRANSCRIPT
About CERT-EU
• EU Institutions' own CERT
• Defence against sophisticated, targeted cyber threats
• Operational support to 60 organisations, 100.000 users
• Constituents are high value targets
• Decentralised, heterogeneous environment
Under The Radar
• Mails appearing as originating from a trusted origin
  - Typo squatting
  - Spoofed
  - Compromised
• Bypassing protective layers:
  - Unpatched vulnerabilities (Flash, Java, MSFT)
  - Non-active or low-active content (JavaScript, Macros)
  - Encrypted, password protected attachments
• File-less lateral movements (PowerShell, WMI…)
• Removing forensic evidence after stealing legit credentials
• Encrypted or legit C&C communication
Architecture
[Architecture diagram: at each constituent (X, Y, Z), the local log sources (DNS, Email, Proxy, FireEye or SourceFire) feed a Splunk Indexer that stays on site; at CERT-EU, a Splunk Search Head queries all constituent indexers and is fed by Cyber Threat Intelligence (intelligence sources: partners, OSINT, monitoring) and AbuseHelper, with the Incident Handling Team acting on the results.]
Architecture advantages
• Two-tier architecture, infrastructure-agnostic
• Constituents decide what to share with us
– (but we would like as much visibility as possible)
• Logs stay where they are generated
– Little impact on bandwidth
– Mitigates concerns on data protection
– Constituents stay in control
Log Sources
Web traffic: » DNS » Proxy
Emails: » Exchange » Mimesweeper
Hosts: » Sysmon » Applocker » McAfee
Appliances: » Sourcefire » Ironport » FireEye
Future development: ► Firewalls ► Active Directory ► Servers ► Reverse Proxy
[Constituent data-flow diagram: DNS, Email, Proxy, Mimesweeper, SourceFire, AV (McAfee) and Sysmon (PowerShell, AppLocker, events, cmd) logs are all indexed on the constituent's own Splunk Indexer.]
Normalisation: CIM
● Common language and conventions to control all data
● CIM makes apps and searches much more portable
● The abstraction level helps to stay focused
● Timesaving
● Less human error
● More visibility
Intelligence Correlation
Daily / Weekly searches
[Timeline diagram (simplified for the presentation), running from the beginning of the log history through last week, yesterday, today and the end of the week: the daily search matches the Daily Logs against All IoC's and produces the Daily Report; the weekly search matches the Logs (until last week) against the Week's IoC's and produces the Weekly Report.]
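The daily/weekly scheme in the diagram above, as an added Python example that is not CERT-EU's app or Splunk code: the events and the IoC feed are constructed, field names follow CIM conventions, and the two search functions show why the weekly pass replays this week's new indicators over older logs.

```python
from datetime import date, timedelta

# Constructed CIM-normalised events (Network_Resolution, Web and Email data
# model field names); every value here is fabricated for this example.
EVENTS = [
    {"_time": "2016-04-20", "sourcetype": "dns",   "src": "10.1.1.5", "query": "update-check.example.net"},
    {"_time": "2016-05-02", "sourcetype": "proxy", "src": "10.1.1.7", "url": "http://cdn-mirror.example.org/a.js"},
    {"_time": "2016-05-10", "sourcetype": "proxy", "src": "10.1.1.9", "url": "http://intranet.example/index.html"},
    {"_time": "2016-05-11", "sourcetype": "email", "src": "10.1.1.3", "file_hash": "0" * 32},
]
# Constructed IoC feed: indicator -> (CIM field it matches, date it was received).
IOCS = {
    "update-check.example.net":           ("query", "2016-05-09"),
    "http://cdn-mirror.example.org/a.js":  ("url", "2016-04-01"),
    "0" * 32:                             ("file_hash", "2016-05-11"),
}

def correlate(events, iocs):
    """Return (event, indicator) pairs where the event's CIM field equals an indicator.
    Because the field names are CIM, one function covers DNS, proxy and mail logs."""
    return [(ev, value) for ev in events
            for value, (field, _received) in iocs.items() if ev.get(field) == value]

def daily_search(day):
    """Daily report: the day's logs against every indicator known by that day."""
    todays = [e for e in EVENTS if e["_time"] == day]
    known = {v: m for v, m in IOCS.items() if m[1] <= day}
    return correlate(todays, known)

def weekly_search(week_start):
    """Weekly report: indicators received this week against logs from before the week.
    This is the retroactive pass: a sighting that predates its indicator is invisible
    to the daily search, so new IoCs are replayed over the stored history."""
    week_end = (date.fromisoformat(week_start) + timedelta(days=7)).isoformat()
    older = [e for e in EVENTS if e["_time"] < week_start]
    new = {v: m for v, m in IOCS.items() if week_start <= m[1] < week_end}
    return correlate(older, new)

if __name__ == "__main__":
    for ev, ioc in daily_search("2016-05-11"):
        print("daily  ", ev["_time"], ev["sourcetype"], ev["src"], "->", ioc)
    for ev, ioc in weekly_search("2016-05-09"):
        print("weekly ", ev["_time"], ev["sourcetype"], ev["src"], "->", ioc)
```

The DNS sighting of 2016-04-20 is missed by that day's daily search (the domain only became an IoC on 2016-05-09) and is recovered by the weekly search of the week starting 2016-05-09.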
Processing Alerts
[Alert-processing flow: alerts raised by Splunk and SourceFire (Network: DNS, Proxy; Malware: hash, URL, email) go to Triage (collect CTI info, search on Splunk, search on IDS, query Analyst Portal, search on VT etc., analyze in sandbox); if the alert is confirmed as an incident, the CTI is updated and a Report is issued.]
Correlation Across
Correlation through searches on all available data.
[Diagram: a detection at Constituent A triggers a search (hash, filename, timestamp, C&C, DNS, proxy, etc.) from the Splunk Search Head across the Splunk Indexers of Constituents X, Y, Z…, producing new findings at other constituents.]
Kill Chain - Tools
Recon: IDS, DNS
Weaponisation: DNS
Delivery: IDS, AV, Proxy
Exploitation: IDS, AV, Sysmon
Installation: IDS, AV, Sysmon
Command & Control: IDS, Sandbox, DNS/Proxy
Orchestration
Incident report to the constituent:
• Incident history
• Incident type
• Technical details (timestamp, user, hash etc)
• Recommended actions
Incident file handed over to the analysts:
• Incident Report
• Correlated information from other sources
• Malware sample / pcap etc.
• Intelligence report related to the detection
Take Aways
• Infrastructure-agnostic
• Logs stay where they are generated
• Constituents decide what to share with us
• CERT-EU App helps dramatically in detection and triage
• Correlation across all constituents
• Constituents benefit from:
  – incident response in a timely manner
  – cost effective / remote support
  – the best threat intel + the most powerful tools
  – a very committed team :)