threat hunting with splunk
TRANSCRIPT
![Page 1: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/1.jpg)
Threat Hunting with Splunk. Presenter: Ken Westin, M.Sc, OSCP, Splunk Security Market Specialist
![Page 2: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/2.jpg)
Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
![Page 3: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/3.jpg)
Log In Credentials
January, February & March: https://od-how-calgary2.splunkoxygen.com
April, May & June: https://od-how-calgary3.splunkoxygen.com
July, August & September: https://od-how-calgary4.splunkoxygen.com
October, November & December: https://od-how-calgary5.splunkoxygen.com
User: hunter  Pass: pr3dator
![Page 4: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/4.jpg)
These won't work…
![Page 5: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/5.jpg)
Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
![Page 6: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/6.jpg)
This is a hands-on session.
The overview slides are important for building your "hunt" methodology.
10 minutes - Seriously.
![Page 7: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/7.jpg)
How Zeus Cybercrime Works
![Page 8: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/8.jpg)
Vs.
![Page 9: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/9.jpg)
SANS Threat Hunting Maturity
Hunting techniques in use, by share of respondents:
• Ad Hoc Search: 85%
• Statistical Analysis: 55%
• Visualization Techniques: 50%
• Aggregation: 48%
• Machine Learning/Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
![Page 10: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/10.jpg)
Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring. Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services. Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity. Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring (hash values, integrity checking and alerts, creation or deletion). Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data. Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist. Tools: Splunk UBA (all of the above)
![Page 12: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/12.jpg)
Endpoint: Microsoft Sysmon Primer
● TA available on the App Store
● Great blog post to get you started
● Increases the fidelity of Microsoft logging
Blog post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
![Page 14: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/14.jpg)
Sysmon Event Tags
Maps network comm to process_id
process_id creation and mapping to parent process_id
![Page 15: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/15.jpg)
sourcetype=X* | search tag=communicate
![Page 16: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/16.jpg)
sourcetype=X* | dedup tag | search tag=process
![Page 17: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/17.jpg)
Data Source Mapping
![Page 18: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/18.jpg)
Demo Story - Kill Chain Framework
• Successful brute force – download sensitive pdf document
• Weaponize the pdf file with Zeus malware
• Convincing email sent with weaponized pdf
• Vulnerable pdf reader exploited by malware. Dropper created on machine
• Dropper retrieves and installs the malware
• Persistence via regular outbound comm
• Data Exfiltration
Source: Lockheed Martin
![Page 19: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/19.jpg)
Stream Investigations – choose your data wisely
Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Other sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
![Page 20: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/20.jpg)
Let's dig in!
Please raise that hand if you need us to hit the pause button.
![Page 21: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/21.jpg)
APT Transaction Flow Across Data Sources
Phase labels on the diagram: Gain Access to system, Transaction, Conduct Business, Create additional environment
Data sources: Threat Intelligence; Endpoint; Network (Email, Proxy, DNS, and Web); Web Portal; Proxy
• Attacker hacks website, steals .pdf files (Web Portal)
• Attacker creates malware, embeds it in a .pdf, emails it to the target
• Target reads email, opens attachment
• .pdf executes & unpacks malware, overwriting and running "allowed" programs: Calc.exe (dropper), Svchost.exe (malware) (Endpoint)
• http (proxy) session to command & control server (Proxy)
• Remote control, steal data, persist in company, rent as botnet
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
![Page 22: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/22.jpg)
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources.
In this demo environment, we have a variety of security relevant data including…
Web, DNS, Proxy, Firewall, Endpoint, Email
![Page 23: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/23.jpg)
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA.
We have endpoint visibility into all network communication and can map each connection back to a process.
We also have detailed info on each process and can map it back to the user and parent process.
Let's get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
![Page 24: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/24.jpg)
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources.
We are seeing high risk communication from multiple data sources.
We see multiple threat intel related events across multiple sourcetypes associated with the IP address of Chris Gilbert. Let's take a closer look at the IP address.
We can now see the owner of the system (Chris Gilbert) and that it isn't a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
This dashboard is based on event data that contains a threat intel based indicator match (IP address, domain, etc.). The data is further enriched with CMDB based asset/identity information.
![Page 25: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/25.jpg)
We are now looking at only threat intel related activity for the IP address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP address.
Scroll down the dashboard to examine these threat intel events associated with the IP address.
We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
![Page 26: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/26.jpg)
It's worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk.
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5 MB) being transferred, which is common when data is being exfiltrated.
![Page 27: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/27.jpg)
We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Exfiltration of data is a serious concern, as is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case.
Another clue. We also see that svchost.exe should be located in a Windows system directory, but this is being run in the user space. Not good.
Let's continue the investigation.
![Page 28: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/28.jpg)
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
![Page 29: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/29.jpg)
This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
Suspected Malware: this process calls itself "svchost.exe," a common Windows process, but the path is not the normal path for svchost.exe. This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
Suspected Downloader/Dropper: we also can see that the parent process that created this suspicious svchost.exe process is called calc.exe.
Let's continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
![Page 30: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/30.jpg)
The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
Suspected Downloader/Dropper: calc.exe. Suspected Vulnerable App: PDF Reader.
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
![Page 31: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/31.jpg)
We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll down the dashboard to examine activity related to the PDF reader process.
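The pivot walked through above (from a connection in the tag=communicate events to the process that opened it, then up the parent chain until a process with no recorded parent) as an added Python example; this is not code from the presentation, the Sysmon TA or Splunk. The events are constructed to resemble extracted Sysmon EventID 3 (network connection) and EventID 1 (process creation) records: the field names follow Sysmon's, but every PID, path, user (CORP\cgilbert) and IP address (RFC 5737 documentation ranges) is made up.

```python
"""Pivot from a suspicious network connection to the process that opened it,
then walk the parent chain to the root, the way the Process Explorer dashboard
does with Sysmon data. Added example; all event values below are constructed."""

# Constructed process-creation events (Sysmon EventID 1). ParentProcessId 0
# marks a process whose parent was not recorded, i.e. the root of the tree.
PROCESS_EVENTS = [
    {"ProcessId": 2200, "ParentProcessId": 0,
     "Image": "C:\\Program Files\\PDF Reader\\pdfreader.exe", "User": "CORP\\cgilbert"},
    {"ProcessId": 3312, "ParentProcessId": 2200,
     "Image": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\calc.exe", "User": "CORP\\cgilbert"},
    {"ProcessId": 4768, "ParentProcessId": 3312,
     "Image": "C:\\Users\\cgilbert\\AppData\\Roaming\\svchost.exe", "User": "CORP\\cgilbert"},
    {"ProcessId": 1120, "ParentProcessId": 4,
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

# Constructed network-connection events (Sysmon EventID 3).
NETWORK_EVENTS = [
    {"ProcessId": 4768, "DestinationIp": "203.0.113.10", "DestinationPort": 53, "Protocol": "udp"},
    {"ProcessId": 4768, "DestinationIp": "203.0.113.77", "DestinationPort": 443, "Protocol": "tcp"},
    {"ProcessId": 1120, "DestinationIp": "192.0.2.5", "DestinationPort": 443, "Protocol": "tcp"},
]

# Binary names that only belong in a Windows system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def process_for_connection(dest_ip, dest_port):
    """tag=communicate pivot: which ProcessId talked to dest_ip:dest_port."""
    for ev in NETWORK_EVENTS:
        if ev["DestinationIp"] == dest_ip and ev["DestinationPort"] == dest_port:
            return ev["ProcessId"]
    return None


def connections_for_process(pid):
    """All (port, ip) pairs a process opened, in ascending port order."""
    return sorted((ev["DestinationPort"], ev["DestinationIp"])
                  for ev in NETWORK_EVENTS if ev["ProcessId"] == pid)


def parent_chain(pid):
    """tag=process pivot: follow ParentProcessId links upward and return the
    Image paths from pid to the last ancestor we hold a creation event for."""
    by_pid = {ev["ProcessId"]: ev for ev in PROCESS_EVENTS}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # a reused PID could otherwise make the walk loop forever
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def masquerading_system_binary(image):
    """True when a system binary name is running from outside a system directory."""
    path = image.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS)


def investigate(dest_ip, dest_port):
    """Tie the pivots together for one suspicious connection."""
    pid = process_for_connection(dest_ip, dest_port)
    if pid is None:
        return None
    chain = parent_chain(pid)
    return {
        "pid": pid,
        "chain": chain,
        "root": chain[-1] if chain else None,
        "masquerading": [img for img in chain if masquerading_system_binary(img)],
        "connections": connections_for_process(pid),
    }


if __name__ == "__main__":
    result = investigate("203.0.113.77", 443)
    for img in result["chain"]:
        print(img)
    print("root:", result["root"], "| masquerading:", result["masquerading"])
```

Running it prints the three-link chain svchost.exe → calc.exe → pdfreader.exe, names pdfreader.exe as the root and flags the user-space svchost.exe; the legitimate System32 svchost.exe on PID 1120 is not flagged. The `seen` set matters on real data, where PIDs get reused and a naive parent walk can cycle.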
![Page 32: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/32.jpg)
Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let's copy the file name 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
![Page 33: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/33.jpg)
Let's dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
![Page 34: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/34.jpg)
Let's search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file, but let's first look at the email event to determine the scope of this apparent phishing attack.
![Page 35: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/35.jpg)
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold on! That's not our domain name! The spelling is close but it's missing a "t". The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice.
This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
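The two checks made on the email above, a sender domain that is one letter off the company domain and a count of who else received the attachment, as an added Python example (not code from the presentation or from Splunk). The mail records are constructed; buttergames.com is the company domain named later in the deck, while the lookalike butergames.com (the "t" dropped) is an assumption for the example, since the slide does not print the attacker's domain.

```python
"""Flag senders whose domain is a near miss of the company domain, and scope
an attachment to the mailboxes that received it. Added example; the mail
events are constructed and the lookalike domain is an assumption."""

COMPANY_DOMAINS = {"buttergames.com"}

# Constructed mail-gateway records.
MAIL_EVENTS = [
    {"sender": "cfo@butergames.com", "recipient": "chris.gilbert@buttergames.com",
     "subject": "Q2 numbers - confidential", "attachment": "2nd_qtr_2014_report.pdf"},
    {"sender": "hr@buttergames.com", "recipient": "all@buttergames.com",
     "subject": "Holiday schedule", "attachment": "holidays.pdf"},
    {"sender": "news@example.net", "recipient": "chris.gilbert@buttergames.com",
     "subject": "Newsletter", "attachment": None},
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) via the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, max_distance=2):
    """Return the company domain this one imitates, or None. An exact match is
    legitimate; a near miss within max_distance edits is a lookalike."""
    domain = domain.lower()
    if domain in COMPANY_DOMAINS:
        return None
    for legit in COMPANY_DOMAINS:
        if levenshtein(domain, legit) <= max_distance:
            return legit
    return None


def suspicious_senders(events):
    """(sender, imitated domain) for every message from a lookalike domain."""
    found = []
    for e in events:
        imitated = lookalike_domain(sender_domain(e["sender"]))
        if imitated:
            found.append((e["sender"], imitated))
    return found


def recipients_of_attachment(events, filename):
    """Scope check: which mailboxes received the named attachment."""
    return sorted({e["recipient"] for e in events if e.get("attachment") == filename})


if __name__ == "__main__":
    print(suspicious_senders(MAIL_EVENTS))
    print(recipients_of_attachment(MAIL_EVENTS, "2nd_qtr_2014_report.pdf"))
```

A distance threshold of 2 catches dropped, doubled and swapped letters; raise it only with an allow-list, because short legitimate domains start colliding quickly.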
![Page 36: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/36.jpg)
Root Cause Recap
Diagram: the APT transaction flow from slide 21, now annotated with the .pdf, Calc.exe (dropper) and Svchost.exe (malware).
We utilized threat intel to detect communication with known high risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
![Page 37: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/37.jpg)
Let's revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Select the access_combined sourcetype to investigate further.
![Page 38: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/38.jpg)
The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.
![Page 39: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/39.jpg)
Select the IP address, left-click, then select "New search". We would like to understand what else this IP address has accessed in the environment.
![Page 40: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/40.jpg)
That's an abnormally large number of requests sourced from a single IP address in a ~90 minute window.
This looks like a scripted action given the constant high rate of requests over the window below.
Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot user agent string, which is another attempt to avoid raising attention.
![Page 41: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/41.jpg)
The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It's clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the website.
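The three signals read off the access_combined logs above (one source address at a constant high request rate, the requests dominated by wp-login.php, and a crawler user agent) as an added Python detection example; this is not code from the presentation or from Splunk. The log lines are constructed (RFC 5737 addresses, made-up timestamps), and the thresholds are assumptions to be tuned against real traffic.

```python
"""Parse Apache access_combined lines and profile each source address for
scripted login activity. Added example; the log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php"}
CRAWLER_UA = re.compile(r"googlebot|bingbot", re.I)


def parse_line(line):
    """One access_combined line -> dict with a parsed timestamp, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def profile_sources(records):
    """Per source IP: volume, rate, share of login POSTs, crawler claim, paths."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    profiles = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        minutes = (rs[-1]["ts"] - rs[0]["ts"]).total_seconds() / 60 or 1.0
        login_posts = sum(1 for r in rs
                          if r["method"] == "POST" and r["path"].split("?")[0] in LOGIN_PATHS)
        profiles[ip] = {
            "requests": len(rs),
            "per_minute": len(rs) / minutes,
            "login_post_share": login_posts / len(rs),
            "crawler_ua": any(CRAWLER_UA.search(r["ua"]) for r in rs),
            "paths": Counter(r["path"].split("?")[0] for r in rs),
        }
    return profiles


def flag_bruteforce(profiles, min_requests=50, min_login_share=0.5):
    """Return {ip: [reasons]} for sources that look like scripted login abuse."""
    findings = {}
    for ip, p in profiles.items():
        reasons = []
        if p["requests"] >= min_requests and p["login_post_share"] >= min_login_share:
            reasons.append("high-volume login attempts")
        if p["crawler_ua"] and p["login_post_share"] > 0:
            # Search-engine crawlers fetch pages; they never submit login forms.
            reasons.append("crawler user-agent submitting login forms")
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_log():
    """80 login POSTs 30 s apart from one address, then an admin page and a
    pdf download, plus a normal visitor. Entirely made up for the example."""
    base = datetime(2014, 6, 12, 9, 0, tzinfo=timezone.utc)
    bot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = []
    for i in range(80):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.45 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3342 "-" "{bot_ua}"')
    ts = (base + timedelta(minutes=41)).strftime(TS_FORMAT)
    lines.append(f'203.0.113.45 - - [{ts}] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "{bot_ua}"')
    lines.append(f'203.0.113.45 - - [{ts}] "GET /uploads/2nd_qtr_2014_report.pdf HTTP/1.1" 200 1572864 "-" "{bot_ua}"')
    for i in range(5):
        ts = (base + timedelta(minutes=3 * i)).strftime(TS_FORMAT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /games/ HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)"')
    return lines


if __name__ == "__main__":
    recs = [parse_line(l) for l in constructed_log()]
    prof = profile_sources(recs)
    for ip, reasons in flag_bruteforce(prof).items():
        print(ip, prof[ip]["requests"], "requests,", round(prof[ip]["per_minute"], 1), "per minute:", reasons)
```

The crawler check is deliberately cheap: it does not try to verify the user agent, it only notes that a genuine crawler has no reason to POST to a login page. Verifying a Googlebot claim properly means a reverse DNS lookup on the source address followed by a forward lookup of the returned name, which is a separate step.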
![Page 42: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/42.jpg)
Kill Chain Analysis Across Data Sources
Diagram: the APT transaction flow from slide 21 (Web Portal, Endpoint, Proxy, Threat Intelligence, and Network data sources).
• We began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales.
• We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
• We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
• We traced calc.exe back to the vulnerable application, PDF Reader.
• We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
• A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
• Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let's get this turned over to the Incident Response team.
![Page 43: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/43.jpg)
Want to Follow Along? Optional – For Machine Learning Component
● Download Splunk: http://www.splunk.com/en_us/download-21.html
● Install the Machine Learning Toolkit: http://tiny.cc/splunkmlapp
● Install the Python for Scientific Computing app: https://splunkbase.splunk.com/app/2881/ (Mac), https://splunkbase.splunk.com/app/2883/ (Windows)
![Page 44: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/44.jpg)
Break!
![Page 45: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/45.jpg)
Splunk Enterprise Security
![Page 47: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/47.jpg)
Splunk is the Security Nerve Center
Data sources: App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Endpoints
![Page 48: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/48.jpg)
Gartner Magic Quadrant for SIEM
Capabilities compared: Incident Response, User Monitoring, Data & App Monitoring, Advanced Analytics, Basic Security Monitoring, Advanced Threat Detection, Forensic & Incident Response, Real-Time Monitoring, Advanced Threat Defense, Business Context & Security Intelligence, Deployment & Support Simplicity
![Page 49: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/49.jpg)
Homework
![Page 50: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/50.jpg)
Other Items To Note
Legend for the slides that follow: "Items to Note" callouts, "Navigation - How to Get Here", a description of what to click on, and a "Click" marker.
![Page 51: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/51.jpg)
Key Security Indicators (build your own!)
Sparklines
Editable
![Page 52: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/52.jpg)
Malware-Specific KSIs and Reports
Various ways to filter data
Navigation: Security Domains -> Endpoint -> Malware Center
![Page 53: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/53.jpg)
KSIs specific to Risk
Filterable
Risk assigned to system, user or other
Navigation: Under Advanced Threat, select Risk Analysis
![Page 54: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/54.jpg)
Recent Risk Activity (scroll down)
Navigation: Under Advanced Threat, select Risk Analysis
![Page 55: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/55.jpg)
KSIs specific to Threat
Filterable, down to IoC
Most active threat source
Scroll down…
Navigation: Under Advanced Threat, select Threat Activity
![Page 56: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/56.jpg)
Specifics about recent threat matches
Navigation: Under Advanced Threat, select Threat Activity
![Page 57: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/57.jpg)
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads
Click
![Page 58: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/58.jpg)
Click "Threat Artifacts" under "Advanced Threat"
Click
![Page 59: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/59.jpg)
Artifact Categories – click different tabs…
STIX feed
Custom feed
Navigation: Under Advanced Threat, select Threat Artifacts
![Page 60: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/60.jpg)
Review the Advanced Threat content
Click
![Page 61: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/61.jpg)
Asset Investigator, enter "192.168.56.102"
Data from asset framework
Configurable swimlanes
Darker = more events
All happened around the same time
Change to "Today" if needed
![Page 62: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/62.jpg)
Data Science & Machine Learning In Security
![Page 63: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/63.jpg)
Evolution of Security Correlation to Advanced Analytics
One-Dimensional - Correlation: Fast and efficient basic matching of domains, IP addresses, user-agent, MD5 file hashes. Use of Boolean operators to identify if a signature is on a black/white list. Common usage in most firewall and IDS tools.
Two-Dimensional - Correlation: Use of regex and pattern matching for strings. Used in anti-malware, IDS/IPS, DLP and basic SIEM. Use of string matching to search a binary file to identify the type of threat. Enhanced capability to identify previously known threats and host enumeration within an environment.
Multi-Dimensional - Analytics: Hybrid model developed as adversaries learned to circumvent basic correlation and to reduce false positives. Thresholds and combinations of rules developed. Starting to create behavioral models, statistical analysis and pattern identification not just based on signatures.
N-Dimensional - Advanced Analytics: Shift away from heavy manual tagging and rule building alone; leverages advanced and predictive analytics, machine learning, graph analysis and elements of data science to enhance the analyst to identify previously unknown threats; shift from correlation to causation.
![Page 65: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/65.jpg)
Disclaimer: I am not a data scientist
![Page 66: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/66.jpg)
Types of Machine Learning
Supervised Learning: generalizing from labeled data
![Page 67: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/67.jpg)
Supervised Machine Learning
| Domain Name | Total Cnt | Risk Factor | AGD | Session Time | Ref Entropy | Null Ua | Outcome |
|---|---|---|---|---|---|---|---|
| yyfaimjmocdu.com | 144 | 6.05 | 1 | 1 | 0 | 0 | Malicious |
| jjeyd2u37an30.com | 6192 | 5.05 | 0 | 1 | 0 | 0 | Malicious |
| cdn4s.steelhousemedia.com | 107 | 3 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 2 | 0 | 1 | 0 | 0 | Benign |
| go.vidprocess.com | 170 | 2 | 0 | 0 | 0 | 0 | Benign |
| statse.webtrendslive.com | 310 | 2 | 0 | 1 | 0 | 0 | Benign |
| cdn4s.steelhousemedia.com | 107 | 1 | 0 | 0 | 0 | 0 | Benign |
| log.tagcade.com | 111 | 1 | 0 | 1 | 0 | 0 | Benign |
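What "generalizing from labeled data" means on the table above, as an added Python example: a logistic regression trained on the eight labeled rows and then asked to score domains it has not seen. This is not code from the presentation or the Machine Learning Toolkit, and it uses no scikit-learn so it runs anywhere. The training rows are copied from the slide; the two scored domains at the bottom are constructed, and the feature names are taken as given (the slide does not say how AGD or Ref Entropy are computed).

```python
"""Supervised classification of domains from the slide's feature table.
Added example: plain-Python logistic regression fitted by gradient descent."""
import math

FEATURES = ["TotalCnt", "RiskFactor", "AGD", "SessionTime", "RefEntropy", "NullUa"]

# Rows copied from the slide: (domain, TotalCnt, RiskFactor, AGD, SessionTime,
# RefEntropy, NullUa, Outcome).
TRAINING_ROWS = [
    ("yyfaimjmocdu.com",          144, 6.05, 1, 1, 0, 0, "Malicious"),
    ("jjeyd2u37an30.com",        6192, 5.05, 0, 1, 0, 0, "Malicious"),
    ("cdn4s.steelhousemedia.com", 107, 3.00, 0, 0, 0, 0, "Benign"),
    ("log.tagcade.com",           111, 2.00, 0, 1, 0, 0, "Benign"),
    ("go.vidprocess.com",         170, 2.00, 0, 0, 0, 0, "Benign"),
    ("statse.webtrendslive.com",  310, 2.00, 0, 1, 0, 0, "Benign"),
    ("cdn4s.steelhousemedia.com", 107, 1.00, 0, 0, 0, 0, "Benign"),
    ("log.tagcade.com",           111, 1.00, 0, 1, 0, 0, "Benign"),
]


class Standardizer:
    """Per-feature z-scoring so TotalCnt (hundreds to thousands) does not
    swamp the 0/1 flags. Constant columns (RefEntropy, NullUa here) get scale 1."""
    def __init__(self, rows):
        n, d = len(rows), len(rows[0])
        self.mean = [sum(r[i] for r in rows) / n for i in range(d)]
        var = [sum((r[i] - self.mean[i]) ** 2 for r in rows) / n for i in range(d)]
        self.scale = [math.sqrt(v) if v > 0 else 1.0 for v in var]

    def transform(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.scale)]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(X, y, lr=0.5, epochs=5000):
    """Batch gradient descent on the log-loss; returns (weights, bias)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(d):
                grad_w[j] += err * xi[j] / n
            grad_b += err / n
        w = [wj - lr * gj for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


class DomainClassifier:
    def __init__(self, rows):
        feats = [list(r[1:7]) for r in rows]
        self.scaler = Standardizer(feats)
        X = [self.scaler.transform(f) for f in feats]
        y = [1 if r[7] == "Malicious" else 0 for r in rows]
        self.w, self.b = train_logistic(X, y)

    def score(self, features):
        """Probability that a (TotalCnt, RiskFactor, AGD, SessionTime, RefEntropy, NullUa) row is malicious."""
        x = self.scaler.transform(list(features))
        return sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b)

    def predict(self, features):
        return "Malicious" if self.score(features) >= 0.5 else "Benign"

    def training_accuracy(self, rows):
        return sum(self.predict(r[1:7]) == r[7] for r in rows) / len(rows)

    def feature_weights(self):
        """Which standardized features push a domain toward 'Malicious'."""
        return dict(zip(FEATURES, self.w))


if __name__ == "__main__":
    clf = DomainClassifier(TRAINING_ROWS)
    print("training accuracy:", clf.training_accuracy(TRAINING_ROWS))
    print({k: round(v, 2) for k, v in clf.feature_weights().items()})
    # Constructed, previously unseen domains.
    for name, feats in [("qzx81kmd0ap.net", (900, 5.5, 1, 1, 0, 0)),
                        ("static.example.com", (120, 2.0, 0, 0, 0, 0))]:
        print(name, clf.predict(feats), round(clf.score(feats), 3))
```

Eight rows is far too few to trust in production (and two domains appear twice with different Risk Factor values), but it is enough to show the mechanics: the learned weight on Risk Factor is positive and dominant, which is why the constructed high-risk domain scores as malicious and the low-risk CDN-style one as benign.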
![Page 68: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/68.jpg)
Unsupervised Learning: generalizing from unlabeled data
![Page 69: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/69.jpg)
Unsupervised Machine Learning
• No tuning
• Programmatically finds trends
• UBA is primarily unsupervised
• Rigorously tested for fit
Raw Security Data → Algorithm → Automated Clustering
![Page 70: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/70.jpg)
![Page 71: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/71.jpg)
ML Toolkit & Showcase
• Splunk supported framework for building ML apps
  – Get it for free: http://tiny.cc/splunkmlapp
• Leverages the Python for Scientific Computing (PSC) add-on:
  – Open-source Python data science ecosystem
  – NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
  – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
  – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, Kernel PCA, etc.
• Implement one of 300+ algorithms by editing Python scripts
![Page 72: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/72.jpg)
Machine Learning Toolkit Demo
![Page 73: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/73.jpg)
![Page 74: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/74.jpg)
Splunk UBA
![Page 75: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/75.jpg)
Splunk UBA Use Cases
• ACCOUNT TAKEOVER: Privileged account compromise; Data exfiltration
• LATERAL MOVEMENT: Pass-the-hash kill chain; Privilege escalation
• SUSPICIOUS ACTIVITY: Misuse of credentials; Geo-location anomalies
• MALWARE ATTACKS: Hidden malware activity
• BOTNET, COMMAND & CONTROL: Malware beaconing; Data leakage
• USER & ENTITY BEHAVIOR ANALYTICS: Suspicious behavior by accounts or devices
Grouped on the slide under External Threats and Insider Threats.
![Page 76: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/76.jpg)
Splunk User Behavior Analytics (UBA)
• ~100% of breaches involve valid credentials (Mandiant Report)
• Need to understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
  – Behavior Baselining & Modeling
  – Anomaly Detection (30+ models)
  – Advanced Threat Detection
• E.g., Data Exfil Threat:
  – "Saw this strange login & data transfer for user kwestin at 3am in China…"
  – Surface threat to SOC Analysts
![Page 77: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/77.jpg)
Workflow
1. Raw Events
2. Anomalies – statistical methods, security semantics
3. Anomalies graph, entity relationship graph
4. Threat Models – graph mining, ML, patterns, sequences: lateral movement, beaconing, land-speed violation
5. Threats – kill chain sequence, supporting evidence, threat scoring
Continuous self-learning feeds back across the pipeline.
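Two of the threat models named in the workflow above, and earlier in the walkthrough (the "periodically" recurring C2 events, and the "login at 3am in China" data-exfil story), as an added Python example: beaconing, detected as outbound connections whose inter-arrival times barely vary, and a land-speed violation, two logins whose implied travel speed is impossible. This is not Splunk UBA code; the timestamps, coordinates and thresholds are constructed assumptions.

```python
"""Beaconing and land-speed-violation checks over constructed events.
Added example; nothing here is taken from Splunk UBA."""
import math
from datetime import datetime, timedelta, timezone

_T0 = datetime(2014, 6, 12, 0, 0, tzinfo=timezone.utc)

# Constructed: an implant checking in every 5 minutes with a few seconds of jitter.
BEACON_TIMES = [_T0 + timedelta(seconds=300 * i + j)
                for i, j in enumerate([0, 3, -2, 4, -4, 1, 2, -3, 0, 2])]
# Constructed: a person browsing, with irregular gaps between connections.
HUMAN_TIMES = [_T0 + timedelta(seconds=s)
               for s in [0, 5, 125, 155, 1055, 1057, 1117, 1517]]
# Constructed logins: (time, latitude, longitude).
PORTLAND_LOGIN = (_T0.replace(hour=9), 45.52, -122.68)
SHANGHAI_LOGIN = (_T0.replace(hour=12), 31.23, 121.47)
SEATTLE_LOGIN = (_T0.replace(hour=12), 47.61, -122.33)


def beacon_score(timestamps, min_events=6):
    """(mean gap in seconds, coefficient of variation) for a host->destination
    pair, or None with too few events to judge. A timer-driven implant gives a
    low CV; human traffic gives a high one."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    sd = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return mean, sd / mean


def is_beaconing(timestamps, max_cv=0.2):
    score = beacon_score(timestamps)
    return score is not None and score[1] <= max_cv


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def land_speed_violation(login_a, login_b, max_kmh=1000.0):
    """True when the same account would have had to travel faster than
    max_kmh (roughly airliner speed) between two geolocated logins."""
    (ta, la1, lo1), (tb, la2, lo2) = sorted([login_a, login_b])
    hours = (tb - ta).total_seconds() / 3600
    dist = haversine_km(la1, lo1, la2, lo2)
    if hours <= 0:
        return dist > 0  # two places at the same instant
    return dist / hours > max_kmh


if __name__ == "__main__":
    print("implant:", beacon_score(BEACON_TIMES), is_beaconing(BEACON_TIMES))
    print("human:  ", beacon_score(HUMAN_TIMES), is_beaconing(HUMAN_TIMES))
    print("Portland -> Shanghai in 3 h:", land_speed_violation(PORTLAND_LOGIN, SHANGHAI_LOGIN))
    print("Portland -> Seattle in 3 h: ", land_speed_violation(PORTLAND_LOGIN, SEATTLE_LOGIN))
```

The CV threshold is the knob: tight timers score under 0.05, implants that add random sleep push it up, and anything above roughly 0.5 is usually people or retry logic. Land-speed checks depend on geolocation quality, so VPN egress points and mobile carrier ranges need an allow-list before this is wired to alerting.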
![Page 78: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/78.jpg)
Splunk UBA Demo
![Page 79: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/79.jpg)
Security Workshops
● Security Readiness Assessments (CSC20)
● Splunk UBA Data Science Workshop
● Enterprise Security Benchmark Assessment
● Insider Threat
![Page 80: Threat Hunting with Splunk](https://reader034.vdocuments.net/reader034/viewer/2022042500/589aa87f1a28abfc1a8b68f3/html5/thumbnails/80.jpg)
Security Workshop Survey
https://www.surveymonkey.com/r/KFVLF37