Automating your organization’s security operations is no longer optional. It’s essential. Increasing analyst productivity and decreasing response time can mean the difference between successfully containing an attack, and suffering a devastating breach. This talk will focus on ten practical automation techniques—each implemented in either Python or PowerShell—that extend the functionality of a popular commercial SIEM. Each technique will demonstrate how to automatically gather additional context on an alert, make configuration changes in an operational environment, or retrieve and analyze forensic evidence. Proof of concept code samples and live/recorded demonstrations will be provided.
10(?) holiday gifts for the SOC who has everything
1. Ten(?) Holiday Gift Ideas for the SOC Who Has Everything
Dave Ryan
@ SANS SIEM & Tactical Analytics Summit
November 2017
2. Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
3. # whoami > Ryan Kovar
CISSP, MSc(Dist)
Staff Security Strategist
Minister of the OODAloopers
@meansec
• 17 years of cyber security experience
• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
• Also investigating why printers are so insubordinate ಠ_ಠ
4. # whoami > Dave Herrald
CISSP, GIAC G*, GSE #79
Security Architect @splunk
@daveherrald
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
12. BOTS Data Is Free
• Splunk Boss of the SOC is a realistic, blue-team CTF
• BOTS Version 1 debuted in September 2016
• Data set has been open-sourced (CC0 license)
• Available as pre-indexed Splunk data, JSON, and CSV
https://github.com/daveherrald/botsv1
13. BOTS Data Is Realistic
• Realistic attack data
• Realistic background noise
• Includes 22 data types
- Windows events
- Microsoft Sysmon
- Windows registry
- Wire data (HTTP, DNS, DHCP, etc.)
- Suricata
- Firewall
15. SIGMA
Generic Signature Format for SIEM
• Developed by Florian Roth and Thomas Patzke
• https://github.com/Neo23x0/sigma
What’s in the box?
• Rule specification
• Open repository of signatures
• A Python converter for different SIEM systems
16. SIGMA – Preparing to test against BOTSv1 data
• Focus on Sysmon data for this test
- About 46 of 148 Sigma rules at time of test
• Need to convert Sigma Sysmon rules to Splunk searches
• I used sigmac.py manually, included with Sigma
• Recommend the excellent TA-Sigma-Searches add-on for Splunk
- https://github.com/dstaulcu/TA-Sigma-Searches
- Finished product
- Also includes the PowerShell wrapper for sigmac.py that takes care of a lot of messy details
17. SIGMA – Test against BOTSv1 data set
Success!
• sysmon_office_macro_cmd.yml
• sysmon_office_shell.yml
• sysmon_susp_execution_path_webserver.yml
• sysmon_susp_net_execution.yml
• sysmon_webshell_spawn.yml
Follow-up
• More hits with other Sigma rules?
• Contribute new rules to Sigma
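To make the "convert Sigma Sysmon rules to Splunk searches" step concrete, here is an added, deliberately small converter that is not sigmac.py or TA-Sigma-Searches. It covers the subset of the Sigma detection grammar most Sysmon rules use (field maps, value lists, the `contains`/`startswith`/`endswith` modifiers, and a condition built from `and`/`or`/`not` and parentheses) and refuses anything else rather than silently producing a wrong search. The rule is a constructed example expressed as a Python dict mirroring Sigma's YAML layout, and the logsource-to-`source=` mapping is an assumption to adjust for your own Windows TA.

```python
"""Toy Sigma -> Splunk SPL converter (added example, not sigmac.py)."""
import re

# Constructed rule in Sigma's structure; field names follow Sigma's Sysmon
# convention. Not one of the rules from the Sigma repository.
EXAMPLE_RULE = {
    "title": "Office application spawning a shell (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "/safe"},
        "condition": "selection and not filter",
    },
}

# Assumed mapping from Sigma logsource to the Splunk source written by the
# Windows TA; change it to whatever your forwarders actually emit.
LOGSOURCE_TO_SPL = {
    ("windows", "sysmon"): 'source="WinEventLog:Microsoft-Windows-Sysmon/Operational"',
}


def spl_value(value, modifier=None):
    """Render one Sigma value as a quoted Splunk term, applying the modifier.
    Both Sigma and Splunk use '*' as the wildcard; backslashes and quotes are
    escaped so the term survives inside an SPL string literal."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if modifier == "contains":
        text = f"*{text}*"
    elif modifier == "startswith":
        text = f"{text}*"
    elif modifier == "endswith":
        text = f"*{text}"
    elif modifier is not None:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return f'"{text}"'


def spl_field(key, value):
    """One Sigma field ('Field' or 'Field|modifier') -> Splunk expression.
    A list of values means any of them may match (OR on the same field)."""
    field, _, modifier = key.partition("|")
    values = value if isinstance(value, list) else [value]
    terms = [f"{field}={spl_value(v, modifier or None)}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def spl_search_block(block):
    """A Sigma search identifier: a map is an AND of its fields, a list of
    maps is an OR of those maps."""
    if isinstance(block, list):
        return "(" + " OR ".join(spl_search_block(b) for b in block) + ")"
    return " ".join(spl_field(k, v) for k, v in block.items())


def sigma_to_spl(rule):
    """Translate the rule's condition token by token, substituting each search
    identifier with its SPL and upper-casing the boolean operators."""
    detection = rule["detection"]
    pieces = []
    for token in re.findall(r"\(|\)|[^\s()]+", detection["condition"]):
        low = token.lower()
        if token in ("(", ")"):
            pieces.append(token)
        elif low in ("and", "or", "not"):
            pieces.append(low.upper())
        elif token != "condition" and token in detection:
            pieces.append("(" + spl_search_block(detection[token]) + ")")
        else:  # e.g. "1 of them", aggregations, near: not handled here
            raise NotImplementedError(f"unsupported condition token: {token}")
    ls = rule["logsource"]
    scope = LOGSOURCE_TO_SPL[(ls.get("product"), ls.get("service"))]
    return f"{scope} {' '.join(pieces)}"


if __name__ == "__main__":
    print(sigma_to_spl(EXAMPLE_RULE))
```

Running it prints a search you can paste into Splunk to test against BOTSv1 Sysmon events; raising on unknown tokens instead of guessing is the important design choice, because a converter that quietly drops part of a condition produces a rule that looks like it ran and simply never fires.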
37–40. Supertimeline in a SIEM
• Store and search over multiple timelines
• Extract the Supertimeline Source Types
• Specify time ranges
• Ad-hoc search
• Familiar color coding
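As an added example of the ingestion side of these slides (not code from the Plaso add-on or app linked below), the block below takes Plaso's l2tcsv output, stamps every row with a timeline id so several cases can share one index, converts the date and time into an epoch `_time`, lists the distinct Plaso source types, and filters by a time range. The l2tcsv column layout is the one psort writes; the rows themselves are constructed, and the code assumes psort was run with a UTC output timezone.

```python
"""Plaso l2tcsv -> JSON events for a SIEM (added example, not the TA_plaso code)."""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample in Plaso l2tcsv layout; the header is the real column
# order, the four rows are made up for this example.
SAMPLE_L2TCSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/24/2016,14:02:11,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,ws-01,C:\Users\bob\invoice.docm,C:\Users\bob\invoice.docm Type: file,2,TSK:/Users/bob/invoice.docm,4210,-,filestat,-
08/24/2016,14:02:40,UTC,...B,EVT,WinEVTX,Creation Time,-,ws-01,[4688 / 0x1250] process created,[4688 / 0x1250] A new process has been created,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,9931,-,winevtx,-
08/24/2016,14:05:03,UTC,.A..,REG,Registry Key,Last Access Time,-,ws-01,[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] updater,[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] updater: C:\Windows\Temp\u.exe,2,TSK:/Windows/System32/config/SOFTWARE,5512,-,winreg/winreg_default,-
08/25/2016,09:15:00,UTC,M...,LOG,Apache Access Log,Content Modification Time,-,ws-01,GET /login.php,GET /login.php 200,2,TSK:/var/log/apache2/access.log,77,-,apache_access,-
"""


def parse_l2tcsv(text, timeline_id):
    """Turn l2tcsv rows into flat dicts ready to be emitted as JSON lines.
    timeline_id is whatever you use to tell cases apart (host, case number)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Assumption: timelines were produced with a UTC output timezone;
        # mixing zones silently skews correlation, so refuse anything else.
        if row["timezone"] != "UTC":
            raise ValueError(f"unexpected timezone {row['timezone']!r}; rerun psort with UTC")
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        events.append({
            "_time": int(ts.replace(tzinfo=timezone.utc).timestamp()),
            "timeline_id": timeline_id,
            "macb": row["MACB"],
            "source": row["source"],
            "plaso_sourcetype": row["sourcetype"],
            "type": row["type"],
            "host": row["host"],
            "desc": row["desc"],
            "filename": row["filename"],
            "parser": row["format"],
        })
    return events


def source_types(events):
    """Distinct Plaso source types with counts: the 'extract source types'
    view, useful for deciding which parsers to trust or drop."""
    counts = {}
    for event in events:
        counts[event["plaso_sourcetype"]] = counts.get(event["plaso_sourcetype"], 0) + 1
    return dict(sorted(counts.items()))


def in_range(events, start_iso, end_iso):
    """Events with start <= _time < end, both given as ISO-8601 UTC strings."""
    start = int(datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc).timestamp())
    end = int(datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc).timestamp())
    return [e for e in events if start <= e["_time"] < end]


def to_json_lines(events):
    """One JSON object per line, the shape a file monitor input ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    evts = parse_l2tcsv(SAMPLE_L2TCSV, "case-001")
    print(source_types(evts))
    print(to_json_lines(in_range(evts, "2016-08-24T14:00:00", "2016-08-24T14:03:00")))
```

Writing the JSON lines to a file that a forwarder monitors keeps the pipeline simple; the `timeline_id` field is what makes "search over multiple timelines" work once several cases land in the same index.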
41. Resources
Supertimeline(Plaso) Splunk Apps
• https://github.com/daveherrald/TA_plaso-add-on-for-splunk
• https://github.com/daveherrald/SA_plaso-app-for-splunk
Earlier work from Nick Klein
• https://www.youtube.com/watch?v=xe0qJriD7aM
47. • “4” Indicates it is in the 4th stage of the kill chain
• “002” Indicates it is the 2nd rule written in the “4” category
• “EXP” Indicates it is in the “Exploit” category
• Lastly, the name of the rule
Don’t reinvent the wheel
https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
51. Current osquery Capability with Splunk
• Schedule osquery queries
• Log results locally
• Monitor with Universal Forwarder
• Analyze with Splunk
• We include this in BOTS v2 if you want to see it in action
• https://splunkbase.splunk.com/app/3278/
66. OK… So what’s a TIP again?
“Threat Intelligence Platform”
• YETI: An open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense.
• Malware Information Sharing Platform (MISP) allows organizations to share information about malware and their indicators. MISP users benefit from the collaborative knowledge about existing malware or threats.
• Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
72. Optimizing Analysis with CyberChef
• Developed and maintained by GCHQ
• Open source, Apache 2.0 License and Crown Copyright
• https://github.com/gchq/CyberChef
• Convert virtually any data format to any other
• Web based
• Processing is performed locally using JavaScript in the browser
• Easy to use, powerful, programmable, extensible
79. Takeaways
• Get some “SIEMspiration”!
• Think outside of “Alerts and Events”
• Use third-party open source tools to “accelerate” your bicycle
• Automate the mundane. Investigate the interesting.
Learned System Administration in the US Navy
Worked in the UK/US in public/private sector
Most recently at DARPA using Splunk
Has a masters degree from University of Westminster
Focuses on Incident response, Threat intel, dry humor,
Some gifts are better than others
Car vs SOC(k)
“Abstract different than talk? Why? Research! People needed the stuff we talk about here more than they needed ADPS (another damn (powershell|python) script)”
“We’re here to inspire you not give you answers”
Forensics detail if can add context to a SIEM investigation
Triggering forensics gathering as a workflow
I constantly hear that customers want to manage their threat intelligence with their SIEM. They want their SIEM to act as a TIP.
But… it never ends up well… Think about using TIPs.