Bechtel Customer Presentation

Slide 1: Security Operations Use Cases: 'Cause Bears, Pandas, and Sandworms. Live! Edition
Ryan Chapman (& Lisa Tawfall), Bechtel Corporation
Copyright © 2014 Splunk Inc.

Slide 2: Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Slide 3: Agenda
• Intro to Bechtel
• Who's This Guy?
• Overview of Security @ Bechtel
• Why Splunk?
• Use Cases

Slide 4: Bechtel Corporation
• Largest Construction & Civil Engineering Company in the U.S.
• 58,000 colleagues | 25,000 projects | 160 countries | 7 continents
• Target Rich Environment – Global Threats
• 2012 Goal: Develop World-Class SOC

Slide 5: Ryan J. Chapman
• Network Security Monitoring Analyst
• Incident Handler
• CIRT / SOC Liaison
• "Did You Check Splunk?" Guy
  – No, Really. Did You Check Splunk?
@rj_chap

Slide 6: Security @ Bechtel

Slide 7: Post Remediation Structure

Slide 8: APT Events Use Case
                           BEFORE SPLUNK     AFTER SPLUNK
Event Escalation to CIRT   99% of Events     2013-2014: < 3%; 2015: < 1%
APT Events Detected        1 APT Event       2013: 269 APT Events; 2014: 82 APT Events

Slide 9: The Security Stack
Layers shown on the slide, grouped under Deter / Detect / Respond / Remediate: External Intense Monitoring, Full Packet Capture, DNS Protection, Network Event Parsing, Firewall, Application Firewall, Email Blocking, Behavior Analysis, APT Detection, Forensics, AV, Log Forwarding.

Slide 10: Why Splunk?
• Better than GREP?
• Parsing Individual Logs?
  – 2.35TB/day License
• Primary Uses:
  – Alert Generation
  – Response!
    ◦ The "5 W's"
Because it's Awesome!

Slide 11: Why Splunk? Bechtel is Target Rich!

Slide 12: Obligatory Splunk Quote
"We wouldn't be able to do our jobs without Splunk."

Slide 13: Use Case One

Slide 14: Use Case 1 – "Tripping Over The Needle"
• Saved Searches Are Awesome!
  – 25%+ of SOC Tickets
• Alert: PowerShell Using " -enc"
  – Also Alerted: " -exec bypass"
  – Not Caught by Security Stack Tools
• Used to Base64 Encode
  – Detection Avoidance Mechanism

Slide 15: Saved Search – "No Encoding For You!"
    index=wls* EventID=4688 BaseFileName="powershell.exe" CommandLine="* -enc*" NOT ([REDACTED])
    | sort 0 _time
    | table _time, Computer, SubjectDomainName, SubjectUserName, BaseFileName, CommandLine, CompanyName, CreatorProcessName, NewProcessName, FileDescription, FileVersion, MD5

Slide 16: Saved Search Results [Most Columns Removed]
_time            Computer     CommandLine
11/9/15 15:35    [REDACTED]   powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG…AKQA7AA==
11/9/15 15:49    [REDACTED]   powershell -nop -exec bypass -EncodedCommand 'SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0A…AKQA7AA=='

Slide 17: Saved Search Results – Decoded Base64: MOAR Base64 + Zipped!
    $s=New-Object IO.MemoryStream(, [Convert]::FromBase64String("H4sIAAAAAAAAAL1We2/aSBD/Gz7FqopkW+UZuJREi…DAAA"));
    IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Slide 18: Saved Search Results – Decoding Continued
• Secondary PowerShell Script
  – $var_code == Shellcode
• Shellcode Creates Named Pipe
  – Inter-Process Communication
• Errrrrr…. No
  – ALL HANDS ON DECK
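Added example, not from the slides or from Bechtel's own tooling: a Python triage helper that applies the slide 15 search logic (CommandLine "* -enc*", plus the "-exec bypass" variant) to constructed EventID=4688 command lines and then peels back the two layers slides 16 and 17 walk through: the UTF-16LE base64 -EncodedCommand, and the gzip+base64 blob that is loaded through IO.Compression.GzipStream. The sample command lines, the benign inner script, and the function and regex names are all constructed for this example.

```python
import base64
import gzip
import re

# Constructed sample: a benign inner script wrapped the way slide 17 shows
# (gzip-compressed, base64-encoded, inflated via IO.Compression.GzipStream),
# then handed to PowerShell as a UTF-16LE base64 -EncodedCommand.
_INNER = gzip.compress(b"Write-Output 'constructed benign payload'")
_STAGE1 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'
           + base64.b64encode(_INNER).decode() + '"));'
           'IEX (New-Object IO.StreamReader(New-Object IO.Compression.'
           'GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();')
SAMPLE_4688 = [  # constructed EventID=4688 CommandLine values modelled on slide 16
    "powershell.exe -nop -w hidden -encodedcommand "
    + base64.b64encode(_STAGE1.encode("utf-16-le")).decode(),
    "powershell -nop -exec bypass -Command Get-Date",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

# Same semantics as the saved search's CommandLine="* -enc*", plus the
# "-exec bypass" / "-ex bypass" variants seen on slides 14, 16 and 20.
SUSPICIOUS = re.compile(r"\s-enc\w*|\s-ex\w*\s+bypass", re.IGNORECASE)
ENC_ARG = re.compile(r"-enc\w*\s+['\"]?([A-Za-z0-9+/=]+)", re.IGNORECASE)
# "H4sI" is the base64 encoding of the gzip magic bytes 1f 8b 08.
GZ_BLOB = re.compile(r'FromBase64String\(["\']?(H4sI[A-Za-z0-9+/=]+)')

def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand (UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")

def unwrap_gzip_stages(script):
    """Inflate every embedded FromBase64String("H4sI...") blob to plain text."""
    return [gzip.decompress(base64.b64decode(b)).decode("utf-8", errors="replace")
            for b in GZ_BLOB.findall(script)]

def triage(cmdlines):
    """Flag suspicious 4688 command lines and peel back their encoding layers."""
    findings = []
    for cmd in cmdlines:
        if not SUSPICIOUS.search(cmd):
            continue
        stage1 = decode_encoded_command(cmd)
        findings.append({"cmdline": cmd[:48], "stage1": stage1,
                         "inner": unwrap_gzip_stages(stage1) if stage1 else []})
    return findings
```

The third sample (a plain -File invocation) is not flagged, which mirrors why the saved search keys on the encoding switches rather than on powershell.exe alone.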
Slide 19: Additional Splunkage – Event Code 4688 = Process Execution
    index=wls* EventID=4688 Computer="[REDACTED]" BaseFileName="cmd.exe" CommandLine="*"
    | sort 0 _time
    | table _time, Computer, SubjectDomainName, SubjectUserName, BaseFileName, CommandLine, CompanyName, CreatorProcessName, NewProcessName, FileDescription, FileVersion, MD5

Slide 20: Additional Splunkage – Event Code 4688 CommandLine Examples
• c:\windows\system32\windowspowershell\v1.0\powershell.exe -ex bypass -noni -w hidden -nop Get-GPPPassword
• net user 'Domain Admins' /domain
• reg query '\\[REDACTED]\HKLM\Software\Microsoft\Windows NT\CurrentVersion'
• net sessions
• wmic qfe list brief

Slide 21: Additional Splunkage – Event Code 4688 CreatorProcessName Oddity
_time              Computer     CommandLine                   CreatorProcessName   NewProcessName
11/9/15 17:06:6    [REDACTED]   net user [REDACTED] /domain   txt2adobe            C:\Windows\SysWOW64\cmd.exe
11/9/15 18:00:01   [REDACTED]   systeminfo                    txt2adobe            C:\Windows\SysWOW64\cmd.exe
11/9/15 18:11:36   [REDACTED]   dir \\10.[REDACTED]\c$        txt2adobe            C:\Windows\SysWOW64\cmd.exe

Slide 22: Correlating Tool Results FTW!
• NSM (Splunk) + DFIR (Memory Analysis w/ Volatility)
• PSTREE
  – httpd.exe launched txt2adobe.exe
• NETSCAN
    0x23d23ccf0  TCPv4  10.[REDACTED]:80     10.[REDACTED]:34752  CLOSED       1432  httpd.exe
    0x23c6c2170  TCPv4  10.[REDACTED]:52382  10.[REDACTED]:443    ESTABLISHED  3644  txt2adobe.exe
No 4688 Events for "txt2adobe"

Slide 23: Wait A Second…
• Additional Pivoting:
  – IP/MAC Addresses, etc.
  – Found a Kali-based Host
…Identified Aggressor…
• Red Team Pentest!
  – 0x0000FF > 0xFF0000
  – Thanks Splunk!
NOT IN OUR HOUSE!

Slide 24: Use Case Two

Slide 25: Use Case 2 – Vetting Threat Intel
• Intel is Now Ubiquitous
  – Paid Feeds
  – Open Source (Blogs/Twitter)
  – That Girl You Worked with Two Companies Ago
• Indicators of Compromise
  – IOCs Everywhere!
  – How Do We Process Them All?

Slide 26: You Get Intel… and YOU Get Intel!

Slide 27: Automate All the Things

Slide 28: IOC Triage (IOCSaw, WAM, TRAC) [Partial Results]
INDICATOR                #     LAST                  FIRST                 COMMENT                               CATEGORY      CREATED               TRAC
bad.site.cc                                                                Ticket #54728 OSINT (India Breach)    Targeted      2013-03-14T01:37:15   #54728
palace.malware.net                                                         More dynamic DNS blocks               Dynamic DNS   2013-09-03T20:19:09   #78508, #53939
test-user123.crime.com                                                     Ticket #54728 OSINT (India Breach)    Targeted      2013-03-14T01:37:15   #54728
securelist.com           223   07/14/2015 21:46:03   07/16/2014 22:53:45                                                                             32 Matched Tickets

Slide 29: Hash Triage (NSRL* Lookup and TRAC) [Partial Results]
HASH                               NSRL_FNAME    NSRL_MFG   NSRL_PROD   TICKET
214AD74511D23EAA51AE82EDC3760AE2   RDS_250.iso   NIST       NSRL DVD    #12345
E9A87BB87BB87BB6DC053238B0A87B33                                        #80000
EDCD313791506EDCD318A2A88B9E0HH1
72EDCD31A7AAD3102C5AA7758EEDBEEF                                        #84507
AAA62D5F0E348F0E8AAAAAADDDDDDEAD                                        #22222, #33333
5A22E5AEE4DA2FE363B77F1A22E5AE93
21C46A95329F3F168888888880000000                                        #thisisfake
D41D8CD98F00B204E9800998ECF8427E                                        ☺
*National Software Reference Library

Slide 30: Macros Rock Hard
• `hash_indices` Macro: This is a Stick-Up! Gimmie Those Hashes!
    (index=wls* OR index=bro_files OR index=bro_http OR index=bro_notice OR index=bro_smtp_entities OR index=fe OR index=fireeye OR sourcetype=sep12:risk OR sourcetype=sep12:proactive OR sourcetype=sep12:behavior) AND file_hash!="-"

Slide 31: Macros Rock Hard
• `hash_indices` Macro in use:
    earliest=12/15/2015:00:00:00 latest=12/15/2015:17:30:41 `hash_indices` (file_hash="B9A4DAC2192FD78CDA097BFA79F6E7B2" OR file_hash="E7B2ED6FF40DAB2F235000B0299E7B23" OR file_hash="E7B2B87136E2DC22F8D2740F3E6EE7B2")

Slide 32: Another Useful Macro
• `web_traffic` Macro:
    (index=isa* OR index=bro_http OR index=bro_conn OR index=websense OR sourcetype=pan_traffic OR sourcetype=pan_threat)

Slide 33: Another Useful Macro
• `web_traffic` wdmycloud.device2479816.wd2go.com
  Results pulled from:
  – Palo Alto
  – ISA Proxy
  – BRO

Slide 34: Recap & Takeaways – 'Member These Things
• Saved Searches are Your Friend
• Catalogue Your Saved Searches
• Enable Command Line Auditing!
  – See Resources
• Macros are Your Friend
• CIM is Your Friend
• Troll Splunk>Answers, Splunk>Blogs and Splunkbase

Slide 35: Resources
• Michael Gough's Splunk/Windows Logging Cheat Sheets
  – http://www.malwarearchaeology.com/cheat-sheets
  – Provide Key Event Codes
  – Explain How to Setup Logging
• Check out Cassava!
  – https://github.com/BechtelCIRT/cassava
• "Forensic Investigator" by TekDefense
  – https://splunkbase.splunk.com/app/2895/

Slide 36: Thank You
Security Operations Use Cases: 'Cause Bears, Pandas, and Sandworms. Live! Edition
Ryan Chapman – @rj_chap, Bechtel
QUESTIONS?
