Jeremy Hopkins at SplunkLive! Charlotte

1. Splunk@Duke
Presented by: Jeremy Hopkins, Sr. IT Analyst

2. Agenda
Introductions
Early Operational Usage and Reactive
Analysis
Moving from Reactive to Proactive

3. • 15,000 Students
• 3,300 Faculty
• 36,000 Staff
• Total of 68,000+ Active Users
• University and Medical Center
• Worldwide Presence

4. Splunk @ Duke University
200+ Indices & Sourcetypes
• Syslog
• OS (Win & *nix)
• Web
• Network
• IPS/IDS/Firewall
• Shibboleth
• Mail
• LDAP
• VPN
• Many More
Departments & Uses
• IT Security Office
• System Admin
• Messaging
• Network
• Database
• Emergency Notification
Tracking
• Departmental IT Groups
• Many uses by many groups

5. Forwarders set to
"autoLB = true"
Distributed Search
Indexing Tier
• 4 x Indexer
• 5 TB local storage each
Collection Tier
• Various systems with
forwarders
• Syslog aggregator w/
Universal Forwarder for
syslog events
Search Tier
• 2 x Search Head
• Search Head Pooling enabled
• Looking forward to Clustering
LS
Shared License
• Department
quotas
Department Instance
• Multiple "all-in-
one" instance for
different
department needs
Splunk @ Duke University

6. But I barely know you…
“Who has authenticated the most in the last hour?” --Your Manager
These questions become distractions, because we know it isn’t just one question…
Where are the users logging in from?
Where is SPAM coming from?
Where is legit mail coming from?
Log analysis from a shell prompt using the ancient sysadmin combo of: grep | awk | sort |
uniq
grep sasl_username logfile | awk '{print $9}' | sort | uniq -c | sort -n | tail -5
7 sasl_username=user1@oit.duke.edu
7 sasl_username=user2@oit.duke.edu
8 sasl_username=user3@oit.duke.edu
10 sasl_username=user4@oit.duke.edu
58 sasl_username=user5@oit.duke.edu

7. Dashboards to the Rescue
Top 10 SMTP Logins using previous search example

8. Take NULL locations
and puts a custom
label on them
Creates a Location label such
as “Charlotte, NC” instead of
a column for city and state.
Top SMTP Logins
Finds SMTP logins and builds a table with username, login count, and location
eventtype=smtpauth | iplocation client_ip
| eval Location= if(CountryCode == "US",if(City=="",if(Region=="","Unknown Location,
"+Country,Region),if(Region=="",City+", ?? "+Country,City+",
"+Region)),if(City=="",Country,City+", "+Country))
| eval Location=
if(isnotnull(Location),
Location,
if(cidrmatch(”10.0.0.0/8",client_ip),
"Duke - Private”,
client_ip
)
)
| stats values(Location) count(netid) by netid | rename … | table netid Count Location | sort -
Count

9. Event types
– SMTP Auth Converted to a Splunk eventtype
 index=mail host=mail* process=postfix/smtpd sasl_username=*
– Duke created event types for various login events from various
sources:
 VPN – eventtype=vpnlogin
index=network sourcetype=vpn vpn_user=* vpn_inner_ipv4=*
vpn_source_ip=*
 Shibboleth (single sign on) - eventtype=shiblogin
index=idms_shib sourcetype=idp-process
(shib_success=“[password]” OR SSO=“true”)

10. Play nicely with others
In theory, we can join the various login types
together to find all login events
– eventtype=dukelogin is defined with the following
search
 eventtype=vpnlogin OR eventtype=smtpauth
OR eventtype=shiblogin
Event types allow others to use your logs without
knowing the specifics of your application
aka: Collaboration

11. https://xkcd.com/208/

12. Fun with Maps
Source of the mail we accepted as “not spam”

13. Guess Where our Spam Originates…

14. Was this really a DDOS?
| inputlookup ddos_20150123.csv | geoip src_ip

15. Neat, but how did it help?
• Plotting mail sources on maps provided a
visual for management which allow
implementation of geographically isolated
mail flow and acceptance rules
• Dashboards and eventtypes allowed the
ITSO to quickly see account abuse and
provided the groundwork for collaboration
with other teams

16. And then this happened…
Phishing to Fraud
• Phish targeting 600+ faculty/staff
• Typical phish emails (nothing
overly sophisticated)
– Pay Raise, Login Verification,
etc.
– Cloned Login Page
• Compromised accounts used to
access HR/Payroll sites
• After successful login, bank
routing numbers for direct
deposit changed
• Reports of monthly salaries not
received
Source: The News & Observer

17. Example of Phishing Email Received
Clicking here leads to URL on next
slide
A pay rise… interesting.

18. Link from Phish in Previous Slide
Believe
it or
not,
Duke
does
not
own
nl-
tour.ru

19. Gone phishin’
Example of Dashboard to Record Email into Phish Tracking Lookup Table
Search Duration
Actual Subject of Email
How we identify a particular
campaign
Your DUKE Pay Increase
Pay Increase - 20141006
Adds to PhishList lookup table

20. User Lookup in the PhishList
| inputlookup PhishList.csv | search To=dukeuser@duke.edu

21. Phishing DashboardAggregate of PhishList Data with Search Panel

22. Once the Bleeding Stopped…
• How do we utilize Splunk to become more proactive?
1. Look for “non-Duke” IPs with multiple user logins to
HR/Payroll system
2. Non-Duke IPs with multiple user logins regardless of
destination
3. Query the number of cities an account has logged in from in
past 24 hrs
4. Query the number of countries an account has logged in
from in past 24 hrs

23. • Multiple Iterations of Direct Deposit Phish
• Team moves forward from authentication only investigations
• Chum Accounts to help locate attackers early
This type of visibility into logs just did not exist for the ITSO prior
to Splunk
The Fight Continues…
It becomes organizational, and not just the responsibility of
security
• App developments
• MFA

24. The attackers respond

25. User Investigation Form

26. Example Using Radio Buttons
<fieldset>
<input type="text" token="search_netid">
<label>NetID</label>
<suffix/>
</input>
<input type=”radio” token=”mail_button”>
<label>Mail Logins</label>
<default>YES</default>
<choice value=”index=mail”>YES</choice>
<choice value=”index=NONESUCH”>NO</choice>
</input>
<input type="time">
<default>Last 7 days</default>
<label>Time</label>
</input>
<fieldset>
~
<searchString>$mail_button$ host=”mail-gw-*” user=$search_netid$</searchString>

27. Example of Combining Details Using Case
| eval combined_event_type=case(
isnotnull( vpn_login ), “VPN Login”,
isnotnull( sasl_username ), “Email”,
match( event_action, “lock” ), “Account Lock”,
match( event_action, “unlock” ), “Account Unlock”,
isnotnull( clientip ) AND isnotnull( user ), “WEB HIT”,
1=1, “-”
)

28. Benefits of Splunk to Duke
• Splunk allowed Duke to begin leveraging multiple data
sources almost immediately with very little ramp up time
• Detailed information on recipients of phishing messages
is now available to Security in minutes instead of hours
• Splunk has allowed Duke to more than double the
number of compromised accounts we detect and lock
each month
• Splunk provided the ability to create a custom SIEM like
solution tailored to Duke’s needs

29. • Use Splunk to bridge the gap between teams and
log knowledge
• Use event types, macros, and saved searches to
make your long crazy searches usable by others
• Use the eval command to create custom
algorithms
• Continue to educate your users about Phishing
Key Takeaways

30. Thanks for Listening!
Email: Jeremy.Hopkins@duke.edu
Socials: hopkeno
Lets Go Duke!