Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework

706 views

Published on

Threat Models and Methodologies such as MITRE’s ATT&CK knowledge base are growing in popularity to help track adversaries and map Tactics, Techniques and Procedures (TTP’s) to build and measure security defence profiles. This session will provide an introduction to MITRE’s ATT&CK Methodology and show how Splunk Enterprise Security (ES) and Splunk content updates can help you leverage MITRE ATT&CK in your defensive strategies.

Published in: Technology
  • Be the first to comment

Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework

  1. 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. ATT&CK your ES & SSE Leveraging Splunk Enterprise Security & Security Essentials with MITRE ATT&CK Derek King | Staff Sales Engineer Johan Bjerke | Principal Sales Engineer May 2019 | v1.0
  2. 2. © 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
  3. 3. © 2019 SPLUNK INC. ► 20+ years IT & Security ► Security Consultant, Security Manager, Information Security Officer, Technical Specialist (Networks. & Security), Cisco Network Engineer, Programmer, Sys Admin ► But mostly wondering what the world would look like if only I could use GREP, SED & AWK proficiently ► Co-author Splunk Security Essentials, Contributor to BOTs & Author of Security Monitoring AppStaff Sales Engineer @network_slayer # whoami > Derek King CISSP, GIAC G*, MSc InfoSec(Dist)
  4. 4. © 2019 SPLUNK INC. ► 5 years at Splunk ► Splunk Security SME for the UK ► Active contributor to the Splunk community and Splunkbase ► Co-author of Splunk Security Essentials ► Author of Splunk App for Web Analytics Principal Sales Engineer johan@splunk.com # whoami > Johan Bjerke CISSP, MSc
  5. 5. © 2019 SPLUNK INC. 1. Introduction 2. What exactly is a framework 3. MITRE ATT&CK explained 4. Good, Bad & Ugly for ATT&CK 5. ATT&CK in ES,ESCU,SSE (Demo) 6. Measuring up using Analytics Advisor (Demo) 7. Q&A Agenda
  6. 6. © 2019 SPLUNK INC. Tell me about these Frameworks
  7. 7. © 2019 SPLUNK INC. Colonel John Boyd
  8. 8. © 2019 SPLUNK INC. Lockheed Martin Cyber KillChain
  9. 9. © 2019 SPLUNK INC. Lockheed Martin Cyber Kill Chain
  10. 10. © 2019 SPLUNK INC.
  11. 11. © 2019 SPLUNK INC. Diamond Model
  12. 12. © 2019 SPLUNK INC. • Nation-state sponsored adversary • Located (+8.5 timezone) • Uses Korean encoded language • Uses Hancom Thinkfree Office • European VPS servers • Western innovative Brewers and Home Brewing companies • PowerShell Empire • Spearphishing • Seeking to obtain high end Western Beers for production in their breweries • Documents with .hwp suffix • PS exec lateral movement • YMLP • Self signed SSL/TLS certificates • +8.5 hour time zone • Korean fonts for English • Korean text google translated to English • Naenara useragent string A special thanks to
  13. 13. © 2019 SPLUNK INC.
  14. 14. © 2019 SPLUNK INC. So cyber looked for something different
  15. 15. © 2019 SPLUNK INC.
  16. 16. © 2019 SPLUNK INC. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18- technical-s05-att&cking-fin7.pdf
  17. 17. © 2019 SPLUNK INC. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18- technical-s05-att&cking-fin7.pdf
  18. 18. © 2019 SPLUNK INC.
  19. 19. © 2019 SPLUNK INC.
  20. 20. © 2019 SPLUNK INC.
  21. 21. © 2019 SPLUNK INC. So what is MITRE ATT&CK framework then?
  22. 22. © 2019 SPLUNK INC. ATT&CK is a collection of “techniques, tactics, and procedures” manually curated from APT reports. It helps: • Identify where you have gaps in knowledge • Compare adversaries to each other • Compare adversary behavior to
  23. 23. © 2019 SPLUNK INC. When is MITRE ATT&CK useful? • Tracking adversaries at a detailed level • Sharing TTPs with defenders in a common taxonomy • Measuring your defenses against your adversaries capabilities
  24. 24. © 2019 SPLUNK INC. What are limitations of ATT&CK • It has inherent biases of being based on APT reporting • It is tactical NOT strategic • Mapping Techniques/Tactics can be… hard • It doesn’t cover everything (no cloud)
  25. 25. © 2019 SPLUNK INC.
  26. 26. © 2019 SPLUNK INC.
  27. 27. © 2019 SPLUNK INC.
  28. 28. © 2019 SPLUNK INC. Who is APT 10?
  29. 29. © 2019 SPLUNK INC. Am I a target?
  30. 30. © 2019 SPLUNK INC. What is a MenuPass?
  31. 31. © 2019 SPLUNK INC. How do I defend my org?
  32. 32. © 2019 SPLUNK INC. One screen. All the answers*
  33. 33. © 2019 SPLUNK INC. Who and am I a target?
  34. 34. © 2019 SPLUNK INC. What’s a menuPass?
  35. 35. © 2019 SPLUNK INC. How do I defend my org?
  36. 36. © 2019 SPLUNK INC. Discovering Accounts menuPass uses a tool called csvde.exe to export AD data
  37. 37. © 2019 SPLUNK INC. csvde.exe will be executed on an endpoint ▶ 4688 Windows event code ▶ Sysmon logging ▶ Carbon Black/EDR
  38. 38. © 2019 SPLUNK INC. menuPass uses a global service provider for a c2
  39. 39. © 2019 SPLUNK INC. C2 is in network traffic ▶ Stream/Zeek/Wiredata ▶ DNS ▶ Firewall traffic ▶ Netflow traffic
  40. 40. © 2019 SPLUNK INC. menuPass uses stages data in the Recylcing Bin
  41. 41. © 2019 SPLUNK INC. Files written to disk ▶ Sysmon logging ▶ Carbon Black/EDR
  42. 42. © 2019 SPLUNK INC. menuPass collects data with “net use” and robocopy
  43. 43. © 2019 SPLUNK INC. “net use” will be executed on an endpoint ▶ 4688 Windows event code ▶ Sysmon logging ▶ Carbon Black/EDR
  44. 44. © 2019 SPLUNK INC. When Does ATT&CK go off the rails
  45. 45. © 2019 SPLUNK INC. Don’t assume all techniques are equal https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
  46. 46. © 2019 SPLUNK INC. Don’t misunderstand your coverage and the bias of the data https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
  47. 47. © 2019 SPLUNK INC. Don’t stay in the matrix https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
  48. 48. © 2019 SPLUNK INC.
  49. 49. © 2019 SPLUNK INC. That said….Johan….
  50. 50. © 2019 SPLUNK INC.
  51. 51. © 2019 SPLUNK INC. Demo Time
  52. 52. © 2019 SPLUNK INC. ► 12 Threat Hunts with Sysmon, Suricata, Palo Alto, Stream, Windows Events… ► Workshop Logistics • In Your Organization • 5-12 Participants • 16-20 Hours, Modularized to shorten possible • Ask Your Splunk Contact Person. Don‘t know? Inquery: sales@splunk.com and we will route Want to learn more? Hands-On Workshop: Advanced APT Hunting Hands-On Workshop Advanced APT Hunting
  53. 53. © 2019 SPLUNK INC. Q&A
  54. 54. © 2019 SPLUNK INC. Thank You Derek King | Staff Sales Engineer Johan Bjerke | Principal Sales Engineer

×