Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.

1. Copyright © 2016 Splunk Inc.
Splunk Enterprise for
Information Security
Hands-On
Presenter: Rene Aguero

2. 2
A – 1
B – 1
C – 1
D – 2
E – 2
F – 2
G – 3
H – 3
I – 3
J – 4
K – 4
L – 4
M – 5
N – 5
O – 5
P – 6
Q – 6
R – 6
S – 7
T – 7
U – 7
V – 8
W – 8
X – 9
Y – 9
Z – 9
? – 10
SSID: attwifi Code: Splunk2016
https://od-sl-charlotte0#.splunkoxygen.com/ Username: splunklive
Password: security

3. Copyright © 2016 Splunk Inc.
Intro

4. 4
Agenda
Intro
Web Attacks
Lateral Movement
DNS Exfiltration
Wrap-up / Q&A

5. 5
A – 1
B – 1
C – 1
D – 2
E – 2
F – 2
G – 3
H – 3
I – 3
J – 4
K – 4
L – 4
M – 5
N – 5
O – 5
P – 6
Q – 6
R – 6
S – 7
T – 7
U – 7
V – 8
W – 8
X – 9
Y – 9
Z – 9
? – 10
SSID: attwifi Code: Splunk2016
https://od-sl-charlotte0#.splunkoxygen.com/ Username: splunklive
Password: security

6. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

7. Platform for Operational Intelligence
The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP
IoT
Devices
Network
Wire Data
Hadoop
https://od-sl-charlotte10.splunkoxygen.com/

8. 8
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or
service depicted in its research publication and not advise technology users to select only those
vendors with the highest ratings or other designation. Gartner research publications consist of the
opinions of Gartner’s research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, express or implied, with respect to this research, including any
warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

9. 9
A – 1
B – 1
C – 1
D – 2
E – 2
F – 2
G – 3
H – 3
I – 3
J – 4
K – 4
L – 4
M – 5
N – 5
O – 5
P – 6
Q – 6
R – 6
S – 7
T – 7
U – 7
V – 8
W – 8
X – 9
Y – 9
Z – 9
? – 10
SSID: attwifi Code: Splunk2016
https://od-sl-charlotte0#.splunkoxygen.com/ Username: splunklive
Password: security

10. Copyright © 2016 Splunk Inc.
Web Attacks

11. 11
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management

12. 12
[1] Injection
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow

13. 13
Our focus
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow
SQL injection is a massive
headache for all companies
who have a database and a
web interface.

14. 14
The anatomy of a SQL injection attack
SELECT * FROM users WHERE email='xxx@xxx.com'
OR 1 = 1 -- ' AND password='xxx';
xxx@xxx.xxx' OR 1 = 1 -- '
xxx
admin@admin.sys
1234
An attacker might supply:
https://od-sl-charlotte10.splunkoxygen.com/

15. 15
Simple SQL Injection
index=web_vuln password select
(Starting with a simple, full-text search)

16. 16

17. 17
Simple SQL Injection
index=web_vuln password select
(administrator OR root OR system OR sa)
| iplocation clientip
| search Country=Ukraine
(Furthermore, search for a privileged user and
isolate the traffic from a specific country)

18. 18

19. 19
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
 looks for patterns in URI query field to see if
anyone has injected them with SQL
statements
 use standard deviations that are 2.5 times
greater than the average length of your URI
query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)

20. 20
Advanced SQL Injection
index=web_vuln …
TIP: To decode URIs you can use: | eval u = urldecode(field)

21. 21
Advanced SQL Injection
index=web_vuln
| rex field=uri `sqlinjection_rex`
| search injection=*
| stats count by clientip status

22. 22

23. 23

24. 24
Summary: Web attacks/SQL injection
SQL injection provide attackers with easy access to data
Detecting advanced SQL injection is hard – use an app!
Augment your WAF with enterprise-wide Splunk searches
Other scenarios? Come see us at the Security Answers Booth

25. Copyright © 2016 Splunk Inc.
Lateral Movement

26. 26
Poking around
An attacker hacks a non-privileged user system.
So what?

27. 27
Lateral Movement
Lateral Movement is the expansion of systems
controlled, and data accessed.

28. 28
Most famous Lateral Movement attack?
(excluding password re-use)
Pass the Hash!

29. 29
Detecting Legacy PtH
Look for Windows Events:
Event ID: 4624 or 4625
Logon type: 3
Auth package: NTLM
User account is not a domain logon, or Anonymous Logon

30. 30
LM Detection: Pass the Hash
source=WinEventLog:Security
EventCode=4624
Authentication_Package=NTLM
Type=Information

31. 31

32. 32
Then it got harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement differently

33. 33
Network traffic provides source of truth
I usually talk to 10 hosts
Then one day I talk to 10,000 hosts
ALARM!

34. 34
LM Detection: Network Destinations
sourcetype="pan:traffic"
| stats count dc(dest) sparkline(dc(dest)) by
src_ip

35. 35
Consistently large
Inconsistent!

36. 36
LM Detection: Network Destinations
sourcetype="pan:traffic"
| bucket _time span=1d
| stats count dc(dest) as NumDests by src_ip _time
| stats avg(NumDests) as avg stdev(NumDests) as
stdev latest(NumDests) as latest by src_ip
| where latest > 2 * stdev + avg
Find daily average, standard deviation, and most recent

37. 37

38. 38
LM Detection: Network Destinations – Bonus
… | stats avg( eval( if(_time < relative_time(now(), “-
1d@d”), NumDests, null))) as avg ….
If you are fancy, use stats, eval and the relative_time
functions to ignore our recent spike.
With a valid avg and stdev, yesterday’s value becomes 28
standard deviations away from normal!

39. 39
iz so hard… u haz magic?

40. 40
Summary: Lateral Movement
Attacker success defines scope of a breach
High difficulty, high importance
Worth doing in Splunk
Easy with UBA

41. Copyright © 2016 Splunk Inc.
DNS Exfiltration

42. 42
domain=corp;user=dave;password=12345
encrypt
DNS Query:
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==

43. 43
DNS exfil tends to be
overlooked within an
ocean of DNS data.
Let’s fix that!
DNS exfiltration

44. 44
FrameworkPOS: a card-stealing program that exfiltrates data from the
target’s network by transmitting it as domain name system (DNS) traffic
But the big difference is the way how stolen data is
exfiltrated: the malware used DNS requests!
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-
variant-exfiltrates-data-via-dns-requests
“
”
… few organizations actually keep detailed logs or records
of the DNS traffic traversing their networks — making it an
ideal way to siphon data from a hacked network.
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-
beauty-breach/#more-30872
“
”
DNS exfiltration

45. 45
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
 parse URLs & complicated TLDs (Top Level Domain)
 calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)

46. 46
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon
Entropy score of 3 (rather high)
Layman’s definition: a score reflecting the randomness or measure of
uncertainty of a string
Shannon Entropy

47. 47
Detecting Data Exfiltration
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| `ut_shannon(ut_subdomain)`
| eval sublen =
length(ut_subdomain)
| table ut_domain ut_subdomain
ut_shannon sublen
TIPS
 Leverage our Bro DNS data
 Calculate Shannon Entropy scores
 Calculate subdomain length
 Display Details

48. 48

49. 49
Detecting Data Exfiltration
… | stats
count
avg(ut_shannon) as avg_sha
avg(sublen) as avg_sublen
stdev(sublen) as stdev_sublen
by ut_domain
| search avg_sha>3 avg_sublen>20
stdev_sublen<2
TIPS
 Leverage our Bro DNS data
 Calculate Shannon Entropy scores
 Calculate subdomain length
 Display count, scores, lengths,
deviations

50. 50
Detecting Data Exfiltration
RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com

51. 51
Summary: DNS exfiltration
Exfiltration by DNS and ICMP is a very common technique
Many organizations do not analyze DNS activity – do not be like them!
No DNS logs? No Splunk Stream? Look at FW byte counts

52. Copyright © 2016 Splunk Inc.
Wrap-up / Q&A

53. 53
Summary
Multiple phases to modern attacks
Deploy detection across all phases
Also consider adaptive response!
Stay abreast of modern advancements

54. 54
Northern Cal Tech Talks!
Monthly WebEx Sessions
– Ted Talk style presentation
– Q&A chat forum
So what’s next on the agenda?
– April 20th @ 10AM PST
 Top 5 most useful search
commands
http://live.splunk.com/NorCalTechTalks

55. 55
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

56. THANK YOU