Splunk Enterprise for InfoSec Hands-On

1. 1
Aquarius – 01
Pisces (A~M) – 02
Pisces (N~Z) – 03
Aries – 04
Taurus (A~M) – 05
Taurus (N~Z) – 06
Gemini (A~M) – 07
Gemini (N~Z) – 08
Cancer (A~M) – 09
Cancer (N~Z) – 10
Leo – 11
Virgo (A~M) – 12
Virgo (N~Z) – 13
Libra (A~M) – 14
Libra (N~Z) – 15
Scorpio (A~M) – 16
Scorpio (N~Z) – 17
Sagittarius – 18
Capricorn (A~M) – 19
Capricorn (N~Z) – 20
https://od-splunklivesantaclara-XX.splunkoxygen.com
Username: splunklive Password: security
Security Hands-On: What’s Your Sign?

2. Copyright © 2016 Splunk Inc.
Splunk Enterprise for
Information Security
Hands-On
Santa Clara | November 10, 2016
Presenters: Chris Shobert & Lily Lee

3. 3
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding
future events or the expected performance of the company. We caution you that such
statements reflect our current expectations and estimates based on factors currently known
to us and that actual events or results could differ materially. For important factors that may
cause actual results to differ from those contained in our forward-looking statements, please
review our filings with the SEC. The forward-looking statements made in this presentation
are being made as of the time and date of its live presentation. If reviewed after its live
presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward-looking statements we may make. In addition,
any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be
incorporated into any contract or other commitment. Splunk undertakes no obligation either
to develop the features or functionality described or to include any such feature or
functionality in a future release.

4. 4
Agenda
Intro
Web Attacks
Lateral Movement
DNS Exfiltration
Wrap-up / Q&A

5. Copyright © 2016 Splunk Inc.
Intro

6. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

7. Mainframe
Data
Platform for Machine Data
Splunk Solutions > Easy to Adopt
Relational
Databases
MobileForwarders
Syslog /
TCP / Other
Sensors &
Control Systems
Across Data Sources, Use Cases & Consumption Models
Wire
Data
Splunk Premium Solutions & Apps Rich Ecosystem of Apps
VMware Exchange PCISecurity
ITSI
IT Svc Int
UBA
UBA Cisco PAN SNOW AWS

8. Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant
for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Ø Four years in a row as a leader
Ø Furthest overall in
Completeness of Vision
Ø Splunk also scores highest in
2016 Critical Capabilities for
SIEM report in all three use cases

9. 9
Gartner Critical Capabilities for SIEM
9
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
1. Basic Security Monitoring 2. Advanced Threat Detection 3. Forensics & Incident Response

10. Copyright © 2016 Splunk Inc.
Web Attacks

11. 11
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management

12. 12
[1] Injection
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow
Why did I get breached?
SQLi has been around a very,
very long time …

13. 13
Source: Imperva Web Attacks Report, 2015

14. 14
TalkTalk: PII/financial data for 4M customers
VTech: PII for 5M adults+kids

15. 15
…and so far this year… 45

16. 16
Little Bobby Tables

17. 17
Why Did Bobby’s School Lose Their Records?
$sql = "INSERT INTO Students (Name)
VALUES ('" . $studentName . "');";
execute_sql($sql);
$studentName
1
2

18. 18
INSERT INTO Students (Name)
VALUES ('John');
Why Did Bobby’s School Lose Their Records?
John
$studentName

19. 19
Why Did Bobby’s School Lose Their Records?
Robert'); DROP TABLE Students;--
INSERT INTO Students (Name)
VALUES ('Robert'); DROP TABLE Students;--');

20. Let’s get hands-on!

21. 21
Aquarius – 01
Pisces (A~M) – 02
Pisces (N~Z) – 03
Aries – 04
Taurus (A~M) – 05
Taurus (N~Z) – 06
Gemini (A~M) – 07
Gemini (N~Z) – 08
Cancer (A~M) – 09
Cancer (N~Z) – 10
Leo – 11
Virgo (A~M) – 12
Virgo (N~Z) – 13
Libra (A~M) – 14
Libra (N~Z) – 15
Scorpio (A~M) – 16
Scorpio (N~Z) – 17
Sagittarius – 18
Capricorn (A~M) – 19
Capricorn (N~Z) – 20
https://od-splunklivesantaclara-XX.splunkoxygen.com
Username: splunklive Password: security
Security Hands-On: What’s Your Sign?

22. 22
A Little About Our Environment
Our learning environment consists
of ~5.5M events, from real
environments, but sanitized:
• Windows Security events
• Apache web access logs
• Bro DNS & HTTP
• Palo Alto traffic logs
• Some other various bits

23. 23
OR
Are You a Newbie or Ninja?

24. Let’s get hands-on!
Web Attacks

25. 25
https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
ü looks for patterns in URI query field to see if
anyone has injected them with SQL
statements
ü use standard deviations that are 2.5 times
greater than the average length of your URI
query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)

26. 26
`sqlinjection_rex` is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?se
t|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|w*[%27|']or)
Which means: In the string we are given, look for ANY of the following matches
and put that into the “injection” field.
Anything containing SELECT followed by FROM
Anything containing UNION followed by SELECT
Anything with a ‘ at the end
Anything containing DELETE followed by FROM
Anything containing UPDATE followed by SET
Anything containing ALTER followed by TABLE
A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
Note: %27 is encoded “’” and %20 is encoded <space>
Any amount of word characters followed by a %27 OR a ‘ and then “or”
Regular Expressions FTW

27. 27
Bonus: Try out the SQL Injection Search app!

28. 28
Summary: Web Attacks/SQL Injection
SQL injection provide attackers with easy access to data
Detecting advanced SQL injection is hard – use an app!
Understand where SQLi is happening on your network
and put a stop to it
Augment your WAF with enterprise-wide Splunk
searches

29. Copyright © 2016 Splunk Inc.
Lateral Movement

30. 30
Poking Around
An attacker hacks a non-privileged user system.
So what?

31. 31
Lateral Movement
Lateral Movement is the expansion of systems
controlled, and data accessed.

32. 32
Most Famous Lateral Movement Attack?
(excluding password re-use)
Pass the Hash!

33. 33
This and other techniques used in destructive Sands breach…
… and at Sony, too.

34. 34
Detecting Legacy PtH
Look for Windows Events:
Event ID: 4624 or 4625
Logon type: 3
Auth package: NTLM
User account is not a domain logon, or Anonymous
Logon
…this is trivially easy in Splunk

35. Let’s get hands-on!
Lateral Movement: Legacy

36. 36
Then It Got Harder
Pass the Hash tools have improved
Tracking of jitter, other metrics
So let’s detect lateral movement differently

37. 37
Network Traffic Provides Source of Truth
I usually talk to 10 hosts
Then one day I talk to 10,000 hosts
ALARM!

38. Let’s get hands-on!
Lateral Movement: Network Traffic

39. 39
iz so hard… u haz magic?

40. 40
iz so hard… u haz magic?
Come see…
at the demo booths
UBA

41. 41
Summary: Lateral Movement
Attacker success defines scope of a breach
High difficulty, high importance
Worth doing in Splunk
Easy with UBA

42. Copyright © 2016 Splunk Inc.
DNS Exfiltration

43. 43
domain=corp;user=dave;password=12345
encrypt
DNS Query:
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==

44. 44
DNS exfil tends to be
overlooked within an
ocean of DNS data.
Let’s fix that!
DNS Exfiltration

45. 45
FrameworkPOS: a card-stealing program that exfiltrates data from the
target’s network by transmitting it as domain name system (DNS) traffic
But the big difference is the way how stolen data is
exfiltrated: the malware used DNS requests!
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-
variant-exfiltrates-data-via-dns-requests
“
”
… few organizations actually keep detailed logs or records
of the DNS traffic traversing their networks — making it an
ideal way to siphon data from a hacked network.
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-
beauty-breach/#more-30872
“
”
DNS Exfiltration

46. 46
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
ü parse URLs & complicated TLDs (Top Level Domain)
ü calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)

47. 47
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon
Entropy score of 3 (rather high)
Layman’s definition: a score reflecting the randomness or measure of
uncertainty of a string
Shannon Entropy

48. 48
Detecting Data Exfiltration
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| `ut_shannon(ut_subdomain)`
| eval sublen =
length(ut_subdomain)
| table ut_domain ut_subdomain
ut_shannon sublen
TIPS
q Leverage our Bro DNS data
q Calculate Shannon Entropy scores
q Calculate subdomain length
q Display Details

49. Let’s get hands-on!
Lateral Movement: DNS Exfiltration

50. 50
Detecting Data Exfiltration
… | stats
count
avg(ut_shannon) as avg_sha
avg(sublen) as avg_sublen
stdev(sublen) as stdev_sublen
by ut_domain
| search avg_sha>3 avg_sublen>20
stdev_sublen<2
TIPS
q Leverage our Bro DNS data
q Calculate Shannon Entropy scores
q Calculate subdomain length
q Display count, scores, lengths,
deviations

51. 51
Detecting Data Exfiltration
RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com

52. 52
Summary: DNS Exfiltration
Exfiltration by DNS and ICMP is a very
common technique
Many organizations do not analyze DNS
activity – do not be like them!
No DNS logs? No Splunk Stream? Look at FW
byte counts

53. Copyright © 2016 Splunk Inc.
Wrap-up / Q&A

54. 54
Summary
Multiple phases to modern attacks
Deploy detection across all phases
Also consider adaptive response!
Stay abreast of modern advancements
Today’s content (PDF):
https://splunk.box.com/v/SplunkLive-Security-Handout

55. • 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
CONF.SPLUNK.COM
The 8th Annual Splunk Worldwide Users’ Conference

56. Thank You