Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Threat	Hunting	with	Splunk
Presenter:		Ken	Westin,	M.Sc,	OSCP	
Splunk,	Security	 Market	Specialist
Agenda
• Threat	HutingBasics
• Threat	Hunting	Data	Sources
• Sysmon Endpoint	Data
• Cyber	Kill	Chain	
• Walkthrough	of	Att...
Log	In	Credentials
January,	February	&	March	 https://od-norcal-2.splunkoxygen.com
April,	May	&	June https://od-norcal-3.s...
These	won’t	work…
Am	I	in	the	right	place?
Some	familiarity	with…
● CSIRT/SOC	Operations
● General	understanding	of	Threat	Intelligence
● Ge...
This	is	a	hands-on	session.
The	overview	slides	are	important	for	building	your	
“hunt”	methodology
10	minutes	- Seriously.
Threat	Hunting	with	Splunk
7
Vs.
SANS	Threat	Hunting	Maturity
8
Ad	Hoc	
Search
Statistical	
Analysis
Visualization
Techniques
Aggregation Machine	 Learning...
Hunting	Tools:	Internal	Data	
9
• IP	Addresses:	threat	intelligence,	blacklist,	whitelist,	reputation	monitoring
Tools:	Fi...
Log	In	Credentials
January,	February	&	March	 https://od-norcal-2.splunkoxygen.com
April,	May	&	June https://od-norcal-3.s...
Endpoint:	Microsoft	Sysmon	Primer
11
● TA	Available	on	the	App	Store
● Great	Blog	Post	to	get	you	started
● Increases	the	...
Show	app	to	click	on
12
January,	February	&	March	 https://od-norcal-2.splunkoxygen.com
April,	May	&	June https://od-norcal-3.splunkoxygen.com
Jul...
Sysmon	Event	Tags
14
Maps	Network	Comm	to	process_id
Process_id	 creation	and	mapping	to	parentprocess_id
sourcetype=X*	|	search	tag=communicate
15
sourcetype=X*	|	dedup	tag|	search	tag=process
16
Data	Source	Mapping
Demo	Story	- Kill	Chain	Framework
Successful	brute	force	
– download	sensitive	
pdf	document
Weaponize	the	pdf	file	
with	...
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/	DNS
Hypervisor
Custom	
Apps
T
Physical
Access
Ba...
20
Let’s	dig	in!
Please,	raise	that	hand	if	you	need	us	to	hit	the	pause	button
APT	Transaction	Flow	Across	Data	Sources
21
http	(proxy)	session	
to
command	&	control
server	
Remote	control
Steal	data
P...
To	begin	our	
investigation,	we	will	
start	with	a	quick	search	
to	familiarize	ourselves	
with	the	data	sources.
In	this	...
Take	a	look	at	the	
endpoint	data	source.		
We	are	using	the	
Microsoft	Sysmon TA.
We	have	endpoint	
visibility	into	all	n...
We	have	multiple	source	
IPs	communicating	to	
high	risk	entities	
identified	by	these	2	
threat	sources.
We	are	seeing	hi...
We	are	now	looking	at	only	threat	
intel related	activity	for	the	IP	
Address	associated	with	Chris	
Gilbert	and	see	activ...
It’s	worth	mentioning	that	at	this	point	
you	could	create	a	ticket	to	have	
someone	re-image	the	machine	to	
prevent	furt...
Exfiltration	of	data	is	a	serious	
concern	and	outbound	
communication	to	external	entity	
that	has	a	known	threat	intel
i...
We	have	a	workflow	action	that	will	
link	us	to	a	Process	Explorer	
dashboard	and	populate	it	with	the	
process	id	extract...
This	is	a	standard	Windows	app,	but	
not	in	its	usual	directory,	telling	us	
that	the	malware	has	again	spoofed	
a	common	...
The	Parent	Process	of	our	suspected	
downloader/dropper	 is	the	legitimate	PDF	
Reader	program.		This	will	likely	turn	out...
We	can	see	that	the	PDF	
Reader	process	has	no	
identified	parent	and	is	the	
root	of	the	infection.	
Scroll	Down
Scroll	d...
Chris	opened	2nd_qtr_2014_report.pdf	
which	was	an	attachment	to	an	email!
We	have	our	root	cause!		Chris	opened	a	
weapon...
Lets	dig	a	little	further	into	
2nd_qtr_2014_report.pdf	 to	determine	the	scope	
of	this	compromise.
Lets	search	though	multiple	data	sources	to	
quickly	get	a	sense	for	who	else	may	have	
have	been	exposed	to	this	file.	
W...
We	have	access	to	the	email	
body	and	can	see	why	this	was	
such	a	convincing	attack.		The	
sender	apparently	had	access	t...
Root	Cause	Recap
36
Data	Sources
.pdf executes	&	unpacks	malware
overwriting	and	running	“allowed”	programs
http	(proxy)	s...
37
Lets	revisit	the	search	for	additional	
information	on	the	2nd_qtr_2014-
_report.pdf	file.		
We	understand	that	the	fil...
38
The	results	show	54.211.114.134	has	
accessed	this	file	from	the	web	portal	
of	buttergames.com.	 	
There	is	also	a	kno...
39
Select	the	IP	Address,	left-click,	then	
select	“New	search”.		We	would	like	to	
understand	what	else	this	IP	Address	
...
40
That’s	an	abnormally	large	
number	of	requests	sourced	
from	a	single	IP	Address	in	a	
~90	minute	window.
This	looks	li...
41
The	requests	from	52.211.114.134	are	
dominated	by	requests	to	the	login	page	
(wp-login.php).		It’s	clearly	not	possib...
Kill	Chain	Analysis	Across	Data	Sources
42
http	(proxy)	session	
to
command	&	control
server	
Remote	control
Steal	data
Pe...
Want	to	Follow	Along?
● Download	Splunk
6.4.2http://www.splunk.com/en_us/download-21.html
● Download	&	Install	the	Machine...
Break!
Splunk Enterprise	
Security
Other	Items	To	Note
Items	to	Note
Navigation	- How	to	Get	Here
Description	of	what	to	click	on
Click
Key	Security	Indicators	(build	your	own!)
Sparklines
Editable
Various	ways	to	filter	data
Malware-Specific	 KSIs	and	Reports
Security	Domains	->	Endpoint	->	Malware	Center
Filterable
KSIs	specific	to	Risk
Risk	assigned	to	system,	
user	or	other
Under	Advanced	Threat,	
select	Risk	Analysis
(Scroll	Down)
Recent	Risk	Activity
Under	Advanced	Threat,	
select	Risk	Analysis
Filterable,	down	to	IoC
KSIs	specific	to	Threat
Most	active	threat	source
Scroll	down…
Scroll
Under	Advanced	Threat,	
sele...
Specifics	about	recent	threat	matches
Under	Advanced	Threat,	
select	Threat	Activity
To	add	threat	intel	go	to:
Configure	->	Data	Enrichment	->	
Threat	Intelligence	 Downloads
Click
Click	“Threat	Artifacts”
Under	“Advanced	Threat”
Click
Artifact	Categories	–
click	different	tabs…
STIX	feed
Custom	feed
Under	Advanced	Threat,	
select	Threat	Artifacts
Review	the	Advanced	Threat	
content
Click
Data	from	asset	framework
Configurable	Swimlanes
Darker=more	 events
All	happened	around	same	timeChange	to	
“Today”	if	ne...
Data	Science	&	
Machine	Learning	In	
Security
58
Disclaimer:	I	am	not	a	data	scientist
Types	of	Machine	Learning
Supervised Learning:		generalizing	from	labeled data
Supervised Machine	Learning
61
Domain	Name TotalCnt RiskFactor AGD SessionTime RefEntropy NullUa Outcome
yyfaimjmocdu.com ...
UnsupervisedLearning:		generalizing	from	unlabeled data
Unsupervised Machine	Learning
• No	tuning
• Programmatically	finds	trends
• UBA	is	primarily	unsupervised
• Rigorously	tes...
64
ML	Toolkit	&	Showcase
• Splunk	Supported	framework	for	building	ML	Apps
– Get	it	for	free:	http://tiny.cc/splunkmlapp
• Le...
Machine	Learning	
Toolkit	Demo
66
Splunk UBA
Splunk UBA	Use	Cases
ACCOUNT	TAKEOVER
• Privileged	account	compromise
• Data	exfiltration
LATERAL	 MOVEMENT
• Pass-the-has...
Splunk	User	Behavior	Analytics	(UBA)
• ~100%	of	breaches	involve	valid	credentials	(Mandiant Report)
• Need	to	understand	...
Workflow
Raw Events
1
Statistical methods
Security semantics
2
Threat Models
Lateral	movement
ML
Patterns
Sequences
Beacon...
Splunk UBA	Demo
72
Security	Workshops
● Security	Readiness	Assessments
● Splunk UBA	Data	Science	Workshop	
● Enterprise	Security	Benchmark	As...
Security	Workshop	Survey
https://www.surveymonkey.com/r/8BCWHSF
Threat Hunting Workshop
Upcoming SlideShare
Loading in …5
×

Threat Hunting Workshop

3,400 views

Published on

Ken Westin, Splunk

Published in: Technology

Threat Hunting Workshop

  1. 1. Threat Hunting with Splunk Presenter: Ken Westin, M.Sc, OSCP Splunk, Security Market Specialist
  2. 2. Agenda • Threat HutingBasics • Threat Hunting Data Sources • Sysmon Endpoint Data • Cyber Kill Chain • Walkthrough of Attack Scenario Using Core Splunk (hands on) • Enterprise Security Walkthrough • Applying Machine Learning and Data Science to Security
  3. 3. Log In Credentials January, February & March https://od-norcal-2.splunkoxygen.com April, May & June https://od-norcal-3.splunkoxygen.com July, August & September https://od-norcal-4.splunkoxygen.com October, November & December https://od-norcal-5.splunkoxygen.com User: hunter Pass: pr3dator Birth Month
  4. 4. These won’t work…
  5. 5. Am I in the right place? Some familiarity with… ● CSIRT/SOC Operations ● General understanding of Threat Intelligence ● General understanding of DNS, Proxy, and Endpoint types of data 5
  6. 6. This is a hands-on session. The overview slides are important for building your “hunt” methodology 10 minutes - Seriously.
  7. 7. Threat Hunting with Splunk 7 Vs.
  8. 8. SANS Threat Hunting Maturity 8 Ad Hoc Search Statistical Analysis Visualization Techniques Aggregation Machine Learning/ Data Science 85% 55% 50% 48% 32% Source: SANS IR & Threat Hunting Summit 2016
  9. 9. Hunting Tools: Internal Data 9 • IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring Tools: Firewalls, proxies, Splunk Stream, Bro, IDS • Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services Tools: Splunk Stream, Bro IDS, FPC, Netflow • DNS: activity, queries and responses, zone transfer activity Tools: Splunk Stream, Bro IDS, OpenDNS • Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory • Vulnerability Management Data Tools: Tripwire IP360, Qualys, Nessus • User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist Splunk UBA, (All of the above)
  10. 10. Log In Credentials January, February & March https://od-norcal-2.splunkoxygen.com April, May & June https://od-norcal-3.splunkoxygen.com July, August & September https://od-norcal-4.splunkoxygen.com October, November & December https://od-norcal-5.splunkoxygen.com User: hunter Pass: pr3dator
  11. 11. Endpoint: Microsoft Sysmon Primer 11 ● TA Available on the App Store ● Great Blog Post to get you started ● Increases the fidelity of Microsoft Logging Blog Post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
  12. 12. Show app to click on 12
  13. 13. January, February & March https://od-norcal-2.splunkoxygen.com April, May & June https://od-norcal-3.splunkoxygen.com July, August & September https://od-norcal-4.splunkoxygen.com October, November & December https://od-norcal-5.splunkoxygen.com User: hunter Pass: pr3dator
  14. 14. Sysmon Event Tags 14 Maps Network Comm to process_id Process_id creation and mapping to parentprocess_id
  15. 15. sourcetype=X* | search tag=communicate 15
  16. 16. sourcetype=X* | dedup tag| search tag=process 16
  17. 17. Data Source Mapping
  18. 18. Demo Story - Kill Chain Framework Successful brute force – download sensitive pdf document Weaponize the pdf file with Zeus Malware Convincing email sent with weaponized pdf Vulnerable pdf reader exploited by malware. Dropper created on machine Dropper retrieves and installs the malware Persistence via regular outbound comm Data Exfiltration Source: Lockheed Martin
  19. 19. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps T Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication Stream Investigations – choose your data wisely 19
  20. 20. 20 Let’s dig in! Please, raise that hand if you need us to hit the pause button
  21. 21. APT Transaction Flow Across Data Sources 21 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Our Investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
  22. 22. To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including… Web DNS Proxy Firewall Endpoint Email
  23. 23. Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. } We also have detailed info on each process and can map it back to the user and parent process.} Lets get our day started by looking using threat intel to prioritize our efforts and focus on communication with known high risk entities.
  24. 24. We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We are seeing high risk communication from multiple data sources. We see multiple threat intel related events across multiple source types associated with the IP Address of Chris Gilbert. Let’s take closer look at the IP Address. We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe. This dashboard is based on event data that contains a threat intel based indicator match( IP Address, domain, etc.). The data is further enriched with CMDB based Asset/identity information.
  25. 25. We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources. These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address. Scroll Down Scroll down the dashboard to examine these threat intel events associated with the IP Address. We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
  26. 26. It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not not common within the traditional SOC. The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation. Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred which is common when data is being exfiltrated.
  27. 27. Exfiltration of data is a serious concern and outbound communication to external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Lets continue the investigation. Another clue. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. Not good. We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down such as the user ID that started the process and the associated CMDB enrichment information.
  28. 28. We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
  29. 29. This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name. We also can see that the parent process that created this suspicuous svchost.exe process is called calc.exe. This has brought us to the Process Explorer dashboard which lets us view Windows Sysmon endpoint data. Suspected Malware Lets continue the investigation by examining the parent process as this is almost certainly a genuine threat and we are now working toward a root cause. This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper. Suspected Downloader/Dropper This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe. …which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
  30. 30. The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack. Suspected Downloader/Dropper Suspected Vulnerable AppWe have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
  31. 31. We can see that the PDF Reader process has no identified parent and is the root of the infection. Scroll Down Scroll down the dashboard to examine activity related to the PDF reader process.
  32. 32. Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email and we have access to our email logs as one of our important data sources. Lets copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
  33. 33. Lets dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
  34. 34. Lets search though multiple data sources to quickly get a sense for who else may have have been exposed to this file. We will come back to the web activity that contains reference to the pdf file but lets first look at the email event to determine the scope of this apparent phishing attack.
  35. 35. We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment. Hold On! That’s not our Domain Name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice. This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
  36. 36. Root Cause Recap 36 Data Sources .pdf executes & unpacks malware overwriting and running “allowed” programs http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web .pdf Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We utilized threat intel to detect communication with known high risk indicators and kick off our investigation then worked backward through the kill chain toward a root cause. Key to this investigative process is the ability to associate network communications with endpoint process data. This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
  37. 37. 37 Lets revisit the search for additional information on the 2nd_qtr_2014- _report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Select the access_combined sourcetype to investigate further.
  38. 38. 38 The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com. There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.
  39. 39. 39 Select the IP Address, left-click, then select “New search”. We would like to understand what else this IP Address has accessed in the environment.
  40. 40. 40 That’s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests over the below window. Scroll Down Scroll down the dashboard to examine other interesting fields to further investigate. Notice the Googlebot useragent string which is another attempt to avoid raising attention..
  41. 41. 41 The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack. After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the zeus malware, then delivered it to Chris Gilbert as a phishing email. The attacker is also accessing admin pages which may be an attempt to establish persistence via a backdoor into the web site.
  42. 42. Kill Chain Analysis Across Data Sources 42 http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication. We Began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales. Investigation complete! Lets get this turned over to Incident Reponse team. We traced the svchost.exe Zeus malware back to it’s parent process ID which was the calc.exe downloader/dropper. Once our root cause analysis was complete, we shifted out focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website. We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email. A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user. We traced calc.exe back to the vulnerable application PDF Reader.
  43. 43. Want to Follow Along? ● Download Splunk 6.4.2http://www.splunk.com/en_us/download-21.html ● Download & Install the Machine Learning Toolkit http://tiny.cc/splunkmlapp
  44. 44. Break!
  45. 45. Splunk Enterprise Security
  46. 46. Other Items To Note Items to Note Navigation - How to Get Here Description of what to click on Click
  47. 47. Key Security Indicators (build your own!) Sparklines Editable
  48. 48. Various ways to filter data Malware-Specific KSIs and Reports Security Domains -> Endpoint -> Malware Center
  49. 49. Filterable KSIs specific to Risk Risk assigned to system, user or other Under Advanced Threat, select Risk Analysis
  50. 50. (Scroll Down) Recent Risk Activity Under Advanced Threat, select Risk Analysis
  51. 51. Filterable, down to IoC KSIs specific to Threat Most active threat source Scroll down… Scroll Under Advanced Threat, select Threat Activity
  52. 52. Specifics about recent threat matches Under Advanced Threat, select Threat Activity
  53. 53. To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads Click
  54. 54. Click “Threat Artifacts” Under “Advanced Threat” Click
  55. 55. Artifact Categories – click different tabs… STIX feed Custom feed Under Advanced Threat, select Threat Artifacts
  56. 56. Review the Advanced Threat content Click
  57. 57. Data from asset framework Configurable Swimlanes Darker=more events All happened around same timeChange to “Today” if needed Asset Investigator, enter “192.168.56.102”
  58. 58. Data Science & Machine Learning In Security 58
  59. 59. Disclaimer: I am not a data scientist
  60. 60. Types of Machine Learning Supervised Learning: generalizing from labeled data
  61. 61. Supervised Machine Learning 61 Domain Name TotalCnt RiskFactor AGD SessionTime RefEntropy NullUa Outcome yyfaimjmocdu.com 144 6.05 1 1 0 0 Malicious jjeyd2u37an30.com 6192 5.05 0 1 0 0 Malicious cdn4s.steelhousemedia.com 107 3 0 0 0 0 Benign log.tagcade.com 111 2 0 1 0 0 Benign go.vidprocess.com 170 2 0 0 0 0 Benign statse.webtrendslive.com 310 2 0 1 0 0 Benign cdn4s.steelhousemedia.com 107 1 0 0 0 0 Benign log.tagcade.com 111 1 0 1 0 0 Benign
  62. 62. UnsupervisedLearning: generalizing from unlabeled data
  63. 63. Unsupervised Machine Learning • No tuning • Programmatically finds trends • UBA is primarily unsupervised • Rigorously tested for fit 63 AlgorithmRaw Security Data Automated Clustering
  64. 64. 64
  65. 65. ML Toolkit & Showcase • Splunk Supported framework for building ML Apps – Get it for free: http://tiny.cc/splunkmlapp • Leverages Python for Scientific Computing(PSC) add-on: – Open-source Python data science ecosystem – NumPy, SciPy, scitkit-learn, pandas, statsmodels • Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more • Standard algorithmsout of the box: – Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc. – Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc. • Implement one of 300+ algorithms by editing Python scripts
  66. 66. Machine Learning Toolkit Demo 66
  67. 67. Splunk UBA
  68. 68. Splunk UBA Use Cases ACCOUNT TAKEOVER • Privileged account compromise • Data exfiltration LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation SUSPICIOUS ACTIVITY • Misuse of credentials • Geo-location anomalies MALWARE ATTACKS • Hidden malware activity BOTNET, COMMAND & CONTROL • Malware beaconing • Data leakage USER & ENTITY BEHAVIOR ANALYTICS • Suspicious behavior by accounts or devices EXTERNAL THREATSINSIDER THREATS
  69. 69. Splunk User Behavior Analytics (UBA) • ~100% of breaches involve valid credentials (Mandiant Report) • Need to understand normal & anomalous behaviors for ALL users • UBA detects Advanced Cyberattacksand Malicious Insider Threats • Lots of ML under the hood: – Behavior Baselining & Modeling – Anomaly Detection (30+ models) – Advanced Threat Detection • E.g., Data Exfil Threat: – “Saw this strange login & data transferfor user kwestin at 3am in China…” – Surface threat to SOC Analysts
  70. 70. Workflow Raw Events 1 Statistical methods Security semantics 2 Threat Models Lateral movement ML Patterns Sequences Beaconing Land-speed violation Threats Kill chain sequence 5 Supporting evidence Threat scoring Graph Mining 4 Continuousself-learning Anomalies graph Entity relationship graph 3 Anomalies
  71. 71. Splunk UBA Demo 72
  72. 72. Security Workshops ● Security Readiness Assessments ● Splunk UBA Data Science Workshop ● Enterprise Security Benchmark Assessment
  73. 73. Security Workshop Survey https://www.surveymonkey.com/r/8BCWHSF

×