Splunking Lebahnet

•

0 likes•126 views

Fathi Kamil Mohad Zainuddin

Splunking Lebahnet presented by Zuhair Abdul Rahman

Technology

Copyright © 2018 CyberSecurity Malaysia
Copyright © 2018 CyberSecurity Malaysia
SPLUNKING
LEBAHNET
(HONEYNET)

Copyright © 2018 CyberSecurity Malaysia
Content
• Background
• Problem
• Architecture Design
• Case Study
• Moving Forward
2

Copyright © 2018 CyberSecurity Malaysia
/usr/bin/whoami
Zuhair
• Executive turned Analyst
(recently) at MyCERT.
• Working on Mobile Threat
Research.
• Also happen to “play” with
honeypot technology.
Fathi Kamil @ Fatah
• Acting Manager at Cyber Threat
Research Center, MyCERT.
• Technical Lead for Malware
Mitigation WG
• LebahNET Honeypot Project
• Coordinated Malware
Eradication and Remediation
Platform.

Copyright © 2018 CyberSecurity Malaysia
Background
LebahNET - MyCERT’s Honeypot project - to study on how
exploits function as well as to collect malware binaries.
Honeypot is a computer software mechanism setup to mimic a
legitimate site to lure malicious software into believing the
system is a legitimate site, vulnerable for attacks.
Honeypot allow researchers to detect, monitor and
counterattack malicious activity by understanding the activities
during intrusion phase and from the payload attack.
4

Copyright © 2018 CyberSecurity Malaysia
Current Architecture Design
5

Copyright © 2018 CyberSecurity Malaysia
Problem Statement
• Tons of fixed structure data – Important data is not
represented as an attribute
6

Copyright © 2018 CyberSecurity Malaysia
What We Do?
• In short, throw everything in Splunk.
• Make query and show what actually in it.
7

Copyright © 2018 CyberSecurity Malaysia 8

Copyright © 2018 CyberSecurity Malaysia 9

Copyright © 2018 CyberSecurity Malaysia
Case Study
• Enrich IP to Geolocation directly
– sensor.protocol=httpd AND metadata.http_method=GET | rex
field=metadata.url_path "http(s)*://(?<domain>[^/]+)/[^?s]+" |
iplocation domain | top Country
10

Copyright © 2018 CyberSecurity Malaysia
Case Study
• Extract list of drop site URI, POST_DATA
– host=lebahnetv2 AND sensor.protocol=httpd AND
metadata.http_method=POST AND metadata.headers.Host=*| top
limit=20 "metadata.headers.Host"
11

Copyright © 2018 CyberSecurity Malaysia
Case Study
• Top MySQL attack by country
– attack_type=mysqlcmd AND sys_eval AND http | rex field=metadata.args
"http(s)*://(?<domain>[^/]+)/[^?s]+" | iplocation domain | top Country
12

Copyright © 2018 CyberSecurity Malaysia
MySQL Attack
13

Copyright © 2018 CyberSecurity Malaysia
Binary Collected
• attack_type=fileupload | timechart count by metadata.md5
usenull=f useother=f
14

Copyright © 2018 CyberSecurity Malaysia
IOT – Mirai Variant
15
Search for keyword “Shinka”
in your honeypot data!

Copyright © 2018 CyberSecurity Malaysia
Mirai
variant
• shinka AND metadata.http_method=GET | rex
field=metadata.url_path "http(s)*://(?<domain>[^/]+)/[^?s]+" |
iplocation domain | top Country
16

Copyright © 2018 CyberSecurity Malaysia
IOT – Mirai Variant
Search for keyword “ecchi”
17

Copyright © 2018 CyberSecurity Malaysia
Caveat
• Splunk does not “Auto-magically” solve your data
correlation problem.
18

Copyright © 2018 CyberSecurity Malaysia
What is Next after Splunk
• Continue paying the license if still affordable or…
• …Go for ELK
• More detail analysis on LebahNET data.
– Better statistic to show attacks
– Extract more information from the metadata
19

Copyright © 2018 CyberSecurity Malaysia
LebahNET Participation
• Part of Malware Mitigation Working Group in APCERT.
20

Copyright © 2018 CyberSecurity Malaysia
Copyright © 2018 CyberSecurity Malaysia 21

Similar to Splunking Lebahnet

HeartBleed Bug, by Megat Muazzam [APNIC 38]

APNIC

You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.

Operational Security Intelligence

Splunk

Microservices and APIs

Puneet Sachdev

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Adam Pennington

The 2012 Verizon Data Breach Investigations Report quantified the sharp increase in cyber threats, noting that 68% were due to malware, up 20% from 2011. What is most concerning is that 85% of breaches took weeks or more to discover. Despite the focus on threat prevention, breaches will happen. In this environment the ability to identify risk, protect vulnerable assets and manage threats become critical. Learn how these combined solutions can help your organization identify behavioral anomalies, internal and external threats, and prevent breaches based on accurate enterprise security intelligence. To download a free Nexpose demo, clock here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp

Get Real-Time Cyber Threat Protection with Risk Management and SIEM

Rapid7

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining

OWASP

Segurdad de red para la generacion de la nube symantec

CSA Argentina

Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.

Rahul Sasi

G017424448

IOSR Journals

Hta t07-did-you-read-the-news-http-request-hijacking

Комсс Файквэе

CASB — Your new best friend for safe cloud adoption?

Digital Transformation EXPO Event Series

David Bianco - Enterprise Security Monitoring

bsidesaugusta

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant Grab Bag of Attacker...

MitchellClarke14

Automation: The Wonderful Wizard of CTI (or is it?)

MITRE ATT&CK

Sensor Data in InfluxDB by David Simmons, IoT Developer Evangelist | InfluxData

InfluxData

Drupalgeddon 2 – Yet Another Weapon for the Attacker

DefCamp

Automating Big Data with the Automic Hadoop Agent

CA | Automic Software

From Mirai to Monero – One Year’s Worth of Honeypot Data

DefCamp

IRJET- Preventing Phishing Attack using Evolutionary Algorithms

IRJET Journal

Pivotal Data Lake Architecture & its role in security analytics

EMC

Similar to Splunking Lebahnet (20)

HeartBleed Bug, by Megat Muazzam [APNIC 38]

Operational Security Intelligence

Microservices and APIs

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Get Real-Time Cyber Threat Protection with Risk Management and SIEM

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining

Segurdad de red para la generacion de la nube symantec

Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.

G017424448

Hta t07-did-you-read-the-news-http-request-hijacking

CASB — Your new best friend for safe cloud adoption?

David Bianco - Enterprise Security Monitoring

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant Grab Bag of Attacker...

Automation: The Wonderful Wizard of CTI (or is it?)

Sensor Data in InfluxDB by David Simmons, IoT Developer Evangelist | InfluxData

Drupalgeddon 2 – Yet Another Weapon for the Attacker

Automating Big Data with the Automic Hadoop Agent

From Mirai to Monero – One Year’s Worth of Honeypot Data

IRJET- Preventing Phishing Attack using Evolutionary Algorithms

Pivotal Data Lake Architecture & its role in security analytics

Recently uploaded

At its core, the challenge of managing Human Resources data is an integration challenge: estimates range from 2-3 HR systems in use at a typical SMB, up to a few dozen systems implemented amongst enterprise HR departments, and these systems seldom integrate seamlessly between themselves. Providing a multi-tenant, cloud-native solution to integrate these hundreds of HR-related systems, normalize their disparate data models and then render that consolidated information for stakeholder decision making has been a substantial undertaking, but one significantly eased by leveraging Ballerina. In this session, we’ll cover: The overall software architecture for VHR’s Cloud Data Platform Critical decision points leading to adoption of Ballerina for the CDP Ballerina’s role in multiple evolutionary steps to the current architecture Roadmap for the CDP architecture and plans for Ballerina WSO2’s partnership in bringing continual success for the CD

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform

WSO2

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...

WSO2

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

How to Check CNIC Information Online with Pakdata cf

danishmna97

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

In today's digital world, trust is key to customer relationships, but keeping it is a huge challenge. Customers are well-informed and empowered, quick to change brands if their trust is broken, even if it costs them more. This puts a lot of pressure on organizations to handle trust and safety issues with great care and transparency. The challenge, however, is real. Fragmented solutions have left privacy, legal, and security teams in a perpetual cycle of catch-up, struggling to update privacy notices, manage customer data rights, and answer lengthy security questionnaires—all while trying to prove ROI to the business. It's a thankless job, filled with repetition, tedious tasks, and constant interdepartmental coordination. Combine this with fast regulatory changes and the quick evolution of AI, and it becomes overwhelming. Join this webinar to learn more about TrustArc's new innovative solution Trust Center, the only unified, no-code online hub for trust and safety information built for privacy, security, compliance, and legal teams. Trust Center streamlines your path to compliance, shortens the pre-sales cycle, and reduces both legal and regulatory risks, saving time, effort, and cost. This webinar will review: - Why companies are building unified Trust Centers for a robust privacy program. - How unified Trust Centers streamline sales cycles, ensure regulatory compliance, and reduce operational bottlenecks. - How compliance, legal, security, GRC, and privacy teams benefit from a unified Trust Center in terms of needs, pains, and outcomes. - How TrustArc Trust Center saves time and work while reducing legal, reputational, and compliance risk by effectively managing policies, notices, terms, and disclosures, and providing real-time updates on subprocessors.

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

TrustArc

In this session, we will discuss the journey of API governance from its initial, ungoverned state to the development of sophisticated models that tackle contemporary challenges. We'll explore how APIs have become essential in the intersection of business and technology, adapting to advancements and evolving needs. We'll focus on how organizations have moved from launching to monetizing APIs, using models like pay-per-use and subscriptions, and finding the right balance between technical implementation and business strategy. We'll also highlight the impact of governance on monetization strategies, especially how data security, compliance, and service quality influence pricing. Real-world examples will demonstrate the effective integration of governance with monetization, including AI's role in dynamic pricing. Looking ahead, we'll share insights into future trends in API governance and monetization, emphasizing the importance of adaptability, continuous learning, and innovation.

API Governance and Monetization - The evolution of API governance

WSO2

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

Key topics covered: - Real-world examples of Choreo's comprehensive coverage from application design and deployment, security, scaling, and monitoring - Running different types of workloads, such as web applications, APIs, microservices, integrations, and tasks at scale, and wire them together to deliver seamless omnichannel digital experiences - How Choreo improves the developer experience by eliminating repetition, silos, and redundancy through enhanced discoverability and self-serviceability

Choreo: Empowering the Future of Enterprise Software Engineering

WSO2

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Recently uploaded (20)

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Introduction to Multilingual Retrieval Augmented Generation (RAG)

WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...

JohnPollard-hybrid-app-RailsConf2024.pptx

How to Check CNIC Information Online with Pakdata cf

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

AWS Community Day CPH - Three problems of Terraform

Vector Search -An Introduction in Oracle Database 23ai.pptx

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

API Governance and Monetization - The evolution of API governance

Introduction to use of FHIR Documents in ABDM

Design and Development of a Provenance Capture Platform for Data Science

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Choreo: Empowering the Future of Enterprise Software Engineering

Why Teams call analytics are critical to your entire business

CNIC Information System with Pakdata Cf In Pakistan

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Splunking Lebahnet

3. Copyright © 2018 CyberSecurity Malaysia /usr/bin/whoami Zuhair • Executive turned Analyst (recently) at MyCERT. • Working on Mobile Threat Research. • Also happen to “play” with honeypot technology. Fathi Kamil @ Fatah • Acting Manager at Cyber Threat Research Center, MyCERT. • Technical Lead for Malware Mitigation WG • LebahNET Honeypot Project • Coordinated Malware Eradication and Remediation Platform.

4. Copyright © 2018 CyberSecurity Malaysia Background LebahNET - MyCERT’s Honeypot project - to study on how exploits function as well as to collect malware binaries. Honeypot is a computer software mechanism setup to mimic a legitimate site to lure malicious software into believing the system is a legitimate site, vulnerable for attacks. Honeypot allow researchers to detect, monitor and counterattack malicious activity by understanding the activities during intrusion phase and from the payload attack. 4

10. Copyright © 2018 CyberSecurity Malaysia Case Study • Enrich IP to Geolocation directly – sensor.protocol=httpd AND metadata.http_method=GET | rex field=metadata.url_path "http(s)*://(?<domain>[^/]+)/[^?s]+" | iplocation domain | top Country 10

11. Copyright © 2018 CyberSecurity Malaysia Case Study • Extract list of drop site URI, POST_DATA – host=lebahnetv2 AND sensor.protocol=httpd AND metadata.http_method=POST AND metadata.headers.Host=*| top limit=20 "metadata.headers.Host" 11

12. Copyright © 2018 CyberSecurity Malaysia Case Study • Top MySQL attack by country – attack_type=mysqlcmd AND sys_eval AND http | rex field=metadata.args "http(s)*://(?<domain>[^/]+)/[^?s]+" | iplocation domain | top Country 12

19. Copyright © 2018 CyberSecurity Malaysia What is Next after Splunk • Continue paying the license if still affordable or… • …Go for ELK • More detail analysis on LebahNET data. – Better statistic to show attacks – Extract more information from the metadata 19

Editor's Notes

Dionaea, cowrie, glastoph

Splunking Lebahnet

Recommended

Recommended

More Related Content

Similar to Splunking Lebahnet

Similar to Splunking Lebahnet (20)

Recently uploaded

Recently uploaded (20)

Splunking Lebahnet

Editor's Notes