Splunk For Apt Tech Brief


Splunk for Advanced Persistent Threat


TECH BRIEF
Detecting Advanced Persistent Threats Using Splunk for APT

What is an Advanced Persistent Threat?

An advanced persistent threat (APT) is a targeted effort to obtain or change information by means that are difficult to discover, difficult to remove and difficult to attribute.

So, what is the data that attackers are after, how are they looking to obtain or change it, and why are their attacks so difficult to discover, remove and attribute?

How Attacks are Perpetrated

In Search of Victim Zero – Using data from social networks such as LinkedIn or Facebook, attackers can craft an email to a targeted user containing some attachment (PDF or ZIP) that entices the user to open it. This attachment could be named "Organizational Changes" <insert boss's name here>. The employee clicks on the attachment, the malware is installed on the user's system and sends a signal outbound to a specific domain. This process is continuously repeated with slight differences tailored to the individual receiving the email.

High Value Targets

Email – Emails (and attachments) are a rich source of data that may be of high value. Emails can contain discussion threads that can point to other high value targets in the IT infrastructure. The emails can be a source of intelligence that can lead to spear-phishing emails that contain malicious attachments or links to attacks. Windows users keep a significant amount of email on their machines in a local .PST file; in many instances this file can be as large as a gigabyte. Attachments can contain financial data or other highly sensitive information. In addition to going after the emails on a user's local machine, attacks can also target the email server itself.

Public Key Infrastructure Data – According to Mandiant™ Inc.'s M-Trends Report 2011, while the majority of APT cases started with an email as an attack vector, "Attackers have increasingly focused on obtaining PKI-related data resident within a compromised network." PKI data can be used to authenticate to a client VPN as well as decrypt SSL traffic from servers.

Mandiant's investigations discovered that "victim zero in a current investigation was actually victim 127 in an intrusion dating back several years."

The Spread of APT – The proliferation of APT is accomplished in a variety of ways, but the most prevalent is via Windows services. Again according to Mandiant, the RIP Listener Service (IPRIP), the Wireless Zero Configuration service (wzcsvc) and the Background Intelligent Transfer Service (BITS) are all either used or replaced by a rogue service. Victim zero uploads the malware to a remote computer file share, where it is executed using the at.exe command.

Seeing Malware

Host Based Evidence of Possible Malware – According to Mandiant, monitor for the following changes to hosts (assumes a Splunk Universal Forwarder is resident on the host):

Potential email theft
  • Monitor hosts for the existence of executables named with a single letter (g.exe or m.exe)
  • Watch for the creation of or changes to C:\Windows\Help\help<user>
  • Watch for the creation or rapid growth in size of files and directories in the C:\Windows\Help\Help<user> subdirectory
  • Watch for changes to the Windows registry file

Watching for the spread of malware
  • Watch for changes to the enablement or configuration of the Wireless Zero Configuration Service (wzcsvc)
  • Watch for changes to the enablement or configuration of the RIP Listener Service (IPRIP)
  • Watch for changes to the enablement or configuration of the Background Intelligent Transfer Service (BITS)
  • Watch for changes to the task list for at.exe (SchedLgU.txt)

Other indicators of system compromise
  • Watch for changes to Services.exe
  • Monitor that Windows File Protection is enabled
  • Monitor for changes to the group policy object at C:\Windows\System32\GroupPolicy\User\Scripts\scripts.ini

Network Based Evidence of Malware – Mandiant's report is less specific here, so we've come up with a few of our own:

DNS (If using Active Directory's DNS functionality, turn on debug mode to get the URLs into the log data.)
  • Baseline DNS requests and watch for too many from a particular client. The malware may be network mapping from the inside out.
  • Monitor for hosts that are making the same DNS request at a consistent interval (watching for "beaconing hosts").
  • Monitor for same-sized DNS requests from internal hosts.

Web Proxy
  • Monitor for mismatches between the extension of a requested file and the MIME type of the file returned.
  • Monitor and investigate visits to sites that are listed as being of a "None" or "unknown" category by a reputation service or category filter.
  • Monitor for fast requests following the download of a PDF, Java or exe file. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.
  • Monitor accesses to web mail services: watch for IPs outside of your allowed pool accessing outbound, a possible exfiltration of data.

Firewall
  • Use "allowed" ingress and egress traffic to determine how many internal systems may be communicating with malicious IP addresses, how much data was transferred and the time(s) the activity occurred.
  • Monitor for abnormal amounts of outbound traffic to certain domains. Use a lookup against a watch-list (see Splunkbase for information on how to perform a lookup to a database or .CSV file of "bad sites").
  • Watch for mismatches of a known protocol to an uncommon port, or an unknown protocol on a common port (e.g., FTP traffic on TCP 22 should at least initiate on TCP 21; an unknown protocol on TCP 22 is suspect because TCP 22 is generally used for SSH). Watch for potential false positives from Skype and streaming media.

Using Splunk

Monitoring a combination of network data and host file integrity monitoring data can be key to detecting APTs. Unlike many current solutions, Splunk Enterprise is uniquely suited to monitoring patterns of activity in data over the very long periods of time required to see a potential attack. In addition, Splunk's analytics and numeric functions can be used to create complex searches that employ user-defined, risk-based thresholds customized to the enterprise architecture.

The search suggestions and examples below represent only a starting point for observing anomalous activity on hosts and on the network and are not meant as a complete APT program. The searches have not been tested in an active environment. Attack vectors are constantly changing, and it is up to the reader to stay abreast of conditions that may warrant changes in APT strategy.

Splunk: Sample Searches for APT

Host based (Splunk Universal Forwarder on Host)

Monitor hosts for particular executables (filenames of a given length):

    ... | eval file_length=len(file) | where file_length == 4

Watch for the creation or rapid growth in size of files and directories in the C:\Windows\Help\Help<user> subdirectory:

    index=helpchanges | delta filesize AS Size_Change | table _time filesize Size_Change | sort - _time

Watch for changes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Here the attacker wants to restart his code each time Windows starts:

    createKey | stats count(process_image) by process_image key_path host

Network Based

Too many DNS lookups occurring from a particular client:

    sourcetype=dns | stats count(clientip) AS Requests by clientip | sort - Requests

Too many same-sized DNS requests from an internal host, indicating possible exfiltration:

    sourcetype=dns | eval Length=len(query) | stats count(clientip) by Length | sort - Length

Watch for hosts that talk to the same URL at the same interval every day ("beaconing" of servers to websites). Sites with a low var(gap) value are the candidates:

    ... | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site

Site visits that are listed as "None" or "unknown" by a reputation service or category filter (the parentheses keep the OR from binding to source=proxy):

    source=proxy (sc_filter_category=None OR sc_filter_category=unknown) | stats count(clientip) by s_hostname, clientip

Fast requests following the download of a .PDF, Java or exe file. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper:

    source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length

The internal systems identified during an investigation that were communicating with a malicious IP address (the lookup table "malicious" holds the known-bad addresses in its clientip field):

    source=firewall action=Permit | lookup malicious clientip AS dst | stats sum(bytes) by dst

Free Download

Download Splunk for free. You'll automatically get all of the Enterprise features of Splunk for 60 days and you can index up to 500 megabytes of data per day. Or, if you want to get started right away with an Enterprise license, contact sales@splunk.com.

250 Brannan St, San Francisco, CA, 94107 | info@splunk.com | sales@splunk.com | 866-438-7758 | 415-848-8400 | www.splunkbase.com | www.splunk.com
Copyright © 2012 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item # TB-Splunk-Persistent Threats-101
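The beaconing search above relies on the variance of inter-request gaps per site; the following added example (not from the brief or from Splunk) carries the same logic in Python over constructed proxy log lines, so the threshold behaviour can be checked offline. It assumes a simple "<epoch> <clientip> <site>" line format and uses the sample variance, as Splunk's var() does; pairs seen fewer than three times are skipped because a single gap always looks perfectly regular.

```python
from collections import defaultdict
from statistics import mean, variance

# Constructed proxy log lines, "<epoch> <clientip> <site>"; not real traffic.
SAMPLE_LOG = """\
1000 10.1.1.5 cdn.update.example
1600 10.1.1.5 cdn.update.example
2200 10.1.1.5 cdn.update.example
2800 10.1.1.5 cdn.update.example
3400 10.1.1.5 cdn.update.example
1050 10.1.1.5 news.example
1070 10.1.1.5 news.example
1900 10.1.1.5 news.example
3300 10.1.1.5 news.example
1200 10.1.1.9 news.example
"""

def parse(log_text):
    """Return (epoch, clientip, site) tuples, skipping blank lines."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, site = line.split()
            rows.append((int(ts), ip, site))
    return rows

def gap_stats(rows, min_count=3):
    """Per (clientip, site): request count, mean gap and sample variance of
    gaps, like 'stats count avg(gap) var(gap) by site'. Pairs seen fewer than
    min_count times are skipped: one gap always looks perfectly regular."""
    times = defaultdict(list)
    for ts, ip, site in rows:
        times[(ip, site)].append(ts)
    out = {}
    for key, seen in times.items():
        if len(seen) < min_count:
            continue
        seen.sort()  # streamstats assumes time order; enforce it here
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        out[key] = {"count": len(seen), "avg_gap": mean(gaps),
                    "var_gap": variance(gaps)}
    return out

def beacon_candidates(rows, max_var=1.0, min_count=3):
    """(clientip, site) pairs whose gap variance is at or below max_var."""
    return sorted(k for k, s in gap_stats(rows, min_count).items()
                  if s["var_gap"] <= max_var)
```

Calling beacon_candidates(parse(SAMPLE_LOG)) flags only the 10.1.1.5 to cdn.update.example pair (five requests exactly 600 seconds apart); the irregular news.example visits and the single request from 10.1.1.9 are not reported.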