Threat Hunting with Splunk
Presenter: Ken Westin M.Sc, OSCP, ITPM
Splunk, Security Market Specialist
Prework for today
● Setup Splunk Enterprise Security Sandbox
● Install free Splunk on laptop
● Install ML Toolkit app
https://splunkbase.splunk.com/app/2890/
$whoami
Ken Westin  kwestin@splunk.com  @kwestin
• 1.5 years at Splunk – Security Strategist
• Based in Portland, Oregon
• 20 years in technology and security
• M.Sc, OSCP, ITPM
• Trained in offensive & defensive security
Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Advanced Threat Hunting Techniques & Security Essentials
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
Log In Credentials
January, February & March: https://54.144.69.125
April, May & June: https://52.55.68.96
July and August: https://54.164.82.160
September and October: https://52.23.227.212
November and December: https://52.202.90.207
User: hunter
Pass: pr3dat0r
Birth Month
These won’t work…
Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
What is threat hunting, why do you need it?

The What?
• Threat hunting - the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]

The Why?
• Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]

[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
[2] Cyber Threat Hunting - Samuel Alonso blog, Jan 2016

“Threat Hunting is not new, it’s just evolving!”
Threat Hunting with Splunk

Human Threat Hunter vs. the tooling stack: Search & Visualisation, Enrichment, Data, Automation

Key Building Blocks to Drive Threat Hunting Maturity
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
Objectives > Hypotheses > Expertise
“A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. This often requires an immodest determination”
Henry A. Crumpton
The Art of Intelligence: Lessons From A Life In the CIA’s Clandestine Service
SANS Threat Hunting Maturity
Ad Hoc Search: 85%
Statistical Analysis: 55%
Visualization Techniques: 50%
Aggregation: 48%
Machine Learning/Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
How Splunk helps You Drive Threat Hunting Maturity
(Human Threat Hunter supported by Search & Visualisation, Enrichment, Data, Automation)

Threat Hunting Automation
Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning

Threat Hunting Data Enrichment
Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships

Search & Visualise Relationships for Faster Hunting
Search and correlate data while visually fusing results for faster context, analysis and insight

Ingest & Onboard Any Threat Hunting Machine Data Source
Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology

Maturity scale labels: Hypotheses; Automated Analytics; Data Science & Machine Learning; Data & Intelligence Enrichment; Data Search & Visualisation
Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring
  Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services
  Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity
  Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion
  Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data
  Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist
  Tools: Splunk UBA (all of the above)
Typical Data Sources
Persist, Repeat

Threat Intelligence – Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Third-party threat intel
• Open-source blacklist
• Internal threat intelligence

Network – Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Firewall, IDS, IPS
• DNS
• Email
• Web proxy
• NetFlow
• Network

Endpoint – What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching

Access/Identity – Access level, privileged users, likelihood of infection, where they might be in kill chain
• Active Directory
• LDAP
• CMDB
• Operating system
• Database
• VPN, AAA, SSO
Endpoint: Microsoft Sysmon Primer
● TA Available on the App Store
● Great Blog Post to get you started
● Increases the fidelity of Microsoft Logging
Blog Post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
Sysmon Event Tags
Maps Network Comm to process_id:
sourcetype=X* | search tag=communicate
Process_id creation and mapping to parentprocess_id:
sourcetype=X* | dedup tag | search tag=process
Data Source Mapping
Demo Story - Kill Chain Framework
• Successful brute force – download sensitive pdf document
• Weaponize the pdf file with Zeus Malware
• Convincing email sent with weaponized pdf
• Vulnerable pdf reader exploited by malware. Dropper created on machine
• Dropper retrieves and installs the malware
• Persistence via regular outbound comm
• Data Exfiltration
Source: Lockheed Martin
Stream Investigations – choose your data wisely
Data sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Traditional Authentication
APT Transaction Flow Across Data Sources

Attacker phases: Gain Access to system > Transaction > Conduct Business > Create additional environment
Data Sources: Threat Intelligence; Endpoint; Network; Email, Proxy, DNS, and Web

Web Portal: Attacker hacks website, steals .pdf files
MAIL: Attacker creates malware, embeds it in a .pdf, emails it to the target
Endpoint: Read email, open attachment (.pdf); .pdf executes & unpacks malware, overwriting and running “allowed” programs: Calc.exe (dropper), Svchost.exe (malware)
Proxy: http (proxy) session to command & control server; remote control, steal data, persist in company, rent as botnet

Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
in search: index=zeus_demo3
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including Web, DNS, Proxy, Firewall, Endpoint and Email.
Click
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. We also have detailed info on each process and can map it back to the user and parent process.
Let's get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We are seeing high risk communication from multiple data sources.
We see multiple threat intel related events across multiple source types associated with the IP Address of Chris Gilbert. Let’s take a closer look at the IP Address.
We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
This dashboard is based on event data that contains a threat intel based indicator match (IP Address, domain, etc.). The data is further enriched with CMDB based Asset/Identity information.
We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address.
Scroll Down
Scroll down the dashboard to examine these threat intel events associated with the IP Address.
We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk.
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems.
This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred, which is common when data is being exfiltrated.
Exfiltration of data is a serious concern, as is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Let's continue the investigation.
We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Another clue. We also see that svchost.exe should be located in a Windows system directory but this is being run in the user space. Not good.
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name.
We also can see that the parent process that created this suspicious svchost.exe process is called calc.exe.
Suspected Malware
This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
Suspected Downloader/Dropper
Let's continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
Suspected Downloader/Dropper > Suspected Vulnerable App
The Parent Process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll Down
Scroll down the dashboard to examine activity related to the PDF reader process.
Chris opened 2nd_qtr_2014_report.pdf which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email and we have access to our email logs as one of our important data sources. Let's copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
Let's dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
in search: index=zeus_demo3 2nd_qtr_2014_report.pdf
Let's search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file, but let's first look at the email event to determine the scope of this apparent phishing attack.
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold On! That’s not our Domain Name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice.
This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
Root Cause Recap
(Kill chain diagram repeated from the APT Transaction Flow slide: web portal > mail > .pdf > Calc.exe dropper > Svchost.exe malware > proxy session to command & control server, across the Threat Intelligence, Endpoint, Network and Email/Proxy/DNS/Web data sources.)

We utilized threat intel to detect communication with known high risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
Let's revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Click
Select the access_combined sourcetype to investigate further.

The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP Address downloading (HTTP GET) the file.

Click
Select the IP Address, left-click, then select “New search”. We would like to understand what else this IP Address has accessed in the environment.

That’s an abnormally large number of requests sourced from a single IP Address in a ~90 minute window.
This looks like a scripted action given the constant high rate of requests over the below window.
Scroll Down
Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot useragent string, which is another attempt to avoid raising attention.

The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time – this is clearly a scripted brute force attack.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the web site.
Kill Chain Analysis Across Data Sources
(Kill chain diagram repeated from the APT Transaction Flow slide: web portal > mail > .pdf > Calc.exe dropper > Svchost.exe malware > proxy session to command & control server, across the Threat Intelligence, Endpoint, Network and Email/Proxy/DNS/Web data sources.)

We began by reviewing threat intel related events for a particular IP address and observed DNS, Proxy, and Endpoint events for a user in Sales.
We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
We traced calc.exe back to the vulnerable application PDF Reader.
We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let's get this turned over to the Incident Response team.
10 min Break!

Appendix
- SQLi
- DNS Exfiltration
- Splunk Security Essentials

SQLi
SQL Injection
● SQL injection
● Code injection
● OS commanding
● LDAP injection
● XML injection
● XPath injection
● SSI injection
● IMAP/SMTP injection
● Buffer overflow
Imperva Web Attacks Report, 2015
The anatomy of a SQL injection attack

SELECT * FROM users WHERE email='xxx@xxx.com' OR 1 = 1 -- ' AND password='xxx';

An attacker might supply:
  email:    xxx@xxx.xxx' OR 1 = 1 -- '
  password: xxx
Example form values: admin@admin.sys, 1234

…and so far this year… 39

index=web_vuln password select
What have we here?
Our learning environment consists of:
• A bunch of publicly-accessible single Splunk servers
• Each with ~5.5M events, from real environments but massaged:
  • Windows Security events
  • Apache web access logs
  • Bro DNS & HTTP
  • Palo Alto traffic logs
  • Some other various bits

https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
✓ looks for patterns in URI query field to see if anyone has injected them with SQL statements
✓ use standard deviations that are 2.5 times greater than the average length of your URI query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
Regular Expression FTW
sqlinjection_rex is a search macro. It contains:

(?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|\w*[%27|']or)

Which means: In the string we are given, look for ANY of the following matches and put that into the “injection” field.

• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ' at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ', then any number of %20, then =, then any number of %20, and then a %27 OR a '
• Note: %27 is encoded “'” and %20 is encoded <space>
• Any amount of word characters followed by a %27 OR a ' and then “or”
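As an added example (not part of the deck or the SQL Injection app), the Python below runs the sqlinjection_rex pattern and the 2.5-standard-deviation length check that the two macros describe over constructed uri_query values; the sample queries are made up, and percent-decoding before matching is this example's own choice.

```python
import re
import statistics
from urllib.parse import unquote

# The deck's sqlinjection_rex pattern, rewritten for Python: the named group
# uses (?P<name>...), the inline (?i) becomes re.IGNORECASE, and `w*` is read
# as `\w*` (the slide describes it as "any amount of word characters").
# [%27|'] is kept exactly as in the macro: a character class matching any one
# of % 2 7 | ', which is why a match can be as short as a single quote.
SQLI_REX = re.compile(
    r"(?P<injection>select.*?from|union.*?select|'$|delete.*?from|update.*?set"
    r"|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|\w*[%27|']or)",
    re.IGNORECASE,
)

# Constructed uri_query values: nine ordinary ones and three injection attempts
# (the last is the deck's own payload, URL-encoded as a browser would send it).
SAMPLE_QUERIES = [
    "id=42", "q=splunk", "page=3", "sort=asc", "id=7", "q=risk", "page=12",
    "lang=en", "tab=home",
    "q=1 union select username from users",
    "user=admin'or'1'='1",
    "email=someone.longer%40example-company.com%27%20OR%201%20%3D%201%20--%20%27",
]


def find_injection(uri_query):
    """Mirror of the sqlinjection_pattern macro: the text captured into the
    `injection` field, or None. The query is percent-decoded first so the
    pattern sees ' and spaces whether or not the client encoded them."""
    m = SQLI_REX.search(unquote(uri_query))
    return m.group("injection") if m else None


def long_queries(uri_queries, k=2.5):
    """Mirror of the sqlinjection_stats idea: flag queries whose length is more
    than k standard deviations above the mean length of the field."""
    lengths = [len(q) for q in uri_queries]
    mean = statistics.fmean(lengths)
    sd = statistics.pstdev(lengths)  # population stdev; Splunk's stdev() is sample-based
    return [q for q in uri_queries if len(q) > mean + k * sd]


def hunt(uri_queries):
    """Both checks together, as the app runs them side by side."""
    pattern_hits = {}
    for q in uri_queries:
        hit = find_injection(q)
        if hit:
            pattern_hits[q] = hit
    return {"pattern": pattern_hits, "length": long_queries(uri_queries)}


if __name__ == "__main__":
    for query, hit in hunt(SAMPLE_QUERIES)["pattern"].items():
        print(f"pattern hit {hit!r:16} in {query}")
    for query in hunt(SAMPLE_QUERIES)["length"]:
        print(f"length outlier ({len(query)} chars): {query}")
```

The pattern is a coarse heuristic, so short benign queries containing a digit 2 or 7 next to "or" will also match; the length check catches long payloads the pattern misses.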
Bonus: Try out the SQL Injection app!

Summary: Web attacks/SQL injection
● SQL injection provides attackers with easy access to data
● Detecting advanced SQL injection is hard – use an app!
● Understand where SQLi is happening on your network and put a stop to it.
● Augment your WAF with enterprise-wide Splunk searches.

DNS Exfiltration
domain=corp;user=dave;password=12345
  → encrypt →
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com

DNS exfil tends to be overlooked within an ocean of DNS data. Let’s fix that!
DNS exfiltration
“FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic … But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests!”
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests

“… few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.”
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872

DNS exfiltration
https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
✓ parse URLs & complicated TLDs (Top Level Domain)
✓ calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)

Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
Detecting Data Exfiltration
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| `ut_shannon(ut_subdomain)`
| eval sublen = length(ut_subdomain)
| table ut_domain ut_subdomain ut_shannon sublen
TIPS
❑ Leverage our Bro DNS data
❑ Calculate Shannon Entropy scores
❑ Calculate subdomain length
❑ Display Details

Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain
| search avg_sha>3 avg_sublen>20 stdev_sublen<2
TIPS
❑ Leverage our Bro DNS data
❑ Calculate Shannon Entropy scores
❑ Calculate subdomain length
❑ Display count, scores, lengths, deviations

Detecting Data Exfiltration
RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
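The two searches above, the ut_parse/ut_shannon scoring per query and the stats by ut_domain with the avg_sha>3, avg_sublen>20, stdev_sublen<2 thresholds, reproduced in Python over constructed Bro dns.log lines as an added example (not the deck's or URL Toolbox's code); the record being exfiltrated, the client addresses and the simplified two-label domain split are assumptions of this example.

```python
import base64
import math
import statistics
from collections import defaultdict


def shannon(word):
    """Shannon entropy in bits over the characters of `word`; this is the
    measure ut_shannon reports (google.com scores about 2.6)."""
    n = len(word)
    if n == 0:
        return 0.0
    counts = {}
    for ch in word:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (ut_domain, ut_subdomain). A simplified stand-in for ut_parse:
    the registered domain is taken as the last two labels, so multi-label
    TLDs such as co.uk are not handled here."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def exfil_labels(payload, chunk=36):
    """Encode a payload the way the deck's example shows: base64, one chunk per
    DNS label. 36 bytes become 48 characters with no '=' padding."""
    return [base64.urlsafe_b64encode(payload[i:i + chunk]).decode().rstrip("=")
            for i in range(0, len(payload), chunk)]


# Constructed 4 x 36 byte "stolen" record; the first chunk is the deck's own string.
SECRET = (b"domain=corp;user=dave;password=12345"
          b";host=ws-0042;role=finance;team=emea"
          b";session=abcdef0123456789;ticket=yes"
          b";token=9f8e7d6c5b4a39281706;site=PDX")

# Constructed Bro dns.log lines (ts, id.orig_h, query): four exfil queries to
# attack.com, the domain in the deck's example, plus ordinary lookups.
BRO_DNS_LINES = [f"1456789000.{i}\t10.0.0.5\t{label}.attack.com"
                 for i, label in enumerate(exfil_labels(SECRET))] + [
    "1456789010.0\t10.0.0.7\twww.google.com",
    "1456789011.0\t10.0.0.7\tmail.google.com",
    "1456789012.0\t10.0.0.8\tcdn4s.steelhousemedia.com",
    "1456789013.0\t10.0.0.8\tlog.tagcade.com",
    "1456789014.0\t10.0.0.9\twww.splunk.com",
]


def score_queries(lines):
    """First search on the slide: ut_parse, ut_shannon and sublen per event."""
    rows = []
    for line in lines:
        _ts, _src, query = line.split("\t")
        domain, sub = split_query(query)
        rows.append({"ut_domain": domain, "ut_subdomain": sub,
                     "ut_shannon": shannon(sub), "sublen": len(sub)})
    return rows


def suspicious_domains(rows, min_sha=3, min_sublen=20, max_stdev=2):
    """Second search: stats by ut_domain, then the slide's thresholds
    avg_sha>3 avg_sublen>20 stdev_sublen<2. Population stdev is used so a
    domain seen once still gets a number (Splunk's stdev() is sample-based)."""
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["ut_domain"]].append(r)
    flagged = {}
    for domain, rs in by_domain.items():
        sublens = [r["sublen"] for r in rs]
        stats = {"count": len(rs),
                 "avg_sha": statistics.fmean(r["ut_shannon"] for r in rs),
                 "avg_sublen": statistics.fmean(sublens),
                 "stdev_sublen": statistics.pstdev(sublens)}
        if (stats["avg_sha"] > min_sha and stats["avg_sublen"] > min_sublen
                and stats["stdev_sublen"] < max_stdev):
            flagged[domain] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in suspicious_domains(score_queries(BRO_DNS_LINES)).items():
        print(domain, stats)
```

The uniform label length (stdev 0) is what separates chunked exfil from CDN or tracking hostnames, which also score high on entropy but vary in length.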
Summary: DNS exfiltration
● Exfiltration by DNS and ICMP is a very common technique
● Many organizations do not analyze DNS activity – do not be like them!
● No DNS logs? No Splunk Stream? Look at FW byte counts
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
Identify bad guys in your environment:
✓ 45+ use cases common in UEBA products, all free on Splunk Enterprise
✓ Target external attackers and insider threat
✓ Scales from small to massive companies
✓ Save from the app, send results to ES/UBA
The most widely deployed UEBA vendor in the market is Splunk Enterprise, but no one knows it. Solve use cases you can today for free, then use Splunk UBA for advanced ML detection.

Splunk Security Essentials – Types of Use Cases
• Time Series Analysis with Standard Deviation
• First Time Seen powered by stats
• General Security Analytics Searches

Splunk Security Essentials – Data Sources
Electronic Medical Record
Source Code Repository

● How does the app work?
– Leverages primarily | stats for UEBA
– Also implements several advanced Splunk searches (URL Toolbox, etc.)
● Why call it UEBA?
– These use cases are often in UEBA tools
– 2/3 of use cases build on a baseline, which is a hallmark of UEBA
– 1/3 are advanced analytics that other vendors showcase in their UEBA
● How does it scale?
– App automates the utilization of high scale techniques
– Summary indexing for Time Series, caching in lookup for First Time
Splunk Enterprise Security

Splunk Enterprise - Big Data Analytics Platform -
Splunk Enterprise Security - Security Analytics Platform -
Threat Hunting with Splunk
Maturity scale labels: Hypotheses; Automated Analytics; Data Science & Machine Learning; Data & Intelligence Enrichment; Data Search & Visualisation
Building blocks: Threat Hunting Data Enrichment; Threat Hunting Automation; Ingest & Onboard Any Threat Hunting Machine Data Source; Search & Visualise Relationships for Faster Hunting
Other Items To Note
Navigation - How to Get Here
Description of what to click on
Click

Key Security Indicators (build your own!)
Sparklines
Editable
Various ways to filter data

Malware-Specific KSIs and Reports
Security Domains -> Endpoint -> Malware Center
Filterable

KSIs specific to Risk
Risk assigned to system, user or other
Under Advanced Threat, select Risk Analysis
(Scroll Down)
Recent Risk Activity
Under Advanced Threat, select Risk Analysis

Filterable, down to IoC
KSIs specific to Threat
Most active threat source
Scroll down…
Under Advanced Threat, select Threat Activity
Specifics about recent threat matches
Under Advanced Threat, select Threat Activity

To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads
Click
Click “Threat Artifacts” under “Advanced Threat”
Artifact Categories – click different tabs…
STIX feed
Custom feed
Under Advanced Threat, select Threat Artifacts

Review the Advanced Threat content
Click
Data from asset framework
Configurable Swimlanes
Darker = more events
All happened around same time. Change to “Today” if needed
Asset Investigator, enter “192.168.56.102”
Data Science & Machine Learning In Security
Disclaimer: I am not a data scientist

Types of Machine Learning
Supervised Learning: generalizing from labeled data

Supervised Machine Learning
Domain Name                 TotalCnt  RiskFactor  AGD  SessionTime  RefEntropy  NullUa  Outcome
yyfaimjmocdu.com            144       6.05        1    1            0           0       Malicious
jjeyd2u37an30.com           6192      5.05        0    1            0           0       Malicious
cdn4s.steelhousemedia.com   107       3           0    0            0           0       Benign
log.tagcade.com             111       2           0    1            0           0       Benign
go.vidprocess.com           170       2           0    0            0           0       Benign
statse.webtrendslive.com    310       2           0    1            0           0       Benign
cdn4s.steelhousemedia.com   107       1           0    0            0           0       Benign
log.tagcade.com             111       1           0    1            0           0       Benign

Unsupervised Learning: generalizing from unlabeled data
Unsupervised Machine Learning
• No tuning
• Programmatically finds trends
• UBA is primarily unsupervised
• Rigorously tested for fit
Raw Security Data → Algorithm → Automated Clustering

ML Toolkit & Showcase
• Splunk Supported framework for building ML Apps
– Get it for free: http://tiny.cc/splunkmlapp
• Leverages Python for Scientific Computing (PSC) add-on:
– Open-source Python data science ecosystem
– NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
– Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
– Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc.
• Implement one of 300+ algorithms by editing Python scripts

Machine Learning Toolkit Demo
Splunk UBA

Splunk Enterprise - Big Data Analytics Platform -
Splunk Enterprise Security - Security Analytics Platform -
User Behavior Analytics - Security Data Science Platform -
Threat Hunting with Splunk
Building blocks: Threat Hunting Data Enrichment; Threat Hunting Automation; Ingest & Onboard Any Threat Hunting Machine Data Source; Search & Visualise Relationships for Faster Hunting
Maturity scale labels: Hypotheses; Automated Analytics; Data Science & Machine Learning; Data & Intelligence Enrichment; Data Search & Visualisation

Machine Learning Security Use Cases
Machine Learning Use Cases
• Polymorphic Attack Analysis
• Behavioral Peer Group Analysis
• User & Entity Behavior Baseline
• Entropy/Rare Event Detection
• Cyber Attack / External Threat Detection
• Reconnaissance, Botnet and C&C Analysis
• Lateral Movement Analysis
• Statistical Analysis
• Data Exfiltration Models
• IP Reputation Analysis
• Insider Threat Detection
• User/Device Dynamic Fingerprinting

Splunk UBA Use Cases (columns: EXTERNAL THREATS | INSIDER THREATS)
ACCOUNT TAKEOVER
• Privileged account compromise
• Data exfiltration
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
SUSPICIOUS ACTIVITY
• Misuse of credentials
• Geo-location anomalies
MALWARE ATTACKS
• Hidden malware activity
BOTNET, COMMAND & CONTROL
• Malware beaconing
• Data leakage
USER & ENTITY BEHAVIOR ANALYTICS
• Suspicious behavior by accounts or devices

Splunk User Behavior Analytics (UBA)
• ~100% of breaches involve valid credentials (Mandiant Report)
• Need to understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
– Behavior Baselining & Modeling
– Anomaly Detection (30+ models)
– Advanced Threat Detection
• E.g., Data Exfil Threat:
– “Saw this strange login & data transfer for user kwestin at 3am in China…”
– Surface threat to SOC Analysts

UBA architecture (diagram labels): RAW SECURITY EVENTS → MACHINE LEARNING → ANOMALIES → GRAPH MINING → ANOMALY CHAINS (THREATS) → THREAT MODELS → HCI, with FEEDBACK back into the models. Threat models shown: Lateral Movement, Beaconing, Land-Speed Violation. Other labels: Anomalies graph, Entity relationship graph, Kill chain sequence, Forensic artifacts, Threat/Risk scoring.

Splunk UBA Demo
Security Workshops
● Security Readiness Workshop
● Data Science Workshop
● Enterprise Security Benchmark Assessment

Security Workshop Survey
https://www.surveymonkey.com/r/3T6T9TH
kwestin@splunk.com
Twitter: @kwestin
linkedin.com/in/kwestin