SPLUNKERS DC USER GROUP
HUNTING THE BAD GUYS: USING OSINT, SOCIAL MEDIA & OTHER TOOLS WITHIN
SPLUNK
Jake Babbin
Copper River Enterprise Services
Splunk Services
Splunk DC User Group – April 2018
ABOUT ME
• Over 15-year career spanning a variety of customers in the US Military, Intelligence Community, and Federal Law Enforcement
• Published Author
• Speaker at Security Conferences, assistant instructor
• Currently
• Architect Engineer, Copper River Enterprise Services
• Prior
• Director of Threat Intelligence, The Crypsis Group
• Practice Director – Incident Response and Forensics McAfee/Intel
Security (Americas)
• Incident Response Auditor for DoD CIO CND-SP/CCRI team
• Lead Analyst The White House Security Operation Center (EOP)
• Founded The White House Cyber Threat Cell
AGENDA
• Data Enrichment – why should we care ?
• Splunk and Geo-location
• Splunk enrichment options
• Examples - 3rd Party Data
• Twitter Data
• Status and information
• Data Enrichment New ideas
• Shodan
• Censys
• Demo
• Conclusion
DATA ENRICHMENT – WHY SHOULD WE CARE ?
TRACKING USER ACTIVITY
Contractor who sold their RSA token to stay at home
watching cat videos and going out
• “He physically FedExed his RSA [security] token to China”
• U.S.-based company discovered its computer systems were being
accessed from China
• Company's own employee gave access to Chinese programmers he
personally outsourced
• Employee, known as "Bob", seen as "someone you wouldn't look at
twice in an elevator"
• "Bob" earned several hundred thousand dollars a year, paying
Chinese firm $50,000 a year
• Even kept a schedule
“The Verizon team even found that "Bob" kept a regular schedule at
his office:
• 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat
videos
• 11:30 a.m. – Take lunch
• 1:00 p.m. – Ebay time.
• 2:00-ish p.m. – Facebook updates – LinkedIn
• 4:30 p.m. – End of day update e-mail to management.
• 5:00 p.m. – Go home”
LESSONS LEARNED FROM “CAT VIDEO” USER
Bottom line – could have been caught with a single geo-location lookup in Splunk
• Control physical access to security devices
• Possibly require physical validation/maintenance of devices on some time window (1 year, etc.)
• Setup Geo-location fencing
• For remote/home users trace the originating IP for matching
• Some ISPs and geo-location data may only put in approximate location
• Create and coordinate with HR locations or home sites for remote users
• For travel implement a travel tracking system
• Create asset tracking system
• Provides endpoint validation for other security requirements
• Current AV levels, security posture, etc prior to allowing VPN access
SPLUNK AND GEO-LOCATION
• Crash course on Maxmind
• Splunk uses Maxmind's GeoLite2 databases to match IPv4 addresses to physical locations
• Can be referenced in Splunk searches using the SPL command 'iplocation'
• mysearch | iplocation <field>
• Outputs contain Latitude, Longitude, Country, City, address
MAXMIND AND SPLUNK
Maxmind is a company that tracks IPv4 addresses (and now also IPv6)
• Provides geographic coordinate information about the IP address.
• Data is provided in 2 paid formats (GeoIP2 Country, GeoIP2 City) that include regular updates and better accuracy
• Also available in a free format (GeoLite2 Country).
• Major differences are in updates and accuracy.
• Provides API access in a variety of languages
IP GEO-LOCATION 101
• Definition
• Term for matching IPv4 addresses to their closest Latitude/Longitude coordinates
• Several services perform this lookup and reference information
• Maxmind, LLC is the major provider of this service
• Usually the closest match is the datacenter or the area of a major Internet Service Provider's office.
• Below – an example of the full Maxmind data record (from Maxmind Product
GeoIP2City)
GETTING SPLUNK TO UPDATE MAXMIND
• Previous work
TA-Geoip (https://github.com/georgestarcher/TA-geoip)
• Updated work
Script and Splunk app (Deploy among Search Heads)
http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-
environment
SPLUNK AND UPDATING MAXMIND
Splunk ships with a copy of Maxmind's free product GeoLite2-City
• Stored in '%SPLUNK_HOME%/share/'
• IPs change ownership, but the shipped version of the database doesn't change between Splunk releases.
How to update Splunk's Maxmind GeoLite2-City database
Create an app on your Deployment Server – Splunk_int_geoip
%SPLUNK_HOME%/etc/deployment-apps/Splunk_int_geoip/
    bin/
        get_maxmind_db.sh
    default/
        inputs.conf
        limits.conf
Great example used is from http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment
----- get_maxmind_db.sh
#!/bin/bash
# Author: Andrew Wurster
# Date: 13 Jan 2015
# Fetch the latest free GeoLite2-City database into this app's bin directory;
# abort (non-zero exit) if the directory is missing or the download fails.
cd /opt/splunk/etc/apps/Splunk_int_geoip/bin || exit 1
wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.'; exit 1; }
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb
----- inputs.conf
# Download at 11pm the 1st Tuesday of the month
# (check how your scheduler combines day-of-month 1-7 with day-of-week 2:
#  classic cron fires when EITHER field matches, which would also run on the 1st-7th of every month)
[script:///opt/splunk/etc/apps/Splunk_int_geoip/bin/get_maxmind_db.sh]
index = main
interval = 0 23 1-7 * 2
sourcetype = splunk_geoip
disabled = false
----- limits.conf
# redirects the default location to this app's directory
[iplocation]
db_path = /opt/splunk/etc/apps/Splunk_int_geoip/bin/GeoLite2-City-Latest.mmdb
SPLUNK ENRICHMENT OPTIONS
• Splunk Natively has several options available
• Lookups – Called in SPL (Splunk Processing Language) Queries
• File based
• Geolocation
• External (scripts)
• KV Store
• Automatic lookups – Added to content and fields automatically
• Useful for Web Log data to automatically convert HTTP field Codes to Common Names
• Adding site and location information to logs such as VPN data, endpoints, etc
LOOKUP DEFINITIONS – GIVE THAT DATA CONTEXT
• Splunk Community created a CSV file for HTTP status messages.
• http://wiki.splunk.com/Http_status.csv
Fields: status, status_description, status_type
• Create a Lookup File and Definition
• Call the lookup and provide the output column
mysearch | lookup HttpStatusLookup status AS status OUTPUT status_description AS Description
EASY WIN - GEO-LOCATION MAPPING
• Simple country filtering
mysearch | iplocation src_ip | search (Country="India" OR Country="South Africa" OR Country="Germany") | geostats latfield=lat longfield=lon count
• Splunk embedded commands used
• iplocation/geostats – geo-coding
information
• geom - Allows for Geo-fencing
framing via polygons
• geomfilter – geo-fencing limiting
| IOCfilter regex=".*" ignorecase=True
| search value_type="ipv4-addr"
| rename value AS src_ip
| iplocation src_ip
| search (Country="India" OR Country="South Africa" OR Country="Germany")
| geostats latfield=lat longfield=lon count
Real-world Example:
Suricata: Protocol Analysis DNS
Fun things to do with DNS data
• Find out who’s mapping your network using DNS
index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
| stats count values(dns.rrname) by dns.rrtype, src_ip
| sort - count
• Find a specific country that is walking DNS to get information
Example: Libya
index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
| iplocation src_ip
| search Country="Libya"
| stats count values(dns.rrname) by dns.rrtype, src_ip
| sort - count
Interacting with External Commands
Tor Tracking
TOR LOOKUPS
• The Tor Project – Provides both web and
script access to public repository
information related to the Tor network –
https://metrics.torproject.org
• Hosts are broken down into functions
• Exit Nodes – End points from the Tor
network to the public Internet
• Directory Servers – Onion network
routing control servers
• Bridges – Control connections between
Tor clients, Directory Servers and Exit
Nodes
• Example IP: 162.247.72.201
INTERACTING WITH EXTERNAL COMMANDS
Interacting with other APIs, lookups, search scripts and more
• Search for an IP address to see if it's part of the Tor network
index=security_logs sourcetype=nids
| lookup torlookup ip AS clientip OUTPUT torvalue AS TorInfo
| fillnull value=NotTorHost TorInfo
| table sourcetype, clientip, TorInfo
Positive Hit
Negative Hit – (Custom result)
NotTorHost
DEMO – LOOKUPS
- Show Script
- Show lookup creation
- Show Example
DEMO – WALKTHROUGH
• Script uses an external lookup from DNS for a hosted site
• dan.me.uk maintains a DNS response that lists Tor information about an IP
• https://www.dan.me.uk/dnsbl
• Take the IPv4 address (can also be done for IPv6)
• Reverse the IP to embed it into a DNS A record query
192.2.0.123 -> 123.0.2.192.torexit.dan.me.uk
• Response
• If the IP is a match, the response will be an A record of 127.0.0.100
• Follow up with a TXT record query for extra information
N:<nodename>/P:<port1[,port2]>/F:<flags>
• Grab the response data, add the flag info and return the results to Splunk
BUILD THE SPLUNK LOOKUP COMMAND/SCRIPT
Apply to transforms.conf in $SPLUNK_HOME/etc/system/local/
#
# Lookup NAME (the script itself must live in a Splunk bin/ directory, e.g. $SPLUNK_HOME/etc/system/bin)
[torlookup]
external_cmd = Tor_DNS_lookup.py EXT_IP TorResult
fields_list = EXT_IP, TorResult
RUN A SEARCH
index=zimperium "threat.general.external_ip"="*"
| stats count by threat.general.external_ip, "threat.name"
| rename "threat.general.external_ip" AS EXT_IP
| lookup torlookup EXT_IP OUTPUT TorResult
| table EXT_IP, "threat.name", TorResult
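The slides reference Tor_DNS_lookup.py but do not show it. The following is an added example, not the speaker's code, of how that external lookup can be written in Python: it reverses the IPv4 address, queries torexit.dan.me.uk, treats an A answer of 127.0.0.100 as a match, parses the N:/P:/F: TXT record, and speaks Splunk's CSV-in/CSV-out external lookup protocol on the EXT_IP and TorResult fields from transforms.conf. The live resolver assumes the dnspython package is installed; a constructed offline resolver is included so the logic can be exercised without network access.

```python
"""Splunk external lookup: is this IP a Tor exit, according to the dan.me.uk DNSBL?"""
import csv
import io
import sys
from typing import Callable, Dict, List, Tuple

# Zone and match answer as described on the slides.
DNSBL_ZONE = "torexit.dan.me.uk"
TOR_MATCH_ANSWER = "127.0.0.100"

# A resolver maps a DNS name to (A records, TXT records). It is injectable so the
# lookup logic can be tested offline.
Resolver = Callable[[str], Tuple[List[str], List[str]]]


def reverse_ipv4(ip: str) -> str:
    """Octet-reversed form used by DNSBL queries: 192.2.0.123 -> 123.0.2.192."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def dnsbl_name(ip: str) -> str:
    """Full query name for one IP, e.g. 123.0.2.192.torexit.dan.me.uk."""
    return f"{reverse_ipv4(ip)}.{DNSBL_ZONE}"


def parse_txt(txt: str) -> Dict[str, str]:
    """Parse 'N:<nodename>/P:<port1[,port2]>/F:<flags>' (quotes from DNS tooling tolerated)."""
    out: Dict[str, str] = {}
    for part in txt.strip().strip('"').split("/"):
        key, sep, value = part.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def lookup_ip(ip: str, resolve: Resolver) -> str:
    """TorResult value for one IP: 'NotTorHost', 'InvalidIP', or the exit-node details."""
    try:
        name = dnsbl_name(ip)
    except ValueError:
        return "InvalidIP"
    a_records, txt_records = resolve(name)
    if TOR_MATCH_ANSWER not in a_records:
        return "NotTorHost"
    details = parse_txt(txt_records[0]) if txt_records else {}
    return "TorExit name={} ports={} flags={}".format(
        details.get("N", "?"), details.get("P", "?"), details.get("F", "?"))


def default_resolver(name: str) -> Tuple[List[str], List[str]]:
    """Live DNS via dnspython (assumed dependency; imported lazily so the module loads without it)."""
    import dns.resolver  # pip install dnspython

    def query(rtype: str) -> List[str]:
        try:
            return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
        except Exception:  # NXDOMAIN, timeout, no answer: all mean "no match"
            return []
    return query("A"), query("TXT")


# Constructed offline answers for demonstration and testing only.
FAKE_ANSWERS = {
    "123.0.2.192.torexit.dan.me.uk": (["127.0.0.100"], ['"N:examplenode/P:443,9001/F:EX"']),
}


def fake_resolver(name: str) -> Tuple[List[str], List[str]]:
    return FAKE_ANSWERS.get(name, ([], []))


def run_lookup(infile, outfile, resolve: Resolver = default_resolver) -> None:
    """Splunk external lookup protocol: CSV with EXT_IP,TorResult in, same columns filled out."""
    reader = csv.DictReader(infile)
    fieldnames = list(reader.fieldnames or ["EXT_IP", "TorResult"])
    if "TorResult" not in fieldnames:
        fieldnames.append("TorResult")
    writer = csv.DictWriter(outfile, fieldnames=fieldnames)
    writer.writeheader()
    for row in reader:
        row["TorResult"] = lookup_ip(row.get("EXT_IP") or "", resolve)
        writer.writerow(row)


def lookup_csv(csv_text: str, resolve: Resolver = default_resolver) -> List[Dict[str, str]]:
    """In-memory wrapper around run_lookup; returns the output rows as dicts."""
    out = io.StringIO()
    run_lookup(io.StringIO(csv_text), out, resolve)
    return list(csv.DictReader(io.StringIO(out.getvalue())))


if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout)
```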
MORE EXAMPLES –
3RD PARTY DATA
EXAMPLES - 3RD PARTY DATA
• JSON Twitter
• Follow the Mirai IoT botnet
• Keywords of interest / brand status
• Catalog leaks on pastebins
• Shodan
• Lookups and pivots
• HL (Hurricane Labs) app
TWITTER DATA
FOLLOW THAT BOTNET – MIRAI IOT BOTNET
• Background
Mirai (Japanese for "the future") is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a leaked chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
- Wikipedia - https://en.wikipedia.org/wiki/Mirai_(malware)
TWITTER TRACKING OF MIRAI BOTNET
• Internet researchers (2sec4u and MalwareTechBlog) started a live feed of the DDoS IPs used in the Mirai botnet.
• Twitter posts contain information such as IP, attack type, name, duration and protocol
• Let's use that to store into Splunk!
• Twitter can be logged into Splunk using a JSON RESTful endpoint.
• Follow the handle you want, '@MiraiAttacks' in this case.
• Dump the Twitter text and parse for fields
• Add to a lookup table? Compare to other threat feeds/info available in Splunk
Example of using Twitter data
• Parse the Twitter index for 'tweets' (message info)
• Then look for my handle of interest '@MiraiAttacks'
• Then make sure the tweet has an IPv4 address as part of the tweet
• Extract fields for parsing
• BotnetNumber – internal tracker
• BotnetProto – type of IP protocol used
• BotnetDuration – time (seconds) for the attack
• BotnetTarget – IPv4 address
• BotnetCIDR – CIDR notation for the IP (in case it is not a single IP (/32))
GET THAT THREAT INTEL
index=socialmedia sourcetype=twitter_tweet
| rename user.screen_name AS "Handle", count AS "Num_Tweets"
| search Handle=MiraiAttacks
| regex text="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| rex field=text "\w+\s\W(?<BotnetNumber>\d+)\s-\s(?<BotnetProto>\w+)\s\w+\w+\w+\s\w+\s(?<BotnetDuration>\d+)\s\w+\s\[\w+\]\s(?<BotnetTarget>\d+\.\d+\.\d+\.\d+)\S(?<BotnetCIDR>\d+)"
| stats count values(BotnetTarget) by BotnetNumber
ANOTHER EXAMPLE –
RECORD/FOLLOW TWITTER FEED
SOCIAL MEDIA DASHBOARD
Quick Stats
• Useful for
Profile/brand status
and awareness
Example Content
• Last 30 minutes of
tweets
• Last 24 Hours
• Top Hashtags
• Top Posters
• All Time
• Top Poster
LAZY ME – RECORDING AND TRACKING MY TWITTER FEED IN
SPLUNK
• REST API as data input (it's only JSON, right?)
• Store in index only for messages, urls and names for now
• Run a lookup of ‘dirty’ words then add to alert
• Generates a daily report of tweets per day
COLLECT LEAKED INFORMATION - PASTEBIN
• Twitter Handle ‘dumpmon’
reports and links to
pastebin and pastie posts
that appear to have leaked
information in them.
DEMO – SOCIAL MEDIA
SITUATIONAL AWARENESS (SITREP)
STATUS AND INFORMATION
• News
• RSS feeds
• Clickable links
• Geo-fencing information
INGESTING RSS DATA
• Splunk can ingest Syndication
feeds such as RSS, Atom and RDF
formats (any RSS-like format)
• Add-on Syndication Input (2646)
• Simple method of taking collections
of feeds and ingesting into Splunk.
DEMO – CLICKABLE EXTERNAL LINKS
SPLUNK UI – MAKING LINKS CLICKABLE
• Syndication Links and others
can be made to be clickable
• Splunk SimpleXML
• Make the Original_Link open
in a new browser window
• Use the Drilldown option
• Pick up the field from the
table
Snippet -
<drilldown target="_blank">
<link>$row.Original_Link|n$</link> </drilldown>
• Takes the table and grabs the row value and opens a new
browser
• Note the link contains “$row.Original_Link|n$”
This tells the Splunk web framework to treat the row field as
a direct link rather than an internal Splunk link like a dashboard.
• Thanks Ryan Thibodeaux for the help in
solving this
GEO-SPATIAL LOOKUPS
SHAPESTER EXAMPLE
Splunk App (2893)
• This app lets you draw your own shapes and
polygons directly on the map and save them as
a geospatial lookup.
• You can then use this lookup to set up alerts
based on geo-fences. Or you can create a
building map by drawing the buildings of your
campus.
• Example taken using GPS coordinates from a
mobile team around Breckenridge Ski resort
• Created Choropleth zones of different
areas of the resort
• Based on likely avalanche zones using other
data
Source: http://blogs.splunk.com/2016/01/20/splunking-avalanches-of-data/
DATA ENRICHMENT NEW IDEAS
Use security researcher search engines to identify and track public information
• Shodan
• HL app
• Direct query with local cache storage ideas
• Censys
SHODAN
SHODAN – GOOGLE FOR OPEN-SOURCE INTELLIGENCE
• Shodan (http://shodan.io) – search engine for security researchers
• Functions like a search engine
• Interrogates ports and grabs banners for collection
• Data is gathered from Shodan crawlers that 'walk' the Internet IP space.
• Designed to locate specific content and specific node information (desktops, servers, routers, etc.)
• Splunk and Shodan
• Common app is the Hurricane Labs search add-on (1766)
• Creates a new Splunk SPL keyword 'shodan' that allows you to query an IP
• Also used by the Hurricane Labs Shodan App (1767)
• Adaptive Response app available as well (3700)
• Workflow action app (3509)
SHODAN EXAMPLES
• Search by IP
'| shodan 4.4.4.4'
• Search by hostname/FQDN
'| shodan badsite.com'
• Pivot on a larger grouping such as
• BGP ASN (useful for grouping IPs to a larger ASN)
'my_search by src_ip | stats count by asn'
• Geolocation (lat/long) - useful for geospatial bounding of results
'my_search | where Country="Russia"'
• Map Bitcoin servers
- Search in Shodan (CLI or script or web) for the popular bitcoin port 8333/tcp
- Run a scripted input to update the list
* Place in a KV Store for larger data sets *
- Organize by geo-location, server type, etc.
Shodan search for 'lighttpd/1.4.32'
80.http.get.headers.www_authenticate = 'antMiner'
80.http.get.headers.server = 'lighttpd/1.4.32'
SHODAN EXAMPLE – GATHER LIST OF ANTMINERS
sh-3.2# shodan search "lighttpd/1.4.32" AND "antminer" > antminer_shodan_list_20Feb_2018.txt
Example OUTPUT
171.244.44.50 80 HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="c32f6cf3b1306fe89ee4e42fe2eca7a3", qop="auth"\r\nContent-Type: text/html\r\nContent-Length: 351\r\nDate: Sun, 09 Jan 2000 00:06:41 GMT\r\nServer: lighttpd/1.4.32\r\n\r\n
31.41.216.103 80 HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="8d64634b86fd7e9139584a75683da9ea", qop="auth"\r\nContent-Type: text/html\r\nContent-Length: 351\r\nDate: Sun, 18 Feb 2018 17:59:11 GMT\r\nServer: lighttpd/1.4.32\r\n\r\n
219.151.23.205 80 HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="459c170d1621be42afd523eb423bd8c3", qop="auth"\r\nContent-Type: text/html\r\nContent-Length: 351\r\nDate: Thu, 01 Jan 1970 10:14:31 GMT\r\nServer: lighttpd/1.4.32\r\n\r\n
96.92.84.205 3000 96-92-84-205-static.hfc.comcastbusiness.net HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="9e0ceada5c09fd18bc498d83ff2bda11", qop="auth"\r\nContent-Type: text/html\r\nContent-Length: 351\r\nDate: Sun, 18 Feb 2018 07:35:34 GMT\r\nServer: lighttpd/1.4.32\r\n\r\n
93.178.219.116 8001 mail.zit.com.ua HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="f0f028aac537dd98fe8e6fa709c5c7c0", qop="auth"\r\nContent-Type: text/html\r\nContent-Length: 351\r\nDate: Sun, 18 Feb 2018 07:18:28 GMT\r\nServer: lighttpd/1.4.32\r\n\r\n
CENSYS
CENSYS – A NEW SEARCH ENGINE FOR RESEARCHERS
• “Censys is a search engine that
allows computer scientists to ask
questions about the devices and
networks that compose the
Internet. Driven by Internet-wide
scanning, Censys lets researchers
find specific hosts and create
aggregate reports on how devices,
websites, and certificates are
configured and deployed.” states
the description on the
Censys official website.
CENSYS GRAB SSL CERTIFICATES THAT CONTAIN
ANTMINER
• Using the Python library for Censys
sh-3.2# python censys_io.py --api_id <MY_ID> --api_secret <MY_API_SECRET> -i "Let's Encrypt" antminer --limit 20 --verbose
• Search limited to 20 results but outputs the raw JSON data
• Where the SSL issuer is the EFF's "Let's Encrypt" free SSL CA
• And where somewhere in the record it also contains the string 'antminer'
• Fun Result Example
• Host in Germany
• Victim's Synology backup server ....
• u'title': u'Hallo! Herzlich Willkommen bei Synology Web Station!'}}},
• Check marks for Antminer web control
• Right web server - u'server': u'lighttpd/1.4.32',
• Right HTTP authentication - u'www_authenticate': u'Digest realm="antMiner Configuration",
• Wrap this in a script to collect the IP and drop it into a Splunk watchlist
Adding IP, DNS name, and Country to the KV Store 'antminercoll'
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/antminercoll -H 'Content-Type: application/json' -d '{"IP": "217.72.209.42", "Country": "Germany", "SSLCommonName": "loisl.ddnss.de"}'
DEMO – CENSYS AND SHODAN
MORE FUN WITH CENSYS AND SHODAN
Tracking and exploiting AntMiner and Claymore web backends
https://medium.com/@s3yfullah/hacking-cryptocurrency-miners-with-osint-techniques-677bbb3e0157
In this example the authors use Shodan search to find poorly configured AntMiner web interfaces and exploit them to take over the miner backend
DEMO
DEMO – PUTTING IT TOGETHER
• Pray to Demo Gods
Show
- Shodan
• Gather list of Questionable Servers (with SSL port enabled)
• Censys
• Combine output to find CA’s of interest “Let’s Encrypt” (EFF) for example
FUTURE IDEAS
• Add other data sources
• SSL blocklist
• Extract/compare with NIDS like Bro and Suricata for SSL certificate
• Allow extra pivoting based on threat information sources
SURICATA IDS
• Network IDS that supports snort rules
as well as protocol decoding.
• Useful for grabbing SSL certificates
SSL Investigation and Matching
Find all EFF ‘Let’s Encrypt’ certificates being used
on US Gov’t servers
index=<CUSTOMER>_sec_suricata
event_type=tls “Let’s encrypt” tls.sni=“*.gov”
Find Suspect certificates (PICTURE)
Anything stand out as suspicious?
• Self-signed SSL certificate
• Fake state, city, organization, and canonical name/server name
BRO IDS
• BRO IDS – application decoding platform
• Processes Layer 4 to 7 traffic
• Rebuilds HTTP, SSL, FTP, SMTP, etc. protocols
• Think of the manual process in Wireshark to 'Follow TCP Stream' or 'Follow HTTP Stream'
• In this example Bro is parsing SSL into Splunk as 'bro_ssl'
• NOTE the "JA3" field: that's a method/tool to enable cataloging of SSL certificates for comparison with known lists
HEY THERE’S A SPLUNK BLOG POST ABOUT THIS
EXACT THING!
• https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
"They developed JA3, a technique for creating SSL client fingerprints from the pre-encryption handshakes of the SSL protocol. At this time, you can generate JA3 fingerprints with either a Bro JA3 script or customizing an instance of Suricata."
What you need to know
• Supports both BRO and Suricata
• Creates and calculates an MD5 ’hash’ for an SSL certificate that can be searched by Splunk
• Monitor via Lookup for example from list of JA3 certificates
Example list - https://github.com/trisulnsm/trisul-
scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json
Title            Description                     Value
ja3_version      SSL Version                     769
ja3_ciphers      SSL Cipher(s)                   47-53-5-10-49161-49162-49171-49172-50-56-19-4
ja3_extensions   SSL Extension                   0-10-11
ja3_ec           SSL Elliptic Curve              23-24-25
ja3_ec_fmt       SSL Elliptic Curve PointFormat  0
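As an added example (not from the slides or the Splunk blog post), the following Python builds the JA3 string from the five TLS Client Hello fields in the table above in the order the JA3 specification requires, skips GREASE values as the specification does, MD5s the string to get the fingerprint, and looks the result up in a known-fingerprint map of the kind a lookup file would hold; the sample field values are the table's, the known-fingerprint map is constructed.

```python
"""JA3: MD5 over the TLS Client Hello parameters, in a fixed order."""
import hashlib
from typing import Dict, Iterable, Mapping

# JA3 field order: version, ciphers, extensions, elliptic curves, EC point formats.
JA3_FIELDS = ("ja3_version", "ja3_ciphers", "ja3_extensions", "ja3_ec", "ja3_ec_fmt")

# Sample taken from the fingerprint table above (769 == 0x0301, i.e. TLS 1.0).
SAMPLE_FIELDS = {
    "ja3_version": "769",
    "ja3_ciphers": "47-53-5-10-49161-49162-49171-49172-50-56-19-4",
    "ja3_extensions": "0-10-11",
    "ja3_ec": "23-24-25",
    "ja3_ec_fmt": "0",
}


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are random per connection,
    so JA3 drops them; otherwise one browser would hash to many fingerprints."""
    return (value & 0x0F0F) == 0x0A0A


def ja3_fields_from_hello(version: int, ciphers: Iterable[int], extensions: Iterable[int],
                          curves: Iterable[int], point_formats: Iterable[int]) -> Dict[str, str]:
    """Turn decoded Client Hello lists (as a Bro or Suricata script extracts them)
    into the five dash-joined JA3 fields, GREASE removed."""
    def join(values: Iterable[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))
    return {
        "ja3_version": str(version),
        "ja3_ciphers": join(ciphers),
        "ja3_extensions": join(extensions),
        "ja3_ec": join(curves),
        "ja3_ec_fmt": join(point_formats),
    }


def ja3_string(fields: Mapping[str, str]) -> str:
    """Comma-join the fields in JA3 order; a field absent from the hello stays empty."""
    return ",".join(str(fields.get(key, "")) for key in JA3_FIELDS)


def ja3_hash(fields: Mapping[str, str]) -> str:
    """The JA3 fingerprint is the 32-hex-character MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(fields).encode("ascii")).hexdigest()


def match_known(fields: Mapping[str, str], known: Mapping[str, str]) -> str:
    """Look the fingerprint up in a map of md5 -> description, as a Splunk lookup would."""
    return known.get(ja3_hash(fields), "unknown")


if __name__ == "__main__":
    print(ja3_string(SAMPLE_FIELDS))
    print(ja3_hash(SAMPLE_FIELDS))
```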
WRAPPING UP
• Splunk is a powerful tool
• When leveraged with 3rd party data and data enrichment, Splunk security users and managers can more clearly defend their environment
• Integration of social media information can provide useful information
• Tracking threats, priority events, etc.
• News and information for situational awareness in the environment
• Threat intelligence comes in many forms that can be useful for Splunk
• Leverage and use every component in your environment (network IDS, for example) to better defend the network(s).
• Hopefully these demos and examples have given you ideas to take away for your environment.
THANK YOU
QUESTIONS/COMMENTS
Can’t think of something now? Ask me later
Email: jbabbin[@]gmail.com

Passive DNS Collection – Henry Stern, Cisco
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
 
Drilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache DrillDrilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache Drill
 
Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout Session
 
How to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with SplunkHow to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with Splunk
 
Splunk Developer Platform
Splunk Developer PlatformSplunk Developer Platform
Splunk Developer Platform
 
Getting Started with Splunk
Getting Started with SplunkGetting Started with Splunk
Getting Started with Splunk
 
Headaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsHeadaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous Applications
 

Recently uploaded

By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"

6. LESSONS LEARNED FROM “CAT VIDEO” USER
Bottom line – could have been caught with a single Geo-location lookup in Splunk
• Control physical access to security devices
  • Possibly require physical validation/maintenance of devices on some time window (1 year, etc.)
• Set up Geo-location fencing
  • For remote/home users, trace the originating IP for matching
  • Some ISPs and geo-location data may only give an approximate location
  • Create and coordinate with HR locations or home sites for remote users
  • For travel, implement a travel tracking system
• Create an asset tracking system
  • Provides endpoint validation for other security requirements
  • Current AV levels, security posture, etc. prior to allowing VPN access

8. SPLUNK AND GEO-LOCATION
• Crash course into Maxmind
• Splunk uses Maxmind’s GeoLite2 databases to match IPv4 addresses to physical locations
• Can be referenced in Splunk searches using the SPL command ‘iplocation’
    Mysearch | iplocation <field>
• Outputs contain Latitude, Longitude, Country, City, address

9. MAXMIND AND SPLUNK
Maxmind is a company that tracks IPv4 addresses (now also IPv6)
• Provides geographic coordinate information about the IP address
• Data is provided in two paid formats (GeoIP2 Country, GeoIP2 City) that allow for updates and accuracy
• Also available in a free format (GeoLite2 Country)
• Major differences are in updates and accuracy
• Provides API access in a variety of languages

10. IP GEO-LOCATION 101
• Definition
  • Term for matching IPv4 addresses to their closest Latitude/Longitude coordinates
• Several services perform this lookup and reference information
  • Maxmind, LLC is the major provider of this service
• Usually the closest match is the datacenter or area of a major Internet Service Provider’s office
• Below – an example of the full Maxmind data record (from the Maxmind product GeoIP2 City)

11. GETTING SPLUNK TO UPDATE MAXMIND
• Previous work: TA-geoip (https://github.com/georgestarcher/TA-geoip)
• Updated work: script and Splunk app (deploy among Search Heads)
  http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment

12. SPLUNK AND UPDATING MAXMIND
Splunk ships with a copy of Maxmind’s free product GeoLite2-City
• Stored in ‘%SPLUNK_HOME%/share/’
• IPs change ownership, but the shipped version of the database doesn’t change between Splunk releases
How to update Splunk’s Maxmind GeoLite2-City database
• Create an app on your Deployment Server – Splunk_int_geoip
    %SPLUNK_HOME%/etc/deployment-apps/Splunk_int_geoip/
        bin/
            get_maxmind_db.sh
        default/
            inputs.conf
            limits.conf
• Great example used is from http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment

----- get_maxmind_db.sh
    #!/bin/bash
    # Author: Andrew Wurster
    # Date: 13 Jan 2015
    # Note: since the end of 2019 MaxMind requires a (free) license key to download
    # GeoLite2, so this 2015 URL must be replaced by the key-based download link from
    # your MaxMind account.
    cd /opt/splunk/etc/apps/Splunk_int_geoip/bin || exit 1
    wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.'; exit 1; }
    gunzip -f GeoLite2-City-Latest.mmdb.gz
    chmod 644 GeoLite2-City-Latest.mmdb

----- inputs.conf
    # Download at 11pm the 1st Tuesday of the month
    [script:///opt/splunk/etc/apps/Splunk_int_geoip/bin/get_maxmind_db.sh]
    index = main
    interval = 0 23 1-7 * 2
    sourcetype = splunk_geoip
    disabled = false

----- limits.conf
    # redirects the default location to this app’s directory
    [iplocation]
    db_path = /opt/splunk/etc/apps/Splunk_int_geoip/bin/GeoLite2-City-Latest.mmdb
14. SPLUNK ENRICHMENT OPTIONS
• Splunk natively has several options available
• Lookups – called in SPL (Splunk Processing Language) queries
  • File based
  • Geolocation
  • External (scripts)
  • KV Store
• Automatic lookups – added to content and fields automatically
  • Useful for web log data to automatically convert HTTP status codes to common names
  • Adding site and location information to logs such as VPN data, endpoints, etc.

15. LOOKUP DEFINITIONS – GIVE THAT DATA CONTEXT
• Splunk Community created a CSV file for HTTP status messages
  • http://wiki.splunk.com/Http_status.csv
  • Fields: status, status_description, status_type
• Create a Lookup File and Definition
• Call the lookup and provide the output column
    Mysearch | lookup HttpStatusLookup status AS status OUTPUT status_description AS Description

16. EASY WIN – GEO-LOCATION MAPPING
• Simple country filtering
    Mysearch | iplocation src_ip
    | search (Country=India OR Country="South Africa" OR Country="Germany")
    | geostats latfield=lat longfield=lon count
• Splunk embedded commands used
  • iplocation/geostats – geo-coding information
  • geom – allows for geo-fencing framing via polygons
  • geomfilter – geo-fencing limiting
• The same filtering applied to indicator output
    | IOCfilter regex=".*" ignorecase=True
    | search value_type="ipv4-addr"
    | rename value as src_ip
    | iplocation src_ip
    | search (Country=India OR Country="South Africa" OR Country="Germany")
    | geostats latfield=lat longfield=lon count

17. Real-world Example: Suricata: Protocol Analysis DNS
Fun things to do with DNS data
• Find out who’s mapping your network using DNS
    index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
    | stats count values(dns.rrname) by dns.rrtype, src_ip
    | sort - count
• Find a specific country that is walking DNS to get information. Example: Libya
    index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
    | iplocation src_ip
    | search Country="Libya"
    | stats count values(dns.rrname) by dns.rrtype, src_ip
    | sort - count

18. INTERACTING WITH EXTERNAL COMMANDS – TOR TRACKING

19. TOR LOOKUPS
• The Tor Project – provides both web and script access to public repository information related to the Tor network – https://metrics.torproject.org
• Hosts are broken down into functions
  • Exit Nodes – end points from the Tor network to the public Internet
  • Directory Servers – onion network routing control servers
  • Bridges – control connections between Tor clients, Directory Servers and Exit Nodes
• Example IP: 162.247.72.201

20. INTERACTING WITH EXTERNAL COMMANDS
Interacting with other APIs: lookups, search scripts and more
• Search for an IP address to see if it’s part of the Tor network
    index=security_logs sourcetype=nids
    | lookup torlookup ip AS clientip OUTPUT torvalue AS TorInfo
    | fillnull value=NotTorHost TorInfo
    | table sourcetype, clientip, TorInfo
• Positive hit
• Negative hit – (custom result) NotTorHost

21. DEMO – LOOKUPS
• Show script
• Show lookup creation
• Show example

22. DEMO – WALKTHROUGH
• Script uses an external lookup from DNS for a hosted site
• dan.me.uk maintains a DNS response that lists Tor information about an IP
  • https[:]www.dan.me.uk/dnsbl
• Take the IPv4 address (can be extended to IPv6)
• Reverse the IP to embed it in a DNS A record query
    192.2.0.123  ->  123.0.2.192.torexit.dan.me.uk
• Response
  • If the IP is a match, the response will be an A record of 127.0.0.100
  • Follow up with a TXT record query for extra information: N:<nodename>/P:<port1[,port2]>/F:<flags>
• Grab the response data, add the flag info, return the results to Splunk
BUILD THE SPLUNK LOOKUP COMMAND/SCRIPT
Apply to transforms.conf in $SPLUNK_HOME/etc/system/local/
    #
    # Lookup NAME
    [torlookup]
    external_cmd = Tor_DNS_lookup.py EXT_IP TorResult
    fields_list = EXT_IP, TorResult
RUN A SEARCH
    index=zimperium "threat.general.external_ip"="*"
    | stats count by threat.general.external_ip, "threat.name"
    | rename "threat.general.external_ip" AS EXT_IP
    | lookup torlookup EXT_IP OUTPUT TorResult
    | table EXT_IP, "threat.name", TorResult
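The lookup script the walkthrough describes, written out as an added example (not the deck's own Tor_DNS_lookup.py): it reverses the IP into the dan.me.uk query name, treats an A answer of 127.0.0.100 as listed, parses the TXT record, and speaks Splunk's external-lookup CSV protocol on stdin/stdout. The DNS answers and relay name in the sample are constructed; the resolver is injected so the demo runs offline, and the real resolver assumes dnspython is available for TXT lookups.

```python
#!/usr/bin/env python3
"""Splunk external lookup: flag Tor exit nodes via the dan.me.uk DNSBL.

Added example, not the deck's Tor_DNS_lookup.py. Splunk's external-lookup
protocol: the script is started with the lookup field names as arguments,
reads a CSV with those columns on stdin, and writes the same CSV on stdout
with the output column filled in.
"""
import csv
import io
import ipaddress
import socket
import sys

DNSBL_ZONE = "torexit.dan.me.uk"   # zone named on the slide
LISTED_ANSWER = "127.0.0.100"      # A answer the DNSBL returns for a listed IP


def dnsbl_name(ip_text):
    """192.2.0.123 -> 123.0.2.192.torexit.dan.me.uk (raises ValueError on junk)."""
    ip = ipaddress.IPv4Address(ip_text)
    return ".".join(reversed(str(ip).split("."))) + "." + DNSBL_ZONE


def parse_txt(txt):
    """Parse the TXT answer 'N:<nodename>/P:<port1[,port2]>/F:<flags>'."""
    fields = {}
    for part in txt.strip().strip('"').split("/"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key] = value
    ports = [p for p in fields.get("P", "").split(",") if p]
    return {"node": fields.get("N", ""), "ports": ports, "flags": fields.get("F", "")}


def tor_result(ip_text, resolve):
    """TorResult value for one IP; '' when unlisted (fillnull handles that in SPL).

    resolve(qname, rtype) returns a list of answer strings, [] for NXDOMAIN.
    """
    try:
        qname = dnsbl_name(ip_text)
    except ValueError:
        return ""
    if LISTED_ANSWER not in resolve(qname, "A"):
        return ""
    txt = resolve(qname, "TXT")
    if not txt:
        return "TorExit"              # listed, but no TXT detail available
    info = parse_txt(txt[0])
    return "TorExit node={} ports={} flags={}".format(
        info["node"] or "-", ",".join(info["ports"]) or "-", info["flags"] or "-")


def run_lookup(instream, outstream, resolve, in_field="EXT_IP", out_field="TorResult"):
    """Fill out_field for each CSV row that has in_field set; returns the rows."""
    reader = csv.DictReader(instream)
    writer = csv.DictWriter(outstream, fieldnames=reader.fieldnames)
    writer.writeheader()
    rows = []
    for row in reader:
        ip = (row.get(in_field) or "").strip()
        if ip and not row.get(out_field):
            row[out_field] = tor_result(ip, resolve)
        writer.writerow(row)
        rows.append(dict(row))
    return rows


def system_resolve(qname, rtype):
    """Real resolver: stdlib for A records; TXT needs dnspython (assumed optional)."""
    try:
        if rtype == "A":
            return [socket.gethostbyname(qname)]
        import dns.resolver   # third-party; TXT detail is skipped if it is missing
        return [r.to_text() for r in dns.resolver.resolve(qname, "TXT")]
    except Exception:         # NXDOMAIN, timeout, missing module: treat as not listed
        return []


# Constructed sample answers for the slide's 192.2.0.123; the relay name is made up.
FAKE_DNS = {
    ("123.0.2.192.torexit.dan.me.uk", "A"): ["127.0.0.100"],
    ("123.0.2.192.torexit.dan.me.uk", "TXT"): ['"N:examplerelay/P:443,9001/F:EFGRV"'],
}
SAMPLE_CSV = "EXT_IP,TorResult\n192.2.0.123,\n203.0.113.9,\nnot-an-ip,\n"


def fake_resolve(qname, rtype):
    return FAKE_DNS.get((qname, rtype), [])


def demo():
    """Run the lookup over SAMPLE_CSV offline and return the filled rows."""
    return run_lookup(io.StringIO(SAMPLE_CSV), io.StringIO(), fake_resolve)


if __name__ == "__main__":
    if sys.stdin.isatty():            # run by hand: show the offline demo
        for r in demo():
            print(r["EXT_IP"], "->", r["TorResult"] or "NotTorHost")
    else:                             # run by Splunk: Tor_DNS_lookup.py EXT_IP TorResult
        fields = sys.argv[1:3] if len(sys.argv) >= 3 else ["EXT_IP", "TorResult"]
        run_lookup(sys.stdin, sys.stdout, system_resolve, *fields)
```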
  • 23. MORE EXAMPLES – 3RD PARTY DATA
  • 24. EXAMPLES - 3RD PARTY DATA • JSON twitter • Follow Marai iot botnet • Keywords of interest / brand status • Catalog leaks pastebins • Shodan • Lookup and pivots • HL App
  • 26. FOLLOW THAT BOTNET –MARAI IOT BOTNET • Background Mirai(Japanese for "the future", ) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a leaked chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki. - Wikipedia - https://en.wikipedia.org/wiki/Mirai_(malware)
  • 27. TWITTER TRACKING OF MIRAI BOTNET • Internet researchers (2sec4u and MalwareTechBlog) started a live feed of the DDoS Ips used in the Mirai botnet. • Twitter Posts contain information such as IP, attack type, name, duration and protocol • Lets use that to store into Splunk! • Twitter can be logged into Splunk using a JSON RESTful endpoint. • Follow the handle you want ‘@MiraiAttacks’ in this case. • Dump the Twitter text and parse for fields • Add to a lookup table?, Compare to other threat feeds/info available in Splunk
  • 28. Example of using Twitter data • Parse Twitter index for ‘tweets’ ( message info) • Then look for my handle of interest ’@MiraiAttacks’ • Then make sure the tweet has an IPv4 address as part of the tweet • Extract fields for parsing • BotnetNumber – Internal tracker • BotnetProto – Type of IP protocol used • BotnetDuration – Time (seconds) for the attack • BotnetTarget – IPv4 address • BotnetCIDR – CIDR notation for the IP (in case not a single IP (/32) GET THAT THREAT INTEL index=socialmedia sourcetype=twitter_tweet | rename user.screen_name AS "Handle", count AS "Num_Tweets" | search Handle=MiraiAttacks | regex text="d{1,3}.d{1,3}.d{1,3}.d{1,3}” | rex field=text "w+sW(?<BotnetNumber>d+)s- s(?<BotnetProto>w+)sw+w+w+sw+s(?<BotnetDuration> d+)sw+s[w+]s(?<BotnetTarget>d+.d+.d+.d+)S( ?<BotnetCIDR>d+)” | stats count values(BotnetTarget) by BotnetNumber
  • 30. SOCIAL MEDIA DASHBOARD 30 Quick Stats • Useful for Profile/brand status and awareness Example Content • Last 30 minutes of tweets • Last 24 Hours • Top Hashtags • Top Posters • All Time • Top Poster
  • 31. LAZY ME – RECORDING AND TRACKING MY TWITTER FEED IN SPLUNK • REST API as data input (It’s only JSON right? J ) • Store in index only for messages, urls and names for now • Run a lookup of ‘dirty’ words then add to alert • Generates a daily report of tweets per day
  • 32. COLLECT LEAKED INFORMATION - PASTEBIN • Twitter Handle ‘dumpmon’ reports and links to pastebin and pastie posts that appear to have leaked information in them.
  • 35. STATUS AND INFORMATION • News • RSS feeds • Clickable links • Geo-fencing information
  • 36. INGESTING RSS DATA • Splunk can ingest Syndication feeds such as RSS, Atom and RDF formats (any RSS-like format) • Add-on Syndication Input (2646) • Simple method of taking collections of feeds and ingesting into Splunk.
  • 37. DEMO – CLICKABLE EXTERNAL LINKS
  • 38. SPLUNK UI – MAKING LINKS CLICKABLE • Syndication Links and others can be made to be clickable • Splunk SimpleXML • Make the Originial_Link open in a new browser window • Use the Drilldown option • Pick up the field from the table Snippet - <drilldown target="_blank"> <link>$row.Original_Link|n$</link> </drilldown> • Takes the table and grabs the row value and opens a new browser • Note the link contains “$row.Original_Link|n$” This tells the Splunk web framework to treat the row field as a direct link rather than an internal Splunk link like a dashboard. • Thanks Ryan Thibodeaux for the help in solving this
  • 40. SHAPESTER EXAMPLE Splunk App (2893) • This app lets you draw your own shapes and polygons directly on the map and save them as a geospatial lookup. • You can then use this lookup to set up alerts based on geo-fences. Or you can create a building map by drawing the buildings of your campus. • Example taken using GPS coordinates from a mobile team around Breckenridge Ski resort • Created Choropleth zones of different areas of the resort • Based on likely avalanche zones using other data 40 Source: http://blogs.splunk.com/2016/01/20/splunking-avalanches-of-data/
  • 42. DATA ENRICHMENT NEW IDEAS Use security researcher search engine’s to identify and track public information • Shodan • HL app • Direct query with local cache storage ideas • Censys
  • 44. SHODAN – GOOGLE FOR OPEN-SOURCE INTELLIGENCE • Shodan (http://shodan.io) – Search engine for security researchers • Functions like a search engine • Interrogates ports and grabs banners for collection • Data is gathered from Shodan crawlers that ‘walk’ the Internet IP space. • Designed to locate specific content and specific node information (desktops, servers, routers, etc) • Splunk and Shodan • Common app is Hurricane Labs search Add-on (1766) • Creates a new Splunk SPL keyword ‘shodan’ that allows to query an IP • Also used by Hurricane Labs Shodan App (1767) • Adaptive Response app available as well (3700) • Workflow action app (3509)
  • 45. SHODAN EXAMPLES • Search by IP ‘| shodan 4.4.4.4 ‘ • Search by hostname/FQDN ‘| shodan badsite.com ‘ • Pivot on larger grouping such as • BGP ASN (useful for grouping IP’s to larger ASN) ‘ my_search by src_ip | stats count by asn’ • Geolocation (lat/long) - useful for geospatial bounding results ‘my_search | where Country=“Russia” • Map Bitcoin servers - search in Shodan (CLI or script or web) for popular bitcoin port 8333/tcp - Run scripted input to update list * Place in a KV Store for larger data sets* - Organize by geo-location, server type, etc Shodan search for ‘lighttpd/1.4.32’ 80.http.get.headers.www_authenticate= ‘antMiner’ 80.http.get.headers.server = ‘lighttpd/1.4.32’
  • 46. SHODAN EXAMPLE – GATHER LIST OF ANTMINERS sh-3.2# shodan search "lighttpd/1.4.32" AND "antminer">antminer_shodan_list_20Feb_2018.txt Example OUPTUT 171.244.44.50 80 HTTP/1.1 401 UnauthorizedrnWWW-Authenticate: Digest realm="antMiner Configuration", nonce="c32f6cf3b1306fe89ee4e42fe2eca7a3", qop="auth"rnContent-Type: text/htmlrnContent-Length: 351rnDate: Sun, 09 Jan 2000 00:06:41 GMTrnServer: lighttpd/1.4.32rnrn 31.41.216.103 80 HTTP/1.1 401 UnauthorizedrnWWW-Authenticate: Digest realm="antMiner Configuration", nonce="8d64634b86fd7e9139584a75683da9ea", qop="auth"rnContent-Type: text/htmlrnContent-Length: 351rnDate: Sun, 18 Feb 2018 17:59:11 GMTrnServer: lighttpd/1.4.32rnrn 219.151.23.205 80 HTTP/1.1 401 UnauthorizedrnWWW-Authenticate: Digest realm="antMiner Configuration", nonce="459c170d1621be42afd523eb423bd8c3", qop="auth"rnContent-Type: text/htmlrnContent-Length: 351rnDate: Thu, 01 Jan 1970 10:14:31 GMTrnServer: lighttpd/1.4.32rnrn 96.92.84.205 3000 96-92-84-205-static.hfc.comcastbusiness.net HTTP/1.1 401 UnauthorizedrnWWW-Authenticate: Digest realm="antMiner Configuration", nonce="9e0ceada5c09fd18bc498d83ff2bda11", qop="auth"rnContent-Type: text/htmlrnContent-Length: 351rnDate: Sun, 18 Feb 2018 07:35:34 GMTrnServer: lighttpd/1.4.32rnrn 93.178.219.116 8001 mail.zit.com.ua HTTP/1.1 401 UnauthorizedrnWWW-Authenticate: Digest realm="antMiner Configuration", nonce="f0f028aac537dd98fe8e6fa709c5c7c0", qop="auth"rnContent-Type: text/htmlrnContent-Length: 351rnDate: Sun, 18 Feb 2018 07:18:28 GMTrnServer: lighttpd/1.4.32rnrn
• 48. CENSYS – A NEW SEARCH ENGINE FOR RESEARCHERS
• "Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed." states the description on the Censys official website.
• 49. CENSYS – GRAB SSL CERTIFICATES THAT CONTAIN ANTMINER
• Using the Python library for Censys:
sh-3.2# python censys_io.py --api_id <MY_ID> --api_secret <MY_API_SECRET> -i "Let's Encrypt" antminer --limit 20 --verbose
• Search limited to 20 results, but outputs the raw JSON data
• Where the SSL issuer is the EFF's "Let's Encrypt" free SSL CA
• And where somewhere in the record it also contains the string 'antminer'
• Fun result example:
  • Host in Germany
  • Victim's Synology backup server ....
    u'title': u'Hallo! Herzlich Willkommen bei Synology Web Station!'}}},
  • Check marks for Antminer web control:
    • Right web server: u'server': u'lighttpd/1.4.32',
    • Right HTTP authentication: u'www_authenticate': u'Digest realm="antMiner Configuration",
• Wrap this in a script to collect the IP and drop it into a Splunk watchlist
• Adding IP, DNS name, and Country to the KV Store 'antminercoll':
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/antminercoll -H 'Content-Type: application/json' -d '{"IP": "217.72.209.42", "Country": "Germany", "SSLCommonName": "loisl.ddnss.de"}'
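The "wrap this in a script" step for the Shodan output on slide 46 and the KV Store watchlist on slide 49, as an added example that is not the presentation's own script: it parses the CLI's one-line-per-host text (constructed sample lines, documentation IPs) into records and keeps only hosts whose Digest realm identifies the AntMiner web UI, shaped as one JSON document per curl POST.

```python
"""Parse 'shodan search' text output (as on the AntMiner slide) into
records ready for a Splunk KV Store watchlist. Added example, not the
presentation's own script; the sample lines below are constructed."""
import json
import re

# Constructed sample in the shape of the slide's output: ip, port,
# optional hostname, then the HTTP banner with escaped "\r\n" separators.
SAMPLE = r"""192.0.2.10 80 HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="0123456789abcdef0123456789abcdef", qop="auth"\r\nContent-Type: text/html\r\nServer: lighttpd/1.4.32\r\n\r\n
192.0.2.11 3000 host.example.net HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration", nonce="fedcba9876543210fedcba9876543210", qop="auth"\r\nServer: lighttpd/1.4.32\r\n\r\n
192.0.2.12 80 HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n\r\n
"""

# ip, port, optional hostname (any token that does not start the banner), banner
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(?:(?!HTTP/)(\S+)\s+)?(.*)$")
REALM_RE = re.compile(r'realm="([^"]*)"')
SERVER_RE = re.compile(r"Server:\s*([^\r\n]+)")


def parse_shodan_lines(text):
    """Return one dict per banner line: ip, port, hostname, realm, server."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, port, host, banner = m.groups()
        banner = banner.replace("\\r\\n", "\r\n")  # escaped CRLF -> real CRLF
        realm = REALM_RE.search(banner)
        server = SERVER_RE.search(banner)
        records.append({
            "ip": ip, "port": int(port), "hostname": host or "",
            "realm": realm.group(1) if realm else "",
            "server": server.group(1).strip() if server else "",
        })
    return records


def antminer_watchlist(records):
    """Keep hosts whose Digest realm is the AntMiner UI and shape them like the
    slide's KV Store document (no Country: the Shodan text output carries none)."""
    return [{"IP": r["ip"], "Port": r["port"], "DNSName": r["hostname"],
             "Server": r["server"]}
            for r in records if r["realm"] == "antMiner Configuration"]


if __name__ == "__main__":
    for doc in antminer_watchlist(parse_shodan_lines(SAMPLE)):
        print(json.dumps(doc))  # one document per curl POST to the collection
```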
  • 50. DEMO – CENSYS AND SHODAN
• 51. MORE FUN WITH CENSYS AND SHODAN
• Tracking and Exploiting AntMiner and Claymore web backends: https://medium.com/@s3yfullah/hacking-cryptocurrency-miners-with-osint-techniques-677bbb3e0157
• In this example the authors are using the Shodan search to find and exploit poor AntMiner web configurations to take over the miner backend
  • 52. DEMO
• 53. DEMO – PUTTING IT TOGETHER
• Pray to the Demo Gods
• Show:
  • Shodan: gather a list of questionable servers (with an SSL port enabled)
  • Censys: combine the output to find CAs of interest, "Let's Encrypt" (EFF) for example
• 54. FUTURE IDEAS
• Add other data sources
  • SSL blocklist
  • Extract/compare with NIDS like Bro and Suricata for SSL certificates
• Allow extra pivoting based on threat information sources
• 55. SURICATA IDS
• Network IDS that supports Snort rules as well as protocol decoding
• Useful for grabbing SSL certificates
SSL Investigation and Matching
• Find all EFF "Let's Encrypt" certificates being used on US Gov't servers:
  index=<CUSTOMER>_sec_suricata event_type=tls "Let's encrypt" tls.sni="*.gov"
• Find suspect certificates (PICTURE)
• Anything stand out as suspicious?
  • Self-signed SSL certificate
  • Fake state, city, organization, and canonical name/server name
• 56. BRO IDS
• Bro IDS: application decoding platform
• Processes Layer 4 to 7 traffic
• Rebuilds HTTP, SSL, FTP, SMTP, etc. protocols
• Think of the manual process in Wireshark to 'Follow TCP Stream' or 'Follow HTTP Stream'
• In this example Bro is parsing SSL into Splunk as 'bro_ssl'
• NOTE the "JA3" field: that's a method/tool to enable cataloging of SSL certificates for comparison with known lists
• 57. HEY, THERE'S A SPLUNK BLOG POST ABOUT THIS EXACT THING!
• https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
"They developed JA3, a technique for creating SSL client fingerprints from the pre-encryption handshakes of the SSL protocol. At this time, you can generate JA3 fingerprints with either a Bro JA3 script or customizing an instance of Suricata."
What you need to know:
• Supports both Bro and Suricata
• Creates and calculates an MD5 'hash' for an SSL certificate that can be searched by Splunk
• Monitor via a lookup, for example from a list of JA3 fingerprints
• Example list: https://github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json

Title           | Description                    | Value
ja3_version     | SSL Version                    | 769
ja3_ciphers     | SSL Cipher(s)                  | 47-53-5-10-49161-49162-49171-49172-50-56-19-4
ja3_extensions  | SSL Extension                  | 0-10-11
ja3_ec          | SSL Elliptic Curve             | 23-24-25
ja3_ec_fmt      | SSL Elliptic Curve PointFormat | 0
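How the five ja3_* fields in the table become the MD5 fingerprint the lookup matches on, as an added example that is not the Splunk blog's or the JA3 project's code: the field order and the comma/dash joining are the published JA3 method; the watchlist entries are constructed.

```python
"""Build a JA3 client fingerprint from the decoded handshake fields the slide
lists (ja3_version, ja3_ciphers, ...) and check it against a fingerprint
watchlist the way a Splunk lookup would. Added example, not the Splunk blog's
or the JA3 project's code; the watchlist entries are constructed."""
import hashlib

# The slide's table as one event: each field already dash-joined.
SLIDE_EVENT = {
    "ja3_version": "769",
    "ja3_ciphers": "47-53-5-10-49161-49162-49171-49172-50-56-19-4",
    "ja3_extensions": "0-10-11",
    "ja3_ec": "23-24-25",
    "ja3_ec_fmt": "0",
}
FIELD_ORDER = ("ja3_version", "ja3_ciphers", "ja3_extensions", "ja3_ec", "ja3_ec_fmt")


def ja3_string(event):
    """JA3 joins the five ClientHello fields with commas; a field with no
    values (e.g. no extensions) contributes an empty string."""
    return ",".join(event.get(f, "") for f in FIELD_ORDER)


def ja3_hash(event):
    """The fingerprint is the MD5 of the joined string; MD5 serves only as a
    short stable identifier here, not for any security property."""
    return hashlib.md5(ja3_string(event).encode("ascii")).hexdigest()


# Constructed watchlist in the spirit of ja3fingerprint.json: hash -> label.
# The first value is the hash the JA3 project README gives for the slide's
# exact string; the second is an obvious placeholder.
WATCHLIST = {
    "ada70206e40642a3e4461f35503241d5": "JA3 README example client",
    "00000000000000000000000000000000": "placeholder, replace with your own",
}


def match_watchlist(events, watchlist=WATCHLIST):
    """Return (hash, label) for every event whose JA3 hash is on the list."""
    return [(h, watchlist[h]) for h in map(ja3_hash, events) if h in watchlist]


if __name__ == "__main__":
    print(ja3_string(SLIDE_EVENT), ja3_hash(SLIDE_EVENT))
    print(match_watchlist([SLIDE_EVENT]))
```

A client that changes any one cipher or extension produces a different hash, which is why lookup lists need refreshing as client software updates.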
• 58. WRAPPING UP
• Splunk is a powerful tool
• When leveraged with 3rd party data and data enrichment, Splunk security users and managers can more clearly defend their environment
• Integration of social media information can provide useful information
  • Tracking threats, priority events, etc.
  • News and information for situational awareness in the environment
• Threat intelligence comes in many forms that can be useful for Splunk
• Leverage and use every component in your environment (network IDS, for example) to better defend the network(s)
• Hopefully these demos and examples have given you ideas to take away for your environment
• 59. THANK YOU
QUESTIONS/COMMENTS
Can't think of something now? Ask me later
Email: jbabbin[@]gmail.com