The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.

1. Threat Hunting with Splunk

2. Splunk Security Workshops
● Threat Intelligence Workshop
● Insider Threats
● CSC 20 Workshop
● SIEM+, or A Better SIEM with Splunk
● Splunk UBA Data Science Workshop
● Enterprise Security Benchmark Assessment

3. Agenda
• Threat Hunting Basics
• Data Sources for Threat Hunting
• Lockheed-Martin’s Cyber Kill Chain
• Why Do We Like Endpoint Data?
• Walkthrough of Attack Scenario (hands on)
• Advanced Threat Hunting Techniques*
*OPTIONAL, based on your time and interest

4. Am I in the right place?
Some familiarity with…
● CSIRT/SOC Operations
● General understanding of Threat Intelligence
● General understanding of DNS, Proxy, and Endpoint types of data
4

5. These won’t work…

6. This is a hands-on session.
But.
The overview slides are important for
building your “hunt” methodology and
making sure we’re all on the same page.
Trust me, we’ll get there.

7. What is threat hunting, why do you need it?
The What?
• Threat hunting - the
act of aggressively
intercepting,
tracking and
eliminating cyber
adversaries as early
as possible in the
Cyber Kill Chain2
7
The Why?
• Threats are human.
Focused and funded
adversaries will not be
countered by security
boxes on the network
alone. Threat hunters are
actively searching for
threats to prevent or
minimize damage [before
it happens] 1
2 Cyber Threat Hunting - Samuel Alonso blog, Jan 2016 1 The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
“Threat Hunting is not new, it’s
just evolving!”

8. Search &
Visualisation
Enrichment
Data
Automation
8
Human
Threat Hunter
Key Building Blocks to Drive Threat Hunting Maturity
Ref: The he Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
Objectives > Hypotheses > Expertise

9. SANS Threat Hunting Maturity
9
Ad Hoc
Search
Statistical
Analysis
Visualization
Techniques
Aggregation Machine Learning/
Data Science
85% 55% 50% 48% 32%
Source: SANS IR & Threat Hunting Summit 2016

10. Search &
Visualisation
Enrichment
Data
Automation
Human
Threat Hunter
How Splunk helps You Drive Threat Hunting Maturity
Threat Hunting Automation
Integrated & out of the box automation tooling from artifact
query, contextual “swim-lane analysis”, anomaly & time series
analysis to advanced data science leveraging machine learning
Threat Hunting Data Enrichment
Enrich data with context and threat-intel across the stack or time
to discern deeper patterns or relationships
Search & Visualise Relationships for Faster Hunting
Search and correlate data while visually fusing results for faster
context, analysis and insight
Ingest & Onboard Any Threat Hunting Machine Data Source
Enable fast ingestion of any machine data through efficient
indexing, a big data real time architecture and ‘schema on the
read’ technology
Hypotheses
Automated
Analytics
Data Science &
Machine
Learning
Data &
Intelligence
Enrichment
Data Search
Visualisation
Maturity

11. Here’s The Story…
Successful brute force
– download sensitive
pdf document
Weaponize the pdf file
with Zeus Malware
Convincing email
sent with
weaponized pdf
Vulnerable pdf reader
exploited by malware.
Dropper created on machine
Dropper retrieves
and installs the
malware
Persistence via regular
outbound comm
Data Exfiltration
Source: Lockheed Martin

12. Use The Right Tools
12
Vs.

13. Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Traditional
Authentication
And Use The Right Data…
13

14. How Do You Use All Your Data?
14

15. Persist, Repeat
Threat Intelligence
Access/Identity
Endpoint
Network
Attacker, know relay/C2 sites, infected sites, IOC,
attack/campaign intent and attribution
Where they went to, who talked to whom, attack
transmitted, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.)
Process owner, registry mods, attack/malware
artifacts, patching level, attack susceptibility
Access level, privileged users, likelihood of infection,
where they might be in kill chain
• Third-party threat intel
• Open-source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating system
• Database
• VPN, AAA, SSO
Typical Data Sources
• Web proxy
• NetFlow
• Network

16. Hunting Tools: Internal Data
16
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring
Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports
and services
Tools: Splunk Stream, Bro IDS, FPC, Netflow
• DNS: activity, queries and responses, zone transfer activity
Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file
monitoring: hash values, integrity checking and alerts, creation or deletion
Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data
Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day location, HR watchlist
Splunk UBA, (All of the above)

17. How Data Sources Illuminate Your Kill Chain

18. Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
This image
cannot currently
be displayed.
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
This image
cannot
currently be
displayed.
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Traditional
Authentication
Sometimes to find the critical data
18
You have to think outside the box.

19. Let’s Talk About Endpoint Data
19
● Where is it?
● It doesn’t show up on firewall.
● Internal processes may not
authenticate against AD/RADIUS.
● NIDS only sees traffic on the
network, and only that which hits
a monitored subnet.
● HIDS only works for a subset of
hosts.
BLACK
BOX

20. You Need An Agent…
20
● Where can you get it?
● Microsoft Sysmon TA (App Store)
● Great Blog Post to get you started
● Increases fidelity of MS Logging
● Are there other sources?
● Sure! Carbon Black, Tanium, etc.
● Consider pros and cons
● Test test test!
Blog Post:
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

21. What Will Your Agent Get You?
21
● Contacts and Communications
● What processes are
communicating with whom
● Destination address, port, etc
● Inside Information
● Where did those processes come
from?
● File name and path
● Parent process

22. 22
Maps Network Comm to process_id
Process_id creation and mapping to parentprocess_id
index=zeus_demo3 sourcetype=X*|dedup tag|table tag
Contacts, Communications & Inside Data

23. index=zeus_demo3 sourcetype=X*|search tag=communicate
23

24. index=zeus_demo3 sourcetype=X*|search tag=process
24

25. 25
Let’s dig in!
Please, raise your hand if you
need us to hit the pause button
Come, Watson, come!
The game is afoot.

26. APT Transaction Flow Across Data Sources
26
http (proxy) session
to
command & control
server
Remote control
Steal data
Persist in company
Rent as botnet
Proxy
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
Threat
Intelligence
Endpoint
Network
Email, Proxy,
DNS, and Web
Data Sources
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exe
(malware)
Calc.exe
(dropper)
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
emails
to the target
MAIL
Read email, open attachment

27. index=zeus_demo3
27
in search:

29. }
}

40. index=zeus_demo3 2nd_qtr_2014_report.pdf
40
in search:

43. Root Cause Recap
43
Data Sources
.pdf executes & unpacks malware
overwriting and running “allowed” programs
http (proxy) session
to
command & control
server
Remote control
Steal data
Persist in company
Rent as botnet
Proxy
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
Threat
Intelligence
Endpoint
Network
Email, Proxy,
DNS, and Web
.pdf
Svchost.exe
(malware)
Calc.exe
(dropper)
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
emails
to the target
MAIL
Read email, open attachment

44. 44

45. 45

46. 46

47. 47

48. 48

49. Kill Chain Analysis Across Data Sources
49
http (proxy) session
to
command & control
server
Remote control
Steal data
Persist in company
Rent as botnet
Proxy
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
Threat
Intelligence
Endpoint
Network
Email, Proxy,
DNS, and Web
Data Sources
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exe
(malware)
Calc.exe
(dropper)
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
emails
to the target
MAIL
Read email, open attachment

50. 10 min Break!

51. Advanced Threat Hunting
- SQLi
- Lateral Movement
- DNS Exfiltration

52. SQLi

53. SQL Injection
● SQL injection
● Code injection
● OS commanding
● LDAP injection
● XML injection
● XPath injection
● SSI injection
● IMAP/SMTP injection
● Buffer overflow

54. Imperva Web Attacks Report, 2015

56. The anatomy of a SQL injection attack
SELECT * FROM users WHERE email='xxx@xxx.com'
OR 1 = 1 -- ' AND password='xxx';
xxx@xxx.xxx' OR 1 = 1 -- '
xxx
admin@admin.sys
1234
An attacker might supply:

58. Regular Expression FTW
sqlinjection_rex is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([
%27|'](%20)*=(%20)*[%27|'])|w*[%27|']or)
Which means: In the string we are given, look for ANY of the following matches and put that
into the “injection” field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ‘ at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
• Note: %27 is encoded “’” and %20 is encoded <space>
• Any amount of word characters followed by a %27 OR a ‘ and then “or”

59. https://splunkbase.splunk.com/app/1528/
Search for possible SQL injection in your events:
ü looks for patterns in URI query field to see if
anyone has injected them with SQL
statements
ü use standard deviations that are 2.5 times
greater than the average length of your URI
query field
Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)

60. Bonus: Try out the SQL Injection app!

61. Summary: Web attacks/SQL injection
● SQL injection provide attackers with easy access to data
● Detecting advanced SQL injection is hard – use an app!
● Understand where SQLi is happening on your network and put a
stop to it.
● Augment your WAF with enterprise-wide Splunk searches.

62. Lateral Movement

63. Poking around
An attacker hacks a non-privileged user system.
So what?

64. Lateral Movement
Lateral Movement is the expansion of systems
controlled, and data accessed.

65. Most famous Lateral Movement attack?
(excluding password re-use)
Pass the Hash!

66. Detecting Legacy PtH
Look for Windows Events:
● Event ID: 4624 or 4625
● Logon type: 3
● Auth package: NTLM
● User account is not a domain logon, or Anonymous
Logon

67. LM Detection: Pass the Hash
source=WinEventLog:Security
EventCode=4624
Authentication_Package=NTLM
Type=Information

69. Then it got harder
• Pass the Hash tools have improved
• Tracking of jitter, other metrics
• So let’s detect lateral movement
differently

70. Network traffic provides source of truth
● I usually talk to 10 hosts
● Then one day I talk to 10,000 hosts
● ALARM!

71. LM Detection: Network Destinations
sourcetype="pan:traffic"
| stats count dc(dest) sparkline(dc(dest)) by
src_ip

72. Consistently large
Inconsistent!

73. LM Detection: Network Destinations
sourcetype="pan:traffic"
| bucket _time span=1d
| stats count dc(dest) as NumDests by src_ip _time
| stats avg(NumDests) as avg stdev(NumDests) as
stdev latest(NumDests) as latest by src_ip
| where latest > 2 * stdev + avg
Find daily average, standard deviation, and most recent

75. Splunk UBA

76. Summary: Lateral Movement
● Attacker success defines scope of a breach
● High difficulty, high importance
● Worth doing in Splunk
● Easy with UBA

77. DNS Exfiltration

78. domain=corp;user=dave;password=12345
encrypt
DNS Query:
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==

79. DNS exfil tends to be
overlooked within an
ocean of DNS data.
Let’s fix that!
DNS exfiltration

80. FrameworkPOS: a card-stealing program that exfiltrates data from the
target’s network by transmitting it as domain name system (DNS) traffic
But the big difference is the way how stolen data is
exfiltrated: the malware used DNS requests!
https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-
variant-exfiltrates-data-via-dns-requests
“
”
… few organizations actually keep detailed logs or records of the DNS traffic
traversing their networks — making it an ideal way to siphon data from a
hacked network.
http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
“
”
DNS exfiltration

81. https://splunkbase.splunk.com/app/2734/
DNS exfil detection – tricks of the trade
ü parse URLs & complicated TLDs (Top Level Domain)
ü calculate Shannon Entropy
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)

82. Examples
• The domain aaaaa.4.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.4.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon
Entropy score of 3 (rather high)
Layman’s definition: a score reflecting the randomness or measure of
uncertainty of a string
Shannon Entropy

83. Detecting Data Exfiltration
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| `ut_shannon(ut_subdomain)`
| eval sublen =
length(ut_subdomain)
| table ut_domain ut_subdomain
ut_shannon sublen
TIPS
q Leverage our Bro DNS data
q Calculate Shannon Entropy scores
q Calculate subdomain length
q Display Details

84. Detecting Data Exfiltration
… | stats
count
avg(ut_shannon) as avg_sha
avg(sublen) as avg_sublen
stdev(sublen) as stdev_sublen
by ut_domain
| search avg_sha>3 avg_sublen>20
stdev_sublen<2
TIPS
q Leverage our Bro DNS data
q Calculate Shannon Entropy scores
q Calculate subdomain length
q Display count, scores, lengths,
deviations

85. Detecting Data Exfiltration
RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com

86. Summary: DNS exfiltration
● Exfiltration by DNS and ICMP is a very common technique
● Many organizations do not analyze DNS activity – do not be like them!
● No DNS logs? No Splunk Stream? Look at FW byte counts

87. Threat Hunting with Splunk

88. Security Workshops
● Threat Intelligence Workshop
● Insider Threats
● CSC 20 Workshop
● SIEM+, or A Better SIEM with Splunk
● Splunk UBA Data Science Workshop
● Enterprise Security Benchmark Assessment