Security & Threat Detection: Go Beyond Monitoring

Slide 1: Security & Threat Detection: Go Beyond Monitoring
Philip Sow, CISSP, Sales Engineering Manager, SEA
Copyright 2014 Splunk Inc.

Slide 2: Security: we have come a long way.
[Fig 1: New Malware Samples Over the Years]

Slide 3: Advanced Threats Are Hard to Find
- Cyber criminals: "Another Day, Another Retailer in a Massive Credit Card Breach" (Bloomberg Businessweek, March 2014)
- Nation states: "Banks Seek U.S. Help on Iran Cyber attacks" (Wall Street Journal, Jan 2013)
- Insider threats: "Edward Snowden Tells SXSW He'd Leak Those Secrets Again" (NPR, March)
Breach statistics:
- % valid credentials were used
- 40: average number of systems accessed
- 229: median number of days before detection
- 67%: victims notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014

Slide 4: Mature Threat Landscape
New environment:
- Technology: malware, bots, backdoors, rootkits, zero-day exploit kits, password dumpers, etc.
- People: outsiders (organized crime, competitors, nation states); insiders (contractors, disgruntled employees)
- Process: attack lifecycle, multi-stage, remote controlled; threat marketplaces (buy and rent)
Threat characteristics:
- Goal-oriented
- Human directed
- Multiple tools, steps and activities
- Dynamic (adjusts to the environment)
- New evasion techniques
- Coordinated

Slide 5: New Requirements --> New Approach
Traditional analysis approach:
- Time and event based
- Data reduction
- Event correlation
- Detect attacks
- Needle in a haystack
Additional analysis approach:
- ...and phase, location, more
- Data inclusion
- Multiple/dynamic relationships
- Detect attackers
- Hay in a haystack


Slide 7: Big Data = All Data is Security Relevant
Data sources (traditional SIEM feeds and beyond): Databases, Web, Desktops, Servers, DHCP/DNS, Network Flows, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Custom Apps, Service Desk, Storage, Mobile, Intrusion Detection, Data Loss Prevention, Anti-Malware, Industrial Control, Call Records

Slide 8: Data-mining the Machine Data
Most enterprise data is unstructured and machine-generated. Machine data is a gold-mine of intelligence.
Annotated web access log fragments (fields called out: IP address, Product ID, Timestamp, Device, Website Category, Session):
  /Sep/2011:14:58:35] "GET /cart.do?action=changequantity&itemid=est-19&product_id=FL-DLH-02
  /Sep/2011:14:58:35]SESSIONID=SD3SL3ADFF5 HTTP 1.1" " "Mozilla Macintosh/OSX-10)

Slide 9: Point Splunk at your machine data and ask any question
Splunk Index: real-time data collection and indexing, no RDB.
(Same annotated log fragments as slide 8: IP address, Product ID, Timestamp, Device, Website Category, Session.)

Slide 10: Signs of Malicious DNS Activities
- DNS name lookups that have multiple levels (a.b.c...n.domain.com) where a, b, c...n are composed of hexadecimal strings (e.g., e04fdbe587a1.f6c7.example.com)
- DNS name lookups as described above, where the cumulative length of the third- and higher-level names (a.b.c...n) exceeds 40 bytes
- Multiple DNS name lookups to non-obvious or foreign domains (e.g., 4c7a.obscure.com, 1a6d.some.site.cn)
- Multiple DNS name lookups to several non-obvious or foreign domains within a short timespan

Slide 11: Detection of Malicious DNS Activities
- Evaluation of name-query network traffic
- Analysis of DNS traffic patterns
- Correlation of DNS queries with proxy logs
- Investigation of DNS queries that have no matching proxied outbound connection
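
The rules from slides 10 and 11, applied to a constructed DNS query log and correlated with a constructed proxy log. This is an added example, not Splunk code or the presenter's material; the hex-label regex, the foreign-TLD list and the 5-minute window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed DNS query log ("timestamp client_ip query_name"), not taken from the slides
DNS_LOG = """\
2014-05-03T18:10:01 10.1.1.5 www.example.com
2014-05-03T18:10:02 10.1.1.5 e04fdbe587a1.f6c7.example.com
2014-05-03T18:10:03 10.1.1.5 4c7a.obscure.com
2014-05-03T18:10:04 10.1.1.5 1a6d.some.site.cn
2014-05-03T18:10:05 10.1.1.5 deadbeef0123456789abcdef.0123456789abcdef0123.example.net
2014-05-03T18:40:00 10.1.1.9 mail.example.com
"""
# Constructed proxy log reduced to (client_ip, host) pairs that made a proxied outbound connection
PROXIED = {("10.1.1.5", "www.example.com"), ("10.1.1.9", "mail.example.com")}
HEX_LABEL = re.compile(r"^[0-9a-f]{4,}$")  # assumption: 4+ hex characters count as a hex label
FOREIGN_TLDS = {"cn", "ru"}                # assumption: TLDs this business rarely talks to
WINDOW = timedelta(minutes=5)              # assumption: the slide's "short timespan"

def query_reasons(qname):
    """Per-query rules from slide 10; returns the matched reasons (empty list if benign)."""
    labels = qname.lower().split(".")
    sub = labels[:-2]                      # third-level and higher labels a.b.c...n
    reasons = []
    if len(sub) >= 2 and all(HEX_LABEL.match(l) for l in sub):
        reasons.append("multi-level hex labels")
    if sum(len(l) for l in sub) > 40:
        reasons.append("subdomain labels exceed 40 bytes")
    if labels[-1] in FOREIGN_TLDS:
        reasons.append("foreign TLD")
    elif not reasons and sub and HEX_LABEL.match(sub[0]):
        reasons.append("non-obvious hex subdomain")
    return reasons

def analyze(dns_log=DNS_LOG, proxied=PROXIED):
    # Returns {client_ip: [(query_name or "burst", reasons), ...]}; clean clients are absent
    findings, odd = defaultdict(list), defaultdict(list)
    for line in dns_log.splitlines():
        ts, ip, qname = line.split()
        reasons = query_reasons(qname)
        if not reasons:
            continue
        if (ip, qname) not in proxied:     # slide 11: lookup with no proxied outbound connection
            reasons.append("no proxied outbound connection")
        findings[ip].append((qname, reasons))
        odd[ip].append((datetime.fromisoformat(ts), ".".join(qname.split(".")[-2:])))
    for ip, hits in odd.items():           # slide 10: several odd domains within a short timespan
        times, domains = [t for t, _ in hits], {d for _, d in hits}
        if len(domains) >= 2 and max(times) - min(times) <= WINDOW:
            findings[ip].append(("burst", [f"{len(domains)} odd domains within {WINDOW}"]))
    return dict(findings)
```

In production the proxy correlation needs the DNS answer (resolved IP) as well as the name, since a client may connect by IP after the lookup.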

Slide 12: Data Loss Example (Security Event Correlation)
Sources: Windows Authentication, Endpoint Security, Intrusion Detection. Common key: Source IP.
- Default admin account (Windows Authentication):
  Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain domain=acme-2975eb InstallDate=NULL LocalAccount=True Name=Administrator SID=S SIDType=1 Status=Degraded wmi_type=useraccounts
- Malware found (Endpoint Security):
  Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: :19:12,Inserted: :20:12,End: :19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,user: smithe,source computer:,source IP:
- Data loss (Intrusion Detection):
  Aug 08 08:26:54 snort.acmetech.com {TCP} :5072 -> :443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
Time range: all three occurring within a 24-hour period.
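
The slide's three-source correlation as a sliding 24-hour window keyed on source IP. This is an added example rather than the presenter's search; it assumes the raw Windows, Symantec and Snort lines have already been field-extracted into constructed (timestamp, source IP, category) tuples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised events (timestamp, source IP, category); not the slide's raw lines
EVENTS = [
    ("2014-08-08 06:09:13", "10.0.0.12", "default_admin_account"),  # built-in Administrator active
    ("2014-08-08 08:26:54", "10.0.0.12", "data_loss"),              # card number seen in clear text
    ("2014-08-08 22:17:24", "10.0.0.12", "malware_found"),          # Hackertool.rootkit quarantined
    ("2014-08-08 09:00:00", "10.0.0.31", "malware_found"),
    ("2014-08-10 09:00:00", "10.0.0.31", "data_loss"),              # outside the 24-hour window
    ("2014-08-10 09:30:00", "10.0.0.31", "default_admin_account"),
]
REQUIRED = {"default_admin_account", "malware_found", "data_loss"}
WINDOW = timedelta(hours=24)

def correlate(events=EVENTS, required=REQUIRED, window=WINDOW):
    """Return {source_ip: (first_ts, last_ts)} for hosts where every required category
    occurs within one window, anchored at each event in turn (a sliding search window)."""
    by_ip = defaultdict(list)
    for ts, ip, cat in events:
        if cat in required:                # ignore categories the rule does not care about
            by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cat))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_window = [(t, c) for t, c in evs[i:] if t - t0 <= window]
            if {c for _, c in in_window} >= required:   # all three categories seen from t0
                hits[ip] = (t0, max(t for t, _ in in_window))
                break
    return hits
```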

Slide 13: APT hunting using the Kill Chain Framework
Phases: Delivery, exploit installation; Gain trusted access; Upgrade (escalate); Lateral movement; Data gathering; Exfiltration; Persist, repeat.
What happens at each stage:
- Phishing or download from an infected site
- Attacker communicates with the system and installs tools
- Attacker escalates privileges, obtains credentials to key systems
- Data is acquired and staged for exfiltration
- Data sent to the attacker's system, hidden in allowed outgoing traffic
- Any and all of the previous, and more
What it looks like from the inside:
- You downloaded it
- Infected system talking to the attacker
- Infected system talking to other systems
- Infected systems talking to attacker/system
- Everything looks normal
- Attacker inside the network, with trusted access
Key points: multiple activities, multiple phases; adversary (attacker) orientation; rationalize attribution (who), intent (why), tactics (how).

Slide 14: Modern APTs are essentially attack transactions, but the attacker is trying to hide from you
Transaction stages: gain access to the system; create additional environment; conduct business.
- Threat intelligence: attacker hacks a website and steals .pdf files (Web Portal); remote control; steal data, persist in the company, rent as a botnet
- Network access/security: attacker creates malware, embeds it in a .pdf and e-mails it to the target (MAIL); http (web) session to the command & control server (WEB)
- Endpoint access/security: user reads the e-mail and opens the attachment; the .pdf executes and unpacks malware, overwriting and running allowed programs (Calc.exe, Svchost.exe)

Slide 15: Modern APTs are essentially attack transactions, but the attacker is trying to hide from you (detection view)
Transaction stages: gain access to the system; create additional environment; conduct business.
- Threat intelligence: the .pdf; the Web Portal
- Network access/security: events that contain a link to the file (MAIL); proxy log showing C2 communication to a blacklisted destination (WEB)
- Endpoint access/security: what created the program/process? (.pdf -> Calc.exe); how was the process started? (Svchost.exe); which process is making the C2 traffic?

Slide 16: Connecting the data-dots via multiple/dynamic relationships
Kill chain phases: Delivery, exploit installation; Gain trusted access; Upgrade (escalate); Lateral movement; Data gathering; Exfiltration; Persist, repeat.
Data layers mapped across the phases:
- Threat intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
- Network activity/security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
- Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry modifications, attack/malware artifacts, patching level, attack susceptibility
- Auth and user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain

Slide 17: Splunk Security Intelligence Platform
130+ security apps on top of Splunk Enterprise (core):
- Splunk App for Enterprise Security
- Cisco specific: Cisco Security Suite, ISE, Sourcefire
- Vendor: Palo Alto Networks, FireEye, ExtraHop
- Community: OSSEC, DShield, DNS
- Custom apps

Slide 18: Kill Chain Analysis Across Technology/Devices
- Apps for Cisco: Security Suite, Sourcefire, ISE
- Splunk App for Enterprise Security: ad-hoc search, monitor and alert, custom dashboards, report and analyze, flexible integration
- Inputs: real-time machine data, asset and CMDB data, employee info, threat intelligence, external lookups, applications, data stores

Slide 19: Enrich Events With External Context
Extend search with lookups and external data sources: LDAP, AD, watch lists, CMDB, message stores, reference lookups.
Correlate across multiple data sources and data sets.

Slide 20: APT Defense: Pre-alert Threat List Activity

Slide 21: Customer Case: client running P2P (BitTorrent)
Client IP:
Time: 18:10 5/3/14
Threats: accessing the following bad IPs:
- Tor (anonymous proxy)
- Piratebay (BT host)
- Blocked IP site
- Known spyware site
Verified against the PC configuration: this PC has the BT client software installed.

Slide 22: The Top Five Splunk Security Use Cases
A security intelligence platform: Splunk can complement or replace existing SIEMs.
1. Incident investigations and forensics
2. Security and compliance reporting
3. Real-time monitoring of known threats
4. Real-time monitoring of unknown threats
5. Fraud detection

Slide 23: : Splunk Goes Mainstream for Security
Adoption rate explodes, mostly in parallel with SIEMs. Grows to Over Global Security Use Case Customers.

Slide 24: Over 2800 Global Security Customers

Slide 25: Customer and Industry Recognition
Customers; industry awards; Leader in the Gartner SIEM MQ (Magic Quadrant).

Slide 26: Thank You