Security & Threat Detection: Go Beyond Monitoring
Philip Sow, CISSP, Sales Engineering Manager SEA
Copyright 2014 Splunk Inc.
Security: We have come a long way...
[Figure 1: New malware samples over the years]
Advanced Threats Are Hard to Find

- Cyber criminals: "Another Day, Another Retailer in a Massive Credit Card Breach" (Bloomberg Businessweek, March 2014)
- Nation states: "Banks Seek U.S. Help on Iran Cyber attacks" (Wall Street Journal, Jan 2013)
- Insider threats: "Edward Snowden Tells SXSW He'd Leak Those Secrets Again" (NPR, March 2014)

- 100%: valid credentials were used
- 40: average number of systems accessed
- 229: median number of days before detection
- 67%: victims notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014
Mature Threat Landscape

Threat
- Technology: malware, bots, backdoors, rootkits, zero-days; exploit kits, password dumpers, etc.
- People: outsiders (organized crime, competitors, nation states); insiders (contractors, disgruntled employees)
- Process: attack lifecycle, multi-stage, remote controlled; threat marketplaces (buy and rent)

New environment
- Goal-oriented
- Human directed
- Multiple tools, steps and activities
- Dynamic (adjusts to the environment)
- New evasion techniques
- Coordinated
New Requirements --> New Approach

Traditional analysis approach -> Additional analysis approach
- Time and event based -> ...and phase, location, more
- Data reduction -> Data inclusion
- Event correlation -> Multiple/dynamic relationships
- Detect attacks -> Detect attackers
- Needle in a haystack -> Hay in a haystack
- More -> More
Big Data = All Data is Security Relevant
Data sources (the traditional SIEM feeds and everything beyond them): Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Custom Apps, Service Desk, Storage, Mobile, Intrusion Detection, Data Loss Prevention, Anti-Malware, Industrial Control, Call Records
Data-mining the Machine Data
Most enterprise data is unstructured and machine-generated. Machine data is a gold-mine of intelligence.

Annotated sample web access log; the fields called out on the slide are IP address, timestamp, product ID, device, website category and session:
66.35.250.203 - [09/Sep/2011:14:58:35] "GET /cart.do?action=changequantity&itemid=est-19&product_id=FL-DLH-02
66.35.255.255 - [09/Sep/2011:14:58:35] SESSIONID=SD3SL3ADFF5 HTTP 1.1" 400 1645 "http://www.myflowershop.com?category_id=surprise" "Mozilla Macintosh/OSX-10)
Point Splunk at your machine data and ask any question
The same sample access log, once indexed by Splunk, is searchable by its fields (IP address, timestamp, product ID, device, session, website category).
- Real-time data collection and indexing
- No RDB
Signs of Malicious DNS Activities
- DNS name lookups that have multiple levels (a.b.c...n.domain.com) where a, b, c ... n are composed of hexadecimal strings (e.g., e04fdbe587a1.f6c7.example.com)
- DNS name lookups as described above, where the cumulative length of the third and higher-level names (a.b.c...n) exceeds 40 bytes
- Multiple DNS name lookups to non-obvious or foreign domains (e.g., 4c7a.obscure.com, 1a6d.some.site.cn)
- Multiple DNS name lookups to several non-obvious or foreign domains within a short timespan
Detection of Malicious DNS Activities
- Evaluation of name-query network traffic
- Analysis of DNS traffic patterns
- Correlation of DNS queries with proxy logs
- Investigation of DNS queries with no proxied outbound connection
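The four signs on the previous slide and the proxy-log correlation above, as an added Python example (not Splunk's code and not a Splunk search): name_flags() applies the hex-label, 40-byte and foreign-TLD checks to one lookup, burst_clients() applies the "several domains in a short timespan" rule per client, and unproxied_queries() lists flagged lookups that never appear in the proxy log. The log format, the TLD watch-list, the 5-minute window and the threshold of 3 domains are assumptions; the sample log is constructed, reusing the slide's example names.

```python
import re
from datetime import datetime, timedelta

HEX_LABEL = re.compile(r"^(?=.*\d)[0-9a-f]{4,}$")  # 4+ hex chars with a digit (skips words like "cafe")
FOREIGN_TLDS = {"cn", "ru"}                       # assumed TLD watch-list; tune per environment
WINDOW, MIN_DOMAINS = timedelta(minutes=5), 3      # burst rule: 3 distinct flagged domains in 5 minutes

def split_name(fqdn):  # last two labels taken as the registered domain (no public-suffix list)
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def name_flags(fqdn):  # reasons one lookup matches the slide's signs; empty list = nothing noteworthy
    domain, sub = split_name(fqdn)
    flags = []
    if sub and all(HEX_LABEL.match(label) for label in sub):
        flags.append("hex-levels")
        if len(".".join(sub).encode()) > 40:   # cumulative length of the third and higher levels
            flags.append("long-hex-levels")
    if domain.rsplit(".", 1)[-1] in FOREIGN_TLDS:
        flags.append("foreign-tld")
    return flags

def parse(line):  # assumed format: "<ISO timestamp> <client ip> <queried name or proxied host>"
    ts, client, name = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, name

def burst_clients(dns_lines):  # clients resolving MIN_DOMAINS distinct flagged domains within WINDOW
    per_client = {}
    for ts, client, fqdn in map(parse, dns_lines):
        if name_flags(fqdn):
            per_client.setdefault(client, []).append((ts, split_name(fqdn)[0]))
    flagged = set()
    for client, hits in per_client.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            if len({d for t, d in hits[i:] if t - t0 <= WINDOW}) >= MIN_DOMAINS:
                flagged.add(client)
    return flagged

def unproxied_queries(dns_lines, proxy_lines):  # flagged lookups never seen as a proxied outbound host
    proxied = {split_name(parse(line)[2])[0] for line in proxy_lines}
    return sorted({name for _, _, name in map(parse, dns_lines)
                   if name_flags(name) and split_name(name)[0] not in proxied})

# Constructed sample logs (not real traffic); the queried names are the slide's own examples
DNS_LOG = ["2014-05-03T18:10:01 172.26.228.230 www.myflowershop.com",
           "2014-05-03T18:10:02 172.26.228.230 e04fdbe587a1.f6c7.example.com",
           "2014-05-03T18:10:05 172.26.228.230 4c7a.obscure.com", "2014-05-03T18:10:09 172.26.228.230 1a6d.some.site.cn"]
PROXY_LOG = ["2014-05-03T18:10:03 172.26.228.230 www.myflowershop.com", "2014-05-03T18:10:10 172.26.228.230 1a6d.some.site.cn"]
```

Running it over DNS_LOG and PROXY_LOG flags the client for the burst rule and reports the two flagged lookups that the proxy never saw, which is exactly the "DNS query with no proxied outbound connection" case worth investigating.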
Data Loss Example (Security Event Correlation)

Sources: Windows Authentication, Endpoint Security, Intrusion Detection. The common key is the source IP (10.11.36.20); time range: all three occurring within a 24-hour period.

Default Admin Account (Windows Authentication; IP: 10.11.36.20):
20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain domain=acme-2975eb InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=useraccounts

Malware Found (Endpoint Security; source IP: 10.11.36.20):
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,user: smithe,source computer:,source IP: 10.11.36.20

Data Loss (Intrusion Detection; source IP: 10.11.36.20):
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]
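The three-source correlation above, as an added Python example (not Splunk's code and not a Splunk search): one regex per record type pulls the timestamp and source IP out of the WMI account record, the Symantec "Virus found" event and the Snort credit-card alert, and correlate() reports the source IPs for which all three kinds fall inside one 24-hour window. The sample lines are constructed to resemble the slide's records (the syslog year is assumed to be 2013, and the Snort line is written in Snort's usual syslog field order); the regexes and event names are mine.

```python
import re
from datetime import datetime, timedelta

YEAR = 2013                      # syslog lines carry no year; assumed for the constructed sample
WINDOW = timedelta(hours=24)     # "all three occurring within a 24-hour period"
REQUIRED = {"default-admin", "malware", "data-loss"}

# Each pattern yields (timestamp text, source IP) for one of the slide's three sources
PATTERNS = {
    "default-admin": re.compile(r"^(\d{14})\.\d+ .*?IP: ([\d.]+) .*?SID=S-1-5-21-[\d-]+-500\b"),
    "malware": re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) SymantecServer \S+: Virus found,.*?source IP: ([\d.]+)"),
    "data-loss": re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ snort\[\d+\]: .*?Credit Card Number Detected in Clear Text.*?\{TCP\} ([\d.]+):\d+ ->"),
}

def parse_event(line):
    # Returns (timestamp, source ip, kind), or None when the line matches none of the three sources
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if not m:
            continue
        ts = (datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if kind == "default-admin"
              else datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"))
        return ts, m.group(2), kind
    return None

def correlate(lines):
    # Source IPs for which a default-admin, a malware and a data-loss event all fall inside some 24-hour window
    by_ip = {}
    for ev in filter(None, map(parse_event, lines)):
        by_ip.setdefault(ev[1], []).append(ev)
    hits = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            kinds = {k for t, _, k in events[i:] if t - t0 <= WINDOW}
            if REQUIRED <= kinds:
                hits.add(ip)
    return hits

# Constructed sample records modelled on the slide (not real logs); the last line is a lone detection on another host
SAMPLE = [
    "20130808041221.000000 Caption=ACME-2975EB\\Administrator Description=Built-in account for administering the computer/domain IP: 10.11.36.20 Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=useraccounts",
    "Aug 08 06:17:24 SymantecServer acmesep01: Virus found,computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,Actual action: Quarantined,user: smithe,source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443",
    "Aug 10 09:00:00 SymantecServer acmesep01: Virus found,computer name: ACME-003,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,Actual action: Quarantined,user: jonesb,source IP: 10.11.36.21",
]
```

correlate(SAMPLE) returns only 10.11.36.20: the second host has a malware detection but no admin-account record or DLP alert within the window, so it does not fire.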
APT hunting using the Kill Chain Framework

Phases: Delivery / exploit installation -> Gain trusted access -> Upgrade (escalate) -> Lateral movement -> Data gathering -> Exfiltration -> Persist, repeat

What the attacker does, phase by phase:
- Phishing or download from an infected site
- Attacker communicates with the system and installs tools
- Attacker escalates privileges, obtains credentials to key systems
- Data is acquired and staged for exfiltration
- Data sent to the attacker's system, hidden in allowed outgoing traffic
- Any and all of the previous, and more

What you see:
- You downloaded it
- Infected system talking to the attacker
- Infected system talking to other systems
- Infected systems talking to the attacker/system
- Everything looks normal
- Attacker inside the network, with trusted access

Multiple activities, multiple phases. Adversary (attacker) orientation: rationalize attribution (who), intent (why), tactics (how).
Modern APTs are Essentially Attack Transactions (but the attacker is trying to hide from you)

Transaction stages: Gain access to system -> Create additional environment -> Conduct business

- Threat intelligence: attacker hacks a website and steals .pdf files (web portal); remote control; steal data, persist in the company, rent as a botnet
- Network access/security: attacker creates malware, embeds it in a .pdf and emails it to the target (MAIL); HTTP (web) session to the command & control server (WEB)
- Endpoint access/security: read email, open attachment; the .pdf executes and unpacks malware, overwriting and running allowed programs (Calc.exe, Svchost.exe)
Modern APTs are Essentially Attack Transactions (but the attacker is trying to hide from you): what to look for at each stage

- Threat intelligence: the web portal and the .pdf
- Network access/security: events that contain a link to the file (MAIL); proxy log: C2 communication to a blacklisted destination (WEB)
- Endpoint access/security: what created the program/process? (.pdf, Calc.exe); how was the process started? (Svchost.exe); the process making the C2 traffic
Connecting the data-dots via multiple/dynamic relationships

Kill chain phases: Delivery / exploit installation -> Gain trusted access -> Upgrade (escalate) -> Lateral movement -> Data gathering -> Exfiltration -> Persist, repeat

Data layers and what each contributes:
- Threat intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
- Network activity/security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
- Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry modifications, attack/malware artifacts, patching level, attack susceptibility
- Auth / user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Splunk Security Intelligence Platform
- 130+ security apps
- Splunk App for Enterprise Security
- Splunk apps: Cisco-specific (Cisco Security Suite, ISE, Sourcefire); vendor (Palo Alto Networks, FireEye, ExtraHop); community (OSSEC, DShield, DNS)
- Custom apps
- Splunk Enterprise (core)
Kill Chain Analysis Across Technology/Devices
- Apps for Cisco: Security Suite, Sourcefire, ISE
- Splunk App for Enterprise Security: ad-hoc search, monitor and alert, custom dashboards, report & analyze, flexible integration
- Inputs: real-time machine data, asset & CMDB, employee info, threat intelligence, external lookups, applications, data stores
Enrich Events With External Context
Extend search with lookups and external data sources: LDAP, AD; watch lists; CMDB; message stores; reference lookups. Correlate across multiple data sources and data sets.
APT Defense: Pre-alert Threat List Activity
Customer Case: Client running P2P (BT, BitTorrent)
Client IP: 172.26.228.230
Time: 18:10 5/3/14
Threats: accessing the following bad IPs
- Tor (anonymous proxy)
- Piratebay (BT host)
- Blocked IP site
- Known spyware site
Verified against the PC configuration: this PC has the BT client software installed.
The Top Five Splunk Security Use Cases
A security intelligence platform: Splunk can complement or replace existing SIEMs.
- Incident investigations & forensics
- Security & compliance reporting
- Real-time monitoring of known threats
- Real-time monitoring of unknown threats
- Fraud detection
2008-2014: Splunk Goes Mainstream for Security
Adoption rate explodes, mostly in parallel with SIEMs. Grows to over 1700 global security use-case customers.
Over 2800 Global Security Customers
Customer and Industry Recognition
- 7000+ customers
- Industry awards
- Leader in the Gartner SIEM Magic Quadrant
Thank You