Stalking Hackers with Core Splunk
Derek Arnold, CISSP
Senior Splunk Consultant
Your Presenter
Derek Arnold
12 years in security
Enterprise IT
Industries: Retail, medical tech, health insurance
Specialties: Security operations, threat intelligence, physical security, SIEM
Certified Splunk admin
Yoga, Pilates, running
Agenda
Threat Realization
Anomaly Detection
Windows Searches
UNIX Searches
Networking and Remote Desktop Searches
Key Takeaways/Conclusion
THREAT REALIZATION
Why beef up your detection?
Kevin Mitnick
Robert has a sense that he understands how IT and network security people work, and it's not all that different from everyone else in the working world. The only way for them to notice [my going online] would have been going through the logs actively. His view of IT security people wasn't very flattering. People don't read logs every morning. When you get to your desk, you sit down, have a coffee, read a few Web sites of personal interest. You don't go in and read logs and see who changed their passwords yesterday.
Source: Kevin Mitnick, The Art of Intrusion
2014 Retail Breaches White Paper
In today's corporations, there are many attack alerts that may possibly overwhelm the staff's ability to react to them all. Companies must implement and maintain Security Information and Event Management (SIEM), define events of interest (EOI) and train staff to assess whether the EOI poses a serious threat. Ignoring an alert is like driving a car with the check engine light on because there are seemingly no other symptoms of a serious problem.
Source: http://www.accuvant.com/resources/the-four-attack-vectors-to-prevent-or-detect-retailer-breaches
Sun Tzu
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Source: Sun Tzu, The Art of War, Ch. III
Kill chain: Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Command and Control -> Exfiltration
ANOMALY DETECTION
Big word, big concept
Anomaly Detection
In order to know what is abnormal, we need to know what is normal
30-90 day historical profile required
Shorten the dwell time
You're using Universal Forwarder, RIGHT?
Universal Forwarder on Windows
Harness the full capability
Data sources:
Windows event logs
File system changes
WMI-based data
Windows registry data
Host information
Network information
Use cases:
File integrity monitoring: configuration files
DNS resolution
Downloads folders, temp folders, root folders
Software installations
Crashing processes, AV tampering
Creation of new services
Task scheduler activity
More information:
http://docs.splunk.com/documentation/splunk/6.1.3/data/monitorwindowsdata
http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
WINDOWS
Local Admin Usage (description)
Who is using local admin instead of a specific administrative user? Risk of escalation of privilege.
Who is making the change? Shouldn't they be using an ID trackable to a specific person?
Does the job role of this employee match their privileges?
Local Admin Usage (search)
sourcetype="wineventlog:security" "Sid=S-1-5-21-*-500"
Domain Admin Changes (description)
Who is being added to the Windows domain admins group? Risk of escalation of privilege.
Who is making the change?
Does the job role of this employee match their privileges?
Domain Admin Changes (search)
sourcetype=wineventlog:security Security_ID="YourDomain\\DomainAdminADGroupName" (EventCode=4728 OR EventCode=632 OR EventCode=4729 OR EventCode=633)
| eval ChangedBy=mvindex(Security_ID,0)
| eval Member=mvindex(Security_ID,1)
| eval DestinationGroup=mvindex(Security_ID,2)
| search DestinationGroup="YourDomain\\DomainAdminADGroupName"
| eval ActionTaken=if((EventCode=4729 OR EventCode=633), "A member was removed from a security-enabled global group.", ActionTaken)
| eval ActionTaken=if((EventCode=4728 OR EventCode=632), "A member was added to a security-enabled global group.", ActionTaken)
Notes: event codes 4728/4729 are adds/removes on Windows 2008, 632/633 the same on Windows 2003; the mvindex() evals assign variables for the interesting fields (actor, member, destination group); the if() evals parse the event codes and rename them to a friendly format; summarize the activity in a table.
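The Local Admin Usage and Domain Admin Changes searches above, as an added Python example that is not the presenter's code: it runs the same RID-500 match and the same mvindex()-style actor/member/group split over constructed Windows Security events. It assumes the events arrive already field-extracted the way the Splunk Windows add-on does (EventCode, a multi-valued Security_ID); the domain, user names and SID in SAMPLE_EVENTS are made up.

```python
"""Added example, not the presenter's code: the 'Local Admin Usage' and
'Domain Admin Changes' searches re-expressed in Python over constructed
Windows Security events. Field names (EventCode, Security_ID) mirror what
the Splunk Windows add-on extracts; every value in SAMPLE_EVENTS is made up."""
import re
from typing import Iterable, List

# The slide's "Sid=S-1-5-21-*-500": S-1-5-21-<identifier>-500 is the built-in
# Administrator account (RID 500) of a domain or of a local machine.
BUILTIN_ADMIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

# Group-membership event codes from the slide: 4728/4729 (Windows 2008+),
# 632/633 (Windows 2003).
GROUP_ADD = {4728, 632}
GROUP_REMOVE = {4729, 633}


def is_builtin_admin_sid(sid: str) -> bool:
    """True when sid is a RID-500 Administrator account."""
    return BUILTIN_ADMIN_SID.match(sid) is not None


def group_changes(events: Iterable[dict], target_group: str) -> List[dict]:
    """Adds to / removes from target_group, like the slide's eval/search chain.

    Security_ID is multi-valued on these events; the slide's mvindex() calls
    take index 0 as the actor, 1 as the member and 2 as the destination group.
    """
    findings = []
    for ev in events:
        code = ev.get("EventCode")
        if code not in GROUP_ADD and code not in GROUP_REMOVE:
            continue
        sids = ev.get("Security_ID", [])
        if len(sids) < 3 or sids[2] != target_group:
            continue
        findings.append({
            "time": ev["_time"],
            "ChangedBy": sids[0],
            "Member": sids[1],
            "DestinationGroup": sids[2],
            "ActionTaken": (
                "A member was added to a security-enabled global group."
                if code in GROUP_ADD
                else "A member was removed from a security-enabled global group."),
        })
    return findings


def builtin_admin_usage(events: Iterable[dict]) -> List[dict]:
    """Events in which any Security_ID value is a RID-500 account."""
    return [ev for ev in events
            if any(is_builtin_admin_sid(s) for s in ev.get("Security_ID", []))]


# Constructed sample events (placeholder domain, users and SID, not real data).
SAMPLE_EVENTS = [
    {"_time": "2014-10-06 09:12:01", "EventCode": 4728,
     "Security_ID": ["CORP\\jdoe", "CORP\\svc-backup", "CORP\\Domain Admins"]},
    {"_time": "2014-10-06 09:15:44", "EventCode": 4728,
     "Security_ID": ["CORP\\jdoe", "CORP\\tmp-user", "CORP\\Helpdesk"]},
    {"_time": "2014-10-06 23:41:09", "EventCode": 633,
     "Security_ID": ["CORP\\asmith", "CORP\\svc-backup", "CORP\\Domain Admins"]},
    {"_time": "2014-10-06 23:42:30", "EventCode": 4624,
     "Security_ID": ["S-1-5-21-1004336348-1177238915-682003330-500"]},
]

if __name__ == "__main__":
    for row in group_changes(SAMPLE_EVENTS, "CORP\\Domain Admins"):
        print(row)
    for ev in builtin_admin_usage(SAMPLE_EVENTS):
        print("built-in Administrator used:", ev["_time"], ev["Security_ID"])
```

The Helpdesk change is dropped by the DestinationGroup filter, and the 23:41 removal of svc-backup by a different actor is exactly the kind of row worth cross-checking against change records, as the description slide asks.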
Event Logs Cleared (description)
After a threat actor has performed their task, wouldn't they try to clean up their tracks?
Event Logs Cleared (search)
sourcetype=wineventlog:* (EventCode=1102 OR EventCode=517) LogName=Security
| table _time ComputerName EventCodeDescription Client_User_Name src_user
Notes: look for the "event log cleared" event codes; display the important info in a table.
Suspicious Processes (description)
Install malware using a name of a trusted process
Can't install it in a system directory without sharing violation/system instability
Look for trusted process names in non-standard folders
Suspicious Processes (search)
sourcetype=wineventlog:security "new process has been created"
| eval Process_Name=coalesce(Image_File_Name,New_Process_Name)
| fields Message, Process_Name, User_Name, ComputerName
| search (
    (Process_Name=*cmd.exe NOT Process_Name="C:\\WINDOWS\\system32\\cmd.exe" NOT Process_Name="C:\\Windows\\SysWOW64\\cmd.exe" NOT Process_Name="C:\\Windows\\System32\\inetsrv\\appcmd.exe")
    OR (Process_Name=*svchost.exe NOT Process_Name="C:\\WINDOWS\\system32\\svchost.exe")
    OR (Process_Name=*explorer.exe NOT Process_Name="C:\\WINDOWS\\explorer.exe")
    OR (Process_Name=*msiexec.exe NOT (Process_Name="C:\\WINDOWS\\system32\\msiexec.exe" OR Process_Name="C:\\Windows\\SysWOW64\\msiexec.exe"))
    OR (Process_Name=*taskmgr.exe NOT Process_Name="C:\\WINDOWS\\system32\\taskmgr.exe")
    OR (Process_Name=*at.exe NOT Process_Name="C:\\WINDOWS\\system32\\at.exe" NOT Process_Name="C:\\WINDOWS\\system32\\netstat.exe")
    OR (Process_Name=*gpupdate.exe NOT Process_Name="C:\\WINDOWS\\system32\\gpupdate.exe")
    OR (Process_Name=*regedt32.exe NOT Process_Name="C:\\WINDOWS\\system32\\regedt32.exe")
    OR (Process_Name=*iexplore.exe NOT Process_Name="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" NOT Process_Name="C:\\Program Files\\Internet Explorer\\iexplore.exe")
    OR Process_Name="* *"
    OR Process_Name=*scvhost.exe OR Process_Name=*iexplorer.exe OR Process_Name=*svcdost.exe
  )
Notes: the eval/fields lines gather the data fields (Image_File_Name is the Windows 2003 name, New_Process_Name the Windows 2008 name); the search looks for key system process names not running in their system folder, plus blank or misspelled names. netstat.exe is excluded from the at.exe clause because the *at.exe wildcard also matches it.
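The Suspicious Processes logic above, as an added Python example that is not the presenter's code: the expected-path table and the look-alike names are taken from the slide's search, the coalesce of Image_File_Name/New_Process_Name is kept, and the comparison is on the exact basename rather than a trailing wildcard, so netstat.exe no longer needs a special exclusion. The embedded-space rule reproduces the slide's Process_Name="* *" clause and is deliberately noisy (it will fire on any unlisted program under Program Files), so it belongs in the tuning loop the takeaways slide recommends. The sample events are constructed.

```python
"""Added example, not the presenter's code: the 'Suspicious Processes' search
as Python over constructed process-creation events. Expected locations and
look-alike names come from the slide's SPL; SAMPLE_EVENTS is made up."""
import ntpath
from typing import Iterable, List, Optional

# Where each trusted binary named in the slide is expected to run from.
# Lower-case because Windows paths are compared case-insensitively.
EXPECTED_PATHS = {
    "cmd.exe": {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe",
                r"c:\windows\system32\inetsrv\appcmd.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "msiexec.exe": {r"c:\windows\system32\msiexec.exe",
                    r"c:\windows\syswow64\msiexec.exe"},
    "taskmgr.exe": {r"c:\windows\system32\taskmgr.exe"},
    "at.exe": {r"c:\windows\system32\at.exe"},
    "gpupdate.exe": {r"c:\windows\system32\gpupdate.exe"},
    "regedt32.exe": {r"c:\windows\system32\regedt32.exe"},
    "iexplore.exe": {r"c:\program files (x86)\internet explorer\iexplore.exe",
                     r"c:\program files\internet explorer\iexplore.exe"},
}

# Misspellings of system process names that the slide flags outright.
LOOKALIKES = {"scvhost.exe", "iexplorer.exe", "svcdost.exe"}


def process_name(event: dict) -> str:
    """coalesce(Image_File_Name, New_Process_Name): 2003 vs 2008 field names."""
    return event.get("Image_File_Name") or event.get("New_Process_Name") or ""


def why_suspicious(name: str) -> Optional[str]:
    """Reason the process path is suspicious, or None if it looks normal."""
    if not name.strip():
        return "blank process name"
    path = name.lower()
    base = ntpath.basename(path)  # exact basename, so netstat.exe != at.exe
    if base in LOOKALIKES:
        return f"look-alike system process name: {base}"
    if base in EXPECTED_PATHS:
        if path in EXPECTED_PATHS[base]:
            return None
        return f"{base} outside its expected folder"
    if " " in path:  # the slide's Process_Name="* *" clause
        return "embedded space in process path"
    return None


def scan(events: Iterable[dict]) -> List[dict]:
    """Return one finding per suspicious process-creation event."""
    findings = []
    for ev in events:
        name = process_name(ev)
        reason = why_suspicious(name)
        if reason:
            findings.append({"ComputerName": ev.get("ComputerName"),
                             "User_Name": ev.get("User_Name"),
                             "Process_Name": name, "reason": reason})
    return findings


# Constructed sample events (hosts, users and paths are placeholders).
SAMPLE_EVENTS = [
    {"ComputerName": "WS-0142", "User_Name": "CORP\\jdoe",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe"},
    {"ComputerName": "WS-0142", "User_Name": "CORP\\jdoe",
     "New_Process_Name": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},
    {"ComputerName": "SRV-FS01", "User_Name": "NT AUTHORITY\\SYSTEM",
     "Image_File_Name": r"C:\Windows\Temp\scvhost.exe"},
    {"ComputerName": "WS-0177", "User_Name": "CORP\\asmith",
     "New_Process_Name": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ComputerName": "WS-0177", "User_Name": "CORP\\asmith",
     "New_Process_Name": r"C:\Windows\System32\netstat.exe"},
    {"ComputerName": "WS-0190", "User_Name": "CORP\\bjones",
     "New_Process_Name": r"C:\Users\bjones\Downloads\invoice .exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```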
UNIX
UNIX Failed Logins
sourcetype=unix_syslog ((failed password) OR (authentication failure))
| stats count by user host
| where count>2
| sort - count
Notes: failed login attempts; more than 2 failed attempts per user, sorted by count.
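The UNIX failed-login search above, as an added Python example that is not the presenter's code: it parses the two syslog message shapes the search terms refer to (sshd's "Failed password for ..." and PAM's "authentication failure; ... user=..."), then does the same count-by-user-and-host, threshold and sort. The syslog line layout is assumed to be the classic "Mon dd hh:mm:ss host prog[pid]: message"; hosts, users and addresses in SAMPLE_LINES are constructed.

```python
"""Added example, not the presenter's code: the UNIX failed-login search as
Python over constructed syslog lines. Patterns mirror the SPL's
'failed password' and 'authentication failure' terms; sample data is made up."""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Classic syslog prefix: "Oct  6 09:12:01 web01 sshd[2201]: ..."
SYSLOG = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ")
# sshd: "Failed password for [invalid user ]alice from 203.0.113.7 port ..."
FAILED_PW = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)", re.I)
# PAM: "... authentication failure; logname= uid=0 ... rhost=... user=alice"
# \b keeps "ruser=" from matching; the user may be empty on malformed lines.
AUTH_FAIL = re.compile(r"authentication failure;.*\buser=(?P<user>\S*)", re.I)


def parse_failure(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, host) for a failed-login line, or None for anything else."""
    m = SYSLOG.match(line)
    if not m:
        return None
    host = m.group("host")
    for pattern in (FAILED_PW, AUTH_FAIL):
        f = pattern.search(line)
        if f:
            return (f.group("user") or "<unknown>", host)
    return None


def failed_logins(lines: Iterable[str], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """stats count by user host | where count>threshold | sort - count"""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            counts[parsed] += 1
    rows = [(user, host, n) for (user, host), n in counts.items() if n > threshold]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


# Constructed sample lines (hosts, users and addresses are placeholders).
SAMPLE_LINES = [
    "Oct  6 09:12:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Oct  6 09:12:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51523 ssh2",
    "Oct  6 09:12:07 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51524 ssh2",
    "Oct  6 09:12:11 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 51525 ssh2",
    "Oct  6 09:13:40 web01 sshd[2210]: Failed password for alice from 10.1.2.3 port 40110 ssh2",
    "Oct  6 09:20:15 db02 sshd[998]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=admin",
    "Oct  6 09:20:19 db02 sshd[998]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=admin",
    "Oct  6 09:20:24 db02 sshd[998]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=admin",
    "Oct  6 09:21:00 db02 sshd[999]: Accepted password for bob from 10.1.2.9 port 40200 ssh2",
]

if __name__ == "__main__":
    for user, host, n in failed_logins(SAMPLE_LINES):
        print(f"{n:4d}  {user}@{host}")
```

Note that sshd and PAM typically log the same failed attempt twice (one line each), so a threshold calibrated on one source will be off by a factor of two when both are ingested; the 30-90 day baseline from the Anomaly Detection slide is where that gets settled.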
NETWORKING AND REMOTE DESKTOP
RDP Logins (description)
Who is logging in remotely to servers?
Do the logins match expected usage patterns? Time of day, departments, change records
Does the job role of this employee match their privileges?
RDP Logins (search)
sourcetype=wineventlog:security (EventCode=4624 OR EventCode=528) AND (Logon_Type=10)
| dedup Source_Network_Address dest Security_ID
| eval Security_ID=mvindex(Security_ID,1)
| table _time Security_ID Logon_Type Source_Network_Address Dest_Server
Notes: successful interactive logins (logon type 10 is RemoteInteractive); remove duplicates; formatting and table.
FTP Outbound (description)
Where are your files being sent?
Do the filenames and destinations match expected business applications?
Are the usernames a match to expected naming conventions?
FTP Outbound (search)
sourcetype=cisco_asa FTP "Stored file"
| rex field=_raw "(?i)user (?P<user>.*) Stored file"
| rex field=_raw "(?i)stored file (?P<file>.*)"
| rex field=_raw "(?i):(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/"
| rex field=_raw "(?i):(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/21"
| search NOT dest_ip=10.0.0.0/8 NOT dest_ip=172.16.0.0/12
| geoip dest_ip
| fields - dest_ip_latitude, dest_ip_longitude, dest_ip_postal_code, dest_ip_region_name, dest_ip_country_code, dest_ip_country_name, dest_ip_city
| rename geo_info AS dest_ip_geo_info
| eval time=strftime(_time, "%m/%d %H:%M:%S")
| stats values(time) AS Time values(user) AS Username values(file) AS Filename values(dest_ip) AS dest_ip values(dest_ip_geo_info) AS "Dest IP Geo info" by src_ip
Notes: file upload events; extract user, file, source and dest (named capture groups must be ?P<name>, upper-case P); outbound activity only; get geolocation of dest and a timestamp (geoip comes from a geolocation add-on, not core Splunk); stats for format and clarity.
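The FTP Outbound extraction and filter above, as an added Python example that is not the presenter's code: the four regexes follow the slide's rex patterns, the internal-network exclusion is generalised to all three RFC 1918 ranges (the slide's search excludes only 10/8 and 172.16/12, so 192.168/16 uploads would pass through it), and results are grouped by src_ip as the stats line does. The geolocation step is left out because it needs an external database. The ASA line shape assumed here is the 303002 message ("FTP connection from ifc:ip/port to ifc:ip/port, user name Stored file name"), which is what the slide's patterns imply; the lines themselves are constructed and use documentation address ranges.

```python
"""Added example, not the presenter's code: the 'FTP Outbound' search as
Python over constructed Cisco ASA syslog lines. Regexes follow the slide's rex
patterns; the RFC 1918 exclusion adds 192.168/16; SAMPLE_LINES is made up."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

TIME = re.compile(r"^(?P<time>\w{3} \d\d \d{4} \d\d:\d\d:\d\d)")
USER = re.compile(r"(?i)user (?P<user>.*) Stored file")
FILE = re.compile(r"(?i)stored file (?P<file>.*)")
# First "ip/port" after a colon is the source; the one on port 21 is the server.
SRC = re.compile(r":(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/")
DEST = re.compile(r":(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/21\b")

# RFC 1918 ranges; the slide's search lists the first two only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_stored_file(line: str) -> Optional[dict]:
    """Extract time, user, file, src_ip and dest_ip from an upload line."""
    if "stored file" not in line.lower():  # "Retrieved file" is a download
        return None
    user, file_, src, dest = (USER.search(line), FILE.search(line),
                              SRC.search(line), DEST.search(line))
    if not (user and file_ and src and dest):
        return None
    t = TIME.match(line)
    return {"time": t.group("time") if t else "",
            "user": user.group("user").strip(),
            "file": file_.group("file").strip(),
            "src_ip": src.group("src_ip"),
            "dest_ip": dest.group("dest_ip")}


def is_outbound(dest_ip: str) -> bool:
    """True when the FTP server is outside every RFC 1918 range."""
    ip = ipaddress.ip_address(dest_ip)
    return not any(ip in net for net in INTERNAL_NETS)


def outbound_uploads(lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Uploads to external servers, grouped by src_ip like the stats line."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_stored_file(line)
        if rec and is_outbound(rec["dest_ip"]):
            by_src[rec["src_ip"]].append(rec)
    return dict(by_src)


# Constructed sample lines (hostnames, users, files and addresses are placeholders).
SAMPLE_LINES = [
    "Oct 06 2014 14:02:11 fw01 : %ASA-6-303002: FTP connection from inside:10.1.2.3/49152 to outside:203.0.113.9/21, user alice Stored file q3-forecast.xlsx",
    "Oct 06 2014 14:05:37 fw01 : %ASA-6-303002: FTP connection from inside:10.1.2.3/49153 to dmz:192.168.20.5/21, user alice Stored file nightly-backup.tar",
    "Oct 06 2014 14:09:02 fw01 : %ASA-6-303002: FTP connection from inside:10.1.5.8/51000 to outside:198.51.100.20/21, user ftp_svc Stored file customer_export.csv",
    "Oct 06 2014 14:09:40 fw01 : %ASA-6-303002: FTP connection from inside:10.1.5.8/51001 to outside:198.51.100.20/21, user ftp_svc Retrieved file patch.zip",
]

if __name__ == "__main__":
    for src, uploads in outbound_uploads(SAMPLE_LINES).items():
        for rec in uploads:
            print(f"{rec['time']}  {src} -> {rec['dest_ip']}  {rec['user']}  {rec['file']}")
```

The second line is an upload to a 192.168/16 host and is dropped here, but it would survive the slide's search as written; whether that is right depends on whether your DMZ counts as "outbound", which is a tuning decision for your environment.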
KEY TAKEAWAYS/CONCLUSION
Key Takeaways/Conclusion
Know Your Environment
Understand the kill chain theory
Baseline the past 30-90 days of activity
Search and alert on anomalies
Tune continuously
Learn, share and hack
Security office hours: 11:00 AM - 2:00 PM @Room 103, every day
Geek out, share ideas with Enterprise Security developers
Red Team / Blue Team - Challenge your skills and learn new tricks
Mon-Wed: 3:00 PM - 6:00 PM @Splunk Community Lounge
Thurs: 11:00 AM - 2:00 PM
Birds of a feather - Collaborate and brainstorm with security ninjas
Thurs: 12:00 PM - 1:00 PM @Meal Room 2
Derek Arnold
darnold@accuvant.com
http://www.linkedin.com/in/derekarnold
@DerekPArnold
1125 17th Street, Suite 1700, Denver, CO 80202
800.574.0896
sales@accuvant.com
www.accuvant.com