1. Next Presentation begins at 14.40pm
Live Security Incident Investigation
Best Practices for Scoping Infections and Disrupting
Breaches
Matthias Maier
Splunk
8. Capabilities - Scoping Infections and Breach
[Slide diagram: layered platform view]
Analysis layer: Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search
Context layer: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications
Raw Events from: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
9. Capabilities - Scoping Infections and Breach
[Slide diagram: three pillars] Analytics | Context & Intelligence | Connecting Data and People
11. Kill Chain – Breach Example
Phases: Delivery – Exploitation – Installation – C2 – Actions on Objectives
Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, and emails it to the target; the target reads the email and opens the attachment
Exploitation: .pdf executes & unpacks malware
Installation: overwriting and running “allowed” programs (Calc.exe, Svchost.exe)
C2 (WEB): http (web) session to command & control server
Actions on Objectives: Remote control, Steal data, Persist in company, Rent as botnet
Data sources shown alongside the chain: Threat intelligence, Access/Identity, Endpoint, Network
13. Demo Review
Challenge:
Difficult to go from threat-intel match to root cause
Hard to determine – was there a breach?
Sources
Threat Intel – open source threat intel feed
Network – web proxy logs, email logs
Endpoint – endpoint monitoring agent
Access/Identity – asset management database
Finding the root cause: connecting the dots
Match the threat-intel IP to network data to identify the infected machine
Identify the malicious process by mapping network data to endpoint data
Discover the infected email by matching local file access to email data
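The three joins above, followed by the scoping step from the demo notes, carried out in code. This is an added example written for this page, not Splunk's code and not part of the deck; all five sources are constructed in-line, and the field names (src_ip, dst_ip, host, pid, ppid, process, path, msg_id, attachment) are assumptions rather than any vendor's schema. 203.0.113.45 is a constructed indicator from a documentation range; 192.168.56.102 is the asset from the demo.

```python
"""Connecting the dots: threat-intel match -> infected host -> process -> email."""
import ntpath

# --- constructed sample data (not real logs) --------------------------------
THREAT_INTEL = {"203.0.113.45"}                       # open-source feed, one C2 IP

PROXY_LOGS = [                                        # network: web proxy
    {"src_ip": "192.168.56.101", "dst_ip": "198.51.100.7"},
    {"src_ip": "192.168.56.102", "dst_ip": "203.0.113.45"},
    {"src_ip": "192.168.56.102", "dst_ip": "198.51.100.7"},
]

ASSETS = {"192.168.56.102": "ws-finance-02",          # access/identity: asset DB
          "192.168.56.101": "ws-finance-01"}

ENDPOINT_NETCONN = [                                  # endpoint: outbound connections
    {"host": "ws-finance-02", "pid": 502, "process": "svchost.exe", "dst_ip": "203.0.113.45"},
    {"host": "ws-finance-02", "pid": 340, "process": "browser.exe", "dst_ip": "198.51.100.7"},
]

ENDPOINT_PROCESSES = [                                # endpoint: process creation
    {"host": "ws-finance-02", "pid": 120, "ppid": 1,   "process": "explorer.exe"},
    {"host": "ws-finance-02", "pid": 500, "ppid": 120, "process": "reader.exe"},  # document reader (constructed name)
    {"host": "ws-finance-02", "pid": 501, "ppid": 500, "process": "calc.exe"},
    {"host": "ws-finance-02", "pid": 502, "ppid": 501, "process": "svchost.exe"},
]

ENDPOINT_FILES = [                                    # endpoint: file access
    {"host": "ws-finance-02", "pid": 500, "path": r"C:\Users\alice\Downloads\quarterly_report.pdf"},
    {"host": "ws-finance-02", "pid": 340, "path": r"C:\Users\alice\Downloads\notes.txt"},
]

MAIL_LOGS = [                                         # network: mail gateway
    {"msg_id": "m1", "sender": "ceo@example.com", "recipient": "alice@example.com", "attachment": "quarterly_report.pdf"},
    {"msg_id": "m1", "sender": "ceo@example.com", "recipient": "bob@example.com",   "attachment": "quarterly_report.pdf"},
    {"msg_id": "m2", "sender": "hr@example.com",  "recipient": "alice@example.com", "attachment": "handbook.pdf"},
]


def infected_hosts(proxy_logs, intel):
    """Step 1: threat-intel IP -> proxy logs -> source IPs that talked to it."""
    return {e["src_ip"] for e in proxy_logs if e["dst_ip"] in intel}


def c2_connections(netconn, host, intel):
    """Step 2: the same destination as seen by the endpoint agent -> owning process."""
    return [e for e in netconn if e["host"] == host and e["dst_ip"] in intel]


def ancestry(processes, host, pid):
    """Walk ppid links upward; returns process records from child to root."""
    by_pid = {(p["host"], p["pid"]): p for p in processes}
    chain, seen = [], set()
    while (host, pid) in by_pid and pid not in seen:   # 'seen' guards against ppid loops
        seen.add(pid)
        chain.append(by_pid[(host, pid)])
        pid = by_pid[(host, pid)]["ppid"]
    return chain


def files_opened_by(file_events, host, pids):
    """Step 3a: files touched by any process in the chain (basename only)."""
    return {ntpath.basename(e["path"]) for e in file_events
            if e["host"] == host and e["pid"] in pids}


def messages_carrying(mail_logs, attachments):
    """Step 3b: mail events whose attachment name matches a file the chain opened."""
    return {e["msg_id"] for e in mail_logs if e["attachment"] in attachments}


def recipients_of(mail_logs, msg_ids):
    """Scoping: every (sender, recipient) pair for the identified message(s)."""
    return {(e["sender"], e["recipient"]) for e in mail_logs if e["msg_id"] in msg_ids}


def investigate():
    """Run the chain end to end and return one finding per infected host."""
    report = {}
    for ip in sorted(infected_hosts(PROXY_LOGS, THREAT_INTEL)):
        host = ASSETS.get(ip, ip)                     # asset DB turns the IP into a hostname
        conns = c2_connections(ENDPOINT_NETCONN, host, THREAT_INTEL)
        chain = []
        for c in conns:
            chain.extend(ancestry(ENDPOINT_PROCESSES, host, c["pid"]))
        pids = {p["pid"] for p in chain}
        attachments = files_opened_by(ENDPOINT_FILES, host, pids)
        msg_ids = messages_carrying(MAIL_LOGS, attachments)
        report[host] = {
            "c2_ips": sorted({c["dst_ip"] for c in conns}),
            "process_chain": [p["process"] for p in chain],
            "attachments": attachments,
            "messages": msg_ids,
            "recipients": recipients_of(MAIL_LOGS, msg_ids),
        }
    return report


if __name__ == "__main__":
    for host, finding in investigate().items():
        print(host, finding)
```

The asset database is what makes the second join possible: proxy logs key on IP while the endpoint agent keys on hostname, so without that lookup the two sources cannot be related. The final recipient set is the scoping output: every mailbox that received the same message is a candidate for the same infection, whether or not it has produced a threat-intel hit yet.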
14. Actionable Takeaways
• Info, case study, analyst report at: Splunk.com > Solutions > Security & Fraud
• Try Splunk Enterprise for free!
  Download Splunk software at http://www.splunk.com/download
  Go to Splunk.com > Community > Documentation > Search Tutorial
  In 30 minutes, you will have imported data, run searches, created reports
  Free apps at Splunk.com > Community > Apps
• Contact sales team at Splunk.com > About Us > Contact
The adversary’s success lies in a deliberate methodology.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
You want visibility wherever the adversary manifests itself. Imagine a malicious email that gets delivered: where are the places you can detect it, and respond to the breach?
Network – network based attack, lateral movement, exfiltration
Endpoint – malware exploitation – data gathering, launch point
Authentication – the basis of lateral movement and access to assets, intellectual property
Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach
You derive this rationale from the activity in your environment. Fusing it with the knowledge of those who have broader vantage points. And then contextualizing it with business information. Let's talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to Splunk, I was a Splunk customer... And this strategy works... Let's dive into this...
The capabilities required to distinguish an infection from a breach
Why is it important to preserve an event?
Risk Based Analytics to Align Security Operations With the Business
Risk scoring framework enhances decision making by applying risk score to any data
Quickly and easily assign any KSI or KPI to any event to produce risk scores
Expose the contributing factors of a risk score for deeper insights
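One way to realise the three risk-scoring points above in code: each detection rule (a KSI or KPI in the deck's terms) carries a fixed score, scores accumulate per risk object, the asset database supplies a business-priority multiplier, and the contributing factors are kept alongside the total so an analyst can see why an object ranks where it does. This is an added example written for this page, not Splunk's risk framework or its code; the rule names, point values, events and priority table are constructed, and the field names (risk_object, rule) are assumptions.

```python
"""Risk scoring: many low-level events -> one ranked list of risk objects with reasons."""
from collections import defaultdict

# Each detection rule contributes a fixed score (constructed values).
RULE_SCORES = {
    "threat_intel_match": 60,
    "suspicious_process_lineage": 40,
    "ids_alert": 20,
    "failed_login_burst": 10,
}

# Business context from the asset DB: a finance workstation weighs more than a kiosk.
ASSET_PRIORITY = {"ws-finance-02": "high", "ws-finance-01": "high", "kiosk-lobby-01": "low"}
PRIORITY_MULTIPLIER = {"high": 1.5, "medium": 1.0, "low": 0.5}

EVENTS = [  # constructed rule firings; each names the object the rule is about
    {"risk_object": "ws-finance-02", "rule": "ids_alert"},
    {"risk_object": "ws-finance-02", "rule": "suspicious_process_lineage"},
    {"risk_object": "ws-finance-02", "rule": "threat_intel_match"},
    {"risk_object": "ws-finance-01", "rule": "failed_login_burst"},
    {"risk_object": "ws-finance-01", "rule": "failed_login_burst"},
    {"risk_object": "ws-finance-01", "rule": "failed_login_burst"},
    {"risk_object": "kiosk-lobby-01", "rule": "ids_alert"},
    {"risk_object": "kiosk-lobby-01", "rule": "unknown_rule"},
]


def score_objects(events, rule_scores=RULE_SCORES):
    """Aggregate per risk object; keep the contributing factors, not just the total."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["rule"] not in rule_scores:
            continue                      # unknown rule: skip rather than guess a score
        counts[e["risk_object"]][e["rule"]] += 1

    result = {}
    for obj, by_rule in counts.items():
        mult = PRIORITY_MULTIPLIER[ASSET_PRIORITY.get(obj, "medium")]
        # (rule, points contributed, number of firings), largest contribution first
        factors = sorted(((rule, rule_scores[rule] * n, n) for rule, n in by_rule.items()),
                         key=lambda f: -f[1])
        raw = sum(f[1] for f in factors)
        result[obj] = {"score": round(raw * mult), "raw": raw,
                       "multiplier": mult, "factors": factors}
    return result


def prioritize(scores, threshold):
    """Objects at or above the threshold, highest score first."""
    ranked = sorted(scores.items(), key=lambda kv: -kv[1]["score"])
    return [obj for obj, r in ranked if r["score"] >= threshold]


if __name__ == "__main__":
    scores = score_objects(EVENTS)
    for obj in prioritize(scores, 0):
        print(obj, scores[obj]["score"], scores[obj]["factors"])
```

Three medium-confidence signals on one finance host outrank a burst of failed logins on its neighbour, and the factors list shows which rule drove the ranking. The unknown-rule branch is deliberate: an event from a rule with no assigned score should surface as a configuration gap, not silently add zero.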
Visualize and Discover Relationships for Faster Detection and Investigation
Visually fuse data, context and threat-intel across the stack and time to discern any context
Pre-built correlations, alerts and dashboards for detection, investigation and compliance
Workflow actions and automated lookups enhance context building
Enrich Security Analysis with Threat Intelligence
Automatically apply threat intelligence from any number of providers
Apply threat intelligence to event data as well as wire data
Conduct historical analysis using new threat intelligence across all data
Exploitation != game over when you have analysts who can use the analytics capability and contextualize it.
Use the animation to talk through the Zeus attack scenario described in the Zeus demo.
Recon – find a vulnerability, find the method most likely to gain access – locate a vulnerable server with a .pdf
Recon – Attacker attacks an extranet portal (vulnerable server) and steals a known-good document (.pdf)
Weaponization – Attacker creates malware, packages it in a .pdf and names it the same as the document on the portal (so it looks like a good document)
Delivery – Attacker spoofs a company employee's email (uses a technique to send email that looks like it is coming from an employee of the company) and sends it to several targets at the company
Exploitation – User (all it takes is one) reads the email, opens the attachment; it exploits a vulnerability in a document reader that allows programs to run
Installation – the program installs several programs that overwrite “good” programs on the computer – the calculator program, calc.exe
Installation – calc.exe spawns svchost.exe, a generic program on Windows machines
Command and Control – svchost.exe establishes communication to a remote command and control server.
Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
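The Installation step above leaves two endpoint artefacts a defender can check for: a system binary whose on-disk image no longer matches the known-good one (calc.exe was overwritten), and a parent/child pair that should not occur (calc.exe spawning svchost.exe, which on Windows is normally started by services.exe). This is an added example written for this page, not the deck's content or Splunk's code; the process events and hashes are constructed placeholders, 'reader.exe' stands in for the document reader, and the field names (host, process, parent, image_path, sha256) are assumptions.

```python
"""Endpoint checks for the Installation step: overwritten binaries and odd lineage."""
import ntpath

SYSTEM32 = r"c:\windows\system32"
DOCUMENT_READERS = {"reader.exe"}                 # constructed name for the PDF reader
# svchost.exe is normally started by services.exe on Windows; the rest of a
# real allow-list is environment-specific and must be tuned locally.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}
# Known-good hashes would come from a golden image; placeholders stand in here.
KNOWN_GOOD_SHA256 = {"calc.exe": "GOOD-CALC-HASH-PLACEHOLDER",
                     "svchost.exe": "GOOD-SVCHOST-HASH-PLACEHOLDER"}

EVENTS = [  # constructed process-creation events, one infected host and one clean host
    {"host": "ws-finance-02", "process": "calc.exe", "parent": "reader.exe",
     "image_path": r"C:\Windows\System32\calc.exe", "sha256": "TAMPERED-HASH-PLACEHOLDER"},
    {"host": "ws-finance-02", "process": "svchost.exe", "parent": "calc.exe",
     "image_path": r"C:\Windows\System32\svchost.exe", "sha256": "GOOD-SVCHOST-HASH-PLACEHOLDER"},
    {"host": "ws-finance-01", "process": "svchost.exe", "parent": "services.exe",
     "image_path": r"C:\Windows\System32\svchost.exe", "sha256": "GOOD-SVCHOST-HASH-PLACEHOLDER"},
    {"host": "ws-finance-01", "process": "calc.exe", "parent": "explorer.exe",
     "image_path": r"C:\Windows\System32\calc.exe", "sha256": "GOOD-CALC-HASH-PLACEHOLDER"},
]


def check_event(e):
    """Return the reasons this one event is suspicious (empty list if none)."""
    name, parent = e["process"].lower(), e["parent"].lower()
    in_system32 = ntpath.dirname(e["image_path"]).lower() == SYSTEM32
    reasons = []

    expected = EXPECTED_PARENTS.get(name)
    if expected and parent not in expected:
        reasons.append(f"{name} spawned by {parent}, expected one of {sorted(expected)}")

    if parent in DOCUMENT_READERS and in_system32:
        reasons.append(f"document reader {parent} launched system binary {name}")

    good = KNOWN_GOOD_SHA256.get(name)
    if good and e["sha256"] != good:
        reasons.append(f"{name} hash differs from known-good image (possible overwrite)")
    return reasons


def lineage_findings(events):
    """Flatten per-event reasons into one finding per (host, process, reason)."""
    return [{"host": e["host"], "process": e["process"], "reason": r}
            for e in events for r in check_event(e)]


if __name__ == "__main__":
    for finding in lineage_findings(EVENTS):
        print(finding)
```

The two checks are independent on purpose: the hash comparison catches the overwrite even if the malware later picks a more plausible parent, and the lineage rule catches the chain even if the binary was replaced with something whose hash is not yet known to be bad.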
Zeus Demo:
https://demo-zeus.splunkoxygen.com/en-US/app/SA-zeus-demo/zeus_workflow?earliest=0&latest=
Explaining the kill chain and the data sources mentioned – CLICK into the picture -> the Incident Review page appears
Explaining triggers, selecting the threat-activity notable and expanding it
Explaining the context, drilling into the asset investigator for 192.168.56.102
Explaining the data sources in the asset investigator
Identifying IPS activity, followed by malware activity, followed by file exec and threat-intel triggers
Drilling down into the exec file activity events and identifying the phishing mail
Then mention how the phishing mail can now be scoped – who else got the e-mail, who sent it, etc.