Live Security Incident Investigation
•
0 gefällt mir•337 views
Follow the kill chain of a targeted attack and navigate through a incident investigation to learn how the attacker worked.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Mehr von Splunk
Mehr von Splunk (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Live Security Incident Investigation
- 1. Next Presentation begins at 14.40pm Live Security Incident Investigation Best Practices for Scoping Infections and Disrupting Breaches Matthias Maier Splunk
- 2. Live Security Incident Investigation Best Practices for Scoping Infections and Disrupting Breaches Matthias Maier Splunk
- 3. Agenda • Best Practices for Scoping Infections & Disrupting Breaches • Live Demo: Incident Investigation • Q&A
- 4. Adversary Perspective - Attack Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command and Control (C2) Actions on Objectives http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
- 5. Threat IntelligenceNetwork Endpoint Access/Identity Data Sources Required
- 6. Data Sources Required Known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service Access level, privileged use/escalation, system ownership, user/system/service business criticality • 3rd party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Web Proxy • NetFlow • Network • AV/IPS/FW • Malware detection • Config Management • Performance • OS logs • File System • Directory Services • Asset Mgmt • Authentication Logs • Application Services • VPN, SSO Threat intelligence Access/Identity Endpoint Network
- 7. The capabilities required to distinguish an infection from a breach
- 8. Capabilities - Scoping Infections and Breach Report and analyze Custom dashboards Monitor and alert Ad hoc search Threat Intelligence Asset & CMDB Employee Info Data StoresApplications Raw Events Online Services Web Services Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices Firewall Authentication Threat Intelligence Servers Endpoint
- 9. Capabilities - Scoping Infections and Breach Analytics Context & Intelligence Connecting Data and People
- 11. Kill Chain – Breach Example http (web) session to command & control server Remote control Steal data Persist in company Rent as botnet WEB Delivery Exploitation Installation C2 Actions on Objectives .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe Calc.exe Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Threat intelligence Access/Identity Endpoint Network
- 12. Demo
- 13. Demo Review Challenge: Difficult to go from threat-intel match to root cause Hard to determine – was there a breach? Sources Threat Intel – open source threat intel feed Network – web proxy logs, email logs Endpoint – endpoint monitoring agent Access/Identity – asset management database Finding the root cause: connecting the dots Match the threat-intel IP to network data to identify the infected machine Identify the malicious process by mapping network data to endpoint data Discover the infected email by matching local file access to email data
- 14. Actionable Takeaways •Info, case study, analyst report at: Splunk.com > Solutions > Security & Fraud •Try Splunk Enterprise for free! Download Splunk software at http://www.splunk.com/download Go to Splunk.com > Community > Documentation > Search Tutorial In 30 minutes, you will have imported data, run searches, created reports Free apps at Splunk.com > Community > Apps •Contact sales team at Splunk.com > About Us > Contact
- 15. Thanks Q&A Visit Splunk at Stand C20
Hinweis der Redaktion
- The adversary’s success lies in a deliberate methodology. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
- You want visibility where the adversary manifests itself. Imagine a malicious email that gives delivered. what are the places you can detect it ? And respond to the breach ? Network – network based attack, lateral movement, exfiltration Endpoint – malware exploitation – data gathering, launch point Authentication – the basis of lateral movement and access to assets, intellectual property Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach You derive this rationale from the activity in your in your environment. Fusing it with the knowledge of those who have broader vantage points. And then contextualizing it with business information. Lets talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to splunk, I was a splunk customer…. And this strategy works… Lets dive into this…
- The capabilities required to distinguish an infection from a breach Why is it important to preserve an event?
- Risk Based Analytics to Align Security Operations With the Business Risk scoring framework enhances decision making by applying risk score to any data Quickly and easily assign any KSI or KPI to any event to produce risk scores Expose the contributing factors of a risk score for deeper insights Visualize and Discover Relationships for Faster Detection and Investigation Visually fuse data, context and threat-intel across the stack and time to discern any context Pre-built correlations, alerts and dashboards for detection, investigation and compliance Workflow actions and automated lookups enhance context building Enrich Security Analysis with Threat Intelligence Automatically apply threat intelligence from any number of providers Apply threat intelligence to event data as well as wire data Conduct historical analysis using new threat intelligence across all data
- Exploitation != Gameover when you have analysts that can use the analytics ability and contextualize it
- Use the animation to talk to the Zeus attack scenario described in the Zeus demo. Reconn – find vulnerability, find method most likely to gain access – locate vulnerable server with .pdf Reconn - Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf) Weaponization - Attacker creates malware and packages up in pdf and names it the same document as that on the portal (look like a good document) Delivery - Attacker spoofs (use technique to send email that looks like it’s coming from an employee of the company) a company employee email and sends to several targets at the company Exploitation – User (all it takes is one) reads email, open the attachment, exploits a vulnerable in a document reader that allows programs to run Installation – program installs several programs that over-write “good” programs on the computer – the calculator program – calc.exe Installation – calc.exe spans svchost.exe, a generic program on windows machines Command and Control – svchost.exe establishes communication to remote command and control server. Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
- Zeus Demo: https://demo-zeus.splunkoxygen.com/en-US/app/SA-zeus-demo/zeus_workflow?earliest=0&latest= Explaining the kill chain and the data sources mentioned – CLICK into Picture -> Incident Review Page occurs Explaining triggers, selecting threat activity notable and expanding it Explaining the context, drilling into asset investigator for 192.168.56.102 Explaning data sources at the asset investigator Identifing IPS activity, followed by malware activity, followed by file exec and threat intel triggers Drilling down into exec file activity events and identifing the phishing mail Then mentioned now the phishing mail could be scoped – who else got the e-mail, who sent it etc.