Threat Hunting Workshop
Splunk
1.
© 2017 SPLUNK INC.
Threat Hunting With Splunk
2.
Agenda
▶ Threat Hunting Basics
▶ Threat Hunting Data Sources
▶ Know Your Endpoint
▶ Cyber Kill Chain
▶ Walkthrough of Attack Scenario Using Core Splunk (hands on)
▶ Advanced Threat Hunting Techniques & Tools
▶ Enterprise Security Walkthrough
▶ Applying Machine Learning and Data Science to Security
3.
Log In Credentials (by birth month)
January & February: https://OD-threat-hunting-baltimore-01.splunkoxygen.com
March & April: https://OD-threat-hunting-baltimore-02.splunkoxygen.com
May & June: https://OD-threat-hunting-baltimore-03.splunkoxygen.com
July & August: https://OD-threat-hunting-baltimore-04.splunkoxygen.com
September & October: https://OD-threat-hunting-baltimore-05.splunkoxygen.com
November & December: https://OD-threat-hunting-baltimore-06.splunkoxygen.com
User: hunter
Password: pr3dat0r
4.
Hands On? This Won't Work.
5.
Am I in the right place? Some familiarity with…
▶ CSIRT/SOC Operations
▶ General understanding of Threat Intelligence
▶ General understanding of DNS, Proxy, and Endpoint types of data
6.
What is Threat Hunting, Why do You Need it?
"Threat Hunting is not new, it's just evolving!"
What? Threat hunting: the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]
Why? Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]
[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
[2] Cyber Threat Hunting - Samuel Alonso blog, Jan 2016
7.
Locard's Exchange Principle
8.
Threat Hunting With Splunk VS
9.
Key Building Blocks to Drive Threat Hunting Maturity
Human Threat Hunter: Objectives > Hypotheses > Expertise
Building blocks: Search & Visualisation, Enrichment, Data, Automation
Ref: The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS Feb 2016
10.
"A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance."
Henry A. Crumpton, The Art of Intelligence: Lessons From a Life in the CIA's Clandestine Service
11.
SANS Threat Hunting Maturity
Ad Hoc Search: 85%
Statistical Analysis: 55%
Visualization Techniques: 50%
Aggregation: 48%
Machine Learning/Data Science: 32%
Source: SANS IR & Threat Hunting Summit 2016
12.
How Splunk Helps You Drive Threat Hunting Maturity
Human Threat Hunter: Hypotheses, Automated Analytics, Data Science & Machine Learning, Data & Intelligence Enrichment
Maturity: Data, Search & Visualisation, Enrichment, Automation
Threat Hunting Automation: Integrated & out of the box automation tooling, from artifact query, contextual "swim-lane analysis", anomaly & time series analysis to advanced data science leveraging machine learning
Threat Hunting Data Enrichment: Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
Search & Visualise Relationships for Faster Hunting: Search and correlate data while visually fusing results for faster context, analysis and insight
Ingest & Onboard Any Threat Hunting Machine Data Source: Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and "schema on the read" technology
13.
Hunting Tools: Internal Data
▶ IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring. Tools: Firewalls, Proxies, Splunk Stream, Bro, IDS
▶ Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services. Tools: Splunk Stream, Bro IDS, FPC, Netflow
▶ DNS: activity, queries and responses, zone transfer activity. Tools: Splunk Stream, Bro IDS, OpenDNS
▶ Endpoint - Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring (hash values, integrity checking and alerts, creation or deletion). Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
▶ Vulnerability Management Data. Tools: Tripwire IP360, Qualys, Nessus
▶ User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist. Tools: Splunk UBA (all of the above)
14.
Typical Data Sources
Threat intelligence - Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution. Sources: third-party threat intel, open-source blacklist, internal threat intelligence
Network - Where they went, who talked to whom, attack transmitted, abnormal traffic, malware download. Sources: firewall, IDS, IPS, DNS, email, web proxy, NetFlow, network
Endpoint - What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility. Sources: endpoint (AV/IPS/FW), malware detection, PCLM, DHCP, OS logs, patching
Access/Identity - Access level, privileged users, likelihood of infection, where they might be in the kill chain. Sources: Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO
15.
Threat Intelligence, Network, Security Intelligence
16.
Know Your Endpoint: Microsoft Sysmon Primer
▶ TA available on the App Store
▶ Great blog post to get you started
▶ Increases the fidelity of Microsoft logging
Blog post: http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
17.
Endpoint Data
"Although network data-based data collections were rated high on the survey, endpoint analysis data is still a gaping hole in most hunting operations."
18.
19.
Sysmon Event Tags (Optional Search)
Maps network communication to process_id
process_id creation and mapping to parent process_id
20.
Log In Credentials (same as slide 3)
21.
sourcetype=X* | search tag=communicate
22.
sourcetype=X* | dedup tag | search tag=process
23.
Data Source Mapping
Data sources: Web, Email, Endpoint, Proxy/DNS, CMDB and Threat Intelligence
Kill chain phases: Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action
24.
Demo Story - Kill Chain Framework
Data sources: Web, Email, Endpoint, Proxy/DNS, CMDB and Threat Intelligence
Recon: Successful brute force - download sensitive pdf document
Weaponize: Weaponize the pdf file with Zeus malware
Deliver: Convincing email sent with weaponized pdf
Exploit: Vulnerable pdf reader exploited by malware. Dropper created on machine
Install: Dropper retrieves and installs the malware
Command & Control: Persistence via regular outbound comm
Action: Data exfiltration
25.
Investigations - Choose Your Data Wisely
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Stream
Traditional: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
26.
APT Transaction Flow Across Data Sources
Phases: Gain Access to System, Create Additional Environment, Conduct Business
Data layers: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security, Transaction
• Attacker hacks website, steals .pdf files (Web Portal)
• Attacker creates malware, embeds it in .pdf
• Emails to the target (EMAIL)
• Read email, open attachment
• .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
• HTTP (web) session to command & control server (WEB)
• Remote control, steal data, persist in company, rent as botnet
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
27.
index=zeus_demo3 in search:
28.
To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including… Web, DNS, Proxy, Firewall, Endpoint, Email
29.
Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. We also have detailed info on each process and can map it back to the user and parent process. Let's get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
30.
This dashboard is based on event data that contains a threat intel based indicator match (IP Address, domain, etc.). The data is further enriched with CMDB based asset/identity information. We have multiple source IPs communicating to high risk entities identified by these 2 threat sources. We are seeing high risk communication from multiple data sources. We see multiple threat intel related events across multiple source types associated with the IP Address of Chris Gilbert. Let's take a closer look at the IP Address. We can now see the owner of the system (Chris Gilbert) and that it isn't a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
31.
We are now looking at only threat intel related activity for the IP Address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources. These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP Address. We then see threat intel related endpoint and proxy events occurring periodically, likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s). Scroll down the dashboard to examine these threat intel events associated with the IP Address.
32.
Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems. This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred, which is common when data is being exfiltrated. Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC. The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. It's worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. Expand the endpoint event to continue the investigation.
33.
Exfiltration of data is a serious concern, and so is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Let’s continue the investigation. We immediately see that the outbound communication with 115.29.46.99 via HTTPS is associated with the svchost.exe process on the Windows endpoint. The process ID is 4768. Another clue: svchost.exe should be located in a Windows system directory, but this one is being run from user space. Not good. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
34.
We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process ID extracted from the event (4768).
35.
This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data. Suspected malware: this process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe, which is a common trait of malware attempting to evade detection. This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name. We also see it making a DNS query (port 53) and then communicating via port 443. We can also see that the parent process that created this suspicious svchost.exe process is called calc.exe. Suspected downloader/dropper: this is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper. Let’s continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
36.
The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack (suspected vulnerable app). We have very quickly moved from threat-intel-related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
37.
We can see that the PDF Reader process has no identified parent and is the root of the infection. Scroll down the dashboard to examine activity related to the PDF Reader process.
38.
Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let’s copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
39.
Let’s dig a little further into 2nd_qtr_2014_report.pdf to determine the scope of this compromise.
40.
Enter in search: index=zeus_demo3 2nd_qtr_2014_report.pdf
41.
Let’s search through multiple data sources to quickly get a sense of who else may have been exposed to this file. We will come back to the web activity that contains a reference to the PDF file, but let’s first look at the email event to determine the scope of this apparent phishing attack.
42.
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment. Hold on! That’s not our domain name! The spelling is close, but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice. This looks to be a very targeted spear-phishing attack, as it was sent to only one employee (Chris).
43.
Root Cause Recap (kill chain diagram; rows: Threat Intelligence, Endpoint Host Activity/Security, Network Activity/Security, Transaction; phases: Gain Access to System, Create Additional Environment, Conduct Business). Diagram labels: Attacker hacks website, steals .pdf files (Web Portal) → Attacker creates malware, embeds in .pdf → Emails to the target (EMAIL) → Read email, open attachment → .pdf executes & unpacks malware, overwriting and running “allowed” programs (Calc.exe, Svchost.exe) → HTTP (web) session to command & control server (WEB) → Remote control, steal data, persist in company, rent as botnet.
We utilized threat intel to detect communication with known high-risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause. Key to this investigative process is the ability to associate network communications with endpoint process data. This high-value and very relevant ability to work a malware-related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM-based approach.
44.
Let’s revisit the search for additional information on the 2nd_qtr_2014_report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Click the access_combined sourcetype to investigate further.
45.
The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com. There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.
46.
Select the IP address, left-click, then select “New search”. We would like to understand what else this IP address has accessed in the environment.
47.
That’s an abnormally large number of requests sourced from a single IP address in a ~90-minute window. This looks like a scripted action given the constant high rate of requests over the window below. Scroll down the dashboard to examine other interesting fields to further investigate. Notice the Googlebot user-agent string, which is another attempt to avoid raising attention.
48.
The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible for a person to attempt a login this many times in a short period of time – this is clearly a scripted brute-force attack. After successfully gaining access to our website, the attacker downloaded the PDF file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email. The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the web site.
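To make the scripted-login finding concrete outside the dashboard, here is an added Python example (my code, not part of the workshop or of any Splunk app) that does by hand what the slides above do with a search: parse Apache access_combined lines, aggregate per source address, flag a source whose wp-login.php requests inside a ~90-minute window are beyond what a person could type, and annotate whether it claimed a Googlebot user agent and whether it appears on a threat-intel list. Every log line, both addresses (documentation ranges), the thresholds and the threat-intel entry are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache access_combined layout; the lines fed to it below are constructed, not workshop data.
ACCESS_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed threat-intel list keyed by source IP (documentation-range address, not a real indicator).
THREAT_INTEL_IPS = {"203.0.113.10": "constructed_feed"}


def parse_line(line):
    """Return the fields of one access_combined line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def build_sample_log():
    """Constructed log: one source hitting wp-login.php every 45 s for ~90 minutes with a
    Googlebot user agent, plus an ordinary visitor who browses and logs in once."""
    t0 = datetime(2017, 9, 1, 13, 0, 0, tzinfo=timezone.utc)
    bot_ua = "Googlebot/2.1 (+http://www.google.com/bot.html)"
    lines = []
    for i in range(120):
        ts = (t0 + timedelta(seconds=45 * i)).strftime(TS_FMT)
        path = "/wp-login.php" if i % 10 else "/wp-admin/"   # every 10th request probes admin pages
        lines.append(f'203.0.113.10 - - [{ts}] "POST {path} HTTP/1.1" 200 2048 "-" "{bot_ua}"')
    for i in range(5):
        ts = (t0 + timedelta(minutes=7 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    ts = (t0 + timedelta(minutes=40)).strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


def summarize(lines, login_path="/wp-login.php", min_logins=20, window_minutes=90):
    """Per-source statistics; scripted_login is set when one address sends at least
    min_logins login requests inside window_minutes (both thresholds are assumptions)."""
    per_src = defaultdict(lambda: {"requests": 0, "logins": 0, "admin": 0,
                                   "first": None, "last": None, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["requests"] += 1
        s["logins"] += rec["path"] == login_path
        s["admin"] += rec["path"].startswith("/wp-admin")
        s["uas"].add(rec["ua"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    findings = {}
    for src, s in per_src.items():
        span_min = max((s["last"] - s["first"]).total_seconds() / 60, 1.0)
        findings[src] = {
            "requests": s["requests"],
            "logins": s["logins"],
            "admin_hits": s["admin"],
            "logins_per_min": round(s["logins"] / span_min, 2),
            "claims_googlebot": any("Googlebot" in ua for ua in s["uas"]),
            "threat_intel": THREAT_INTEL_IPS.get(src),
            "scripted_login": s["logins"] >= min_logins and span_min <= window_minutes,
        }
    return findings


if __name__ == "__main__":
    for src, f in summarize(build_sample_log()).items():
        print(src, f)
```

The three attributes reported for the scripted source (login volume in the window, admin-page hits, and a user agent that claims to be a search-engine crawler) are exactly the fields the slides pivot on; in Splunk the same aggregation is a stats by src over the access_combined sourcetype, with a lookup against the threat-intel collection for the last column.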
49.
Kill Chain Analysis Across Data Sources (the same kill chain diagram as on slide 43). We began by reviewing threat-intel-related events for a particular IP address and observed DNS, proxy, and endpoint events for a user in Sales. We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication. We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper. We traced calc.exe back to the vulnerable application, PDF Reader. We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email. A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user. Once our root cause analysis was complete, we shifted our focus to the web logs to determine that the sensitive PDF file was obtained via a brute-force attack against the company website. Investigation complete! Let’s get this turned over to the Incident Response team.
50.
BREAK – 10 MINUTES
51.
BONUS! – SQLi – DNS Exfiltration – Splunk Security Essentials
52.
SQLi
53.
SQL Injection
▶ SQL injection
▶ Code injection
▶ OS commanding
▶ LDAP injection
▶ XML injection
▶ XPath injection
▶ SSI injection
▶ IMAP/SMTP injection
▶ Buffer overflow
54.
Imperva Web Attacks Report, 2015
55.
56.
The Anatomy of an SQL Injection Attack. Login form fields (email, password): admin@admin.sys 1234. An attacker might supply: xxx@xxx.xxx' OR 1 = 1 -- ' as the email and xxx as the password, producing the query:
SELECT * FROM users WHERE email='xxx@xxx.com' OR 1 = 1 -- ' AND password='xxx';
57.
…and so far this year… 39
58.
Search: index=web_vuln password select
59.
What have we here? Our learning environment consists of:
▶ A bunch of publicly-accessible single Splunk servers
▶ Each with ~5.5M events, from real environments but massaged:
• Windows Security events
• Apache web access logs
• Bro DNS & HTTP
• Palo Alto traffic logs
• Some other various bits
60.
https://splunkbase.splunk.com/app/1528/ Search for possible SQL injection in your events:
• looks for patterns in the URI query field to see if anyone has injected SQL statements into it
• uses standard deviation, flagging URI query fields whose length is 2.5 standard deviations greater than the average length
▶ Macros used
• sqlinjection_pattern(sourcetype, uri query field)
• sqlinjection_stats(sourcetype, uri query field)
61.
Regular Expression FTW. sqlinjection_rex is a search macro. It contains:
(?<injection>(?i)select.*?from|union.*?select|'$|delete.*?from|update.*?set|alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|w*[%27|']or)
Which means: in the string we are given, look for ANY of the following matches and put that into the “injection” field.
• Anything containing SELECT followed by FROM
• Anything containing UNION followed by SELECT
• Anything with a ' at the end
• Anything containing DELETE followed by FROM
• Anything containing UPDATE followed by SET
• Anything containing ALTER followed by TABLE
• A %27 OR a ' and then a %20 and any amount of characters then a %20 and then a %27 OR a '
• Note: %27 is encoded ' and %20 is encoded <space>
• Any amount of word characters followed by a %27 OR a ' and then “or”
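As an added example (my code, not the workshop's or the Splunk SQL Injection app's), the pattern above ported to Python and run over a handful of constructed URI query strings, next to the app's second heuristic, the query-length outlier check, implemented here as mean plus 2.5 population standard deviations, which is my reading of the description on the previous slide. One caveat a practitioner should know before relying on the rex as printed: `[%27|']` is a character class matching a single one of the characters `%`, `2`, `7`, `|`, `'`, and `w*` matches zero or more literal `w`s, so the last two alternatives do not do what the bullets describe (the textbook `' OR 1=1` payload with a space after the quote is missed). `FIXED_PATTERN` is my interpretation of the intent using groups; the run shows where the two differ, and the `search=select+from+the+menu` entry shows the kind of false positive a pure pattern match produces.

```python
import re
import statistics

# The workshop's sqlinjection_rex pattern ported to Python: named groups use (?P<name>...)
# and the (?i) flag has to lead the pattern.
PAGE_PATTERN = re.compile(
    r"(?i)(?P<injection>select.*?from|union.*?select|'$|delete.*?from|update.*?set|"
    r"alter.*?table|([%27|'](%20)*=(%20)*[%27|'])|w*[%27|']or)"
)

# My reading of what the last two alternatives were meant to say: a quote (raw or %27),
# optional spaces (raw or %20) around "=", another quote; or word characters, a quote,
# optional spaces and the word "or". This is an assumption, not the app's own macro.
FIXED_PATTERN = re.compile(
    r"(?i)(?P<injection>select.*?from|union.*?select|'$|delete.*?from|update.*?set|"
    r"alter.*?table|(?:%27|')(?:%20| )*=(?:%20| )*(?:%27|')|\w*(?:%27|')(?:%20| )*or\b)"
)

# Constructed URI query strings; none of these comes from the workshop dataset.
SAMPLE_URI_QUERIES = [
    "page=2&sort=name",
    "id=17",
    "search=select+from+the+menu",        # benign text that still trips the pattern
    "id=1%27%20union%20select%20username,password%20from%20users--",
    "user=admin'",
    "name=bob'or'1'='1",
    "id=1' OR 1=1 --",                    # the textbook payload: note the space after the quote
]
# A constructed baseline of ordinary queries so the length statistics have a population to compare against.
BASELINE_QUERIES = [f"page={i}&sort=name" for i in range(1, 31)]


def match_pattern(query, pattern=PAGE_PATTERN):
    """Return the text the rex would put in the injection field, or None for no match."""
    m = pattern.search(query)
    return m.group("injection") if m else None


def scan(queries, pattern=PAGE_PATTERN):
    """Apply the pattern to every query string, preserving order."""
    return [match_pattern(q, pattern) for q in queries]


def length_outliers(queries, k=2.5):
    """The app's second heuristic as I read it: flag query strings whose length exceeds
    the mean length by more than k population standard deviations."""
    lengths = [len(q) for q in queries]
    threshold = statistics.mean(lengths) + k * statistics.pstdev(lengths)
    return [q for q in queries if len(q) > threshold]


if __name__ == "__main__":
    page_hits = scan(SAMPLE_URI_QUERIES)
    fixed_hits = scan(SAMPLE_URI_QUERIES, FIXED_PATTERN)
    for q, a, b in zip(SAMPLE_URI_QUERIES, page_hits, fixed_hits):
        print(f"{q!r:66} page={a!r:18} fixed={b!r}")
    print("length outliers:", length_outliers(BASELINE_QUERIES + SAMPLE_URI_QUERIES))
```

Both heuristics are cheap and complementary: the regex catches the obvious keyword shapes, the length check catches long encoded payloads that avoid the keywords, and neither replaces a WAF or parameterized queries; that is the point of the summary slide's "use an app" and "augment your WAF" advice.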
62.
Bonus: Try out the SQL Injection app!
63.
Summary: Web Attacks/SQL Injection
▶ SQL injection provides attackers with easy access to data
▶ Detecting advanced SQL injection is hard – use an app!
▶ Understand where SQLi is happening on your network and put a stop to it.
▶ Augment your WAF with enterprise-wide Splunk searches.
64.
DNS Exfiltration
65.
DNS Exfiltration (diagram): the string domain=corp;user=dave;password=12345 is base64-encoded as ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg== and leaves through the firewall as the DNS query ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
66.
DNS Exfiltration. DNS exfil tends to be overlooked within an ocean of DNS data. Let’s fix that!
67.
DNS Exfiltration
▶ FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic
“But the big difference is the way stolen data is exfiltrated: the malware used DNS requests!” https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests
“… few organizations actually keep detailed logs or records of the DNS traffic traversing their networks – making it an ideal way to siphon data from a hacked network.” http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally-beauty-breach/#more-30872
68.
https://splunkbase.splunk.com/app/2734/ DNS exfil detection – tricks of the trade
✓ parse URLs & complicated TLDs (Top Level Domain)
✓ calculate Shannon Entropy
List of provided lookups:
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
69.
Shannon Entropy. Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string.
▶ Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj–(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
70.
Detecting Data Exfiltration
index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen
▶ TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display details
71.
Detecting Data Exfiltration
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2
▶ TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
72.
Detecting Data Exfiltration
▶ RESULTS
• Exfiltrating data requires many DNS requests – look for high counts
• DNS exfiltration to mooo.com and chickenkiller.com
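An added Python example (my code, not the URL Toolbox app or the workshop's searches) that walks the same pipeline as slides 65 to 72 over constructed Bro-style query names: Shannon entropy of each subdomain, a naive domain/subdomain split (an assumption here; `ut_parse` also handles multi-part TLDs), then per-domain count, average entropy, average subdomain length and length standard deviation, and finally the thresholds from the stats search above. It also decodes the base64 label from the DNS exfiltration slide to show what that one query carried. attack.com, the payload and the "normal" lookups are constructed; the entropy definition agrees with the slide's aaaaa.com and google.com figures within rounding.

```python
import base64
import math
import statistics
from collections import Counter, defaultdict

# The query label shown on the DNS exfiltration slide.
PAGE_EXAMPLE_LABEL = "ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg=="


def shannon_entropy(s):
    """Shannon entropy in bits per character over the string's own symbol frequencies,
    the quantity ut_shannon reports (aaaaa.com -> 1.88, google.com -> 2.65)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_label(label):
    """Recover the cleartext a base64 query label carries; the slide's example decodes to
    'domain=corp;user=dave;password=12345' followed by line breaks."""
    return base64.b64decode(label).decode("ascii", errors="replace")


def split_query(qname):
    """Naive split: last two labels are the domain, everything before is the subdomain.
    Assumption for this example; ut_parse also understands multi-part TLDs like co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_exfil(queries, min_sha=3.0, min_sublen=20, max_stdev=2.0):
    """Per-domain count, avg entropy, avg subdomain length and length stdev, then the
    thresholds from the workshop search: avg_sha>3 avg_sublen>20 stdev_sublen<2."""
    by_domain = defaultdict(list)
    for q in queries:
        sub, dom = split_query(q)
        by_domain[dom].append(sub)
    report = {}
    for dom, subs in by_domain.items():
        lens = [len(s) for s in subs]
        report[dom] = {
            "count": len(subs),
            "avg_sha": round(statistics.mean(shannon_entropy(s) for s in subs), 2),
            "avg_sublen": round(statistics.mean(lens), 2),
            "stdev_sublen": round(statistics.pstdev(lens), 2),
        }
    flagged = sorted(d for d, r in report.items()
                     if r["avg_sha"] > min_sha and r["avg_sublen"] > min_sublen
                     and r["stdev_sublen"] < max_stdev)
    return report, flagged


def build_sample_queries():
    """Constructed query names: ordinary lookups plus a constructed secret pushed out in
    fixed 24-byte pieces, each base64-encoded into a 32-character label under attack.com.
    (Base64 can emit '+' and '/', which are not valid hostname characters; tools seen in the
    wild usually pick base32 or hex. The length and entropy statistics behave the same.)"""
    normal = ["www.google.com", "mail.google.com", "drive.google.com",
              "cdn4s.steelhousemedia.com", "log.tagcade.com"] * 10
    secret = b"domain=corp;user=dave;password=12345\r\n" * 12
    secret += b" " * ((-len(secret)) % 24)              # pad so every label has the same length
    chunks = [base64.b64encode(secret[i:i + 24]).decode() for i in range(0, len(secret), 24)]
    return normal + [f"{c}.attack.com" for c in chunks]


if __name__ == "__main__":
    print("slide label decodes to:", decode_label(PAGE_EXAMPLE_LABEL).strip())
    report, flagged = detect_exfil(build_sample_queries())
    for dom, r in report.items():
        print(dom, r)
    print("flagged:", flagged)
```

The low standard deviation of label length is the tell that separates a chunking encoder from legitimate long subdomains (CDN hostnames vary in length; an exfil loop emits fixed-size pieces), which is why the search keeps stdev_sublen<2 alongside the entropy and length floors.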
73.
Summary: DNS exfiltration
▶ Exfiltration by DNS and ICMP is a very common technique
▶ Many organizations do not analyze DNS activity – do not be like them!
▶ No DNS logs? No Splunk Stream? Look at FW byte counts
74.
Splunk Security Essentials
75.
Security Essentials: Free as in Beer
76.
https://splunkbase.splunk.com/app/3435/ Identify bad guys in your environment:
✓ 45+ use cases common in UEBA products, all free on Splunk Enterprise
✓ Target external attackers and insider threat
✓ Scales from small to massive companies
✓ Save from the app, send results to ES/UBA
You can solve use cases today for free, then use Splunk UBA for advanced ML detection.
77.
Splunk Security Essentials – Types of Use Cases
▶ First Time Seen Powered by Stats
▶ Time Series Analysis With Standard Deviation
▶ General Security Analytics Searches
78.
Splunk Security Essentials Data Sources: Electronic Medical Records, Source Code Repository, Firewall, Email Logs
79.
Mitre ATT&CK Matrix
80.
Mitre Cyber Analytic Repository
81.
82.
83.
Splunk Enterprise Security
Ā© 2017 SPLUNK INC. Hypotheses Automated Analytics Data Science & Machine Learning Data & Intelligence Enrichment Data Search Visualisation Maturity Threat Hunting With
Splunk 84 Splunk Enterprise - Big Data Analytics Platform - Splunk Enterprise Security - Security Analytics Platform - Threat Hunting Data Enrichment Threat Hunting Automation Ingest & Onboard Any Threat Hunting Machine Data Source Search & Visualise Relationships for Faster Hunting User Behavior Analytics - Security Data Science Platform - Search & Visualization Enrichment Data Automation
85.
Other Items To Note. Items to note: Navigation – how to get here; description of what to click on; Click.
86.
Key Security Indicators (build your own!): sparklines, editable.
87.
Security Domains -> Endpoint -> Malware Center. Various ways to filter data; malware-specific KSIs and reports; most popular signatures across all technologies.
88.
Under Advanced Threat, select Risk Analysis. Filterable KSIs specific to risk; risk assigned to system, user or other.
89.
Under Advanced Threat, select Risk Analysis. (Scroll down) Recent Risk Activity.
90.
Under Advanced Threat, select Threat Activity. Filterable, down to IoC; KSIs specific to threat; most active threat source. Scroll down…
91.
Under Advanced Threat, select Threat Activity. Specifics about recent threat matches.
92.
To add threat intel go to: Configure -> Data Enrichment -> Threat Intelligence Downloads. Click.
93.
Click “Threat Artifacts” under “Advanced Threat”. Click.
94.
Under Advanced Threat, select Threat Artifacts. Artifact categories – click different tabs… STIX feed; custom feed.
95.
Review the Advanced Threat content. Click.
96.
Asset Investigator: enter “192.168.56.102”. Data from the asset framework. Configurable swimlanes; darker = more events. All happened around the same time. Change the time range to “Today” if needed.
97.
Data Science & Machine Learning In Security
98.
Disclaimer: I am not a data scientist
99.
BIG DATA vs DATA SCIENCE; COLLECTION vs INSIGHT
100.
Security data isn’t just big data. It’s morbidly obese data.
101.
Security Data Science (diagram): Computer Science; Statistics and Math; Machine Learning; Cyber Security Expertise (Security Engineer, Security Analyst).
102.
Types of Machine Learning. Supervised Machine Learning: the focus is to build models that make predictions based on evidence (labeled data) in the presence of uncertainty. As adaptive algorithms identify patterns in data, the model “learns” from the observations. Unsupervised Machine Learning: used to draw inferences from datasets consisting of input data without labeled responses. Semi-Supervised Machine Learning.
103.
Types of Machine Learning. Supervised Learning: generalizing from labeled data.
104.
Supervised Machine Learning
▶ Regression: a regression problem is when the output variable is a real value, such as “authorizations over time”.
▶ Classification: a classification problem is when the output variable is a category, such as “malicious” or “non-malicious”, or “authorized” and “not authorized”.
▶ Anomaly Detection: identify unusual activity, learn what normal looks like. Example: a history of normal web authorizations, then identify anything significantly different.
105.
Supervised Machine Learning – Regression
▶ Regression is used for predictive modeling to investigate the relationship between a dependent (target) variable and independent variables (predictors).
▶ Examples of regression algorithms:
• Linear Regression
• Logistic Regression
• Stepwise Regression
• Multivariate Adaptive Regression Splines (MARS)
• Locally Estimated Scatterplot Smoothing (LOESS)
• Ordinary Least Squares Regression (OLSR)
106.
Regression Demo: Predict VPN Usage
107.
Supervised Machine Learning (labeled training data):
Domain Name                TotalCnt  RiskFactor  AGD  SessionTime  RefEntropy  NullUa  Outcome
yyfaimjmocdu.com           144       6.05        1    1            0           0       Malicious
jjeyd2u37an30.com          6192      5.05        0    1            0           0       Malicious
cdn4s.steelhousemedia.com  107       3           0    0            0           0       Benign
log.tagcade.com            111       2           0    1            0           0       Benign
go.vidprocess.com          170       2           0    0            0           0       Benign
statse.webtrendslive.com   310       2           0    1            0           0       Benign
cdn4s.steelhousemedia.com  107       1           0    0            0           0       Benign
log.tagcade.com            111       1           0    1            0           0       Benign
108.
Supervised Machine Learning Process (diagram labels): Raw Security Data; Sample; Pre-process/Train/Model; Verification; Test; Production; Algorithm; Product.
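An added Python example (my code, not from the workshop or the Splunk ML Toolkit) of the supervised process above applied to the labeled rows of the feature table: standardize the features, train a logistic-regression classifier by gradient descent (the Pre-process/Train/Model step), verify it against the labeled rows, and then score two constructed unseen rows, named under the reserved .invalid TLD, the way the Production step would. Pure standard library, so it runs without scikit-learn. With real data you would score a held-out test sample rather than the training rows, which is what the slide's separate Sample and Test boxes stand for.

```python
import math

# Labeled rows from the workshop's supervised-learning table:
# (Domain Name, TotalCnt, RiskFactor, AGD, SessionTime, RefEntropy, NullUa, Outcome)
LABELED = [
    ("yyfaimjmocdu.com",          144, 6.05, 1, 1, 0, 0, "Malicious"),
    ("jjeyd2u37an30.com",        6192, 5.05, 0, 1, 0, 0, "Malicious"),
    ("cdn4s.steelhousemedia.com", 107, 3.00, 0, 0, 0, 0, "Benign"),
    ("log.tagcade.com",           111, 2.00, 0, 1, 0, 0, "Benign"),
    ("go.vidprocess.com",         170, 2.00, 0, 0, 0, 0, "Benign"),
    ("statse.webtrendslive.com",  310, 2.00, 0, 1, 0, 0, "Benign"),
    ("cdn4s.steelhousemedia.com", 107, 1.00, 0, 0, 0, 0, "Benign"),
    ("log.tagcade.com",           111, 1.00, 0, 1, 0, 0, "Benign"),
]


def features(row):
    """Numeric feature vector; the domain name itself is not a feature."""
    return [float(v) for v in row[1:7]]


def fit_scaler(rows_x):
    """Per-column mean and population stdev, so TotalCnt (hundreds to thousands) does not
    swamp the 0/1 flags. Constant columns (RefEntropy, NullUa here) keep stdev 1."""
    cols = list(zip(*rows_x))
    means = [sum(c) / len(c) for c in cols]
    stds = []
    for c, m in zip(cols, means):
        sd = math.sqrt(sum((v - m) ** 2 for v in c) / len(c))
        stds.append(sd if sd > 0 else 1.0)
    return means, stds


def scale(x, means, stds):
    return [(v - m) / s for v, m, s in zip(x, means, stds)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, lr=0.5, epochs=3000):
    """Train step: logistic regression fitted by batch gradient descent on the log loss."""
    X = [features(r) for r in rows]
    y = [1.0 if r[-1] == "Malicious" else 0.0 for r in rows]
    means, stds = fit_scaler(X)
    Xs = [scale(x, means, stds) for x in X]
    n, d = len(Xs), len(Xs[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for x, t in zip(Xs, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            grad_w = [g + err * xi for g, xi in zip(grad_w, x)]
            grad_b += err
        w = [wi - lr * g / n for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return {"w": w, "b": b, "means": means, "stds": stds}


def predict(model, row):
    """Return (label, P(Malicious)) for a row laid out like LABELED (outcome may be '?')."""
    xs = scale(features(row), model["means"], model["stds"])
    p = sigmoid(sum(wi * xi for wi, xi in zip(model["w"], xs)) + model["b"])
    return ("Malicious" if p >= 0.5 else "Benign"), round(p, 3)


def verify(model, rows):
    """Verification step: share of labeled rows whose outcome the model reproduces."""
    hits = sum(predict(model, r)[0] == r[-1] for r in rows)
    return hits / len(rows)


if __name__ == "__main__":
    model = train_logistic(LABELED)
    print("training-set accuracy:", verify(model, LABELED))
    # Constructed unseen rows (reserved .invalid names), scored like the Production step.
    for row in [("unseen-beacon.invalid", 300, 6.5, 1, 1, 0, 0, "?"),
                ("unseen-cdn.invalid", 120, 2.0, 0, 0, 0, 0, "?")]:
        print(row[0], predict(model, row))
```

Eight rows are far too few for a production model, and two of the columns never vary, so the fitted weights say more about RiskFactor than anything else; the example is about the shape of the workflow (scale, train, verify, score) rather than the numbers it produces.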
109.
Unsupervised Learning: generalizing from unlabeled data
110.
Unsupervised Machine Learning (diagram): Raw Security Data → Algorithm → Automated Clustering.
▶ No tuning
▶ Programmatically finds trends
▶ UBA is primarily unsupervised
▶ Rigorously tested for fit
111.
Supervised vs. Unsupervised: Supervised Learning; Unsupervised Learning
112.
SCI-Kit Learn
113.
SCI-Kit Learn
114.
ML Toolkit and Showcase
▶ Splunk-supported framework for building ML apps
• Get it for free: http://tiny.cc/splunkmlapp
▶ Leverages the Python for Scientific Computing (PSC) add-on:
• Open-source Python data science ecosystem
• NumPy, SciPy, scikit-learn, pandas, statsmodels
▶ Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
▶ Standard algorithms out of the box:
• Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
• Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc.
▶ Implement one of 300+ algorithms by editing Python scripts
115.
Machine Learning Toolkit Demo
116.
Splunk for Analytics and Data Science
117.
Splunk UBA
118.
Threat Hunting With Splunk (the same maturity diagram as on slide 84). Maturity ladder: Data, Search, Visualisation, Data & Intelligence Enrichment, Data Science & Machine Learning, Automated Analytics, Hypotheses. Splunk Enterprise – Big Data Analytics Platform: ingest & onboard any threat hunting machine data source; search & visualise relationships for faster hunting. Splunk Enterprise Security – Security Analytics Platform: threat hunting data enrichment; threat hunting automation. User Behavior Analytics – Security Data Science Platform.
119.
Machine Learning Security Use Cases: Polymorphic Attack Analysis; Behavioral Peer Group Analysis; User & Entity Behavior Baseline; Entropy/Rare Event Detection; Cyber Attack / External Threat Detection; Reconnaissance, Botnet and C&C Analysis; Lateral Movement Analysis; Statistical Analysis; Data Exfiltration Models; IP Reputation Analysis; Insider Threat Detection; User/Device Dynamic Fingerprinting.
120.
Splunk UBA Use Cases
Insider Threats:
▶ Account Takeover • Privileged account compromise • Data exfiltration
▶ Lateral Movement • Pass-the-hash kill chain • Privilege escalation
▶ Suspicious Activity • Misuse of credentials • Geo-location anomalies
External Threats:
▶ Malware Attacks • Hidden malware activity
▶ Botnet, Command & Control • Malware beaconing • Data leakage
▶ User & Entity Behavior Analytics • Suspicious behavior by accounts or devices
121.
Splunk User Behavior Analytics (UBA)
▶ ~100% of breaches involve valid credentials (Mandiant Report)
▶ Need to understand normal & anomalous behaviors for ALL users
▶ UBA detects Advanced Cyberattacks and Malicious Insider Threats
▶ Lots of ML under the hood:
• Behavior Baselining & Modeling
• Anomaly Detection (30+ models)
• Advanced Threat Detection
▶ E.g., Data Exfil Threat:
• “Saw this strange login & data transfer for user kwestin at 3am in China…”
• Surface threat to SOC Analysts
122.
UBA pipeline (diagram): Raw Security Events → Anomalies → Anomaly Chains (Threats). Machine Learning; Graph Mining; Threat Models (Lateral Movement, Beaconing, Land-Speed Violation); HCI; Anomalies graph; Entity relationship graph; Kill chain sequence; Forensic artifacts; Threat/Risk scoring; Feedback.
123.
Overall Architecture (diagram labels): Data Receivers (flume, REST, etc.); App/SaaS Connectors; Core + ES; Network Data Push/Pull; Syslog and Other Data; Distributed Kafka; ETL (Parsers, Filters, Attribution); IR Model; Real-Time Infra (Storm-based): Filter Events, Drop Events, Model Execution & Online Training, Runtime Topologies; Hadoop/HDFS; Model Persistence Layer: Model Store, Model Registry, HBase, Model 1 … Model N; Control Path – Resource/Health Monitoring; HBase/HDFS Direct Access Façade; GraphDB (Neo4J, graph visualizations); SQL Access Layer; SQL Store (Threats/Anomalies); Time-Series DB; Analytics Store; Rules Engine; Anomalies + Threats; Node.js Socket.io server; Real-Time Updates/Notifications; Threat and Anomaly Review.
124.
Data Flow and System Requirements (diagram labels): Inputs: API connector, syslog, forwarder. UBA: Threat & Anomaly Data; Query; Results; Request for additional details; Threats; Notable events; Risk scoring framework; Workflow management. Splunk Enterprise search head (Standard RT Query): Explore, Visualize, Share, Analyze, Dashboards, Results. VM specs: Ubuntu/RHEL; 16 cores; 64 GB RAM; local and network disks; GigE connectivity. Performance/scale: UBA v2.3; e.g., 5 nodes; 25K EPS; add nodes for near-linear scale. Splunk Enterprise: RT search capability; 8-10 concurrent searches; REST API port (8089); SA-LDAPSEARCH. Shared network storage.
125.
Splunk UBA Demo
126.
More Security Workshops!
▶ Security Readiness Workshop
▶ Data Science Workshop
▶ Enterprise Security Benchmark Assessment
▶ Boss of the SOC
127.
Security Workshop Survey
128.
Thank You!