splunklive! Security Hands-On Handout
May, 2015
1
Hands-On with Splunk: Security Analytics Session
May 5th: SplunkLive! Houston
Introduction
A strong security posture and disruption of the adversary kill chain depend on four categories of data sources that have to be combined and integrated. The sources are: Network, Endpoint, Asset and Identity Management, and Threat Intelligence.
For the purposes of this session, our log sources will be a small data set already loaded in our Splunk demo instance containing:
• Network: Web portal logs, web proxy logs, DNS logs, email events;
• Endpoint Threat Detection & Response: Windows Sysmon;
• Asset/Identity Management: Via an asset lookup; and
• Threat Intelligence: Via a threat intel lookup.
We are playing the role of a security analyst employed by a video gaming company called “Buttercup Games.”
Analysts and incident investigators can use Splunk as a security analytics platform to leverage these disparate data sources and disrupt the adversary kill chain. This hands-on exercise shows a real world investigation scenario for the Zeus malware. We begin the investigation by searching for events that match newly received threat intelligence, then investigate the infection and identify the complete adversary kill chain. The key points in this exercise are:
• Splunk is used to discover and disrupt the attacker's kill chain;
• Splunk is used to produce new threat intelligence; and
• Splunk is used for incident investigation across the security stack.
Accessing the session servers
We will all be accessing the same Splunk servers, behind a load balancer, for this hands-on session. We will all use the same
username and password. The URL and credentials can be found below.
URL: (Will be provided during session)
Username: splunklive
Password: splunksecurity1
Please be kind to your fellow session-mates and do not run Splunk searches that will affect the systems negatively.
Document Conventions
Descriptive Text
Instructive Text: Description of what to do in the GUI
Search text: What to type
Click text: What to click on
Exercise 1: Finding IOC (C&C communication) and Actions on Intent
Step 1a
What to click: Log in to Splunk using the credentials above. The Search page in the Zeus Demo app should be displayed.
Description: Splunk helps organizations drastically reduce the time to respond to cyber attacks, helping identify the initial threats, investigate the impact, and ultimately discover the root cause of each attack, so action can be taken.
A strong security posture depends on analyzing four categories of data sources: Network, Endpoint, Asset & Identity Management and Threat Intelligence. Without a solution like Splunk, many organizations struggle to gain the visibility needed to protect their organization from current and future attacks, with investigators spending hours, days, or even weeks to find and accurately identify a single threat.
Splunk is the only security analytics platform that enables analysts and incident investigators to find correlations across these disparate sources in real time, enabling organizations not only to detect attacks, but to identify and disrupt the adversary's kill chain.
In this hands-on exercise, we will be using anonymized data from a real world investigation of a Zeus attack, to show you how Splunk drastically reduces the time to respond. We will use Splunk to detect a new threat, investigate the impact, and discover the root cause. Once we determine the adversary's kill chain, we can create our own threat intelligence to disrupt the adversary's kill chain and secure our organization in the future.

Step 1b
What to click: In the Splunk search bar, type (or copy/paste) the search below and click the magnifying glass to the far right OR press Enter.
Search: index=zeus_demo3
Description: In this scenario, we just received new threat intelligence from one of our sources, and want to see if any systems in our environment are impacted by this new threat intelligence. We will begin our investigation with a simple search of all security data.

Step 1c
What to click: The Splunk Fields Sidebar appears to the left of the browser window. Clicking on any field pulls up the Field Summary for that field. Bring up the Field Summary for the sourcetype field: click and expand the sourcetype field.
Description: In this hands-on environment, we have a variety of security relevant data being consumed by Splunk, including web logs, Sysmon endpoint visibility, DNS, proxy, and messaging infrastructure. This is static data, by the way – just to keep things simple.

Step 1d
What to click: Click on XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Description: Next, we will explore the events coming to Splunk from endpoints.

Step 1e
What to click: Scroll down and click on the 'tag' field.
Description: We have endpoint visibility into all network communication and can map each connection back to a process. We also have detailed info on each process and can map it back to the user and parent process.

Step 1f
What to click: Click on Threat Intelligence Overview in the menu.
Description: Let's get our day started by using threat intel to prioritize our efforts and focus on communication with known high-risk entities.

Step 1g
Description: This dashboard is based on the same type of search we just ran, but enriches the data with additional threat intel lists, CMDB systems and identity data. With this enhanced data, we can graphically show potential compromises. Having this capability is key, as it enables us to prioritize investigations not just based on the threat criticality, but also based on what will have the greatest value or impact to the business.
We can now see who the owner of the system at IP 192.168.56.102 is (Chris Gilbert) and that it isn't part of our PII or PCI assets, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe. This information comes from a “lookup” defined within Splunk.
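The enrichment that the Threat Intelligence Overview dashboard performs in step 1g, as an added Python example that is not part of the handout or of Splunk: constructed proxy events are matched against a threat intel lookup, and the internal host is joined to an asset lookup so hits can be ranked by business impact rather than by indicator alone. The feed names, the second asset, the ranking rule and all events are constructed; only 192.168.56.102 (Chris Gilbert) and 115.29.46.99 come from the handout.

```python
"""Threat-intel matching with asset enrichment over constructed proxy events.

Mirrors what the Threat Intelligence Overview dashboard does: join network
events against a threat list, then enrich the internal host with CMDB/identity
data so investigations can be ranked by business impact rather than by
indicator severity alone. All data below is constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed threat intel lookup: indicator -> feed that reported it.
# 115.29.46.99 is the C&C address discussed in the handout; the rest is made up.
THREAT_INTEL: Dict[str, str] = {
    "115.29.46.99": "zeus_tracker",
    "203.0.113.77": "open_phish",
}

# Constructed asset lookup, the same shape as a CSV lookup in Splunk:
# ip -> owner, whether the host handles PCI or PII data, and its business unit.
ASSETS: Dict[str, Dict[str, object]] = {
    "192.168.56.102": {"owner": "Chris Gilbert", "pci": False, "pii": False, "bunit": "marketing"},
    "192.168.56.50":  {"owner": "payments-svc",  "pci": True,  "pii": True,  "bunit": "finance"},
}

# Constructed Bluecoat-style proxy events (already field-extracted).
PROXY_EVENTS: List[Dict[str, str]] = [
    {"_time": "2015-05-05T09:01:12", "src_ip": "192.168.56.102", "dest_ip": "115.29.46.99", "dest_port": "443", "action": "allowed"},
    {"_time": "2015-05-05T09:01:40", "src_ip": "192.168.56.102", "dest_ip": "93.184.216.34", "dest_port": "443", "action": "allowed"},
    {"_time": "2015-05-05T09:03:05", "src_ip": "192.168.56.50",  "dest_ip": "203.0.113.77",  "dest_port": "80",  "action": "allowed"},
    {"_time": "2015-05-05T09:04:11", "src_ip": "192.168.56.102", "dest_ip": "115.29.46.99", "dest_port": "443", "action": "allowed"},
]


def match_threat_intel(events):
    """Return only events whose destination appears in the threat list,
    with the reporting feed attached (the 'threat_intel_source' field)."""
    hits = []
    for ev in events:
        feed = THREAT_INTEL.get(ev["dest_ip"])
        if feed is not None:
            hits.append({**ev, "threat_intel_source": feed})
    return hits


def enrich_with_asset(hit):
    """Attach owner and regulatory flags from the asset lookup. Unknown hosts
    are flagged as such rather than dropped: an unmanaged host talking to a
    C&C address is itself a finding."""
    asset = ASSETS.get(hit["src_ip"])
    if asset is None:
        return {**hit, "owner": "UNKNOWN", "pci": False, "pii": False,
                "bunit": "UNKNOWN", "asset_known": False}
    return {**hit, **asset, "asset_known": True}


def prioritize(events):
    """Group threat hits per internal host and rank them.

    Ranking rule (constructed for this example): regulated hosts (PCI or PII)
    first, then unknown hosts, then by number of indicator hits. Returns a list
    of per-host summaries, highest priority first.
    """
    per_host = defaultdict(list)
    for hit in match_threat_intel(events):
        enriched = enrich_with_asset(hit)
        per_host[enriched["src_ip"]].append(enriched)

    summaries = []
    for src_ip, hits in per_host.items():
        first = hits[0]
        regulated = bool(first["pci"] or first["pii"])
        summaries.append({
            "src_ip": src_ip,
            "owner": first["owner"],
            "regulated": regulated,
            "hit_count": len(hits),
            "indicators": sorted({h["dest_ip"] for h in hits}),
            "feeds": sorted({h["threat_intel_source"] for h in hits}),
            # Regulated data means external notification deadlines may apply.
            "notification_review": regulated,
        })
    summaries.sort(key=lambda s: (not s["regulated"], s["owner"] != "UNKNOWN", -s["hit_count"]))
    return summaries


if __name__ == "__main__":
    for row in prioritize(PROXY_EVENTS):
        print(row)
```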
Recap: Finding IOC (C&C communication) and Actions on Intent
Figure 1 - Finding IOC and Actions on Intent
Exercise 2: Endpoint Behavior and Method of Exploitation
Step 2a
What to click: Click on the first IP address in the table.
Description: Let's drill down into the system we saw communicating with the Zeus botnet to see if we can get to the root cause of this compromise as well as understand what other related risks might exist.
We see multiple threat intel related events across multiple source types associated with the IP address of Chris Gilbert. Let's take a closer look at the IP address.

Step 2b
What to click: Scroll down on the page and view the All Threat Events panel.
Description: It's worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage while we continue our investigation within Splunk.
We can see events correlated from Sysmon and Bluecoat proxy events. Sysmon is used here as an Endpoint Threat Detection and Response (ETDR) technology. Sysmon is a Windows system service that logs system activity to the Windows Event Log. This exercise uses Sysmon events, but similar information can come from other ETDR tools you may be using.

Step 2c
What to click: Click on '>' next to the second event from the top.
Description: The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
We immediately see that the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Exfiltration of data is a serious concern, and outbound communication to an external entity that has a known threat intel indicator is a red flag, especially when it is encrypted, as in this case.
Another clue: svchost.exe should be located in a Windows system directory, but this one is being run from user space. Not good.

Step 2d
What to click: Click on 'Event Actions' and then on 'Explore Process: 4768'.
Description: Let's continue the investigation. We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).

Step 2e
Description: This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) and then communicating via port 443.
We can also see that the parent process that created this suspicious svchost.exe process is called calc.exe. This is a standard Windows app, but it is not in its usual directory, telling us that the malware has again spoofed a common file name.
In our case svchost.exe is the suspected malware and calc.exe is the suspected downloader/dropper. This is very consistent with Zeus behavior: the initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems that calc.exe may be that downloader/dropper.

Step 2f
What to click: Click on 'Process ID' 4000.
Description: Let's continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.

Step 2g
Description: The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app.

Step 2h
What to click: Click on 'Process ID' 4123.
Description: Click on the parent process to keep investigating.

Step 2i
Description: We can see that the PDF Reader process has no identified parent and is the root of the infection.

Step 2j
What to click: Scroll down. Click on '>' next to the event to expand it.
Description: Scroll down the dashboard to examine activity related to the PDF reader process.
Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let's copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
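The parent-process walk of steps 2c through 2i, as an added Python example that is not the handout's or Splunk's code: Sysmon-shaped Event ID 1 (process create) and Event ID 3 (network connection) records are parsed, the chain from pid 4768 is followed up to its root, and each image is checked for a system binary name running outside the Windows directory. Pids 4768/4000/4123, svchost.exe, calc.exe and 115.29.46.99 come from the handout; the file paths, the user name, the PDF reader image name and the XML records themselves are constructed.

```python
"""Reconstruct a process chain from Sysmon events and flag path masquerading.

This is what the Process Explorer dashboard does by hand in Exercise 2:
start from the process that made the suspicious connection (pid 4768), walk
ParentProcessId links up to the root, and check whether each image name that
normally lives in a Windows system directory is actually running from there.
The XML below is constructed in the shape of Sysmon's Event ID 1 (process
create) and Event ID 3 (network connection) records; the PDF reader image
name, the user and all paths are made up for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id: int, data: Dict[str, str]) -> str:
    """Build one Sysmon-shaped <Event> record (constructed test data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


SYSMON_EVENTS: List[str] = [
    # Root of the chain: the PDF reader opened by the user; no parent recorded.
    _event(1, {"ProcessId": "4123", "Image": r"C:\Program Files\PDF Reader\pdfreader.exe",
               "ParentProcessId": "", "User": "BUTTERCUP\\cgilbert",
               "CommandLine": r'"pdfreader.exe" "C:\Users\cgilbert\Downloads\2nd_qtr_2014_report.pdf"'}),
    # Dropper named like a Windows accessory but running from the user profile.
    _event(1, {"ProcessId": "4000", "Image": r"C:\Users\cgilbert\AppData\Local\Temp\calc.exe",
               "ParentProcessId": "4123", "User": "BUTTERCUP\\cgilbert", "CommandLine": "calc.exe"}),
    # Payload named svchost.exe, also outside the system directory.
    _event(1, {"ProcessId": "4768", "Image": r"C:\Users\cgilbert\AppData\Roaming\svchost.exe",
               "ParentProcessId": "4000", "User": "BUTTERCUP\\cgilbert", "CommandLine": "svchost.exe"}),
    # Legitimate svchost for contrast: correct path, must not be flagged.
    _event(1, {"ProcessId": "812", "Image": r"C:\Windows\System32\svchost.exe",
               "ParentProcessId": "600", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"}),
    # The outbound connection the investigation started from.
    _event(3, {"ProcessId": "4768", "Image": r"C:\Users\cgilbert\AppData\Roaming\svchost.exe",
               "DestinationIp": "115.29.46.99", "DestinationPort": "443", "Protocol": "tcp"}),
]

# Image names that are expected only under the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "calc.exe", "lsass.exe", "explorer.exe", "rundll32.exe"}
SYSTEM_DIR = "c:\\windows\\"


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon event into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = d.text or ""
    return fields


def is_masquerading(image: str) -> bool:
    """True when a system binary name runs from outside the Windows directory."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIR)


def build_tree(xml_events):
    """Index process-create events by pid and network connections by pid."""
    procs, conns = {}, {}
    for ev in map(parse_event, xml_events):
        if ev["EventID"] == "1":
            procs[ev["ProcessId"]] = ev
        elif ev["EventID"] == "3":
            conns.setdefault(ev["ProcessId"], []).append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return procs, conns


def explain_chain(xml_events, start_pid: str):
    """Walk from start_pid to the root, annotating each hop like the dashboard does."""
    procs, conns = build_tree(xml_events)
    chain, pid, seen = [], start_pid, set()
    while pid in procs and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        p = procs[pid]
        chain.append({
            "pid": pid,
            "image": p["Image"],
            "user": p["User"],
            "masquerading": is_masquerading(p["Image"]),
            "connections": conns.get(pid, []),
        })
        pid = p.get("ParentProcessId", "")
    return chain


if __name__ == "__main__":
    for hop in explain_chain(SYSMON_EVENTS, "4768"):
        print(hop)
```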
Recap: Endpoint Behavior and Method of Exploitation
Figure 2 - Endpoint Behavior and Exploitation Method
Exercise 3: Reconnaissance, Weaponization, Delivery
Step 3a
What to click: Get back to your Search page within the Zeus Demo app, enter this into the search bar and press Enter:
Search: 2nd_qtr_2014_report.pdf
Description: We know the malicious file that started this. But where did this file come from? Let's change our search to find all events that contain the file name 2nd_qtr_2014_report.pdf.

Step 3b
What to click: Bring up the Field Summary for the sourcetype field: click and expand the sourcetype field. Click on 'email'.
Description: We quickly determine that this file name exists in multiple sources, including our web logs, Sysmon, and email. We will come back to the web activity that references the pdf file, but let's first look at the email event to determine the scope of this apparent phishing attack.

Step 3c
What to click: Click on Show all 60 lines to expand the event.
Description: Review the full event and notice that this mail came from a fake domain: “jose.dave@butercupgames.com.” Hold on! That's not our domain name (not buttercupgames.com)! The spelling is close, but it's missing a “t”. The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice.
This looks to be a very targeted spear phishing attack, as it was sent to only one employee (Chris).
We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment.

Step 3d
What to click: Enter this into the search bar and press Enter:
Search: 2nd_qtr_2014_report.pdf
Bring up the Field Summary for the sourcetype field: click and expand the sourcetype field. Click on 'access_combined'.
Description: Let's revisit the search for additional information on the 2nd_qtr_2014_report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Select the access_combined sourcetype to investigate further.

Step 3e
What to click: Scroll down and click on 'threat_intel_source'.
Description: The results show that 54.211.114.134 has accessed this file from the web portal of buttercupgames.com. There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.

Step 3f
What to click: Select the IP address, left-click, then select “New search”.
Description: We would like to understand what else this IP address has accessed in the environment.

Step 3g
Description: That's an abnormally large number of requests sourced from a single IP address in a ~90 minute window. This looks like a scripted action, given the constant high rate of requests over the window shown on the timeline. Notice the Googlebot useragent string, which is another attempt to avoid raising attention.

Step 3h
What to click: Bring up the Field Summary for the uri_path field: click and expand the uri_path field.
Description: By selecting the uri_path, we can investigate which pages this IP address accessed. We see that the largest number of requests were for the wp-login.php page. The volume over such a narrow window of time (again, refer to the timeline) is not humanly possible. This was clearly a brute force attack. Once successful, the attacker evidently downloaded the report PDF file and then weaponized it.
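The three findings of Exercise 3 as detection logic run over constructed log lines, an added Python example that is not part of the handout: the request-rate check behind the wp-login.php brute force (steps 3g and 3h), the Googlebot user agent from an address that is not a trusted crawler, and the one-letter-off sender domain from step 3c. The thresholds, the trusted crawler list, the sample access_combined lines and the sender list are constructed; 54.211.114.134, butercupgames.com and the file name come from the handout.

```python
"""Detections for the Exercise 3 findings, run over constructed log lines.

Three checks the handout reaches by clicking through the UI:
  1. request rate per client IP and uri_path (the wp-login.php brute force),
  2. a 'Googlebot' user agent from an address that is not a trusted crawler,
  3. an email sender domain within a couple of edits of the corporate domain.
The access_combined lines, the sender list and the crawler allow-list are
constructed for this example.
"""
import re
from datetime import datetime

ACCESS_LOG_RE = re.compile(
    r'(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri_path>[^ ?"]+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<user_agent>[^"]*)"')

# Constructed access_combined sample: a burst at wp-login.php, then the PDF download.
ACCESS_LOG = """\
54.211.114.134 - - [05/May/2015:08:10:01 -0500] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
54.211.114.134 - - [05/May/2015:08:10:02 -0500] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
54.211.114.134 - - [05/May/2015:08:10:02 -0500] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
54.211.114.134 - - [05/May/2015:08:10:03 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
54.211.114.134 - - [05/May/2015:08:12:44 -0500] "GET /files/2nd_qtr_2014_report.pdf HTTP/1.1" 200 88231 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [05/May/2015:08:11:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/37.0"
"""

# Constructed placeholder; in practice verify crawlers by reverse DNS, not by a static list.
TRUSTED_CRAWLER_IPS = {"66.249.66.1"}

EMAIL_SENDERS = ["jose.dave@butercupgames.com", "hr@buttercupgames.com", "newsletter@example.org"]


def parse_access_log(text):
    """Field-extract access_combined lines; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["time"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(row)
    return rows


def find_request_bursts(rows, min_requests=3, min_per_minute=30):
    """Flag (src_ip, uri_path) pairs whose request rate no human produces.
    Thresholds are constructed for the tiny sample; tune them to a real baseline."""
    by_key = {}
    for r in rows:
        by_key.setdefault((r["src_ip"], r["uri_path"]), []).append(r["time"])
    bursts = []
    for (src_ip, path), times in by_key.items():
        span = max((max(times) - min(times)).total_seconds(), 1.0)
        per_minute = len(times) / span * 60
        if len(times) >= min_requests and per_minute >= min_per_minute:
            bursts.append({"src_ip": src_ip, "uri_path": path,
                           "count": len(times), "per_minute": round(per_minute)})
    return bursts


def spoofed_crawler_ips(rows):
    """Client IPs presenting a Googlebot user agent without being a trusted crawler."""
    return sorted({r["src_ip"] for r in rows
                   if "googlebot" in r["user_agent"].lower()
                   and r["src_ip"] not in TRUSTED_CRAWLER_IPS})


def edit_distance(a, b):
    """Levenshtein distance; small enough here that a plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_senders(senders, corp_domain="buttercupgames.com", max_distance=2):
    """Sender addresses whose domain is close to, but not, the corporate domain."""
    flagged = []
    for addr in senders:
        domain = addr.rsplit("@", 1)[-1].lower()
        d = edit_distance(domain, corp_domain)
        if 0 < d <= max_distance:
            flagged.append((addr, d))
    return flagged


if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    print(find_request_bursts(rows))
    print(spoofed_crawler_ips(rows))
    print(lookalike_senders(EMAIL_SENDERS))
```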
Recap: Reconnaissance, Weaponization, Delivery
Figure 3 - Reconnaissance, Weaponization, Delivery
Now we have the complete picture and the entire kill chain for this attacker. Using Splunk, with simple, intuitive searches and UI clicks, we discovered that this was a two-phased attack: first the attacker compromised the web portal, and then compromised Chris's machine. In addition to identifying the attack, we developed new threat intelligence to help us prevent future attacks from the same IP and improve our security posture.
Conclusion
In review, here are the steps that we uncovered about our adversary, mapped to the major portions of the Kill Chain.
Figure 4 - Summary of Kill Chain
Without Splunk, this analysis would take countless man-hours just to get part of the picture—and evaluating the entire kill
chain would be almost impossible to do.

Hands-On Security Breakout Session- Disrupting the Kill Chain
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security Workshop
 
Hands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout SessionHands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout Session
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill Chain
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill Chain
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
Hands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourHands-On Security - ES Guided Tour
Hands-On Security - ES Guided Tour
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
 
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
 
Hands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill ChainHands-On Security - Disrupting the Kill Chain
Hands-On Security - Disrupting the Kill Chain
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
Integrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud SecurityIntegrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud Security
 
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Splunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security Session
 

More from Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Security Hands-On - Splunklive! Houston

Document Conventions

Descriptive Text
Instructive Text: Description of what to do in the GUI
Search text: What to type
Click text: What to click on
Exercise 1: Finding IOC (C&C communication) and Actions on Intent

Step 1a
What to click: Log in to Splunk using the credentials above. The Search page in the Zeus Demo app should be displayed.
Description: Splunk helps organizations drastically reduce the time to respond to cyber attacks, helping identify the initial threats, investigate the impact, and ultimately discover the root cause of each attack, so action can be taken. A strong security posture depends on analyzing four categories of data sources: Network, Endpoint, Asset & Identity Management and Threat Intelligence. Without a solution like Splunk, many organizations struggle to gain the visibility needed to protect their organization from current and future attacks, with investigators spending hours, days, or even weeks to find and accurately identify a single threat. Splunk is the only security analytics platform that enables analysts and incident investigators to find correlations across these disparate sources in real-time, enabling organizations to not only detect attacks, but to identify and disrupt the adversary’s kill chain. In this hands-on exercise, we will be using anonymized data from a real-world investigation of a Zeus attack, to show you how Splunk drastically reduces the time to respond. We will use Splunk to detect a new threat, investigate the impact, and discover the root cause. Once we determine the adversary’s kill chain, we can create our own threat intelligence to disrupt the adversary’s kill chain and secure our organization in the future.

Step 1b
What to click: In the Splunk search bar, type (or copy/paste) the search below and click the magnifying glass to the far right OR press Enter.
Search: index=zeus_demo3
Description: In this scenario, we just received new threat intelligence from one of our sources, and want to see if any systems in our environment are impacted by this new threat intelligence. We will begin our investigation with a simple search of all security data.

Step 1c
What to click: The Splunk Fields Sidebar appears to the left of the browser window. Clicking on any field in the sidebar pulls up the Field Summary for that field. Bring up the Field Summary for the sourcetype field: click and expand the sourcetype field.
Description: In this hands-on environment, we have a variety of security-relevant data being consumed by Splunk, including web logs, Sysmon endpoint visibility, DNS, proxy, and messaging infrastructure. This is static data, by the way – just to keep things simple.
Step 1d
What to click: Click on XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Description: Next, we will explore the events coming to Splunk from endpoints.

Step 1e
What to click: Scroll down and click on the ‘tag’ field.
Description: We have endpoint visibility into all network communication and can map each connection back to a process. We also have detailed info on each process and can map it back to the user and parent process.

Step 1f
What to click: Click on Threat Intelligence Overview in the menu.
Description: Let’s get our day started by using threat intel to prioritize our efforts and focus on communication with known high-risk entities.
Step 1g
Description: This dashboard is based on the same type of search we just ran, but enriches the data with additional threat intel lists, CMDB systems and identity data. With this enhanced data, we can graphically show potential compromises. Having this capability is key, as it enables us to prioritize investigations not just based on the threat criticality, but also based on what will have the greatest value or impact to the business. We can now see who the owner of the system at IP 192.168.56.102 is (Chris Gilbert) and that it isn’t part of our PII or PCI assets, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe. This information comes from a “lookup” defined within Splunk.
Recap: Finding IOC (C&C communication) and Actions on Intent

Figure 1 - Finding IOC and Actions on Intent
Exercise 2: Endpoint Behavior and Method of Exploitation

Step 2a
What to click: Click on the first IP address in the table.
Description: Let’s drill down into the system we saw communicating with the Zeus botnet to see if we can get to the root cause of this compromise, as well as understand what other related risks might exist. We see multiple threat intel related events across multiple source types associated with the IP address of Chris Gilbert. Let’s take a closer look at the IP address.

Step 2b
What to click: Scroll down on the page and view the All Threat Events panel.
Description: It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk. We can see events correlated from Sysmon and Bluecoat proxy events. Sysmon is used here as an Endpoint Threat Detection and Response (ETDR) technology. Sysmon is a Windows system service that logs system activity to the Windows Event Log. This exercise uses Sysmon events, but similar information can come from other ETDR tools you may be using.

Step 2c
What to click: Click on ‘>’ next to the second event from the top.
Description: The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation. We immediately see that the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information. Exfiltration of data is a serious concern, and outbound communication to an external entity that has a known threat intel indicator is another clue, especially when it is encrypted, as in this case. We also see that svchost.exe should be located in a Windows system directory, but this one is being run from user space. Not good.

Step 2d
What to click: Click on ‘Event Actions’ and then on ‘Explore Process: 4768’.
Description: Let’s continue the investigation. We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
Step 2e
Description: This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data. This process calls itself "svchost.exe," a common Windows process, but the path is not the normal path for svchost.exe, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) and then communicating via port 443. We can also see that the parent process that created this suspicious svchost.exe process is called calc.exe. This is a standard Windows app, but it is not in its usual directory, telling us that the malware has again spoofed a common file name. In our case svchost.exe is the suspected malware and calc.exe is the suspected downloader/dropper. This is very consistent with Zeus behavior: the initial exploitation generally creates a downloader or dropper, which then downloads the Zeus malware. It seems likely that calc.exe is that downloader/dropper.
Step 2f
What to click: Click on 'Process ID' 4000.
Description: Let's continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.

Step 2g
Description: The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack. We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app.

Step 2h
What to click: Click on 'Process ID' 4123.
Description: Click on the parent process to keep investigating.
Step 2i
Description: We can see that the PDF Reader process has no identified parent and is the root of the infection.

Step 2j
What to click: Scroll down. Click on '>' next to the event to expand it.
Description: Scroll down the dashboard to examine activity related to the PDF Reader process. Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email! We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let's copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
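The two checks that carried Exercise 2 (a well-known binary name running from a user-space path, and walking ParentProcessId links from the malware back to the application that spawned it) can be automated outside the dashboard. The following is an added example, not code from the handout or from Splunk; it works on Sysmon Event ID 1 style fields (ProcessId, ParentProcessId, Image, User) over constructed events that mirror the handout's PIDs 4123 -> 4000 -> 4768. The reader image name "pdfreader.exe", the user-space paths and the lists of "known" binaries are assumptions.

```python
"""Process-tree reconstruction and binary-name masquerading checks.

Added example, not code from the Splunk handout. Applies the reasoning of
steps 2c-2j to Sysmon Event ID 1 (process create) style fields. All events
below are constructed; "pdfreader.exe" is a placeholder image name.
"""
import ntpath

# Directories in which the well-known Windows binaries legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binary names that malware commonly borrows (step 2e: svchost.exe, calc.exe).
KNOWN_SYSTEM_IMAGES = {"svchost.exe", "calc.exe", "explorer.exe", "lsass.exe"}
# Document readers that should not be spawning "system" binaries from user space.
DOCUMENT_READERS = {"pdfreader.exe", "acrord32.exe", "winword.exe"}

# Constructed sample events mirroring the handout's PIDs 4123 -> 4000 -> 4768.
SAMPLE_EVENTS = [
    {"ProcessId": 4123, "ParentProcessId": 0,
     "Image": r"C:\Program Files\PDF Reader\pdfreader.exe",
     "User": r"BUTTERCUP\chris.gilbert"},
    {"ProcessId": 4000, "ParentProcessId": 4123,
     "Image": r"C:\Users\chris.gilbert\AppData\Local\Temp\calc.exe",
     "User": r"BUTTERCUP\chris.gilbert"},
    {"ProcessId": 4768, "ParentProcessId": 4000,
     "Image": r"C:\Users\chris.gilbert\AppData\Local\Temp\svchost.exe",
     "User": r"BUTTERCUP\chris.gilbert"},
    # A genuine svchost.exe for contrast: same name, expected directory.
    {"ProcessId": 812, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def image_name(image):
    return ntpath.basename(image).lower()


def image_dir(image):
    return ntpath.dirname(image).lower()


def is_masquerading(event):
    """True when a well-known binary name runs from outside a system directory."""
    return (image_name(event["Image"]) in KNOWN_SYSTEM_IMAGES
            and image_dir(event["Image"]) not in SYSTEM_DIRS)


def parent_chain(events, pid):
    """Follow ParentProcessId links from pid to the root (steps 2f-2i).

    Returns image paths, child first. An unknown parent (or a cycle) ends
    the walk, so a root process simply terminates the list.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_masquerading(events):
    """PIDs of every process whose name/path combination is suspicious."""
    return sorted(e["ProcessId"] for e in events if is_masquerading(e))


def reader_spawned_masquerade(events):
    """(reader_pid, child_pid) pairs where a document reader sits above a masquerading process.

    This is the 'PDF reader -> dropper -> malware' pattern of step 2g.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if not is_masquerading(e):
            continue
        pid, seen = e["ParentProcessId"], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            if image_name(by_pid[pid]["Image"]) in DOCUMENT_READERS:
                hits.append((pid, e["ProcessId"]))
                break
            pid = by_pid[pid]["ParentProcessId"]
    return sorted(hits)


if __name__ == "__main__":
    for image in parent_chain(SAMPLE_EVENTS, 4768):
        print("  ->", image)
    print("masquerading PIDs:", find_masquerading(SAMPLE_EVENTS))
    print("reader-spawned:", reader_spawned_masquerade(SAMPLE_EVENTS))
```

The path comparison is deliberately exact: a lookup of expected directories per binary name is cheap to maintain and catches the user-space copies seen in steps 2c and 2e, while the genuine System32 svchost.exe in the sample stays clean. The same two functions are what a scheduled search would compute before raising a notable event.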
Recap: Endpoint Behavior and Method of Exploitation

Figure 2 - Endpoint Behavior and Exploitation Method
Exercise 3: Reconnaissance, Weaponization, Delivery

Step 3a
What to click: Get back to your Search page within the Zeus Demo app, enter this into the search bar and press Enter: 2nd_qtr_2014_report.pdf
Description: We know the malicious file that started this. But where did this file come from? Let's change our search to find all events that contain the file name 2nd_qtr_2014_report.pdf.

Step 3b
What to click: Bring up the Field Summary for the sourcetype field. Click and expand the sourcetype field. Click on 'email'.
Description: We quickly determine that this file name exists in multiple sources, including our web logs, Sysmon, and email. We will come back to the web activity that references the PDF file, but let's first look at the email event to determine the scope of this apparent phishing attack.
Step 3c
What to click: Click on "Show all 60 lines" to expand the event.
Description: Review the full event and note that this mail came from a fake domain: "jose.dave@butercupgames.com." Hold on! That's not our domain name (not buttercupgames.com)! The spelling is close, but it's missing a "t". The attacker likely registered a domain name that is very close to the company domain, hoping Chris would not notice. This looks to be a very targeted spear phishing attack, as it was sent to only one employee (Chris). We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results. There is our attachment.

Step 3d
What to click: Enter this into the search bar and press Enter: 2nd_qtr_2014_report.pdf. Bring up the Field Summary for the sourcetype field. Click and expand the sourcetype field. Click on 'access_combined'.
Description: Let's revisit the search for additional information on the 2nd_qtr_2014_report.pdf file. We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs? Select the access_combined sourcetype to investigate further.

Step 3e
What to click: Scroll down and click on 'threat_intel_source'.
Description: The results show that 54.211.114.134 has accessed this file from the web portal of buttercupgames.com. There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.

Step 3f
What to click: Select the IP address, left-click, then select "New search".
Description: We would like to understand what else this IP address has accessed in the environment.

Step 3g
Description: That's an abnormally large number of requests sourced from a single IP address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests across the window shown in the timeline. Notice the Googlebot user agent string, which is another attempt to avoid raising attention.

Step 3h
What to click: Bring up the Field Summary for the uri_path field. Click and expand the uri_path field.
Description: By selecting uri_path, we can investigate which pages this IP address accessed. We see that the largest number of requests were for the wp-login.php page. The volume over such a narrow window of time (again, refer to the timeline) is not humanly possible. This was clearly a brute force attack. Once successful, the attacker evidently downloaded the report PDF file and then weaponized it.
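Steps 3e through 3h reach their conclusion from three signals in the web logs: a single source IP with an inhuman rate of requests to wp-login.php, a crawler user agent on traffic a crawler would never generate, and a successful GET of the report PDF by that same IP. The following is an added example, not code from the handout or from Splunk, that turns those signals into checks over Apache combined-format lines (the layout behind the access_combined sourcetype). The log lines are constructed, and the 10-minute sliding window and 50-request threshold are assumed tuning values.

```python
"""Scripted-login and fake-crawler detection over access_combined web logs.

Added example, not code from the Splunk handout. Encodes the observations
of steps 3e-3h as checks over Apache combined-format lines. The log lines,
the window and the threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def build_sample():
    """Constructed log lines: one attacker IP hammering wp-login.php, plus a human user."""
    base = datetime(2014, 5, 20, 9, 0, 0, tzinfo=timezone.utc)
    user_ua = "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0"
    lines = []
    for i in range(100):                                   # one POST every 10 s
        t = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'54.211.114.134 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "{GOOGLEBOT_UA}"')
    t = (base + timedelta(seconds=1005)).strftime(TS_FMT)  # the download after the burst
    lines.append(f'54.211.114.134 - - [{t}] "GET /reports/2nd_qtr_2014_report.pdf HTTP/1.1" 200 83921 "-" "{GOOGLEBOT_UA}"')
    for i in range(3):                                     # a person logging in normally
        t = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f'10.1.2.3 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "http://buttercupgames.com/wp-login.php" "{user_ua}"')
    return lines


def flag_brute_force(records, path="/wp-login.php", window=timedelta(minutes=10), threshold=50):
    """Map ip -> peak number of POSTs to `path` inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == path:
            per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def fake_crawlers(records):
    """IPs that present a search-engine crawler UA while POSTing to a login page (step 3g)."""
    return sorted({r["ip"] for r in records
                   if r["method"] == "POST" and "googlebot" in r["ua"].lower()})


def downloads_by(records, ips, suffix=".pdf"):
    """Successful document fetches by the given IPs (step 3e's HTTP GET of the report)."""
    return sorted((r["ip"], r["path"]) for r in records
                  if r["ip"] in ips and r["method"] == "GET"
                  and r["status"] == "200" and r["path"].endswith(suffix))


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    flagged = flag_brute_force(records)
    return {"parsed": len(records), "flagged": flagged,
            "fake_crawlers": fake_crawlers(records),
            "downloads": downloads_by(records, set(flagged))}


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Counting in a sliding window rather than per fixed bucket avoids the classic miss where a burst straddles a bucket boundary; the same peak-per-window figure is what the timeline in step 3g shows visually. Chaining the flagged IP into downloads_by is the step-3h conclusion made explicit: the login hammering matters most because of what that IP fetched afterwards.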
Recap: Reconnaissance, Weaponization, Delivery

Figure 3 - Reconnaissance, Weaponization, Delivery

Now we have the complete picture and the entire kill chain for this attacker. Using Splunk, with simple intuitive searches and UI clicks, we discovered that this was a two-phase attack: first the attacker compromised the web portal, and then subsequently compromised Chris's machine. In addition to identifying the attack, we developed new threat intelligence to help us prevent future attacks from the same IP and improve our security posture.
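The delivery phase turned on a detail an analyst spotted by eye in step 3c: butercupgames.com is the company domain with one letter missing. That observation generalizes to a check a mail gateway rule or a Splunk lookup generator can apply to every inbound sender. The following is an added example, not code from the handout or from Splunk, which flags any sender domain within a small edit distance of a company domain without being that domain. The sample messages, the company domain list and the distance threshold of 2 are constructed assumptions.

```python
"""Look-alike sender domain check for phishing triage.

Added example, not code from the Splunk handout. Encodes the step 3c
observation (butercupgames.com is buttercupgames.com missing a "t") as a
rule: a sender domain that is a near miss of ours, but not ours, is flagged.
The messages below are constructed.
"""

COMPANY_DOMAINS = {"buttercupgames.com"}

# Constructed sample messages; only the first mirrors the handout's phishing mail.
SAMPLE_MESSAGES = [
    {"from": "jose.dave@butercupgames.com", "to": "chris.gilbert@buttercupgames.com",
     "attachment": "2nd_qtr_2014_report.pdf"},
    {"from": "Finance Team <finance@buttercupgames.com>", "to": "all@buttercupgames.com",
     "attachment": None},
    {"from": "newsletter@example.net", "to": "chris.gilbert@buttercupgames.com",
     "attachment": None},
]


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain part of a From: value, tolerating the 'Display Name <user@domain>' form."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike(address, company_domains=COMPANY_DOMAINS, max_distance=2):
    """(company_domain, distance) if the sender domain is a near miss of ours, else None."""
    dom = sender_domain(address)
    if dom in company_domains:          # genuinely ours: not a look-alike
        return None
    best = None
    for legit in company_domains:
        d = edit_distance(dom, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


def flag_messages(messages):
    """Messages whose sender domain impersonates a company domain."""
    return [m for m in messages if lookalike(m["from"]) is not None]


if __name__ == "__main__":
    for m in flag_messages(SAMPLE_MESSAGES):
        print(m["from"], "->", lookalike(m["from"]))
```

Edit distance catches dropped, doubled and swapped letters, which is the register of domain names chosen to fool a quick glance; keep the threshold small, since at distance 3 or more on a long domain the rule starts to pull in unrelated legitimate senders. A production version would also be run against the Return-Path and any Reply-To header, not only the visible From.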
Conclusion

In review, here are the steps that we uncovered about our adversary, mapped to the major portions of the Kill Chain.

Figure 4 - Summary of Kill Chain

Without Splunk, this analysis would take countless man-hours just to get part of the picture, and evaluating the entire kill chain would be almost impossible to do.