TRANSCRIPT
Copyright © 2014 Splunk Inc.
Jose E Hernandez Security Specialist, Splunk
Using Splunk to Automatically Mitigate Threats
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Intro
• The Framework
• Attack Example #1 (The Known)
• Attack Example #2 (The Unknown)
• Prevention
• Questions
http://www.bloomberg.com/infographics/2014-08-21/top-data-breaches.html
Red Team has Auto PWN. Where is our Auto Mitigate?
http://pentestlab.wordpress.com/2012/04/23/metasploit-browser-autopwn/
Auto Mitigating Attacks with Splunk App for Enterprise Security
Auto-mitigation is not heresy! It is an accepted business risk.
Framework
Mitigation Framework (diagram): Splunk ingests real-time machine data from online services, web services, servers, security devices, desktops, networks, packaged applications, custom applications, databases and RFID, and enriches it from data stores and applications (threat intelligence, asset & CMDB, employee info). The framework itself has 3 elements: SA-Mitigation, DA-Mitigation and SA-LWF-Mitigation.
SA-Mitigation
Mitigation Correlation Searches create events in the Incident Management index. The Master Mitigation Searches pull the events to block from that index and send a custom block command. The master search used in the demo:
| datamodel Incident_Management Notable_Events_Meta search | search Network Mitigation | eval status="submitted" | rename Notable_Events_Meta.rule_id as id | table id,host,src,status | collect index=mitigation addtime=true | panblock ip=src group=badactors
SA-LWF-Mitigation (diagram, three builds): Splunk ES search head -> Splunk Light Forwarder -> Endpoint Host.
1. On the ES search head, SA-Mitigation runs | mitigator system=test pid=12345, which adds pid 12345 to the process_queue lookup.
2. SA-LWF-Mitigation on the Light Forwarder sends the results to default/proc_mitigator.log, which is picked up by the Splunk indexer.
3. The saved search queue_manager_nix runs on a */5 (every five minutes) schedule and runs the block command on the endpoint host.
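The queue_manager_nix step above is where the framework finally touches a process on the endpoint, so it is the step where a mistake does real damage. As an added example that is not code from the deck or from the Splunk-Mitigation-Framework project, here is one run of that queue manager in plain Python: read the process_queue lookup, act only on rows for this system that are still queued, refuse protected pids, skip pids that are no longer running, kill the rest, and produce the proc_mitigator.log lines and the updated queue. The CSV columns, the log line format, the status values and the protected-pid list are assumptions made for this example; the kill and liveness calls are injectable so the loop can be exercised without killing anything.

```python
import csv
import io
import os
import signal
from datetime import datetime, timezone

# Constructed process_queue lookup (hypothetical columns); the deck only shows
# that SA-Mitigation adds "system=test pid=12345" to it.
PROCESS_QUEUE_CSV = """system,pid,status,reason,submitted
test,12345,queued,registry_persistence,2014-10-07T14:05:00Z
test,1,queued,operator_typo,2014-10-07T14:05:30Z
test,4242,queued,registry_persistence,2014-10-07T14:06:00Z
other-host,777,queued,registry_persistence,2014-10-07T14:06:10Z
test,9999,done,registry_persistence,2014-10-07T13:00:00Z
"""


def process_alive(pid):
    """Signal 0 probes for existence without affecting the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but owned by another user
    return True


class QueueManager:
    """One run of the scheduled queue manager on the endpoint.

    kill_fn / alive_fn / now_fn / protected are injectable so the loop can be
    tested offline; the defaults act on the real host."""

    def __init__(self, system, kill_fn=None, alive_fn=None, now_fn=None, protected=None):
        self.system = system
        self.kill_fn = kill_fn or (lambda pid: os.kill(pid, signal.SIGKILL))
        self.alive_fn = alive_fn or process_alive
        self.now_fn = now_fn or (lambda: datetime.now(timezone.utc).isoformat())
        # Never kill init or the forwarder process running this script (assumed guard list).
        self.protected = {1, os.getpid()} if protected is None else set(protected)
        self.log_lines = []   # what would be appended to proc_mitigator.log

    def _log(self, pid, action, reason):
        line = f"{self.now_fn()} system={self.system} pid={pid} action={action} reason={reason}"
        self.log_lines.append(line)
        return line

    def run(self, queue_text):
        """Process queued rows for this system; return every row with its updated status."""
        rows = list(csv.DictReader(io.StringIO(queue_text)))
        for row in rows:
            if row["system"] != self.system or row["status"] != "queued":
                continue                          # another host's row, or already handled
            pid = int(row["pid"])
            if pid in self.protected:
                row["status"] = "refused"
                self._log(pid, "refused", "protected_pid")
            elif not self.alive_fn(pid):
                row["status"] = "gone"            # exited between detection and this run
                self._log(pid, "skipped", "not_running")
            else:
                try:
                    self.kill_fn(pid)
                except (ProcessLookupError, PermissionError) as exc:
                    row["status"] = "error"
                    self._log(pid, "error", type(exc).__name__)
                    continue
                row["status"] = "done"
                self._log(pid, "killed", row["reason"])
        return rows


def render_queue(rows):
    """Serialise rows back to the lookup's CSV shape so the search head sees the new statuses."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    qm = QueueManager("test", kill_fn=lambda pid: print(f"kill -9 {pid}"))
    print(render_queue(qm.run(PROCESS_QUEUE_CSV)))
    print("\n".join(qm.log_lines))
```

A pid can be reused between the correlation search firing and the five-minute queue run; a production version should also compare the process image or start time recorded at detection before sending the kill, which the lookup in this example does not carry.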
Visibility -> Analysis -> Mitigation -> Prevention
Close The Loop Before The Loop Closes You!
Attack Example #1: The Known
Attack Scenario #1 (diagram, four builds): an attack launched from a corp machine passes the Layer 7 FW (bypass FW) and hits a critical server; the IDS raises an event for the critical server; Splunk consumes the IDS alerts and sends a block to the Layer 7 FW.
"Let Me Show You"
The Known
Attack • Attack was launched at a high criticality asset
Not Blocked • Palo Alto was not set to block those specific IDS alerts
Visibility • Splunk got visibility of the attack via the IDS log
Analyze • Splunk analyzed the alert and, with added context, decided to block
Mitigate • Splunk decided to mitigate and sent a block message to the Palo Alto
Audit • Full history of this in the mitigation tracker
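The master mitigation search in the SA-Mitigation section and the Known walkthrough above describe one pipeline: pull the alert, add asset context, decide, record the decision in the mitigation index, send the block. As an added example that is not code from the deck or from the Splunk-Mitigation-Framework project, here is that pipeline in plain Python so the decision logic can be read and tested offline. The IDS log lines and signature IDs, the asset lookup columns, the priority and severity thresholds, the status values, and the block callback that stands in for panblock are all constructed for this example.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed asset lookup in the shape of an ES asset/CMDB lookup (hypothetical rows).
ASSET_CSV = """ip,nt_host,priority,category
10.1.1.10,db01,critical,pci
10.1.2.20,wks-044,low,corp
10.1.3.30,web01,high,dmz
"""

# Constructed IDS alerts (hypothetical signatures; severity 1 is the most severe).
IDS_LOG = """2014-10-07T14:02:11Z [1:100001:1] EXPLOIT Remote Code Execution Attempt src=198.51.100.7 dest=10.1.1.10 severity=1
2014-10-07T14:02:12Z [1:100002:2] SCAN Inbound Database Port Probe src=198.51.100.7 dest=10.1.2.20 severity=3
2014-10-07T14:03:40Z [1:100001:1] EXPLOIT Remote Code Execution Attempt src=203.0.113.9 dest=10.1.3.30 severity=1
2014-10-07T14:04:01Z [1:100001:1] EXPLOIT Remote Code Execution Attempt src=198.51.100.7 dest=10.1.1.10 severity=1
"""

ALERT_RE = re.compile(
    r"^(?P<time>\S+) \[(?P<sid>[\d:]+)\] (?P<signature>.+?) "
    r"src=(?P<src>\S+) dest=(?P<dest>\S+) severity=(?P<severity>\d+)$"
)

BLOCK_PRIORITIES = {"critical", "high"}  # asset priorities worth an automatic block (assumed)
MAX_SEVERITY = 2                          # block only on the two most severe IDS levels (assumed)


def load_assets(text):
    """ip -> asset row: the 'added context' the analysis step relies on."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:                       # lines that do not parse are skipped, not blocked on
            alert = m.groupdict()
            alert["severity"] = int(alert["severity"])
            alerts.append(alert)
    return alerts


def should_block(alert, asset):
    """Decide with context: a severe alert aimed at a high-criticality asset.
    The same alert against a low-priority workstation is left to the analyst."""
    if asset is None:
        return False
    return asset["priority"] in BLOCK_PRIORITIES and alert["severity"] <= MAX_SEVERITY


class MitigationTracker:
    """Stand-in for the 'mitigation' summary index (the audit trail): one record
    per decision, plus the set of sources already submitted so a repeat alert
    does not push a second block for the same IP."""

    def __init__(self):
        self.records = []
        self.submitted = set()

    def record(self, alert, status):
        rec = {"id": alert["sid"], "host": alert["dest"], "src": alert["src"],
               "status": status, "addtime": datetime.now(timezone.utc).isoformat()}
        self.records.append(rec)
        return rec


def run_master_mitigation(alert_text, asset_text, block_cmd, tracker=None):
    """Mirror of the master mitigation search: pull, enrich, decide, collect, block.
    block_cmd(ip=..., group=...) stands in for '| panblock ip=src group=badactors'."""
    tracker = tracker or MitigationTracker()
    assets = load_assets(asset_text)
    for alert in parse_alerts(alert_text):
        if not should_block(alert, assets.get(alert["dest"])):
            tracker.record(alert, "not_eligible")
        elif alert["src"] in tracker.submitted:
            tracker.record(alert, "already_submitted")
        else:
            try:
                block_cmd(ip=alert["src"], group="badactors")
            except Exception as exc:            # firewall unreachable, bad credentials, ...
                tracker.record(alert, f"error:{type(exc).__name__}")
                continue                        # audit the failure, leave src unsubmitted
            tracker.submitted.add(alert["src"])
            tracker.record(alert, "submitted")
    return tracker


def dry_run_block(ip, group):
    """Prints the command instead of talking to a firewall."""
    print(f"panblock ip={ip} group={group}")


if __name__ == "__main__":
    for rec in run_master_mitigation(IDS_LOG, ASSET_CSV, dry_run_block).records:
        print(rec)
```

Two things the SPL one-liner does not make explicit are worth keeping in a real implementation: a repeat alert for a source that is already blocked should produce an audit record but not a second firewall call, and a failed block should be recorded as a failure rather than counted as submitted.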
Tangent on PA App/Encrypted Store
Why: We did not want to require the app with the framework
What: We moved panChange.py to our app and modified it; we also leverage the credential store to store PAN passwords
Attack Example #2: The Unknown
0days
Attack Scenario #2 (diagram, five builds): Metasploit exploits a running vulnerable service behind the Layer 7 FW (a 0day, so nothing in the FW or IDS alerts on it); the attacker sets up persistence with a registry key made of random characters; the endpoint logs reach Splunk through the Splunk LWF; Splunk mitigates on the endpoint.
"Let Me Show You"
The Unknown
Bypass • Attacker infects a vulnerable machine on the network
Analysis • Determined it is an attack because a registry key was placed in an incorrect location with random characters
Mitigated • Send the mitigate_proc command to the endpoint to kill the process and do clean up
Mitigated • Not only is the attack mitigated, the endpoint has been cleaned of the foothold
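The analysis step above rests on one observation: a registry value with a random-looking name written into an autostart location. As an added example that is not code from the deck or from the Splunk-Mitigation-Framework project, here is that detection run over constructed endpoint registry events, producing the mitigator command (system and pid) that the framework would queue. The log line format, the autostart key list, the name-randomness heuristic and its thresholds, and the temp-path check are all assumptions made for this example. Raw Shannon entropy separates short names poorly (a twelve-character random name and a thirteen-character product name score within a few tenths of a bit of each other), so the heuristic below uses consonant runs and case flips instead.

```python
import re

# Constructed endpoint registry events (hypothetical format; fields in fixed order).
ENDPOINT_LOG = r"""2014-10-07T14:07:02Z host=wks-044 event=SetValue pid=3104 image=C:\Windows\System32\cmd.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=ULpdLNrAnXwq data=C:\Users\bob\AppData\Local\Temp\aUdxLk.vbs
2014-10-07T14:07:05Z host=wks-044 event=SetValue pid=2201 image=C:\Program Files\Vendor\setup.exe key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=VendorUpdater data=C:\Program Files\Vendor\updater.exe
2014-10-07T14:07:09Z host=wks-044 event=SetValue pid=1880 image=C:\Windows\explorer.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU value=MRUList data=abc
"""

EVENT_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<host>\S+) event=(?P<event>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>.+?) key=(?P<key>.+?) value=(?P<value>\S+) data=(?P<data>.*)$"
)
# Autostart locations (assumed list); anchored so "...\Explorer\RunMRU" does not match.
AUTOSTART_RE = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)
# Payload dropped in the user's temp directory: corroborating signal, not required.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

VOWELS = set("aeiouAEIOU")


def max_consonant_run(name):
    """Longest run of consonant letters; digits and punctuation break the run."""
    best = run = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def case_transitions(name):
    """Number of upper/lower flips between consecutive letters."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name, min_len=6):
    """Pronounceable product names have short consonant runs and few case flips;
    generated names do not. Thresholds are constructed for this example."""
    if len(name) < min_len:
        return False
    return max_consonant_run(name) >= 4 or case_transitions(name) >= 5


def parse_events(text):
    return [m.groupdict() for m in (EVENT_RE.match(l) for l in text.splitlines()) if m]


def detect(text):
    """Return one finding per autostart write with a random-looking value name,
    each carrying the mitigator command the framework would queue for the endpoint."""
    findings = []
    for ev in parse_events(text):
        if not AUTOSTART_RE.search(ev["key"]):
            continue
        reasons = []
        if looks_random(ev["value"]):
            reasons.append("random_value_name")
        if TEMP_RE.search(ev["data"]):
            reasons.append("payload_in_user_temp")
        if "random_value_name" in reasons:     # the deciding signal; temp path only corroborates
            findings.append({
                "host": ev["host"], "pid": int(ev["pid"]), "key": ev["key"],
                "value": ev["value"], "data": ev["data"], "reasons": reasons,
                "command": f"mitigator system={ev['host']} pid={ev['pid']}",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(ENDPOINT_LOG):
        print(finding["command"], finding["reasons"], finding["value"])
```

The pid in the finding is the process that wrote the value, which is what the deck's mitigate step kills; the data path is what the clean-up step removes.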
Tangent on LWF
Why: We needed Python to take action on the endpoint
What: A Splunk UF with Python
How: c:\..splunk\bin\>splunk enable app SplunkLightForwarder -auth <username>:<password>
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaforwarder#Set_up_light_forwarding_with_the_CLI
Prevention
Just a Framework
Think of the Use Cases
Find the Framework and Docs at: https://github.com/divious1/Splunk-Mitigation-Framework (Coming soon to the Splunk App Store)
Devs: Brian Luger, Jose Hernandez, Monzy Merza
Questions?
THANK YOU
Security office hours: 11:00 AM – 2:00 PM @Room 103, every day. Geek out, share ideas with Enterprise Security developers.
Red Team / Blue Team - Challenge your skills and learn new tricks. Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge; Thurs: 11:00 AM – 2:00 PM. Learn, share and hack.
Birds of a feather - Collaborate and brainstorm with security ninjas. Thurs: 12:00 PM – 1:00 PM @Meal Room.