Splunk Enterpise for Information Security Hands-On

Editor's Notes

1. Splunk excels at creating a data fabric Machine data: Anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
2. The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Hunk – for analytics on data in Hadoop Splunk Mint – to get insights into data from Mobile devices The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
3. Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
4. The OWASP (Open Web Application Security Project ) Top Ten represents a broad consensus about what the most critical web application security flaws are.
5. A SQL injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query. Injections let attackers modify a back-end statement of command through unsanitized user input. Imagine a form that accepts an email address and password then submits them to a PHP file named index.php. Instead of entering a “real” username or password, the hacker will enter a SQL command (or a JSON string in the case of a NoSQL database). This piece of malicious code is then sent to the database, which executes the command as if it were an expected string (like a username). Cybercriminals use injection attacks against databases to export data such as Personally Identifying Data (PII), to delete accounts, create bogus accounts and modify data. Injection attacks can even be used to initiate a Denial of Service (DOS) attack. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations, etc. Suppose a user supplies admin@admin.sys and 1234 as the password. The statement to be executed against the database would look something like this <CLICK> The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field. <CLICK> xxx@xxx.xxx' OR 1 = 1 And essentially anything for the password. <CLICK>
6. Under SplunkLive Security 2016 App, open Web Attacks -> Simple SQL Injection Scroll down to see search syntax and results and explanations Splunk supports the Boolean operators: AND, OR, and NOT; the operators have to be capitalized. The AND operator is always implied between terms, that is: “password select” is the same as “password AND select”.
7. Expand on the previous search by adding specific credentials and using iplocation, identify any attacks from the Ukraine. Also note that Splunk search terms and field values are case insensitive.
8. Under SplunkLive Security 2016 App, open Web Attacks -> Advanced SQL Injection Scroll down to see search syntax and results and explanations As mentioned in the intro, Splunk does not limit how you perform searches, you can use countless ways to find the same results.
9. This is the pattern that the SQL injection search app leverages; we will augment it to list the attackers.
10. Under SplunkLive Security 2016 App, open Lateral Movement -> Lateral Movement Detection: Legacy Pass the Hash Scroll down to see search syntax and results and explanations
11. Under SplunkLive Security 2016 App, open Lateral Movement -> Lateral Movement Detection: Network Destinations Scroll down to see search syntax and results and explanations
12. Under SplunkLive Security 2016 App, open DNS Exfil -> DNS Exfil: Detecting Data Exfiltration Scroll down to see search syntax and results and explanations
13. DNS exfil: 18k text file - Infected host is 10.124.15.193 - Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com - Time frame is around 1946-2134 08AUG14 20mb+ Zip file - Infected host is 10.124.15.193 - Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com - Time frame is around 1853-1927 08AUG14
14. op
15. We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!