Ten(?) Holiday Gift Ideas for the SOC Who Has Everything

Dave Ryan

@ SANS SIEM & Tactical Analytics Summit

November 2017

Disclaimer

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.

# whoami > Ryan Kovar, CISSP, MSc (Dist)

Staff Security Strategist, Minister of the OODAloopers, @meansec

• 17 years of cyber security experience

• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research

• Also investigating why printers are so insubordinate ಠ_ಠ

# whoami > Dave Herrald, CISSP, GIAC G*, GSE #79

Security Architect @splunk, @daveherrald

- 20+ years IT and security

- Information security officer, security architect, pen tester, consultant, SE, system/network engineer

- Former SANS Mentor

- Co-creator of Splunk Boss of the SOC

We use Splunk

But you don’t have to!

On the shoulders of giants

Florian Roth

• Twitter: @cyb3rop

• Github: https://github.com/Neo23x0

• Currently employed at: https://www.bsk-consulting.de

• Sigma author

• Yara signature creator extraordinaire

Expectations…

Test your SIEM with Realistic Data

BOTS Data Is Free

• Splunk Boss of the SOC is a realistic, blue-team CTF

• BOTS Version 1 debuted in September 2016

• Data set has been open-sourced (CC0 license)

• Available as pre-indexed Splunk data, JSON, and CSV

https://github.com/daveherrald/botsv1

BOTS Data Is Realistic

• Realistic attack data

• Realistic background noise

• Includes 22 data types, among them:

  • Windows events
  • Microsoft Sysmon
  • Windows registry
  • Wire data (HTTP, DNS, DHCP, etc.)
  • Suricata
  • Firewall

Open source detection rules

SIGMA

Generic Signature Format for SIEM

• Developed by Florian Roth and Thomas Patzke

• https://github.com/Neo23x0/sigma

What’s in the box?

• Rule specification

• Open repository of signatures

• A Python converter for different SIEM systems

SIGMA – Preparing to test against BOTSv1 data

• Focus on Sysmon data for this test
  - About 46 of 148 Sigma rules at time of test

• Need to convert Sigma Sysmon rules to Splunk searches

• I used sigmac.py manually, included with Sigma

• Recommend the excellent TA-Sigma-Searches add-on for Splunk
  - https://github.com/dstaulcu/TA-Sigma-Searches
  - Finished product
  - Also includes the PowerShell wrapper for sigmac.py that takes care of a lot of messy details

SIGMA – Test against BOTSv1 data set

Success!

• sysmon_office_macro_cmd.yml

• sysmon_office_shell.yml

• sysmon_susp_execution_path_webserver.yml

• sysmon_susp_net_execution.yml

• sysmon_webshell_spawn.yml

Follow-up

• More hits with other Sigma rules?

• Contribute new rules to Sigma
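To show what the Sysmon rule conversion step actually does, here is an added, deliberately small Sigma-to-SPL converter written for this page; it is not sigmac.py, not the TA-Sigma-Searches wrapper, and the rule it converts is a constructed one shaped like the office-macro rules above, not copied from the Sigma repository. The `botsv1` index, the Sysmon sourcetype string and the `EventID` to `EventCode` field mapping are assumptions about a BOTSv1 install.

```python
import re

# Constructed Sigma-style rule, as PyYAML's safe_load would return it; shaped
# like the Sysmon office-macro rules but not copied from the Sigma repository.
OFFICE_SHELL_RULE = {
    "title": "Office application spawning a shell (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,
            "ParentImage": ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.EXE"],
            "Image": ["*\\cmd.exe", "*\\powershell.exe"],
        },
        "filter": {"CommandLine": "*\\trusted_updater.exe*"},
        "condition": "selection and not filter",
    },
}

# Sigma field name -> Splunk Sysmon field name (assumed mapping; sigmac does
# this through its backend config files, where EventID becomes EventCode).
FIELD_MAP = {"EventID": "EventCode"}

def quote(value):
    """Render a Sigma value as a Splunk string literal; '*' stays a wildcard."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'

def map_to_spl(fields):
    """Sigma map semantics: keys are ANDed, a list of values for one key is ORed."""
    clauses = []
    for field, value in fields.items():
        values = value if isinstance(value, list) else [value]
        terms = [f"{FIELD_MAP.get(field, field)}={quote(v)}" for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " ".join(clauses)  # adjacent terms are implicitly ANDed in SPL

def sigma_to_spl(rule, index="botsv1",
                 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"):
    """Convert a rule whose condition is 'X' or 'X and not Y'; anything
    richer (e.g. '1 of them') is rejected rather than silently mistranslated."""
    detection = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", detection["condition"].strip())
    if not m:
        raise ValueError(f"unsupported condition: {detection['condition']!r}")
    spl = f'index={index} sourcetype="{sourcetype}" ' + map_to_spl(detection[m.group(1)])
    if m.group(2):
        spl += " NOT (" + map_to_spl(detection[m.group(2)]) + ")"
    return spl
```

Calling `sigma_to_spl(OFFICE_SHELL_RULE)` yields one search you can paste into Splunk against the BOTSv1 Sysmon data; every backslash in a path is doubled because SPL string literals treat a single backslash as an escape.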

Automating your first 15 minutes

The Practice of Network Security Monitoring, Richard Bejtlich

Then one day you have an “incident”

Automate Local Yara Scan

Yara on the local host

Now run Yara on the local host

*thanks Florian!

Yara in da SIEM

Integration into the DFIR world

Supertimeline in Excel Template

Supertimeline in a SIEM

• Store and search over multiple timelines

• Extract the Supertimeline Source Types

• Specify time ranges

• Ad-hoc search

• Familiar color coding
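The steps above (several timelines in one store, source types pulled out as a field, time-range filtering) as an added Python example written for this page; it is not the Plaso add-on linked below. It assumes Plaso's `psort -o l2tcsv` column layout and UTC timestamps; the header row is the real l2tcsv column list, the four event rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# l2tcsv is the log2timeline CSV layout psort writes with "-o l2tcsv".
# Header = real column list; the four events below are constructed.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/24/2016,16:22:10,UTC,M...,FILE,NTFS USN change,Metadata Modification Time,-,wrk-btun,invoice.docm USN_REASON_DATA_EXTEND,invoice.docm USN_REASON_DATA_EXTEND,2,TSK:/$Extend/$UsnJrnl,0,-,usnjrnl:usnjrnl,-
08/24/2016,16:22:14,UTC,...B,EVT,WinEVTX,Creation Time,-,wrk-btun,[4688] A new process has been created,[4688] A new process has been created: cmd.exe,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-
08/24/2016,16:25:02,UTC,.A..,WEBHIST,Chrome History,Last Visited Time,bob,wrk-btun,http://example.invalid/x.php,http://example.invalid/x.php [count: 1],2,TSK:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/History,0,-,sqlite/chrome_27_history,-
08/25/2016,09:00:00,UTC,M...,REG,Registry Key,Content Modification Time,-,wrk-btun,[HKLM\\Software\\Example] Value: run,[HKLM\\Software\\Example] Value: run,2,TSK:/Windows/System32/config/SOFTWARE,0,-,winreg/winreg_default,-
"""

MACB_NAMES = ("modified", "accessed", "changed", "born")

def decode_macb(flags):
    """'M..B' -> ['modified', 'born']; the four positions are M, A, C, B."""
    return [name for flag, name in zip(flags, MACB_NAMES) if flag != "."]

def utc(date, time):
    """Combine l2tcsv date (MM/DD/YYYY) and time (HH:MM:SS) into an aware datetime."""
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_l2tcsv(text, timeline):
    """Rows -> event dicts tagged with the timeline they came from, so several
    hosts' timelines can live in one store and still be told apart."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":  # only UTC output is handled in this example
            raise ValueError(f"unexpected timezone {row['timezone']!r}")
        row["ts"] = utc(row["date"], row["time"])
        row["macb"] = decode_macb(row["MACB"])
        row["timeline"] = timeline
        events.append(row)
    return events

def sourcetype_counts(events):
    """Which plaso source/sourcetype pairs the store holds, with event counts."""
    return Counter((e["source"], e["sourcetype"]) for e in events)

def in_range(events, start, end):
    """Events with start <= ts < end, the time-range step from the slides."""
    return [e for e in events if start <= e["ts"] < end]
```

A SIEM ingest would emit each event dict with `ts` as the event time and `source`/`sourcetype`/`timeline` as indexed fields; the functions above are what the ad-hoc searches then run on.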

Resources

Supertimeline (Plaso) Splunk Apps

• https://github.com/daveherrald/TA_plaso-add-on-for-splunk

• https://github.com/daveherrald/SA_plaso-app-for-splunk

Earlier work from Nick Klein

• https://www.youtube.com/watch?v=xe0qJriD7aM

Labeling your gifts rules

Too many damn rules!

SIEM rule creep

Make a SIEM rule taxonomy!

Don’t reinvent the wheel

• “4” indicates it is in the 4th stage of the kill chain

• “002” indicates it is the 2nd rule written in the “4” category

• “EXP” indicates it is in the ‘Exploit’ category

• Lastly, the name of the rule

https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
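An added Python helper that enforces the naming convention just described; it is not from the talk or the linked Workday slides. It assumes a `-` separator between the components (the slides show the parts, not the separator), numbers stages per the Lockheed Martin Cyber Kill Chain (stage 4 is Exploitation, matching “EXP”), and the category table entries other than EXP are constructed.

```python
import re

# Lockheed Martin Cyber Kill Chain stages, numbered as the slide uses them:
# stage 4 is Exploitation, which is why the "EXP" category sits under "4".
KILL_CHAIN = {1: "Reconnaissance", 2: "Weaponization", 3: "Delivery",
              4: "Exploitation", 5: "Installation", 6: "Command and Control",
              7: "Actions on Objectives"}
# Category abbreviation -> stage it belongs to. Only EXP comes from the slide;
# the other entries are constructed to show how the consistency check works.
CATEGORY_STAGE = {"RECON": 1, "DELIV": 3, "EXP": 4, "INST": 5, "C2": 6, "AOO": 7}

# Assumed layout: stage, 3-digit sequence, category, free-text name, '-' separated.
RULE_NAME = re.compile(r"^(?P<stage>[1-7])-(?P<seq>\d{3})-(?P<cat>[A-Z0-9]+)-(?P<name>\S.*)$")

def parse_rule_name(name):
    """Split a rule name into its parts and reject category/stage mismatches."""
    m = RULE_NAME.match(name)
    if not m:
        raise ValueError(f"rule name does not follow the taxonomy: {name!r}")
    stage, cat = int(m["stage"]), m["cat"]
    if CATEGORY_STAGE.get(cat) != stage:
        raise ValueError(f"category {cat} does not belong to stage {stage} ({KILL_CHAIN[stage]})")
    return {"stage": stage, "phase": KILL_CHAIN[stage], "seq": int(m["seq"]),
            "category": cat, "name": m["name"]}

def next_rule_name(existing, cat, name):
    """Allocate the next sequence number within the category's kill-chain stage
    (the slide numbers rules per stage: "002" is the 2nd rule written in "4")."""
    stage = CATEGORY_STAGE[cat]
    used = [parse_rule_name(r)["seq"] for r in existing
            if parse_rule_name(r)["stage"] == stage]
    return f"{stage}-{max(used, default=0) + 1:03d}-{cat}-{name}"

# Constructed sample rule inventory (not from the talk or the linked slides).
EXISTING = ["4-001-EXP-Office spawns shell", "4-002-EXP-Webserver spawns shell",
            "6-001-C2-Beaconing to rare domain"]
```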

Endpoint Data On-Demand

Current osquery Capability with Splunk

• Schedule osquery queries

• Log results locally

• Monitor with Universal Forwarder

• Analyze with Splunk

• We include this in BOTS v2 if you want to see it in action

• https://splunkbase.splunk.com/app/3278/

What’s new?

Osquery clients directly connected to Splunk

• Multiple endpoints.

• Active connections.

• Windows, Linux, OSX

So what?

Your analysts can now query an endpoint, on-demand…

Choose from saved queries, like Listening Ports

Any connected endpoint

Run the query on the endpoints you choose.

With results available in seconds…

From all the queried clients…

Query results are stored for future analysis

Details

• No Splunk software on the endpoint, osquery only

• TLS transport

• Collects both on-demand and scheduled query results

• GOTO: Disclaimer

TIP’ing your SIEM

OK… So what’s a TIP again?

YETI: An open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense.

Malware Information Sharing Platform (MISP) allows organizations to share information about malware and their indicators. MISP users benefit from the collaborative knowledge about existing malware or threats.

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.

“Threat Intelligence Platform”

A SIEM acting as a TIP

The Practice of Network Security Monitoring, Richard Bejtlich

Optimizing your SIEM Analysis with CyberChef

Optimizing Analysis with CyberChef

• Developed and maintained by GCHQ

• Open source, Apache 2.0 License and Crown Copyright

• https://github.com/gchq/CyberChef

• Convert virtually any data format to any other

• Web based

• Processing is performed locally using JavaScript in the browser

• Easy to use, powerful, programmable, extensible

CyberChef Integrated with Your SIEM

CyberChef Recipes (encodings aplenty and more)

CyberChef Recipes (Holiday Playlist)

Encodings
• Base64
• Hexdump
• URL/HTML Entity

Encryption
• AES
• 3DES
• RC4
• XOR

Public Key Crypto
• Parse X509
• PEM to DER

Logical
• AND/OR/NOT/XOR
• Bit shift
• Endian flip

Networking
• Parse UA string
• Parse URI
• NETBIOS Encoding

Languages
• Dozens
• Unicode un-escaping

Text Manipulation
• Upper, lower
• Sort, count, uniq
• Head, tail
• Regex

Extractions
• IP
• File names
• Domains
• EXIF

Compression
• Zip, gzip, bz2
• Tar

Hashing
• SHA1/SHA2/MD5
• HMAC
• CRC

CyberChef Resources

About: https://www.gchq.gov.uk/news-article/cyberchef-cyber-swiss-army-knife

Code: https://github.com/gchq/CyberChef

Demo: https://gchq.github.io/CyberChef/

Splunk SIEM Integration: https://github.com/daveherrald/TA-cyberchef

Takeaways

• Get some “SIEMspiration”!

• Think outside of “Alerts and Events”

• Use third-party open source tools to “accelerate” your bicycle

• Automate the mundane. Investigate the interesting.

Contact info

Dave Herrald

[email protected]

@daveherrald

Ryan Kovar

[email protected]

@meansec

http://blogs.splunk.com/author/rkovar