Copyright © 2012 Splunk Inc. Paul Pang, Chief Security Strategist, APAC & Japan. Risk-based Security Analytics for Effective APT Defense

Aug 26, 2018

Page 1: Risk based Security Analytics for Effective APT Defense 4_Risk-based... · Risk based Security Analytics ... Advanced Threat Detection ... – Splunk comeswith Predication library

Copyright © 2012 Splunk Inc.

Paul Pang, Chief Security Strategist, APAC & Japan

Risk-based Security Analytics for Effective APT Defense

Page 2

Security Analytics Methodology

• Correlation (patterns between different kinds of logs)
  – Incident investigation scenario (carried out manually until now?)
  – Tracking of unauthorized access (what is the impact and damage?)
  – Monitoring whether any critical asset is accessed by an external dangerous site

• Statistical (analysis of the same type of log, big data)
  – Baselining of normal activity (average, max, min)
  – Abnormality detection (rare outliers)
  – Comparison of time series (time, season, case pattern)

Page 3

Security Intelligence Use Cases

Splunk provides solutions that address SIEM use cases and more:

• Fraud Detection
• Insider Threat
• Advanced Threat Detection
• Security & Compliance Reporting
• Incident Analysis & Investigations
• Real-time Monitoring & Alerting

Traditional SIEM (security log focus) → Next Gen SOC (all machine data)

Page 4

New Types of Security Guru

Multiple roles with different backgrounds, skills, pay levels and personalities:

• SOC Manager
• SOC Admin & Architect
• Project Manager
• Tier 1 Analyst
• Tier 2 Analyst
• Tier 3 Analyst (CSIRT), the key APT hunter
• Forensics Specialist
• Malware Engineer
• Counter-Intel

• On-the-job training and mentoring, and external training & certifications
• Operating hours and SOC scope play a key role in driving headcount
• Tier 3 Analysts focus on NG SOC technology such as risk-based analytics, APT hunting, threat intelligence …

Page 5

All Data is Security Relevant = Big Data

All Security Relevant Data:
• "Non-security" user- and machine-generated data behind credentials. Includes "unknown" threats.
• AD, OS, DNS, DHCP, email, proxy, badge, industrial control systems, etc.

Security Relevant Data (Traditional SIEM):
• "Security" data, or alerts from point security products. "Known" threats.
• Firewall, anti-malware, IDS, DLP, vulnerability scan

Page 6

Proactive Security Monitoring and Forensics

"Splunk allows us to quickly consolidate and correlate disparate log sources, enabling previously impractical monitoring and response scenarios."
– Dave Schwartzburg, Computer Security Incident Response Team

• Enabled proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, incident detection and response
• Delivered a centralized view into user activities and in-scope systems

Page 7

Page 8

0-day detection: Real time Anomaly Detection (Machine Learning - Protected by Maths)

Page 9

CSIRT Logging Deployment

• 25 indexers / 7 clusters
• HA, load balanced, & scalable
• Index up to 1TB/day
• 150TB storage

Page 10

Correlation Analytic Example

• WAF > Web (HTTP Server) > Web App
  – WAF alerts detected: what is the effect on the web server application behind the WAF?
  – Using the same source IP address or time range as a "key", aggregate and group the corresponding logs
  – Display the following information to the security admin in real time as a single incident:
    · WAF alert content (WAF log)
    · HTTP URL request (web server log)
    · Response from the application server (application log)

Page 11

Machine data generated in each layer (sources: Web App Firewall (F5 ASM), Web Server (Apache), Application (WebSphere)), keyed by source IP and time range:

Web Server (Apache):
131.178.233.243 - - [24/Jun/2014 12:29:01:183] "GET /category.screen?category_id=FLOWERS&JSESSIONID=SD5SL6FF7ADFF6 HTTP 1.1" 200 308 "http://www.myflowershop.com/product.screen?product_id=K9-CW-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 701

Application (WebSphere):
[06/24/14 12:29:23 UTC] 000000af StorageApi E com.ibm.wps.policy.commands.StorageApi logExceptionGetPvsProperties EJQAB0061E: An ItemNotFoundException occurred in method logExceptionGetPvsProperties.com.ibm.portal.WpsException: EJQAB0061E: An ItemNotFoundException occurred in method logExceptionGetPvsProperties.at (PolicyService.java:191)

Web App Firewall (F5 ASM):
June 24 12:29:01 172.29.70.161 ASM:unit_hostname="asm232.labt.ts.f5net.com",management_ip_address="172.29.69.232",web_application_name="/Common/ASM_Class1",policy_name="AllViolations",policy_apply_date="2011-09-30 13:58:53",violations="Mandatory HTTP header is missing,Illegal URL length,Illegal request length,Illegal header length,IllegalURL",support_id="1446599167164232350",request_status="alerted",ip_client="131.178.233.243"

Figure: trace from the WAF alert to the application ("WAF → Application") within a time range of +5 seconds (TimeRange + 5s), taking any machine data within 1 minute, joined on the source IP.
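The aggregation described on the two slides above (the WAF > Web > Web App chain and the TimeRange + 5s join), as an added example that is not from the deck. The three records are constructed to mirror the ones shown; the year of the WAF syslog line and a shared clock across the three sources are assumptions. Web requests join on client IP plus time, while the application log, which carries no client IP, joins on the time window only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on the three layers shown on page 11:
# F5 ASM WAF alert, Apache access log, WebSphere application log.
WAF_LOG = ('June 24 12:29:01 172.29.70.161 ASM:unit_hostname="asm232.labt.ts.f5net.com",'
           'policy_name="AllViolations",violations="Illegal URL length,Illegal request length",'
           'support_id="1446599167164232350",request_status="alerted",ip_client="131.178.233.243"')
WEB_LOG = ('131.178.233.243 - - [24/Jun/2014 12:29:01:183] "GET /category.screen?category_id=FLOWERS'
           ' HTTP 1.1" 200 308 "http://www.myflowershop.com/product.screen" "Mozilla/5.0" 701')
APP_LOG = ('[06/24/14 12:29:23 UTC] 000000af StorageApi E com.ibm.wps.policy.commands.StorageApi '
           'logExceptionGetPvsProperties EJQAB0061E: An ItemNotFoundException occurred')

def parse_waf(line, year=2014):
    """F5 ASM syslog line: the timestamp has no year (assumed), key="value" body after 'ASM:'."""
    m = re.match(r'(\w+ \d+ \d\d:\d\d:\d\d) \S+ ASM:(.*)', line)
    kv = dict(re.findall(r'(\w+)="([^"]*)"', m.group(2)))
    return {"ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %B %d %H:%M:%S"),
            "ip": kv["ip_client"], "support_id": kv["support_id"],
            "violations": kv["violations"].split(",")}

def parse_web(line):
    """Apache access log: client IP, timestamp (milliseconds dropped), request line."""
    m = re.match(r'(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4} \d\d:\d\d:\d\d):\d+\] "([^"]*)"', line)
    return {"ts": datetime.strptime(m.group(2), "%d/%b/%Y %H:%M:%S"),
            "ip": m.group(1), "request": m.group(3)}

def parse_app(line):
    """WebSphere SystemOut line: timestamp, thread id, component, level, message."""
    m = re.match(r'\[([\d/]+ \d\d:\d\d:\d\d) UTC\] (\S+) (\S+) (\S) (.*)', line)
    return {"ts": datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
            "level": m.group(4), "message": m.group(5)}

def correlate(waf_events, web_events, app_events, window_s):
    """One incident per WAF alert. Web requests join on client IP AND the time window
    [alert, alert + window_s]; the application log carries no client IP, so it joins
    on the time window only (all three sources are assumed to share one clock)."""
    incidents = []
    for waf in waf_events:
        lo, hi = waf["ts"], waf["ts"] + timedelta(seconds=window_s)
        web = [e for e in web_events if e["ip"] == waf["ip"] and lo <= e["ts"] <= hi]
        app = [e for e in app_events if lo <= e["ts"] <= hi]
        incidents.append({"ip": waf["ip"], "support_id": waf["support_id"],
                          "violations": waf["violations"], "web": web, "app": app})
    return incidents

def build_incidents(window_s=60):
    """Run the three parsers over the sample records and correlate with the given window."""
    return correlate([parse_waf(WAF_LOG)], [parse_web(WEB_LOG)], [parse_app(APP_LOG)], window_s)
```

With the slide's +5s window the WebSphere error (22 seconds after the alert) falls outside the incident; the 1-minute window picks it up, which is why both ranges appear on the slide.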

Page 12

Incident Review based on aggregation of events by Splunk

Figure: incident review table grouped by Source IP, with columns Time, SourceType (F5 WAF, Web Log, Application Log) and Host.

Page 13

Advanced Threat Detection and Response

Figure: the data layers (Threat intelligence; Auth – User Roles; Host Activity/Security; Network Activity/Security) mapped against an intrusion sequence:
• MAIL / WEB: events that contain a link to a file (web portal .pdf)
• .pdf → Svchost.exe → Calc.exe: how was the process started? What created the program/process?
• Proxy log: C2 communication to a blacklisted destination; which process is making the C2 traffic?
• Attacker objectives: gain access to the system / transaction, create additional environment, conduct business

Page 14

Kill Chain Analysis

Figure: the same four data layers (Threat intelligence; Auth – User Roles; Host Activity/Security; Network Activity/Security) with the records that tie the chain together:

Threat feed (indicator, tag):
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http

Endpoint network event (the process making the C2 connection):
{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": "3259531", "port": 443}

CMDB asset lookup (dest_ip → asset context):
dest_ip | cmdb_bu_owner | cmdb_application_name | cmdb_system_owner | cmdb_app_lifecycle | cmdb_s_ox | cmdb_GLBA | cmdb_app_uses_ssn | cmdb_credit_card_data | cmdb_priority | cmdb_server_software | cmdb_supported_by | cmdb_server_phase | cmdb_db_server | cmdb_db_name | cmdb_PCI | cmdb_PII | cmdb_safe_harbor
192.168.56.102 | Sales | Laptop | [email protected] | Production | No | No | No | No | Tier 3 | Windows7 | Internal | Deployed | N | N/A | No | No | No
172.20.12.224 | Marketing | Laptop | [email protected] | Production | No | No | No | No | Tier 3 | Windows7 | Internal | Deployed | N | N/A | No | No | No
172.20.10.217 | eCommerce | Laptop | [email protected] | Staging | Yes | Yes | No | Yes | Tier 1 | Windows7 | Internal | Deployed | Y | Oracle | Yes | Yes | Yes
172.20.15.229 | eCommerce | Laptop | [email protected] | Staging | Yes | Yes | No | Yes | Tier 1 | Windows7 | Internal | Deployed | Y | Oracle | Yes | Yes | Yes

Endpoint file event (the attachment written to disk):
{"action": "create", "path": "…\Content.Outlook\Q2_commission.pdf", "process_guid": "-7751687"}

E-mail header (delivery of the attachment):
Subject: new commission report breakdown
From: Jose Dave <[email protected]>
To: <[email protected]>
Content-type: multipart/mixed; Content-type: application/pdf; name="Q2_commission.pdf"

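An added example, not from the deck, of the pivot this slide draws: the threat-feed CIDRs are matched against the destination of the endpoint network event, and the CMDB row for the originating host supplies the asset context that makes the alert risk-based. The host_ip field on the event, the tag cymru_http, the malformed feed line and the risk weighting are assumptions.

```python
import ipaddress
import json

# Constructed records modelled on the kill-chain slide: a CIDR threat feed, the endpoint
# network event and two rows of the CMDB table. The event's host_ip field is an
# assumption (the slide's event has no source host); the feed tag cymru_http is assumed.
THREAT_FEED = """115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http
not-a-cidr,broken_line"""
NET_EVENT = json.loads('{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", '
                       '"process_guid": "3259531", "port": 443, "host_ip": "192.168.56.102"}')
CMDB = {  # dest_ip -> selected cmdb_* columns from the slide's table
    "192.168.56.102": {"bu_owner": "Sales", "priority": "Tier 3", "PCI": "No", "PII": "No"},
    "172.20.10.217": {"bu_owner": "eCommerce", "priority": "Tier 1", "PCI": "Yes", "PII": "Yes"},
}

def load_feed(text):
    """Parse 'cidr,tag' lines into (network, tag) pairs; malformed lines are skipped."""
    feed = []
    for line in text.splitlines():
        try:
            cidr, tag = line.strip().split(",", 1)
            feed.append((ipaddress.ip_network(cidr, strict=False), tag))
        except ValueError:
            continue
    return feed

def match_feed(ip, feed):
    """Tags of every feed CIDR that contains ip (a /32 entry matches exactly one address)."""
    addr = ipaddress.ip_address(ip)
    return [tag for net, tag in feed if addr in net]

def score_event(event, feed, cmdb):
    """Risk-based view of one network event: feed hits on the destination, weighted by the
    CMDB context of the originating host (Tier 1 or PCI/PII assets count double)."""
    tags = match_feed(event["ipv4"], feed)
    asset = cmdb.get(event.get("host_ip"), {})
    sensitive = asset.get("priority") == "Tier 1" or "Yes" in (asset.get("PCI"), asset.get("PII"))
    return {"process_guid": event["process_guid"], "dest": event["ipv4"], "tags": tags,
            "asset": asset, "risk": len(tags) * (2 if sensitive else 1)}
```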

Page 15

Free Threat Feed

Page 16

Page 17

Visual Investigations for All Assets and Users

Page 18

Statistical Analytics Example – Baselining user activities to detect abnormality

e.g. 1) Counting the number of characters in the "User-Agent" in the WAF or HTTP log
  · Much malware appears to counterfeit the "User-Agent"
  · Visualize the distribution of the character pattern and count

e.g. 2) Counting the number of characters in the "HTTP Request URL"
  · Much malware sends data out secretly by pretending to be a normal web request

Page 19

Real time statistical analytics in Splunk: counting "User_Agent" length

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Character count: 74

Figure: table of UserAgent content inside logs, PatternLength and Count.

Page 20

A lot of web-based attacks use VERY long URLs

A mean URL length of 128 bytes looks normal, but a maximum URL length of 9KB looks suspicious. We found a lot of LONG URLs trying to access the external site "http://103.7.28.187/pingd?type-1&dm=www.discouss.com.hk …". After verifying with http://urlquery.net/report.php?id=2182484, they are Tencent QQ/WeChat messages; the long HTTP packages are encrypted SMS.

Page 21

Visualize the Pattern in Real time

Figure: chart of counts (件数 = Count) per pattern.

Page 22

1. Risk-based security

Security Baselining and Abnormal Detection

Page 23

Statistical Analytics Example 2: Prediction

– Splunk comes with a prediction library to calculate future values and value ranges from the trend of the data
– E.g. prediction of a DoS attack if the pattern exceeds the 95th percentile
– Alerts can be automated when a value exceeds the predicted range

Figure: WAF event detection value range until now, and future value range based on prediction.
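An added example, not from the deck, of the baselining on Pages 18-20 and the predicted-range alerting on this slide: character counts of the request URL and User-Agent are taken from constructed access-log lines, the baseline keeps the average, max and min named on Page 2 plus a nearest-rank 95th percentile used as the predicted upper bound, and rarely seen lengths are listed as on Page 19. The log lines, the percentile method and the field names are assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines (not from the deck): twenty ordinary requests as history, then
# one request with a ~9 KB URL and one with an odd User-Agent, the shapes pages 18-20 describe.
NORMAL_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

def access_line(ip, url, ua):
    return f'{ip} - - [24/Jun/2014 12:29:01] "GET {url} HTTP/1.1" 200 308 "-" "{ua}"'

HISTORY = [access_line(f"10.0.0.{i}", f"/category.screen?category_id=FLOWERS{i:02d}", NORMAL_UA)
           for i in range(20)]
NEW = [access_line("10.0.0.99", "/pingd?type=1&dm=" + "A" * 9000, NORMAL_UA),  # very long URL
       access_line("10.0.0.98", "/index.html", "x"),                          # rare User-Agent
       access_line("10.0.0.97", "/category.screen?category_id=FLOWERS99", NORMAL_UA)]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def lengths(lines):
    """Character counts of the request URL and User-Agent, one record per parseable event."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append({"ip": m.group(1), "url_len": len(m.group(2)), "ua_len": len(m.group(3))})
    return out

def baseline(values):
    """Average/max/min as on the baselining slide, plus a nearest-rank 95th percentile
    (no interpolation) used as the predicted upper bound for alerting."""
    s = sorted(values)
    return {"avg": statistics.mean(s), "max": s[-1], "min": s[0],
            "p95": s[min(len(s) - 1, round(0.95 * (len(s) - 1)))]}

def rare_patterns(events, field, min_count=2):
    """Length values seen fewer than min_count times: the 'rare outlier' view of page 19."""
    counts = Counter(e[field] for e in events)
    return {length: n for length, n in counts.items() if n < min_count}

def alerts(history, new, field):
    """Alert on new events whose length exceeds the p95 predicted from the history window."""
    base = baseline([e[field] for e in history])
    return [e for e in new if e[field] > base["p95"]]
```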

Page 24

Advanced Threat Detection example: New Domain Analysis

• Identify unexpected top level domain activity
• Hosts talking to recently registered domains
• Discover outlier activity to newly registered domains

Page 25

Determine the DNS baseline

Page 26

Platform for Machine Data: Easy to Adopt Splunk, Rich Ecosystem of Apps Across Data Sources, Use Cases & Consumption Models

Figure: data inputs shown around the platform: Mainframe Data, VMware, Exchange, PCI Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Stream.

Page 27

Further Reading

• www.splunk.com
  – Whitepaper, Splunk and the SANS Top 20 Critical Security Controls
• NIST.gov – FISMA Compliance, FAQ on Continuous Monitoring

Page 28

Thank You

Page 29

The Splunk Platform for Security Intelligence

Copyright © 2014 Splunk Inc.

Figure: SPLUNK ENTERPRISE (CORE), SPLUNK FOR ENTERPRISE SECURITY and 200+ SECURITY APPS; app sources: SPLUNK-BUILT APPS, VENDOR, OPEN SOURCE COMMUNITY; data sources: Wire (NFT) data, SIEM integration, RDBMS (any) data, Windows (host/inf) data, Unix & Linux data, Exchange (email, inf) data, more…