stoQ’ing your Splunk Ryan Kovar, Splunk Marcus LaFerrera, PUNCH SANS DFIR 2016


Feb 24, 2018

Transcript
Page 1

stoQ’ing your Splunk

Ryan Kovar, Splunk

Marcus LaFerrera, PUNCH

SANS DFIR 2016

Page 2

Ryan Kovar

• Staff Security Strategist @Splunk

• Does Security things and then talks about them

• 17+ years defending networks in the private sector

Marcus LaFerrera

• Director of Development @PUNCH

• Lead stoQ Developer

• 18+ years supporting the government

Page 3

Agenda

• Overview of stoQ

• Overview of Splunk

• A DFIR use case walk through

• Questions

Page 4

TOOL * N == :(

NOTHING COMMUNICATES AND MOST TOOLS REQUIRE MANUAL INTERACTION

Page 5

HOW’S THE WEATHER OUT THERE OLLIE?

IT’S CYBER

Page 6

stoQ

Page 7

STOQ IS A FRAMEWORK THAT ENABLES EVERYONE TO AUTOMATE PROCESSES, ANALYTICS, AND JUST ABOUT ANYTHING ELSE

Page 8

AUTOMATE AND REDUCE THE MAJORITY OF YOUR MOST MUNDANE ANALYTIC TASKS

Page 9

LEVERAGE ALL OF YOUR TOOLS SIMULTANEOUSLY, AND SAVE THOSE RESULTS FOR LATER

Page 10

IT’S A FORCE MULTIPLIER

Page 11

LOOK AT YOUR DATA, RATHER THAN SEEKING WAYS TO CAPTURE OR PRODUCE IT

Page 12

COMMAND LINE, INTERACTIVE SHELL, OR FULLY AUTOMATED

Page 13

EVERYTHING IS A PLUGIN, FROM INPUT TO OUTPUT AND EVERYTHING IN BETWEEN

Page 14

Tell me more about Plugins…

• Very simple and easy to write

• Lots of documentation and examples

• stoQ does most of the heavy lifting

Page 15

Over 40 stoQ Plugins Available

• E-mail Parser
• VTMIS
• TotalHash
• Yara
• Censys
• Fireeye
• IOC Extract
• Pastebin
• PassiveTotal
• ClamAV
• Opswat
• TRiD
• RabbitMQ
• Suricata
• Tika
• PEinfo
• Excel
• XOR
• Base64
• Bit Rotation
• Bro Intel
• Fluentd
• Google Cloud Storage
• Amazon S3
• Slack
• ThreatCrowd
• MongoDB
• ElasticSearch
• Exif
• And many more…

Page 16

IT’S OPENSOURCED

Pages 17 to 20 (no transcribed text)

Page 21

Splunk Can Ingest ALL THE DATA

Meets Key Needs of SOC Personnel:

• Monitor & Alert

• Search & Investigate

• Custom Dashboards & Reports

• Analytics & Visualization

Real-time Machine Data:

• Cloud Apps
• Servers
• Email
• Web
• Network Flows
• DHCP/DNS
• Custom Apps
• Badges
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication
• Storage
• Industrial Control
• Mobile

Security Intelligence Platform

External Lookups / Enrichment:

• Threat Feeds
• Asset Info
• Employee Info
• Data Stores
• Network Segments

Page 22

Then Build Security Dashboards

• Incident Investigations & Management

• Dashboards and Reports

• Statistical Outliers

• Asset and Identity Aware

Page 23 (no transcribed text)

Page 24

The Splunk App for stoQ

Page 25

THE STOQ DFIR APP FOR SPLUNK!

• ALLOWS YOU TO VISUALIZE STOQ RESULTS

• MAKE CONNECTIONS THAT WERE DIFFICULT TO SEE BEFORE

• QUICKLY PIVOT TO NEW DATA SOURCES

• APPLY THREAT INTELLIGENCE TO STOQ DATA

Page 26

A DFIR Scenario

Page 27

You are an analyst at a Fortune 100 company

Page 28

A user reports an email with a suspicious attachment

Page 29

We need to quickly identify if the file is good or bad

Pages 30 to 36

SPLUNK PLACEHOLDER (each of these seven slides carries only this placeholder text)

Page 37

WHERE DO I GET ALL OF THIS INCREDIBLENESS???

https://splunkbase.splunk.com/app/3196/

http://stoq.punchcyber.com

Page 38

Questions? Try it out instead

Ryan Kovar

[email protected]

@meansec

Marcus LaFerrera

[email protected]

@mlaferrera

https://demo.stoq.io

Username: dfir2016

Password: stoqingyoursplunk