©2015 Splunk Inc. Proprietary and Confidential Information. Not for Redistribution
Copyright ©2015 Splunk Inc.
Phishing Attacks: The threat most data breaches start with
Alain Gutknecht, Senior System Engineer
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Recent Headlines
Sources: FBI; Computerworld UK; Verizon DBIR 2015; isc.sans.edu
23% of recipients now open phishing messages and 11% click on attachments (Verizon DBIR 2015).
50% open e-mails and click on phishing links within the first hour (Verizon DBIR 2015).
Advanced Threats Are Hard to Find
Adversaries: cyber criminals, nation states, insider threats.
100%: valid credentials were used
40: average number of systems accessed
229: median number of days before detection
67%: of victims were notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014
The traditional way: focus on mass mailing
• Direct or indirect delivery of malware
• Spam filters and sandboxing technologies are good at detecting this
Tax return picture from https://www.proofpoint.com
True story: State of Michigan (SOM), user account spoofing
• Phishing mail: "Mailbox reached storage limit..."
• The custom-designed Outlook Web Access portal of SOM was rebuilt by the attacker
• It asked for e-mail address, username, password and date of birth...
To how many users was the mail delivered? How many clicked? How many filled it out?
• Delivered to 2800 employees before being blocked
• 155 employees clicked the link
• 144 employees provided their credentials
Source: GISEC 2015 keynote, ex-Michigan CSO Dan Lohrmann
The trend: which one is the valid one?
Why are phishing attacks seen as an increased risk?
• More focused: backed by social engineering research on the target
• Localized
• No longer bad Google translations
• Using valid graphics and formatting
• Sent out to targeted people or groups
• Sent from e-mail accounts with a good reputation
• Use everyday use cases to get the click on a link:
  – No longer just "validate your bank credentials"
  – Download the signature for a postal delivery
  – Download the online PDF bill from YOUR mobile provider
Kill Chain – Breach Example
Stages: Discovery, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives
Storyline across the stages: attacker creates a custom web page → e-mails to the target → target reads the e-mail and clicks the link (HTTP/web session to the faked web portal) → enters login credentials, downloads malware → steal data, persist in the company, sell access to a third party (acting like a legitimate user, stealing further PI information, utilizing the user's authorizations)
Data sources that see the stages: threat intelligence, access/identity, endpoint, network, VPN portals, web
You need to have the capability to answer any question about an attack within your organisation.
A new approach to security operations is needed
Threat / attack approach:
• Human directed
• Goal-oriented
• Dynamic (adjusts to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security approach: analytics-driven security, built on technology, people and process
Analytics-Driven Security
• Risk-based
• Context and intelligence
• Connecting data and people
Security Intelligence
Platform capabilities: report and analyze, custom dashboards, monitor and alert, ad hoc search, developer platform
Enrichment: threat intelligence, asset & CMDB, employee info, external lookups
Data sources: data stores, applications, online services, web services, security, GPS/location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, firewall, authentication, servers, endpoint
Phishing – Advanced Analytics Sources
Web proxy log (rarely visited website, user name JohnDoe):
2013-08-09 16:21:38 10.11.36.29 98483148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152;)" User JohnDoe,"
Endpoint log (rarely seen service, user name JohnDoe):
08/09/2013 16:23:51.0128 event_status="(0) The operation completed successfully." pid=1300 process_image="\JohnDoe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\JohnDoe-PC\Printers\{}\NeverSeenbefore" data_type=""
Email server log (rarely seen e-mail domain, user name in the recipient address):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,,[email protected],Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
Correlation: all three events occurring within a 24-hour period for the same user name: a rarely seen e-mail domain (email server), a rarely visited website (web proxy) and a rarely seen service (endpoint logs).
Using a Kill Chain Framework – Earlier Stage Detection
Phishing example:
• Delivery & Installation: rarely seen e-mail (e-mail log), rarely seen web traffic (web log), abnormal registry access (host log)
• Persist, repeat: delivery, exploitation, installation
• Gain trusted access
• Exfiltration: data gathering, upgrade (escalate), lateral movement
• Persist, repeat
Use indicators & attributes to find infected systems and users, verify controls, and protect.
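The three-source correlation on the "Advanced Analytics Sources" slide and the delivery-stage detections on the kill chain slide above, as an added example that is not Splunk's code or the presenter's. It runs over constructed log lines whose layouts are simplified versions of the slide's Exchange message-tracking, web-proxy and Windows-registry events; the `user="..."` field on the endpoint event, the lower-casing of user names to join the three sources, the "seen by at most one distinct user" definition of rarely seen, and treating every timestamp as UTC are assumptions of this example.

```python
"""Correlate rarely seen e-mail domain + rarely visited web site + rarely seen
process for one user inside a 24-hour window (added example, not Splunk's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)   # "all three occurring within a 24-hour period"
RARE_MAX_USERS = 1             # indicator seen by this many distinct users or fewer = "rarely seen"

# Constructed sample data (not real traffic). hr@corp.example.com, the intranet site and
# explorer.exe are seen by several users; the phishing domain, site and binary are seen once.
EMAIL_LOG = """\
2013-08-08T08:00:00.000Z,STOREDRIVER,DELIVER,hr@corp.example.com,johndoe@corp.example.com,Timesheet reminder
2013-08-09T08:00:00.000Z,STOREDRIVER,DELIVER,hr@corp.example.com,janeroe@corp.example.com,Timesheet reminder
2013-08-09T12:40:25.475Z,STOREDRIVER,DELIVER,payroll@neverbeenseenbefore.com,johndoe@corp.example.com,Please open this attachment with payroll information
"""
PROXY_LOG = """\
2013-08-08 09:00:00 10.11.36.29 GET intranet.corp.example.com JohnDoe
2013-08-09 09:05:40 10.11.36.30 GET intranet.corp.example.com JaneRoe
2013-08-09 16:21:38 10.11.36.29 GET www.neverbeenseenbefore.com JohnDoe
"""
# user="..." is an assumed field; the slide's registry event carries the user only in the path.
ENDPOINT_LOG = """\
08/09/2013 09:10:00.0000 user="JohnDoe" pid=812 process_image="C:\\Windows\\explorer.exe" registry_type="CreateKey" key_path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
08/09/2013 09:11:00.0000 user="JaneRoe" pid=900 process_image="C:\\Windows\\explorer.exe" registry_type="CreateKey" key_path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
08/09/2013 16:23:51.0128 user="JohnDoe" pid=1300 process_image="C:\\Windows\\System32\\neverseenbefore.exe" registry_type="CreateKey" key_path="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Providers\\JohnDoe-PC"
"""

# Every parser yields (timestamp, user, source, indicator). User names are lower-cased so the
# mail local part, the proxy user field and the endpoint user field join on one key (assumption).
def parse_email(text):
    for line in text.splitlines():
        ts, _, _, sender, recipient, _subject = line.split(",", 5)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, recipient.split("@")[0].lower(), "email", sender.split("@")[1].lower()

def parse_proxy(text):
    for line in text.splitlines():
        day, clock, _ip, _method, host, user = line.split()
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield when, user.lower(), "web", host.lower()

KV = re.compile(r'(\w+)="([^"]*)"')   # quoted key="value" pairs of the endpoint event
def parse_endpoint(text):
    for line in text.splitlines():
        day, clock, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        when = datetime.strptime(f"{day} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        exe = fields["process_image"].rsplit("\\", 1)[-1].lower()   # basename of the image
        yield when, fields["user"].lower(), "endpoint", exe

def load_events():
    return list(parse_email(EMAIL_LOG)) + list(parse_proxy(PROXY_LOG)) + list(parse_endpoint(ENDPOINT_LOG))

def rare_indicators(events):
    """(source, indicator) pairs seen by at most RARE_MAX_USERS distinct users."""
    users = defaultdict(set)
    for _, user, src, ind in events:
        users[(src, ind)].add(user)
    return {key for key, seen_by in users.items() if len(seen_by) <= RARE_MAX_USERS}

def correlate(events, rare):
    """Alert on a user whose rare email, web and endpoint events all fall inside one WINDOW."""
    by_user = defaultdict(list)
    for ts, user, src, ind in events:
        if (src, ind) in rare:
            by_user[user].append((ts, src, ind))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()   # oldest first, so each window starts at a rare event and looks forward
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            if {src for _, src, _ in window} == {"email", "web", "endpoint"}:
                alerts.append({"user": user, "start": start,
                               "indicators": {src: ind for _, src, ind in window}})
                break   # one alert per user; the analyst pivots on user and indicators from here
    return alerts

def run():
    events = load_events()
    return correlate(events, rare_indicators(events))

if __name__ == "__main__":
    for alert in run():
        print(alert["user"], alert["start"].isoformat(), alert["indicators"])
```

Two caveats a practitioner should keep in mind. First, rarity by distinct-user count is the right measure for a targeted mail, but a mass campaign like the State of Michigan one (2800 mailboxes) makes the sender domain look popular on day one; complement it with a first-seen baseline (was this domain, site or binary ever observed before today?). Second, the slide's proxy and endpoint lines carry local time while the Exchange line carries UTC; the example assumes everything is UTC, and in a real deployment the time-zone normalisation has to happen at ingest or the 24-hour window silently shifts.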
Key questions that the press, investors, customers and management ask an organization that has publicly disclosed an incident:
• How did the attacker gain initial access to the environment?
• How did the attacker maintain access to the environment?
• What is the storyline of the attack?
• What data was stolen from the environment?
• Have you contained the incident?
Source: Mandiant
Demo: Splunk Enterprise Security
Splunk @ Maastricht University
Before Splunk:
• User accounts got compromised and hijacked by phishing attacks
• Hijacked accounts were used for sending out spam, which resulted in the e-mail domain being blacklisted
• Interruption of the e-mail service
• Users got locked out of their accounts; the team struggled to identify the cause and fix it
After Splunk:
• Better understanding of what 'normal' looks like in their environment
• Investigate any suspicious activity in student and staff accounts
• Monitor access to important or sensitive mailboxes for any unauthorized access
• Monitor for abnormally large volumes of mail to one inbox
• Determine the attributes of a phishing attack
• React more quickly when other things go wrong
• The sysadmin team can now immediately identify the device on which the wrong credentials were used
Splunk @ PostFinance – Phishing Attack Workflow
Use Case Overview
Hunter and IT-security use cases (listed side by side on the slide): on-demand APT scanning, SSL certificate analytics, user agent string analytics, privileged user monitoring, botnet detection, fraud detection in e-payment, unauthorized service monitoring, identify patient zero, vulnerability management posture, fraud detection in online banking, update monitoring, detecting zero-day attacks, threat intelligence correlation, fraud detection in proper service usage, website defacement, detect and stop data exfiltration, user account sharing, defense-in-depth investigations, spam to external, phishing attacks, incident investigation across teams, give teams the visibility they need, SQL injections, dynamic risk and pattern management, monitoring of expired user accounts
CISO use cases: In the news!, information-driven security, compliance reporting, centralized situational awareness