2016-04-18 Fight against Phishing with Splunk - · PDF fileSplunk undertakes no obligation either to develop the featuresor functionality ... 2016-04-18 Fight against Phishing with

©2015Splunk Inc.Proprietary andConfidential InformationNotforRedistribution

Copyright ©2015Splunk Inc.

PhishingAttacksThethreatmostdatabreachesstartwith

AlainGutknechtSeniorSystemEngineer


SafeHarborStatementDuring thecourseof this presentation, wemay make forward looking statements regarding future eventsor the expected performance of the company. We caution you that such statements reflect our currentexpectationsand estimatesbased onfactors currently known to us and that actual eventsor results coulddiffer materially. For important factors that may cause actual results to differ from those contained in ourforward-looking statements, please review our filings with the SEC. The forward-looking statementsmade in this presentation are being made as of the time and date of its live presentation. If reviewedafter its live presentation, this presentation may not contain current or accurate information. We donotassume any obligation to update any forward looking statements we may make. In addition, anyinformation about our roadmap outlines our general product direction and is subject to change at anytimewithout notice. It is for informational purposes only and shall not be incorporated into any contractor other commitment. Splunk undertakes no obligation either to develop the features or functionalitydescribed or to include any such feature or functionality in a future release.


Recent Headlines

Source:FBI

Source:Computerworld UK

Source:Verizon DBR2015

Source:isc.sans.edu

23%OFRECIPIENTSNOWOPENPHISHINGMESSAGESAND11% CLICKONATTACHMENTS.

OPENE-MAILSANDCLICKONPHISHINGLINKSWITHINTHEFIRSTHOUR.

50%


AdvancedThreatsAreHardtoFind

CyberCriminals

NationStates

InsiderThreats

Source: Mandiant M-Trends Report 2012/2013/2014

100%Validcredentialswereused

40Average#ofsystemsaccessed

229Median#ofdaysbeforedetection

67%Ofvictimswerenotifiedbyexternalentity


Thetraditionalway:Focusonmass mailingDirect delivery or indirect deliveryof malwareSpamfilters and sandboxingtechnologies aregood to detect

Tax return picture from https://www.proofpoint.com


TrueStory:Stateof Michigan(SOM)– Useraccount spoofing• PhishingMail:Mailboxreachedstorage

limit...• OutlookWebAccessPortalcustom design

of SOMwasrebuilt by attacker• Provide E-Mail,Username,Passwordand

Dateof Birth...To how many Userswasthemaildelivered?How manyclicked?Howmanyfilled out?

• Deliveredto 2800 Employees beforebeing blocked

• 155 Employees clicked the link• 144 Employees provided their credentials

6

Source: GISEC2015 KeyNote– ExMichigan‘s CSODanLohrmann


Thetrend:Which one is the validone?


Whyarephishingattacksseenas increased risk?

• More focused – social engineering researches• Localized• No longer bad google translations• Using validgraphics and formating• Sent out to target people or groups• Use e-mail accounts with good reputation• Use common use cases to click alink

– No longer aka„validate bank credential“– Downloadsignature of post delivery– Downloadof onlinePDFbill from YOURmobile

provider


KillChain—BreachExample

http(web)sessiontofakedwebportal

StealdataPersistincompanySellaccesstothirdparty

WEB

DiscoveryDeliveryExploitationInstallationCommandandControl(C2) ActionsonObjectives

EnterslogincredentialsDownloadsmalware

Attackercreatescustomwebpage

emailstothetarget

MAIL

Readsemail, clicklink

ThreatIntelligence

Access/Identity

Endpoint

NetworkVPN Portals

Actinglikea legitimate UserStealing furtherPIInformationUtilizingUserauthorizations


You need to have the capability to answerany question about anattack within your

organisation


NewapproachtosecurityoperationisneededTHREAT AttackApproach

Analytics-drivenSecurity

SecurityApproach

11

TECHNOLOGY

PEOPLE

PROCESS

• Humandirected

• Goal-oriented

• Dynamic(adjusttochanges)

• Coordinated

• Multipletools&activities

• Newevasiontechniques


Analytics-DrivenSecurity

Risk-Based

ContextandIntelligence

ConnectingDataandPeople

12


SecurityIntelligence

13

DeveloperPlatform

Reportand

analyze

Customdashboards

Monitorandalert

Adhocsearch

ThreatIntelligence

Asset&CMDB

EmployeeInfo

DataStoresApplications

OnlineServices

WebServices

SecurityGPS

Location

Storage

Desktops

Networks

PackagedApplications

CustomApplications

Messaging

TelecomsOnline

ShoppingCart

WebClickstreams

Databases

EnergyMeters

CallDetailRecords

SmartphonesandDevices

Firewall

Authentication

ThreatIntelligence

Servers

Endpoint

ExternalLookups


2013-08-0916:21:3810.11.36.2998483148TCP_HIT2002000622- - OBSERVEDGETwww.neverbeenseenbefore.comHTTP/1.10"Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1;.NETCLR2.0.50727;InfoPath.1;MS-RTCLM8;.NETCLR1.1.4322;.NETCLR3.0.4506.2152;)UserJohnDoe,"

08/09/201316:23:51.0128event_status="(0)Theoperationcompletedsuccessfully."pid=1300process_image="\JohnDoe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe“registry_type="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\PrintersPrint\Providers\ JohnDoe-PC\Printers\{}\ NeverSeenbefore"data_type""

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected],Pleaseopenthisattachmentwithpayrollinformation,,,2013-08-09T22:40:24.975Z

14

Phishing– AdvancedAnalyticsSources

TimeRange

EndpointLogs

WebProxy

EmailServer

Allthreeoccurringwithina24-hourperiod

UserName

UserName

Rarelyseenemaildomain

Rarelyvisitedwebsite

UserName Rarelyseenservice


UsingaKillChainFramework– EarlierStageDetection

15

Delivery&Installation

Rarelyseenemail,RarelyseenwebtrafficAbnormalregistryaccess

EmaillogWeblogHostlog

phishing example

Persist,RepeatDelivery,exploitinstallation

Gaintrustedaccess

ExfiltrationDataGatheringUpgrade(escalate)Lateralmovement

Persist,Repeat

Useindicators&attributestofind infectedsystems,users&verifycontrols

Protect


Keyquestions that the press,investors, customers andmanagement asks anorganization that has publicly

disclosed anincident

• How did the attacker gain initialaccessto the environment?

• How did the attacker maintain accessto the environment?

• What is the storyline of the attack?• What data wasstolen from the

environment?• Have you contained the incident?

16

Source:Mandiant


Demo

SplunkEnterpriseSecurity

17


Splunk@MaastrichtUniversityBefore Splunk:

• Useraccounts got compromised and hajecked by phishingattacks

• Useraccounts have been used for sending out spam which did result ine-mail domain beeing blacklisted.

• interruption of e-mail service

• users getting locked outof their accounts, strugled to identify cause and fix

AfterSplunk:

• better understanding of what 'normal'looks likeintheir environment

• investigate any suspicious activities instudent and staff accounts

• monitoring access to important or sensitivemailboxes for any unauthorized access

• monitoring for abnormally largevolumes of mailto one inbox

• determine the attributes of aphishingattack

• react more quickly when other things go wrong

• sysadmin team can now immediately identify the device onwhich the wrong credentials were used


Splunk@PostFinance – PhishingAttack Workflow


Hunter UseCases

OnDemandAPTScanning

SSLcertificate analytics User Agent Stringanalytics

UseCaseOverviewIT-Security UseCases

Privileged usermonitoring

Botnet Detection Frauddetection in E-Payment

Unauthorized ServiceMonitoring

IdentifyPatient-Zero VulnerabilityManagementPosture

Frauddetection OnlineBanking

UpdateMonitoring

Detecting ZeroDayAttacks

Threat IntelligenceCorrelation

Frauddetection inproper serviceusage

Website defacement

Detect andStopDataExfiltration

UserAccount Sharing Defensein depthinvestigations

Spamto external

Phishing Attacks Incident Investigationacrossteam’s

Giveteam’sthevisibility theyneed

SQLInjections DynamicRiskandPatternManagement

Monitoring ofexpireduseraccounts

CISOUseCases

In thenews! Information DrivenSecurity

Compliance reporting Centralized SituationalAwareness


Thank You

21











Documents

2016-04-18 Fight against Phishing with Splunk - · PDF fileSplunk undertakes no obligation either to develop the featuresor functionality ... 2016-04-18 Fight against Phishing with