
Page 1: splunk> - FST Mediafst.net.au/sites/default/files/philip_sow_splunk.pdf · Analytics Point-of-View ... Philip Sow, CISSP SE Manager, SEA splunk> 2 . Top Security Concerns from CISO

Taking on Security from a Data Analytics Point-of-View

FST Media's 7th annual ASEAN Banking Conference Philip Sow, CISSP SE Manager, SEA

splunk>

Page 2

Page 3

Top Security Concerns from CISOs

Advanced Cyber-Attacks

Malicious Insider Threats

Online Account Takeover

Ransomware

Page 4

http://blog.checkpoint.com/2016/04/06/ransomware-cybercriminals-new-attack-of-choice/

Ransomware: Cybercriminals' new attack of choice

Page 5

Page 6

Advanced malware is hard to prevent:

• Signature updates are never fast enough

• It is targeted (phishing email)

• It cannot be found in security logs

Page 7

Machine data contains a definitive record of all interactions

Splunk is a very effective platform to collect, store, and analyze all of that data

Human-to-machine and machine-to-machine interactions

Page 8

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z

Security Analytics Example Sources

• Email Server: User Name, rarely seen email domain

• Web Proxy: User Name, rarely visited web site

• Endpoint Logs: User Name, rarely seen service

• Time Range: all three occurring within a 24-hour period
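The correlation this slide sketches, as an added Python example that is not part of the presentation: a user whose rarely seen e-mail domain, rarely visited web site and rarely seen service all appear inside one 24-hour window. The event records, user names, rarity cut-off and window are constructed for the example.

```python
# Added example (not from the slides): correlate "rarely seen" values from three
# sources for the same user inside a 24-hour window.
from collections import Counter
from datetime import datetime, timedelta

# Constructed events: (timestamp, source, user, value). A small baseline of
# normal activity plus the three unusual events from the slide for one user.
EVENTS = [
    ("2013-08-01 09:00:00", "email", "jdoe", "acme.com"),
    ("2013-08-02 09:00:00", "email", "jdoe", "acme.com"),
    ("2013-08-01 10:00:00", "proxy", "jdoe", "www.intranet.local"),
    ("2013-08-02 10:00:00", "proxy", "jdoe", "www.intranet.local"),
    ("2013-08-01 08:00:00", "endpoint", "jdoe", "svchost.exe"),
    ("2013-08-02 08:00:00", "endpoint", "jdoe", "svchost.exe"),
    ("2013-08-09 12:40:25", "email", "jdoe", "neverseenbefore.com"),
    ("2013-08-09 16:21:38", "proxy", "jdoe", "www.neverbeenseenbefore.com"),
    ("2013-08-09 16:23:51", "endpoint", "jdoe", "neverseenbefore.exe"),
]
RARE_MAX = 1                 # a (source, value) seen this often or less is "rare"
WINDOW = timedelta(hours=24)  # the slide's time range

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def rare_events(events, rare_max=RARE_MAX):
    """Events whose (source, value) pair occurs at most rare_max times overall."""
    seen = Counter((src, val) for _, src, _, val in events)
    return [e for e in events if seen[(e[1], e[3])] <= rare_max]

def correlate(events, window=WINDOW):
    """Users with a rare email domain, then a rare web site, then a rare
    service, all within `window` of the email event, in that order."""
    per_user = {}
    for ts, src, user, val in rare_events(events):
        per_user.setdefault(user, []).append((parse(ts), src, val))
    hits = {}
    for user, evs in per_user.items():
        evs.sort()
        for i, (t0, s0, v0) in enumerate(evs):
            if s0 != "email":
                continue
            chain = {"email": v0}
            for t, s, v in evs[i + 1:]:
                if t - t0 > window:
                    break
                if s == "proxy" and "proxy" not in chain:
                    chain["proxy"] = v
                elif s == "endpoint" and "proxy" in chain and "endpoint" not in chain:
                    chain["endpoint"] = v
            if len(chain) == 3:
                hits[user] = chain
    return hits
```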

Page 9

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

[2013-09-04-14.45.54.608000] proc_source="B24A", tmst_target="2013-09-04-14.45.54.724000", serv_id="ISS", proc_input="MAST", proc_target="B24H", interface_acq="BNET_1", interface_iss="02008", cod_msg="1110", oper_rrn="090448764439", card_id="526430VS350Y2992", oper_amount="000000008000", oper_currency="978", oper_country="380", term_id="00599307", circuito="", sett_merc="4722", bin_acq="002111", id_merc="329017246168", prcode="003000", action_code="000", approval_code="H8H766", oper_mod_input="1", channel="O", flag_dupl="Y", flag_onus="N", auth_rout_dst="INTFHI93", auth_rout_id="HISO_AUTH", msg_subst="", ndg="0000000078507391", station_acq="STA-BNET-MI1", acceptor="TRAWEL SPA\\MILANO\ 380", tmst_ins="2013-09-04-14.48.56.277466", lpar="B"

20130806041221.000000 Caption=ACME-2975EB\JohnDoe Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts

Critical Security, Fraud & Compliance Insights Sources

• Authentication (user account event above): Source IP (10.11.36.20), User Name

• Web Proxy: Source IP, Referring URL

• Card Payment System: Card ID, Amount, Client ID, Merchant ID

Page 10

Find Advanced, Hidden Threats

Step 1 • Collect ALL the data in one location

Step 2 • Baseline/identify normal activity

Step 3 • Find outliers/anomalies

• Abnormal patterns/correlations within 'normal' activities

• What is rarely seen or standard deviations off the norm

• What is different/new/changed

• Helpful Splunk search commands using math/stats include: stddev, outlier, count, rare, top, stats, cluster, transaction, predict

Page 11

Advanced Threat Detection example: URL Length Analysis

• Compare each URL statistically to identify outliers

• Investigate long URLs where no referrer exists

• See how many assets are talking to the URL

• Look for long URLs that may include embedded C&C instructions

Page 12

A lot of web-based attacks use VERY long URLs

The mean URL length of 128 bytes looks normal, but the maximum URL length of 9 KB looks suspicious. We found a lot of LONG URLs trying to access the external site "http://103.7.28.187/pingd?type-1&dm= www.discouss.com.hk … ". After verifying with http://urlquery.net/report.php?id=2182484, they turned out to be Tencent QQ/WeChat messages; the long HTTP packets are encrypted SMS.
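The URL-length analysis described on pages 11 and 12, as an added Python example that is not part of the presentation: mean, standard deviation and maximum over proxy records, then the long URLs requested without a referrer and how many assets talked to each. The proxy records, the 9 KB URL and its host are constructed placeholders, and the cut-off of k standard deviations above the mean is an assumption.

```python
# Added example (not from the slides): URL length outliers without a referrer.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records: (src_ip, url, referrer). Twenty ordinary requests
# plus three ~9 KB requests to a placeholder host shaped like the slide's case.
LONG_URL = "http://198.51.100.7/pingd?type-1&dm=" + "A" * 9000
RECORDS = [
    ("10.11.36.%d" % (40 + i), "http://www.example.com/page%02d.html" % i,
     "http://www.example.com/")
    for i in range(20)
] + [
    ("10.11.36.29", LONG_URL, "-"),                         # no referrer
    ("10.11.36.33", LONG_URL, "-"),                         # no referrer, 2nd asset
    ("10.11.36.34", LONG_URL, "http://www.example.com/"),   # has a referrer: excluded
]

def url_length_stats(records):
    """The 'mean looks normal, max looks suspicious' view from the slide."""
    lengths = [len(url) for _, url, _ in records]
    return {"mean": mean(lengths), "stdev": pstdev(lengths), "max": max(lengths)}

def long_urls_without_referrer(records, k=2.0):
    """URLs longer than mean + k*stdev that were fetched with no referrer,
    mapped to the number of distinct assets (source IPs) that requested them."""
    s = url_length_stats(records)
    threshold = s["mean"] + k * s["stdev"]
    assets = defaultdict(set)
    for src, url, ref in records:
        if len(url) > threshold and ref in ("-", ""):
            assets[url].add(src)
    return {url: len(ips) for url, ips in assets.items()}
```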

Page 13

Six Windows Events to monitor

Win ID | What | Impact to Security | Activity detected
4688/592 | New process executed | Malware executed or malware actor trying to take action | New programs installed by attacker (not by user)
4624/528/540 | Some account logged in | Attacker authenticated to the endpoint | What accounts did what, and at what times; is it normal?
5140/560 | A share was accessed | What endpoints were accessed | C$ share or file share accessed
5156 | Windows Firewall network connection by process | Command and Control or origin of attack | What application was used to communicate with external or internal IP
7045/601 | Service added to the endpoint | Persistence to load malware on restart | Service added or modified
4663/567 | File & registry auditing | Modifications to the system that create holes or payloads used at a later time | Files added and registry keys added to audited locations

Page 14

Detect CryptoLocker-type attack

http://hackerhurricane.blogspot.hk/2014/01/how-to-detect-cryptolocker-type-attack.html

View of typical CryptoLocker events. EventID 4663 = file deleted/write success

sourcetype="WinEventLog:Security" AND EventCode=4663 | stats count by src_ip

With this search you can see the events and set up alerts to trigger when a threshold outside the norm of your users is reached, e.g. "> 250 events per hour":

sourcetype="WinEventLog:Security" AND EventCode=4663 | stats count by src_ip | where count > 250
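The same threshold check as an added Python example that is not part of the presentation. It bins the 4663 count per source host per hour before applying the 250-per-hour threshold, which the search above only achieves when it is scheduled over a one-hour window. The event records, hosts and burst size are constructed.

```python
# Added example (not from the slides): EventCode 4663 count by src_ip, per hour.
from collections import Counter
from datetime import datetime

def make_events():
    """Constructed Security log events: (timestamp, EventCode, src_ip)."""
    evs = []
    for h in range(20):                      # ordinary host: one 4663 per hour
        evs.append(("2014-01-15 %02d:10:00" % h, 4663, "10.11.36.29"))
    for i in range(300):                     # burst: 300 writes inside hour 14
        evs.append(("2014-01-15 14:%02d:%02d" % (i // 60, i % 60), 4663, "10.11.36.77"))
    evs.append(("2014-01-15 14:05:00", 4624, "10.11.36.77"))   # other code, ignored
    return evs

def count_4663_per_hour(events, code=4663):
    """Like `stats count by src_ip` after binning _time to one-hour buckets."""
    counts = Counter()
    for ts, ev, ip in events:
        if ev != code:
            continue
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
        counts[(ip, hour)] += 1
    return counts

def hosts_over_threshold(events, threshold=250):
    """Hosts that exceeded `threshold` 4663 events in any single hour
    (the `where count > 250` step of the slide's search)."""
    return sorted({ip for (ip, _), n in count_4663_per_hour(events).items()
                   if n > threshold})
```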

Page 15

Sample Use Cases of Security Analytics Detection

What to Look For | Why | Data Source | Attack Phase
On single endpoint: rarely seen inbound email domain, then visit to rarely seen web site, then rarely seen service starts | Spear-phishing attack. Malicious link in email leads to malware being installed. | Mail/Web/OS | Infiltration/Back Door
Account creation without corresponding IT help desk ticket | Hacker is creating new admin accounts | AD/Help Desk logs | Recon
For single employee: badges in at one location, then logs in countries away | Stolen credentials | Badge/VPN/Auth | Data gathering
Employee makes standard deviations more data requests from file server with confidential data than normal | Gathering confidential data for theft | OS | Data gathering
Standard deviations larger traffic flows (incl. DNS) from a host to a given IP | Hacker exfiltrating info | NetFlow | Exfiltration

Page 16

Security Analytics Needs > What are some of the technical challenges in managing data?

• Ability to process transactions in real time for detection of fraud

• Ability to process large volumes of transactional data for a long period of time

• Ability to analyze complex patterns of transactions and be able to profile user objects

Page 17

Page 18

Internal Threat Intelligence Context for Security


• Application usage & consumption (in-house)

• Database usage / access monitoring (privileged)

• Entitlements / access outliers (in-house)

• User association based on geography, frequency, uniqueness, and privilege

• Directory user information (personal e-mail, access, user privilege)

• Proxy information (content)

• DLP & business unit risk (trade secrets / IP)

• Case history / ticket tracking

• Malware / AV

• HR / business role

Page 19

Threat Data from Mandiant APT1


Page 20

New Paradigm for Threat Intelligence

• Needs to be live and real-time

• Needs to be current; many services provide information that's days old

• Needs to provide risk scoring for prioritization

• Correlates among commercial/public threat feeds

Page 21

Splunk + Threat Intelligence Framework (architecture diagram)

• Log sources collected through a Forwarder: DNS, Firewall, Web, Mail, App, SIEM

• Threat sources from the Internet: Custom Threat List, Open Source Threat Intelligence, Paid Threat Intelligence; merged into an Internal Threat DB

• Outputs: dashboard, custom dashboard, incident, predictive analytics, alert

Page 22

Real-time Threat Intelligence Correlation: Threat List Activity Dashboard

Most active threat lists

Most active IPs across all threat lists

Threat list activities over time

Threat list activity detail (not shown)
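The merge-then-correlate flow of pages 21 and 22 as an added Python example that is not part of the presentation: several threat lists are merged into an internal threat DB keyed by indicator, firewall-style events are matched against it, and the three dashboard panels (most active lists, most active IPs, activity over time) are produced. Threat lists, indicators and events are constructed; the IP addresses are documentation ranges.

```python
# Added example (not from the slides): merge threat lists, match events, build
# the Threat List Activity panels.
from collections import Counter, defaultdict

# Constructed feeds: list name -> indicators. One indicator appears on two lists.
THREAT_LISTS = {
    "custom_list": {"203.0.113.5", "203.0.113.9"},
    "open_source_feed": {"203.0.113.9", "198.51.100.23"},
    "paid_feed": {"198.51.100.23", "192.0.2.44"},
}

# Constructed firewall events: (hour bucket, src_ip, dest_ip).
EVENTS = [
    ("2014-05-03 17:00", "172.26.228.230", "203.0.113.9"),
    ("2014-05-03 17:00", "172.26.228.230", "198.51.100.23"),
    ("2014-05-03 18:00", "172.26.228.230", "203.0.113.9"),
    ("2014-05-03 18:00", "10.11.36.29", "93.184.216.34"),    # no threat match
    ("2014-05-03 18:00", "10.11.36.30", "192.0.2.44"),
]

def merge_threat_db(lists):
    """Internal threat DB: indicator -> set of list names carrying it."""
    db = defaultdict(set)
    for name, ips in lists.items():
        for ip in ips:
            db[ip].add(name)
    return db

def threat_list_activity(events, lists):
    """Match src/dest IPs against the merged DB and count per list, per IP
    and per hour. An IP on several lists counts once per list it is on."""
    db = merge_threat_db(lists)
    by_list, by_ip, over_time = Counter(), Counter(), Counter()
    for hour, src, dst in events:
        for ip in (src, dst):
            if ip not in db:
                continue
            by_ip[ip] += 1
            over_time[hour] += 1
            for name in db[ip]:
                by_list[name] += 1
    return {"most_active_lists": by_list.most_common(),
            "most_active_ips": by_ip.most_common(),
            "activity_over_time": sorted(over_time.items())}
```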

Page 23

Customer Case: Client running P2P (BT, BitTorrent)

Client IP: 172.26.228.230

Time: 18:10 5/3/14

Threats: accessing the following bad IPs

• Tor (anonymous proxy)

• Piratebay (BT host)

• Blocked IP site

• Known spyware site

Verified against the PC configuration: this PC has the BT client software installed.

Page 25

Data Security Considerations

• Risk to Data: Data Breach, Data Theft, Insecure Practices

• Minimise Risk of Data: SOP, Security Control, Communication, Data Disposal

• Compliance & Policy: Legal Requirements, Industry Guidelines

Page 26

Splunk Solutions

Platform for Machine Data across data sources, use cases and consumption models

• Splunk Premium Solutions: ITSI (IT Svc Int), UBA

• Ecosystem of Apps: VMware, Exchange, PCI, Security

• Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL

Page 27

Splunk Enterprise Security

Gartner SIEM Magic Quadrant*

Completeness of Vision: Leader

• 2016: LEADER

• 2015: Leader

• 2014: Leader

• 2013: Leader

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 28

Splunk for Security

• DETECTION OF CYBERATTACKS

• INVESTIGATION OF THREATS AND INCIDENTS

• OPTIMIZED INCIDENT RESPONSE AND BREACH ANALYSIS

• DETECTION OF INSIDER THREATS

• SECURITY & COMPLIANCE REPORTING

Page 29

Thank you

splunk>