APAC Splunk Attack Analyzer Webinar

Uploaded by

batuocandanh
© 2024 SPLUNK INC.

Splunk Attack Analyzer
Automatically analyze the most complex credential phishing and malware threats

Ray Huang
APAC Senior Security Solution Architect

Session starts 1:05 PM SGT


Security Operations Challenges
Investigating active credential phishing and malware threats

● Velocity of credential phishing and malware
● Limited visibility and context
● Lack of analyst bandwidth


Impact of Today’s Security Challenges

● 9 weeks is the average dwell time after a bad actor penetrates an organization’s system
● 64% of SOC teams struggle to pivot between security tools
● 49% of SOCs lack the staff to manually handle the increasing volume of security events

Source: Splunk State of Security Report



Splunk Attack Analyzer
Automated Threat Analysis of Malware and Credential Phishing Threats

Splunk Attack Analyzer automates analysis of suspected malware and credential phishing threats. Unlike other analysis tools that require manual workflows, the solution automatically follows and analyzes each step in complex attack chains to identify and extract forensics and render a verdict to help analysts understand active threats and accelerate investigations.

Take the manual work out of threat analysis
Integrate seamlessly into SOC workflows

● Immediately draw conclusions and take action on the insights generated without wasting manual resources
● Save time and get through the backlog of events faster and process alerts with accuracy


Consistent, comprehensive, high-quality threat analysis
Ensure a baseline standard of investigation

● Automatic visualization of where malicious content is embedded, providing a comprehensive view showing the technical details of an attack
● Keep up with the continual shift of threat actor TTPs in order to protect the enterprise


Interact safely with malicious content
Seamlessly generate non-attributed environments

● Access malicious content originating from URLs and files
● Thoroughly conduct an investigation and remain confident that the analyst’s and the enterprise’s identity is concealed


Intelligent automation for end-to-end threat analysis and response
Integrate directly with Splunk SOAR

● Conduct automated analysis of identified indicators without having to perform manual investigative tasks
● Eliminate the need for complex playbooks utilizing multiple threat analysis products
● Splunk SOAR executes the appropriate playbook once Splunk Attack Analyzer has confirmed an active threat, for an automated response


New Market Segment

There isn't any direct competition

● Sandboxes are closest
● Custom SOAR playbooks to do basic lookups/enrichment (one at a time)
● In-house solutions (pride of ownership is the primary competition)


Traditional Sandbox vs Splunk Attack Analyzer
Similar function, superior outcome!

Traditional Sandbox:
● Reputation
● Antivirus
● Dynamic Detonation

Splunk Attack Analyzer:
● Reputation
● Antivirus
● Dynamic Detonation
● Purpose-built analysis engines
  ‒ Email Analyzer
  ‒ Web Analyzer
  ‒ Static Document Analysis
  ‒ Static File Analysis
  ‒ Archive Extractor


How does SAA deliver superior outcomes in common investigation scenarios?

● Email Investigation: embedded QR codes; OCR of passwords and QR codes from images
● File Investigation: PDFs impersonating DocuSign; malware analysis
● URL Investigation: bypasses 90%+ of the CAPTCHAs used by adversaries


Traditional Sandbox vs Splunk Attack Analyzer
Similar function, superior outcome with the email analyzer

Sandbox analysis: processes run: outlook.exe
Sandbox outcome: No Threats Found
SAA analysis: Email Analyzer detected that the email/attachment contains a suspicious QR code
SAA outcome: Microsoft Phishing Attempt

Traditional Sandbox vs Splunk Attack Analyzer
Similar function, superior outcome with document analysis

Sandbox analysis: processes run: acrobat.exe
Sandbox outcome: Detected a single-page PDF with a URL
SAA analysis: Static document analysis detected a likely DocuSign lure
SAA outcome: Fake DocuSign Lure

Traditional Sandbox vs Splunk Attack Analyzer
Similar function, superior outcome with the web analyzer

Sandbox analysis: processes run: chrome.exe
Sandbox outcome: No Threats Detected
SAA analysis: Web Analyzer detected a Cloudflare CAPTCHA on a suspicious site and bypassed it to find a Microsoft phishing attempt
SAA outcome: Microsoft Phishing Attempt
How SAA reduces phishing MTTR relative to an MSSP
Phishing attack leveraging the Caffeine phish kit, targeting Microsoft credentials

With SAA (TTR: 5 mins):
1:39 PT - Email reported by user
1:39 PT - SAA receives email for analysis
1:44 PT - SAA declares email as phishing

Current MSSP process (TTR: 3h 18 mins):
1:39 PT - Email reported by user
1:46 PT - Incident created in MSSP system
3:15 PT - Assigned for human review
4:36 PT - Declared as true threat and assigned to tier 2 team
4:57 PT - Closed after response

3 hour+ reduction in response time with SAA
Splunk Attack Analyzer Use Cases

● Incident Triage, to decrease the daily grind
● Incident Analysis, to shorten investigation cycles


Expand Workflows and Automate Threat Analysis
to Achieve Consistent High-Quality Analysis of Alerts

● Phishing Alerts
● SWG/Proxy Alerts
● EDR Alerts


Gain Actionable Results
To enhance detection efficiency and accelerate investigations for rapid resolution

Inputs: Email, File, URL

Splunk Attack Analyzer:
● Static Analysis
● Dynamic Analysis
● Attack Chain Following
● Rich Forensics
● Malware Detonation
● Credential Phishing Detection

Outputs:
● High Scoring Artifacts: advanced threats detected; verdicts and forensics for scope discovery
● Mid Scoring Artifacts: reduce investigation time; attack chain forensics, screenshots, interactive detonation
● Low Scoring Artifacts: filter out as false positives; eliminate SOC effort
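The three scenario slides (email analyzer, document analysis, web analyzer) and the high/mid/low scoring buckets describe what an attack-chain follower has to do end to end. The Python below is an added example written for this page; it is not Splunk Attack Analyzer code and does not use Splunk's API. It builds a constructed user-reported phish, pulls URLs from the text body and from /URI link annotations in a PDF attachment, walks redirects and document links over a constructed in-memory "web" (the FAKE_WEB dict stands in for a fetcher; every hostname, the brand list and the legitimate-domain table are assumptions), flags a password form that names a brand on an off-brand host, and turns the findings into a score tier and verdict.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed stand-in for the internet: URL -> (status, Location header, body). Nothing is fetched.
FAKE_WEB = {
    "https://short.example/x1": (302, "https://cdn-docs.example/sign.pdf", ""),
    "https://cdn-docs.example/sign.pdf": (200, None,
        "%PDF-1.4\n<< /Type /Action /S /URI /URI (https://login-ms0ft.example/auth) >>"),
    "https://login-ms0ft.example/auth": (302, "https://login-ms0ft.example/auth/verify", ""),
    "https://login-ms0ft.example/auth/verify": (200, None,
        '<html><title>Microsoft - Sign in to your account</title>'
        '<form action="/post.php" method="post"><input type="email" name="loginfmt">'
        '<input type="password" name="passwd"></form></html>'),
}
# Brands the heuristic knows and the domains they legitimately use (assumed list, not exhaustive).
LEGIT_DOMAINS = {"microsoft": ("microsoft.com", "live.com"),
                 "docusign": ("docusign.com", "docusign.net")}
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]+)\)")
REDIRECTS = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def build_sample_email():
    """Constructed user-reported phish: DocuSign-themed body link plus a one-page PDF lure attachment."""
    msg = EmailMessage()
    msg["From"] = "DocuSign <noreply@docusign-notify.example>"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Completed: please review and sign"
    msg.set_content("Your document is ready: https://short.example/x1")
    msg.add_attachment(b"%PDF-1.4\n<< /Type /Action /S /URI /URI (https://login-ms0ft.example/auth) >>",
                       maintype="application", subtype="pdf", filename="Completed_document.pdf")
    return msg.as_string()


def fetch(url):
    """Offline stand-in for an HTTP client in a non-attributed environment."""
    return FAKE_WEB.get(url, (404, None, ""))


def extract_pdf_uris(data):
    """Static document analysis: pull /URI link annotations out of uncompressed PDF objects."""
    return [m.decode("utf-8", "replace") for m in PDF_URI_RE.findall(data)]


def analyze_page(url, body):
    """Web analyzer heuristic: a password form that names a brand, served off-brand, is a credential lure."""
    lower = body.lower()
    host = (urlparse(url).hostname or "").lower()
    if 'type="password"' in lower:
        for brand, domains in LEGIT_DOMAINS.items():
            legit = any(host == d or host.endswith("." + d) for d in domains)
            if brand in lower and not legit:
                return "credential form imitating %s on %s" % (brand, host)
    if body.startswith("%PDF"):
        return "document with embedded link"
    return None


def follow(url, chain, seen):
    """Attack-chain following: walk redirects and embedded document links, recording every hop."""
    while url and url not in seen and len(chain) < MAX_HOPS:
        seen.add(url)
        status, location, body = fetch(url)
        chain.append({"url": url, "status": status, "finding": analyze_page(url, body)})
        if status in REDIRECTS and location:
            url = location
            continue
        if body.startswith("%PDF"):            # a fetched document gets static analysis too
            for child in extract_pdf_uris(body.encode()):
                follow(child, chain, seen)
        return


def analyze_email(raw):
    """Email analyzer: harvest URLs from text parts and PDF attachments, follow each chain, score, verdict."""
    msg = message_from_string(raw, policy=policy.default)
    chain, seen = [], set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment" and payload.startswith(b"%PDF"):
            urls = extract_pdf_uris(payload)
        elif part.get_content_type() == "text/plain":
            urls = URL_RE.findall(payload.decode("utf-8", "replace"))
        else:
            urls = []
        for u in urls:
            follow(u, chain, seen)
    # Score tiers mirror the high/mid/low buckets: credential form = high, lure document only = mid.
    findings = [h["finding"] for h in chain if h["finding"]]
    score = 100 if any(f.startswith("credential form") for f in findings) else 50 if findings else 0
    verdict = "phishing" if score >= 80 else "suspicious" if score >= 40 else "clean"
    return {"verdict": verdict, "score": score, "chain": chain}


if __name__ == "__main__":
    result = analyze_email(build_sample_email())
    for hop in result["chain"]:
        print(hop["status"], hop["url"], "->", hop["finding"])
    print(result["verdict"], result["score"])
```

On the constructed sample the walk is body link → redirect → PDF → embedded link → redirect → Microsoft-themed login form on login-ms0ft.example, which is the "bypassed redirect, found phishing" outcome the slides contrast with a sandbox that only saw chrome.exe start. The PDF regex only sees uncompressed objects (a real pipeline needs a proper PDF parser), the brand check is a toy, and fetch() would in practice be an isolated, non-attributed browser session rather than a dict lookup.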


Customer Workflow Example & Outcomes
Email Phishing Analysis with Splunk Attack Analyzer + Splunk SOAR

Workflow: Employee → User Reported Phishing Email → SOAR Phish Reporting Service → Splunk Attack Analyzer

● 66% reduction in investigation time
● 90% reduction in false positives
● Dramatically improved and accelerated threat investigation and analysis
● Significantly reduced effort to construct and maintain sophisticated threat analysis playbooks


Power the SOC of the Future

[Diagram: four pillars, Foundational Visibility (see across environments), Guided Insights (detect threats and issues with context), Proactive Response (get ahead of issues) and Unified Workflows (collaborate seamlessly), accelerated by Splunk AI with the leading TDIR solution. Capabilities shown across the pillars: Security Data Optimization, Security Monitoring, Asset Discovery & Management, Compliance, Visualization & Reporting, Leverage Cybersecurity Frameworks, Risk Based Alerting, Anomaly Detection, Threat Hunting, Automate Threat Analysis, Automate Threat Intelligence Enrichment, Orchestrate Response Workflows, SecOps Incident Management, Automate Complete TDIR Life Cycle, Automate Containment & Response Actions, Automate Recovery Playbooks, Federate Access & Analytics, Standardize SOC Processes using Response Templates.]


A Quick Demo

© 2023 SPLUNK INC.

How Phishing Used to Look

How Phishing has Evolved

Qualification & Objection Handling

Who do I sell to?

● Any customer who can buy Splunk can buy Attack Analyzer
● Cloud-delivered
● Hosted in the US, APAC and EMEA
● No other Splunk product required
SAA Objection Handling – Part 1

● No Linux or Mac sandbox: how many Linux or Mac investigations per day? SAA Static File Analysis is cross-platform (Mac, Linux, Windows, Android)
● Already have a sandbox: SAA has a sandbox but also does URL/file analysis, web analysis, document analysis, AV, and archive extraction
● We have Proofpoint/Mimecast for phishing: SAA does not replace your SEG; it sits behind it and focuses on the emails that reach the user's inbox
● We have tools that do all this: automated investigation and time savings


SAA Objection Handling – Part 2

● No budget or need for SAA: 91% of breaches in 2023 started with a phishing email compromise (Deloitte)
● Our manual process is fine: SAA’s automated investigations complete in an average of 1-3 minutes; manual analysis can take 15-30+ minutes
● We have CrowdStrike/Recorded Future sandboxes: how many submissions per day/week is the license for? Often not enough to cover all submissions
● We have VirusTotal and threat intel: most advanced adversaries switch URLs and IPs often, and most don’t appear on TI or VT


Assessing the Demo Environment

Technical Badges
Splunk Attack Analyzer Technical Selling - Foundational


Questions?

Thank You


Appendix



Why Do Some Threats Get Through?
Attackers Put Hoops in the Way to Evade Detection & Analysis

● Bloated EXEs
● QR Codes
● Lure Pages
● Captchas
● Custom Malware
● Redirection
● Corrupted Zips
● Password Protection

Why Do Some Threats Get Through?
Splunk Attack Analyzer Jumps Through All the Hoops So Analysts Don’t Have To (the same hoops as above)
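Two of the hoops above, bloated EXEs and password-protected archives, are the ones a pipeline can clear with plain code rather than a browser. The Python below is an added example written for this page, not Splunk's code: it harvests password candidates from the lure text (the regex and stop-word list are my heuristics), opens the archive trying each candidate with the standard zipfile module, trims the low-entropy fill from a bloated executable so the sample fits under sandbox size limits and hashes back to something a reputation lookup can match, and reports both hashes. The sample archive, payload and lure text are constructed; the stdlib cannot write ZipCrypto archives, so the sample archive is unencrypted and the password loop succeeds on its first attempt, while the CHUNK and LOW_ENTROPY thresholds are assumptions to tune against real samples.

```python
import hashlib
import io
import math
import random
import re
import zipfile
from collections import Counter

CHUNK = 4096         # window for the trailing-entropy walk (assumed)
LOW_ENTROPY = 3.0    # bits/byte; single-byte or short-pattern fill scores low, compiled code ~5-8 (assumed)

# Constructed sample: 20 KB of seeded pseudo-random "code" followed by 2 MiB of zero fill,
# the bloat trick that pushes a file past upload limits and defeats hash-based lookups.
_rng = random.Random(7)
SAMPLE_PAYLOAD = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(20000))
BLOATED_SAMPLE = SAMPLE_PAYLOAD + b"\x00" * (2 * 1024 * 1024)
# Constructed lure text of the kind that accompanies a password-protected attachment.
SAMPLE_BODY = "Archive is password protected. The password is Invoice77. Use passcode: 9921 to open."

PASSWORD_RE = re.compile(r"(?:password|passcode|pwd)\s*(?:is|:|=)?\s*[\"']?([A-Za-z0-9!@#$%^&*_\-]{3,})", re.I)
STOP_WORDS = {"is", "the", "to", "for", "and", "of", "protected"}


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def debloat(blob):
    """Strip a trailing low-entropy fill region. Returns (trimmed, bytes_removed).
    Walks back in CHUNK windows; the first window whose non-fill content has real entropy
    marks the end of the payload. Caveat: a payload that legitimately ends in the fill byte
    loses those bytes, so keep the original hash alongside the de-bloated one."""
    if not blob:
        return blob, 0
    fill = blob[-1:]
    end = len(blob)
    while end > 0:
        start = max(0, end - CHUNK)
        content = blob[start:end].rstrip(fill)
        if content and shannon_entropy(content) > LOW_ENTROPY:
            cut = start + len(content)
            break
        end = start
    else:
        cut = 0                      # the whole file is fill
    removed = len(blob) - cut
    if removed < CHUNK:              # a short trailer (overlay, certificate) is normal; leave it
        return blob, 0
    return blob[:cut], removed


def harvest_passwords(text):
    """Pull likely archive passwords out of the lure text, in order of appearance, without duplicates."""
    found = []
    for m in PASSWORD_RE.finditer(text):
        cand = m.group(1)
        if cand.lower() not in STOP_WORDS and cand not in found:
            found.append(cand)
    return found


def extract_archive(blob, passwords):
    """Archive extractor: try no password, then each harvested candidate. Returns (password, {name: data})."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pwd in [None] + [p.encode() for p in passwords]:
            try:
                return pwd, {i.filename: zf.read(i, pwd=pwd) for i in zf.infolist()}
            except RuntimeError:     # zipfile signals a missing or wrong password with RuntimeError
                continue
    raise ValueError("no harvested password opened the archive")


def build_sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.exe", BLOATED_SAMPLE)
    return buf.getvalue()


def triage_attachment(archive, body):
    """End to end: harvest passwords, open the archive, de-bloat each member, report both hashes."""
    pwd, members = extract_archive(archive, harvest_passwords(body))
    report = {}
    for name, data in members.items():
        trimmed, removed = debloat(data)
        report[name] = {"password": pwd, "size": len(data), "bloat_removed": removed,
                        "sha256_original": hashlib.sha256(data).hexdigest(),
                        "sha256_debloated": hashlib.sha256(trimmed).hexdigest()}
    return report


if __name__ == "__main__":
    for name, info in triage_attachment(build_sample_archive(), SAMPLE_BODY).items():
        print(name, info)
```

The de-bloated hash is the one to send to reputation services and the de-bloated bytes are what goes to detonation; the original hash stays in the case so the sample as delivered can still be matched. Corrupted zips, QR codes and CAPTCHAs need different handling (header repair, image decoding, an instrumented browser) and are not covered here.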


Enhancing Your Security Architecture with Automated Threat Analysis

Perimeter protection:
● Email: SEG / ICES
● File: EDR / AV
● URL: SWG / Proxy
● Vigilant employees

Secondary defense: submit to Splunk Attack Analyzer
● False negatives (threat detection): need analysis to determine verdict and full scope of impact
● False positives: need analysis before releasing from quarantine
● Retroactive alerts / true threats
● Threat hunting: a subset needs analysis for secondary IoCs


Automated Threat Analysis

● Take the manual work out of phishing and malware analysis
● Realize consistent, comprehensive, high-quality threat analysis
● SOAR integration to automate e2e threat analysis and response

Inputs: Phishing Alerts, SWG/Proxy Alerts, EDR Alerts

● 66% reduction in investigation time
● 90%+ reduction in false positives
● Dramatically improved and accelerated threat investigation and analysis

“There was a time when 27% of file uploads were marked as malicious or suspicious and all of them ended up being legitimate and clean. With Attack Analyzer, we had near zero false positives in 6 months and complete most analysis in under 5 mins.”
Cybersecurity Architect at US Insurance Company


Traditional Sandbox vs Splunk Attack Analyzer
Multiple Manual Analyst Interventions vs Fully Automated Threat Analysis

[Diagram: the same fake DocuSign PDF attack chain run through both tools.]

Traditional sandbox (the analyst drives every hop):
● Analyst submits the email with the fake DocuSign PDF attachment to the sandbox: No Exploits…
● Analyst clicks the URL and submits the lure page to the sandbox: No Exploits…
● Analyst submits the download site URL to the sandbox: No Exploits…
● Analyst downloads the file and submits it to the sandbox: Malicious File Detected

Splunk Attack Analyzer (fully automated):
● Email with fake DocuSign PDF attachment → Static Doc: Warning: Lure
● URL from the document → Web Analyzer on the lure page: Warning: Lure
● Web Analyzer on the download site: Warning: Lure
● Sandbox on the downloaded file: Malicious File Detected




Johnson Matthey Fights Phishing and Closes Investigations 83% Faster With Splunk Enterprise Security, Splunk SOAR, and Splunk Attack Analyzer
Manufacturing

“Using risk-based alerting in Splunk Enterprise Security, we’re able to fine tune precisely what we want out of the system. Using SOAR and Splunk Attack Analyzer has enabled us to automate part of our phishing process. At this point, 61% of phishing threats are analyzed and processed without us having to intervene.”

Nathan Lowey, Cybersecurity Engineer, Johnson Matthey

● Increased alert fidelity by 30%
● Reduced case management time by 83%
● 61% of phishing cases closed by automation with SOAR


SFBLI Boosts Efficiency and Strengthens Security Posture
Financial Services

“It was a night and day difference between what our current sandboxes were doing and what Splunk Attack Analyzer was doing for us.”
Cybersecurity Architect, SFBLI

● 70% decrease in file scan time
● Reduced false positives from 26% to near zero in 6 months
● ~5 mins for analysis, orchestration and response combined, down from ~20 mins for just analysis


Splunk App for Splunk Attack Analyzer

● Usage and verdict reporting to show threat volume trends
● Phishing and malware reports to show attacker trends
● Phished brand reports show what properties attackers are going after
● Enhance Splunk Enterprise Security (ES) notables with automated analysis of URLs


Better Together: Splunk Attack Analyzer + Splunk SOAR
Intelligent automation for end-to-end threat analysis and response workflows

Splunk SOAR: Case Management, Reporting and Metrics, Orchestration, Collaboration, Automation, Event Management

Splunk Attack Analyzer:
● Static & Dynamic Analysis
● Attack Chain Following
● Rich Forensics
● Malware & Credential Phishing Detection

Splunk SOAR excels in case management, initial enrichment, and orchestration to identify events from the SIEM and user-reported phishing, and open cases. Splunk Attack Analyzer conducts automated analysis of identified indicators without SOC analysts having to perform manual investigative tasks. Once Splunk Attack Analyzer has confirmed an active threat, Splunk SOAR executes the appropriate response playbook to protect the enterprise.
