Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework
Download as PPTX, PDF3 likes2,079 views
Threat Models and Methodologies such as MITRE’s ATT&CK knowledge base are growing in popularity to help track adversaries and map Tactics, Techniques and Procedures (TTP’s) to build and measure security defence profiles. This session will provide an introduction to MITRE’s ATT&CK Methodology and show how Splunk Enterprise Security (ES) and Splunk content updates can help you leverage MITRE ATT&CK in your defensive strategies.
Ad
More Related Content
What's hot (20)
Similar to Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework (20)
Ad
More from Splunk (20)
Ad
Recently uploaded (20)
Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework
- 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. ATT&CK your ES & SSE Leveraging Splunk Enterprise Security & Security Essentials with MITRE ATT&CK Derek King | Staff Sales Engineer Johan Bjerke | Principal Sales Engineer May 2019 | v1.0
- 2. © 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
- 3. © 2019 SPLUNK INC. ► 20+ years IT & Security ► Security Consultant, Security Manager, Information Security Officer, Technical Specialist (Networks. & Security), Cisco Network Engineer, Programmer, Sys Admin ► But mostly wondering what the world would look like if only I could use GREP, SED & AWK proficiently ► Co-author Splunk Security Essentials, Contributor to BOTs & Author of Security Monitoring AppStaff Sales Engineer @network_slayer # whoami > Derek King CISSP, GIAC G*, MSc InfoSec(Dist)
- 4. © 2019 SPLUNK INC. ► 5 years at Splunk ► Splunk Security SME for the UK ► Active contributor to the Splunk community and Splunkbase ► Co-author of Splunk Security Essentials ► Author of Splunk App for Web Analytics Principal Sales Engineer [email protected] # whoami > Johan Bjerke CISSP, MSc
- 5. © 2019 SPLUNK INC. 1. Introduction 2. What exactly is a framework 3. MITRE ATT&CK explained 4. Good, Bad & Ugly for ATT&CK 5. ATT&CK in ES,ESCU,SSE (Demo) 6. Measuring up using Analytics Advisor (Demo) 7. Q&A Agenda
- 6. © 2019 SPLUNK INC. Tell me about these Frameworks
- 7. © 2019 SPLUNK INC. Colonel John Boyd
- 8. © 2019 SPLUNK INC. Lockheed Martin Cyber KillChain
- 9. © 2019 SPLUNK INC. Lockheed Martin Cyber Kill Chain
- 10. © 2019 SPLUNK INC.
- 11. © 2019 SPLUNK INC. Diamond Model
- 12. © 2019 SPLUNK INC. • Nation-state sponsored adversary • Located (+8.5 timezone) • Uses Korean encoded language • Uses Hancom Thinkfree Office • European VPS servers • Western innovative Brewers and Home Brewing companies • PowerShell Empire • Spearphishing • Seeking to obtain high end Western Beers for production in their breweries • Documents with .hwp suffix • PS exec lateral movement • YMLP • Self signed SSL/TLS certificates • +8.5 hour time zone • Korean fonts for English • Korean text google translated to English • Naenara useragent string A special thanks to
- 13. © 2019 SPLUNK INC.
- 14. © 2019 SPLUNK INC. So cyber looked for something different
- 15. © 2019 SPLUNK INC.
- 16. © 2019 SPLUNK INC. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18- technical-s05-att&cking-fin7.pdf
- 17. © 2019 SPLUNK INC. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18- technical-s05-att&cking-fin7.pdf
- 18. © 2019 SPLUNK INC.
- 19. © 2019 SPLUNK INC.
- 20. © 2019 SPLUNK INC.
- 21. © 2019 SPLUNK INC. So what is MITRE ATT&CK framework then?
- 22. © 2019 SPLUNK INC. ATT&CK is a collection of “techniques, tactics, and procedures” manually curated from APT reports. It helps: • Identify where you have gaps in knowledge • Compare adversaries to each other • Compare adversary behavior to
- 23. © 2019 SPLUNK INC. When is MITRE ATT&CK useful? • Tracking adversaries at a detailed level • Sharing TTPs with defenders in a common taxonomy • Measuring your defenses against your adversaries capabilities
- 24. © 2019 SPLUNK INC. What are limitations of ATT&CK • It has inherent biases of being based on APT reporting • It is tactical NOT strategic • Mapping Techniques/Tactics can be… hard • It doesn’t cover everything (no cloud)
- 25. © 2019 SPLUNK INC.
- 26. © 2019 SPLUNK INC.
- 27. © 2019 SPLUNK INC.
- 28. © 2019 SPLUNK INC. Who is APT 10?
- 29. © 2019 SPLUNK INC. Am I a target?
- 30. © 2019 SPLUNK INC. What is a MenuPass?
- 31. © 2019 SPLUNK INC. How do I defend my org?
- 32. © 2019 SPLUNK INC. One screen. All the answers*
- 33. © 2019 SPLUNK INC. Who and am I a target?
- 34. © 2019 SPLUNK INC. What’s a menuPass?
- 35. © 2019 SPLUNK INC. How do I defend my org?
- 36. © 2019 SPLUNK INC. Discovering Accounts menuPass uses a tool called csvde.exe to export AD data
- 37. © 2019 SPLUNK INC. csvde.exe will be executed on an endpoint ▶ 4688 Windows event code ▶ Sysmon logging ▶ Carbon Black/EDR
- 38. © 2019 SPLUNK INC. menuPass uses a global service provider for a c2
- 39. © 2019 SPLUNK INC. C2 is in network traffic ▶ Stream/Zeek/Wiredata ▶ DNS ▶ Firewall traffic ▶ Netflow traffic
- 40. © 2019 SPLUNK INC. menuPass uses stages data in the Recylcing Bin
- 41. © 2019 SPLUNK INC. Files written to disk ▶ Sysmon logging ▶ Carbon Black/EDR
- 42. © 2019 SPLUNK INC. menuPass collects data with “net use” and robocopy
- 43. © 2019 SPLUNK INC. “net use” will be executed on an endpoint ▶ 4688 Windows event code ▶ Sysmon logging ▶ Carbon Black/EDR
- 44. © 2019 SPLUNK INC. When Does ATT&CK go off the rails
- 45. © 2019 SPLUNK INC. Don’t assume all techniques are equal https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
- 46. © 2019 SPLUNK INC. Don’t misunderstand your coverage and the bias of the data https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
- 47. © 2019 SPLUNK INC. Don’t stay in the matrix https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
- 48. © 2019 SPLUNK INC.
- 49. © 2019 SPLUNK INC. That said….Johan….
- 50. © 2019 SPLUNK INC.
- 51. © 2019 SPLUNK INC. Demo Time
- 52. © 2019 SPLUNK INC. ► 12 Threat Hunts with Sysmon, Suricata, Palo Alto, Stream, Windows Events… ► Workshop Logistics • In Your Organization • 5-12 Participants • 16-20 Hours, Modularized to shorten possible • Ask Your Splunk Contact Person. Don‘t know? Inquery: [email protected] and we will route Want to learn more? Hands-On Workshop: Advanced APT Hunting Hands-On Workshop Advanced APT Hunting
- 53. © 2019 SPLUNK INC. Q&A
- 54. © 2019 SPLUNK INC. Thank You Derek King | Staff Sales Engineer Johan Bjerke | Principal Sales Engineer