Splunk Enterprise for InfoSec Hands-On
1 like734 views
This document contains a list of signs of the zodiac and corresponding numbers. It begins with Aquarius assigned to number 01 and ends with Capricorn (N~Z) assigned to number 20. The list assigns a range of the alphabet to different signs, splitting some signs into two groups.
![11
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management](https://image.slidesharecdn.com/splunklivesantaclara2016securityhandsonfinalfinal-161110075305/85/Splunk-Enterprise-for-InfoSec-Hands-On-11-320.jpg)
![12
[1] Injection
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow
Why did I get breached?
SQLi has been around a very,
very long time …](https://image.slidesharecdn.com/splunklivesantaclara2016securityhandsonfinalfinal-161110075305/85/Splunk-Enterprise-for-InfoSec-Hands-On-12-320.jpg)
*=(%20)*[%27|'])|w*[%27|']or)
Which means: In the string we are given, look for ANY of the following matches
and put that into the “injection” field.
Anything containing SELECT followed by FROM
Anything containing UNION followed by SELECT
Anything with a ‘ at the end
Anything containing DELETE followed by FROM
Anything containing UPDATE followed by SET
Anything containing ALTER followed by TABLE
A %27 OR a ‘ and then a %20 and any amount of characters then a %20 and then a %27 OR a ‘
Note: %27 is encoded “’” and %20 is encoded <space>
Any amount of word characters followed by a %27 OR a ‘ and then “or”
Regular Expressions FTW](https://image.slidesharecdn.com/splunklivesantaclara2016securityhandsonfinalfinal-161110075305/85/Splunk-Enterprise-for-InfoSec-Hands-On-26-320.jpg)
Ad
More Related Content
More from Splunk (20)
Recently uploaded (20)
Ad
Splunk Enterprise for InfoSec Hands-On
- 1. 1 Aquarius – 01 Pisces (A~M) – 02 Pisces (N~Z) – 03 Aries – 04 Taurus (A~M) – 05 Taurus (N~Z) – 06 Gemini (A~M) – 07 Gemini (N~Z) – 08 Cancer (A~M) – 09 Cancer (N~Z) – 10 Leo – 11 Virgo (A~M) – 12 Virgo (N~Z) – 13 Libra (A~M) – 14 Libra (N~Z) – 15 Scorpio (A~M) – 16 Scorpio (N~Z) – 17 Sagittarius – 18 Capricorn (A~M) – 19 Capricorn (N~Z) – 20 https://od-splunklivesantaclara-XX.splunkoxygen.com Username: splunklive Password: security Security Hands-On: What’s Your Sign?
- 3. 3 Safe Harbor Statement During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 7. Mainframe Data Platform for Machine Data Splunk Solutions > Easy to Adopt Relational Databases MobileForwarders Syslog / TCP / Other Sensors & Control Systems Across Data Sources, Use Cases & Consumption Models Wire Data Splunk Premium Solutions & Apps Rich Ecosystem of Apps VMware Exchange PCISecurity ITSI IT Svc Int UBA UBA Cisco PAN SNOW AWS
- 8. Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management* *Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Ø Four years in a row as a leader Ø Furthest overall in Completeness of Vision Ø Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three use cases
- 17. 17 Why Did Bobby’s School Lose Their Records? $sql = "INSERT INTO Students (Name) VALUES ('" . $studentName . "');"; execute_sql($sql); $studentName 1 2
- 18. 18 INSERT INTO Students (Name) VALUES ('John'); Why Did Bobby’s School Lose Their Records? John $studentName
- 19. 19 Why Did Bobby’s School Lose Their Records? Robert'); DROP TABLE Students;-- INSERT INTO Students (Name) VALUES ('Robert'); DROP TABLE Students;--');
- 21. 21 Aquarius – 01 Pisces (A~M) – 02 Pisces (N~Z) – 03 Aries – 04 Taurus (A~M) – 05 Taurus (N~Z) – 06 Gemini (A~M) – 07 Gemini (N~Z) – 08 Cancer (A~M) – 09 Cancer (N~Z) – 10 Leo – 11 Virgo (A~M) – 12 Virgo (N~Z) – 13 Libra (A~M) – 14 Libra (N~Z) – 15 Scorpio (A~M) – 16 Scorpio (N~Z) – 17 Sagittarius – 18 Capricorn (A~M) – 19 Capricorn (N~Z) – 20 https://od-splunklivesantaclara-XX.splunkoxygen.com Username: splunklive Password: security Security Hands-On: What’s Your Sign?
- 22. 22 A Little About Our Environment Our learning environment consists of ~5.5M events, from real environments, but sanitized: • Windows Security events • Apache web access logs • Bro DNS & HTTP • Palo Alto traffic logs • Some other various bits
- 25. 25 https://splunkbase.splunk.com/app/1528/ Search for possible SQL injection in your events: ü looks for patterns in URI query field to see if anyone has injected them with SQL statements ü use standard deviations that are 2.5 times greater than the average length of your URI query field Macros used • sqlinjection_pattern(sourcetype, uri query field) • sqlinjection_stats(sourcetype, uri query field)
- 44. 44 DNS exfil tends to be overlooked within an ocean of DNS data. Let’s fix that! DNS Exfiltration
- 45. 45 FrameworkPOS: a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests! https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos- variant-exfiltrates-data-via-dns-requests “ ” … few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network. http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally- beauty-breach/#more-30872 “ ” DNS Exfiltration
- 46. 46 https://splunkbase.splunk.com/app/2734/ DNS exfil detection – tricks of the trade ü parse URLs & complicated TLDs (Top Level Domain) ü calculate Shannon Entropy List of provided lookups • ut_parse_simple(url) • ut_parse(url, list) or ut_parse_extended(url, list) • ut_shannon(word) • ut_countset(word, set) • ut_suites(word, sets) • ut_meaning(word) • ut_bayesian(word) • ut_levenshtein(word1, word2)
- 47. 47 Examples • The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low) • The domain google.com has a Shannon Entropy score of 2.6 (rather low) • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high) Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string Shannon Entropy
- 48. 48 Detecting Data Exfiltration index=bro sourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen TIPS q Leverage our Bro DNS data q Calculate Shannon Entropy scores q Calculate subdomain length q Display Details
- 50. 50 Detecting Data Exfiltration … | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2 TIPS q Leverage our Bro DNS data q Calculate Shannon Entropy scores q Calculate subdomain length q Display count, scores, lengths, deviations
- 51. 51 Detecting Data Exfiltration RESULTS • Exfiltrating data requires many DNS requests – look for high counts • DNS exfiltration to mooo.com and chickenkiller.com
- 55. • 5,000+ IT and Business Professionals • 175+ Sessions • 80+ Customer Speakers PLUS Splunk University • Three days: Sept 23-25, 2017 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP SEPT 25-28, 2017 Walter E. Washington Convention Center Washington, D.C. CONF.SPLUNK.COM The 8th Annual Splunk Worldwide Users’ Conference
- 56. Thank You