ATT&CK your ES & SSE
Leveraging Splunk Enterprise Security & Security Essentials with MITRE ATT&CK
Derek King | Staff Sales Engineer
Johan Bjerke | Principal Sales Engineer
May 2019 | v1.0
© 2019 SPLUNK INC.

Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.

# whoami > Derek King
Staff Sales Engineer
CISSP, GIAC G*, MSc InfoSec (Dist)
@network_slayer
► 20+ years IT & Security
► Security Consultant, Security Manager, Information Security Officer, Technical Specialist (Networks & Security), Cisco Network Engineer, Programmer, Sys Admin
► But mostly wondering what the world would look like if only I could use GREP, SED & AWK proficiently
► Co-author Splunk Security Essentials, Contributor to BOTS & Author of Security Monitoring App

# whoami > Johan Bjerke
Principal Sales Engineer
CISSP, MSc
johan@splunk.com
► 5 years at Splunk
► Splunk Security SME for the UK
► Active contributor to the Splunk community and Splunkbase
► Co-author of Splunk Security Essentials
► Author of Splunk App for Web Analytics

Agenda
1. Introduction
2. What exactly is a framework
3. MITRE ATT&CK explained
4. Good, Bad & Ugly for ATT&CK
5. ATT&CK in ES, ESCU, SSE (Demo)
6. Measuring up using Analytics Advisor (Demo)
7. Q&A

Tell me about these Frameworks

Colonel John Boyd

Lockheed Martin Cyber Kill Chain

Lockheed Martin Cyber Kill Chain

Diamond Model
• Nation-state sponsored adversary
• Located (+8.5 timezone)
• Uses Korean encoded language
• Uses Hancom Thinkfree Office
• European VPS servers
• Western innovative Brewers and Home Brewing companies
• PowerShell Empire
• Spearphishing
• Seeking to obtain high end Western Beers for production in their breweries
• Documents with .hwp suffix
• PS exec lateral movement
• YMLP
• Self signed SSL/TLS certificates
• +8.5 hour time zone
• Korean fonts for English
• Korean text google translated to English
• Naenara useragent string
A special thanks to

So cyber looked for something different

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

So what is MITRE ATT&CK framework then?

ATT&CK is a collection of “techniques, tactics, and procedures” manually curated from APT reports. It helps:
• Identify where you have gaps in knowledge
• Compare adversaries to each other
• Compare adversary behavior to

When is MITRE ATT&CK useful?
• Tracking adversaries at a detailed level
• Sharing TTPs with defenders in a common taxonomy
• Measuring your defenses against your adversaries’ capabilities

What are the limitations of ATT&CK?
• It has inherent biases of being based on APT reporting
• It is tactical, NOT strategic
• Mapping Techniques/Tactics can be… hard
• It doesn’t cover everything (no cloud)

Who is APT 10?

Am I a target?

What is a MenuPass?

How do I defend my org?

One screen. All the answers*

Who and am I a target?

What’s a menuPass?

How do I defend my org?

Discovering Accounts
menuPass uses a tool called csvde.exe to export AD data

csvde.exe will be executed on an endpoint
▶ 4688 Windows event code
▶ Sysmon logging
▶ Carbon Black/EDR

menuPass uses a global service provider for C2

C2 is in network traffic
▶ Stream/Zeek/Wiredata
▶ DNS
▶ Firewall traffic
▶ Netflow traffic

menuPass stages data in the Recycle Bin

Files written to disk
▶ Sysmon logging
▶ Carbon Black/EDR

menuPass collects data with “net use” and robocopy

“net use” will be executed on an endpoint
▶ 4688 Windows event code
▶ Sysmon logging
▶ Carbon Black/EDR
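The slide pairs above each map one menuPass behaviour to the telemetry it leaves behind: csvde.exe and "net use" show up as process creation (Windows event 4688, Sysmon, EDR), and data staged in the Recycle Bin shows up as files written to disk. As an added example that is not part of the deck and not Splunk's own code, here is a small Python hunt over constructed 4688-style process-creation events that implements those mappings: it flags csvde.exe, "net use" against a share, robocopy, and any command line that writes under $Recycle.Bin, and labels each hit with the behaviour the slides name. The event field names, the sample events, the rule labels, and the treatment of net1.exe as an alias of net.exe are my assumptions.

```python
import re

# Constructed sample events in a simplified Windows 4688 (process creation)
# layout. These are NOT logs from the presentation; the field names follow the
# Security event XML (NewProcessName, CommandLine, ParentProcessName, ...).
SAMPLE_4688 = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\csvde.exe",
     "CommandLine": r'csvde.exe -f C:\Users\Public\ad.csv -r "(objectClass=user)"',
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fs01\finance /user:corp\alice",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"Robocopy.exe Z:\ C:\$Recycle.Bin\S-1-5-21-1\stage /E",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user",          # "net user", not "net use": must not match
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt',
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4624, "Computer": "WS02", "SubjectUserName": "bob"},  # a logon, not a process event
]

# One rule per slide pair: (label, behaviour named on the slide, process basenames
# the rule applies to (None = any process), command-line pattern (None = any)).
# Assumption: net.exe hands most sub-commands to net1.exe, so both are listed.
RULES = [
    ("csvde.exe AD export", "Discovering Accounts (csvde.exe)", {"csvde.exe"}, None),
    ("net use mapped share", "Collection (net use)", {"net.exe", "net1.exe"},
     re.compile(r"^\s*\S+\s+use\b", re.I)),
    ("robocopy bulk copy", "Collection (robocopy)", {"robocopy.exe"}, None),
    ("write into $Recycle.Bin", "Staging in the Recycle Bin (files written to disk)", None,
     re.compile(r"\$recycle\.bin", re.I)),
]


def _basename(path):
    """Lower-cased file name of a Windows path, so rules ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Return [(rule label, behaviour)] for every rule the event triggers."""
    if event.get("EventID") != 4688:          # only process-creation events carry a command line
        return []
    proc = _basename(event.get("NewProcessName", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    for label, behaviour, procs, pattern in RULES:
        if procs is not None and proc not in procs:
            continue
        if pattern is not None and not pattern.search(cmd):
            continue
        hits.append((label, behaviour))
    return hits


def hunt(events):
    """Run every rule over the event stream and return one finding per hit."""
    findings = []
    for ev in events:
        for label, behaviour in match_event(ev):
            findings.append({
                "host": ev["Computer"],
                "user": ev["SubjectUserName"],
                "process": _basename(ev["NewProcessName"]),
                "parent": _basename(ev.get("ParentProcessName", "")),
                "rule": label,
                "behaviour": behaviour,
                "data_source": "Windows Security EventCode=4688",
            })
    return findings


def summarise(findings):
    """Distinct rules triggered per host; several on one host is the chain the slides describe."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: len(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_4688):
        print(f"{f['host']:5} {f['user']:6} {f['process']:13} <- {f['parent']:13} {f['rule']}")
    print(summarise(hunt(SAMPLE_4688)))
```

The same tests translate directly into a Splunk search over EventCode=4688 (process name and CommandLine fields) or Sysmon event 1 (Image and CommandLine); the point of keeping the rules as data is that each one can be tagged with the behaviour from the slide, which is what lets ES or SSE roll hits up against ATT&CK. Note the "net user" event is deliberately left unflagged: the slides attribute account discovery to csvde.exe, and the regex is written so that only "use" as a whole word matches.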

When does ATT&CK go off the rails?

Don’t assume all techniques are equal
https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/

Don’t misunderstand your coverage and the bias of the data
https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/

Don’t stay in the matrix
https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/

That said… Johan…

Demo Time

Want to learn more?
Hands-On Workshop: Advanced APT Hunting
► 12 Threat Hunts with Sysmon, Suricata, Palo Alto, Stream, Windows Events…
► Workshop Logistics
• In Your Organization
• 5-12 Participants
• 16-20 Hours, modularized so it can be shortened
• Ask your Splunk contact person. Don’t know who that is? Inquire at sales@splunk.com and we will route you

Q&A

Thank You
Derek King | Staff Sales Engineer
Johan Bjerke | Principal Sales Engineer