Transcription

the do-it-yourself guide to ioc integration with splunk

who the ... is this guy? / about me
- i am a digital security person with a diverse technology background and extensive experience building and supporting internet systems.
- i enjoy drawing on my varied skill set to understand emerging technologies, attack types, and other complex problems in the security space.
- my recent focus has been on continuous monitoring, forensics, incident response, and the creation of data-driven tools and solutions for ...
- contact: ...gmail.com, twitter.com/adamjnichols

about the ministry
- the { ministry of promise } is dedicated to the evangelism of code-driven, data-centric solutions to the challenges posed by the modern global threat landscape.
- we believe that orwellian data collection coupled with custom solutions based on open standards and technologies are the only way organizations stand a chance of defending themselves in the modern ...
- ministryofpromise.co.uk

obligatory disclaimer
- i have a lot of opinions
- those expressed are my own, and do not reflect those of my employer
- i'll probably keep many of them to myself
- if you'd like to hear more about them or share yours, please find me later!

what are we talking about again? / agenda
- threat intel
- what we did
- how we did it
- why we didn't just buy a thing
- q&a

threat intel

threat intel / disclaimer #2
- means many different things to many people
- remember what i said about opinions?
- i am not an expert
- many here are
- please seek them out accordingly

"threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
- gartner

threat intel / are iocs 'intel'?
- some would say no
- iocs ≠ intel, ipso facto
- but even scant knowledge is power
- any information that improves your posture can be intel
- even if they aren't intel, using iocs has become compulsory

threat intel / still more opinions
- i don't like 'sharing formats'
- i don't think they work
- we won't use them here
- allow the data to describe itself
- you should control the way you use your data
- insert obligatory xkcd here

what we did

what / problem statement

what / no, but really
- 2011-ish: complete overhaul of dfir function; proactive focus
- lots of threat intel data coming online
- no 'good' way to use it
- we'll make a database or something?
- maybe one day it will be useful

what / ok, we need a thing (built up over four slides)
- splunk
- thing
- database thing

what / what kind of database thing?
- a thing to combine external (threat) data with audit (log) data for the purpose of detecting badness
- must require minimal care and feeding
- must be scalable
- must be modular
- should be highly usable and useful

what / could splunk work?
- maybe
- lots of complexity
- not a lot of flexibility
- cumbersome interface
- yo dawg, we heard you like to pay for intel

what / why you might use splunk for threat data
- you're still trying to figure out what you want to do
- you lack the resources to create your own solutions
- off-the-shelf integrations appeal to you
- you enjoy spending money on things
- you find the next few slides snore-worthy

what / why splunk for threat data is a bad idea
- index relationships in splunk kinda suck
- finding collisions via subsearches is slooooooow
- finding multiple collisions via multiple subsearches is even mooooorrrrreeee slooooowwwerrrerr
- complex queries are hard to write (well)
- only works for static, local data
- you enjoy usability

what / why splunk for threat data is a bad idea - a use case
- i want to find bad c2 activity on my firewall
- i'll start by looking at drops to external ip addresses
- then try to find collisions with threat data
- improve fidelity of those collisions by using domain names associated with those ips to search for dns resolutions
- observed dns resolutions of known bad domains = bad

what / why splunk for threat data is a bad idea (the query, built up over five slides)
  the firewall index gives the candidate bad ips:
    index=firewall dest_ip!=192.168.0.0/16 action=drop | rename dest_ip as bad_ip | fields bad_ip
  the ioc index is joined to them with a subsearch:
    index=ioc_index [ search index=firewall ... ] | fields bad_domain
  the dns index needs the ioc subsearch nested inside its own:
    index=dns_index [ search index=ioc_index [ search index=firewall_index ... ] ] | fields source_ip
  the proxy index and the user index are still to come, each one subsearch deeper

what / why splunk for threat data is a bad idea - the worst bits
- how long would that query take to run? and over what timescale?
- how much data are you working with?
- what if your indexed threat data is incomplete, or out-of-date?
- multiply these problems x sources, logic streams, concurrency
- ingestion, normalization, retention, etc.
- this is to say nothing of the narrow usefulness of these results
- live apis, anyone?

what / why splunk for threat data is a bad idea - some rebuttals
- "you just suck at splunk"
    probably
- "why not use a lookup table?"
    spreadsheets? for real?
- "my 'security' cloud offering/mssp/intel repo/feed/guy has a t.a. for that"
    if you like it, use it! we haven't liked anything we've seen :(
- "isn't building your own toolchain expensive?"
    as compared to what, exactly?

how we did it

how / a database thing to the rescue?!
- provide static and live data to splunk at search time
- allow fine-grained control over what is requested/returned
- permit compound queries
- empower use of the pipeline
- do all this without impacting performance

how / dbthing is
- commodity lamp-ish stack
- https server w/ tls client auth serving a restful api
- some static html/js/css too
- mysql/redis for data
- python for data ingestion/etl
- good, fast, and cheap!

how / dbthing high-level architecture (diagram)
- data tier: a scheduled etl process pulls feeds from the internet ("to interpipes") into per-source databases and caches: abuse.ch, tor exits, emerging threats, fowler iprep, paid providers
- http/php tier: api framework with one plug-in per source plus ui components, fronted by a data broker; a lookup is requested as https://dbthing.com/<resource>/<plugin>
- consumers: splunk, and the soc user interface (html/js/css/img)

how / dbthing plug-in detail and modularity (diagram, built up over four slides)
- data tier: abuse.ch db, tor exits db, et db, fowler iprep cache
- http/php tier: api framework with one plug-in per source (abuse.ch: ip, tor exits: ip, emerging threats: domain, fowler iprep: ip); every plug-in has the same shape:
    if (query == IP)     { if (data != null) { return data; } else { return "no results"; } }
    if (query == DOMAIN) { if (data != null) { return data; } else { return "no results"; } }
- data broker:
    - receive request
    - determine type (regex)
    - handle sanity
    - manage response object
    - provide response
- requests arrive as https://dbthing.com/<resource>/<plugin>
- modularity, as shown across the build slides: the fowler iprep plug-in and its cache are dropped, then a moon domainrep plug-in (domain) and cache are added; the broker and the remaining plug-ins are untouched

how / dbthing modularity
- seamlessly board new data
- easily jettison poor (viking grade) data
- minimal changes required
- sometimes as quick as a few minutes
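The data broker and plug-in pattern from the diagrams above, as an added example that is not the talk's own code: the slides describe a php api, this stand-in is python, and the plug-in names, the sample indicator data and the `<plugin>_match` / `match_count` response keys are constructed to mirror the worked api response later in the deck.

```python
import re
from typing import Callable, Dict, Optional

# Hypothetical stand-in for the dbthing data broker from the slides, written in
# python rather than the php the talk describes (example code, not the project's).
# A plug-in is a callable keyed on the indicator type it understands; the broker
# classifies the requested resource with a regex (the "determine type" step),
# rejects anything it cannot classify (the "handle sanity" step), fans the query
# out to every plug-in for that type and assembles one response object.
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

Plugin = Callable[[str], Optional[dict]]   # returns data, or None for "no results"
PLUGINS: Dict[str, Dict[str, Plugin]] = {"ip": {}, "domain": {}}

def register(name: str, kind: str, plugin: Plugin) -> None:
    """Board a new data source; jettisoning one is PLUGINS[kind].pop(name)."""
    PLUGINS[kind][name] = plugin

def classify(resource: str) -> Optional[str]:
    if IP_RE.match(resource) and all(int(o) < 256 for o in resource.split(".")):
        return "ip"
    if DOMAIN_RE.match(resource):
        return "domain"
    return None

def broker(resource: str) -> dict:
    resp = {"success": "false", "match": "false", "match_count": 0}
    kind = classify(resource)
    if kind is None:
        resp["error"] = "unsupported resource type"   # nothing is dispatched
        return resp
    for name, plugin in PLUGINS[kind].items():
        data = plugin(resource)
        resp[f"{name}_match"] = "true" if data else "false"
        if data:
            resp["match_count"] += 1
            for key, value in data.items():       # e.g. siirt_confidence=high
                resp[f"{name}_{key}"] = value
    resp["match"] = "true" if resp["match_count"] else "false"
    resp["success"] = "true"
    return resp

# Constructed sample plug-ins standing in for the feeds named on the slides.
HIT = "16.180.70.237"   # the indicator from the worked event, reused as sample data
register("torexits", "ip", lambda ip: None)
register("siirt", "ip", lambda ip: {"confidence": "high", "description": "Angler"} if ip == HIT else None)
register("paid_provider", "ip", lambda ip: {"score": "46", "malware": "1"} if ip == HIT else None)
register("moon_domainrep", "domain", lambda d: {"rep": "poor"} if d == "bestcyclingreviews.com" else None)
```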

how / the splunk side of dbthing
- leverages splunk custom commands
- essentially a python script that imports a module (splunk.Intersplunk)
- can interact directly with search results in the pipeline
- employs threaded parallelism to decrease latency
- very lightweight: no app, no t.a.
- augments log events with additional fields in-line

how / the splunk side of dbthing - how it works (built up over four slides)
    index=proxy_index sourcetype=proxy_sourcetype auth_group=executives
    | stats count by dst_ip
    | search dst_ip!=192.168.0.0/16
    | dbthing dst_ip
    | <do other cool splunk stuff here>
- user starts with a query that yields a result set of interest
- user invokes dbthing, providing the field of interest as an arg
- dbthing python queries the dbthing rest api; the value of the arg field in each event is the resource that dbthing queries
- all available data is added to the json response from dbthing
- those json fields are added to the splunk event as k=v pairs
- augmented data is returned to the pipeline via Intersplunk

how / the splunk side of dbthing - how it works (worked event)
  splunk event:
    16.180.70.237 - - [10/Apr/2016:20:59:29 ] "GET /handle-bars HTTP/1.0" 200 2527 "http://bestcyclingreviews.com/top online shops" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
    extracted fields: src_ip=16.180.70.237 http_method=GET http_response=200 http_domain=bestcyclingreviews.com
  dbthing cmd:
    | dbthing src_ip | search src_ip_match=true
  dbthing api request (issued by the dbthing python):
    GET https://dbthing.com/dbthing/16.180.70.237
  dbthing api response:
    {'et_match': 'false', 'fowler_match': 'false', 'k_match': 'false', 'match': 'true', 'match_count': 2,
     'paid_provider_detectedat': '2016-05-29t13:37:55.000-0700', 'paid_provider_ip': '16.180.70.237',
     'paid_provider_id': '1699279', 'paid_provider_malware': '1', 'paid_provider_match': 'true',
     'paid_provider_matchtype': 'host,host', 'paid_provider_rank': '2147483647', 'paid_provider_score': '46',
     'paid_provider_spam': '',
     'siirt_block': 'true', 'siirt_blockloc': 'pxy', 'siirt_comments': '', 'siirt_confidence': 'high',
     'siirt_created_by': 'bobama', 'siirt_description': 'Angler ', 'siirt_effective_date': '2016-05-31 00:00:00',
     'siirt_indicator': '16.180.70.237', 'siirt_match': 'true', 'siirt_source': 'intel sharing',
     'success': 'true', 'torexits_match': 'false'}
  splunk event, augmented: the same event and extracted fields, now carrying every response key as a field (hence the src_ip_match=true that the following search filters on)
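The custom command's augmentation loop from the slides above, as an added python example that is not the talk's script: splunk.Intersplunk's readResults()/outputResults() are replaced by a plain list of event dicts, and the REST call by an injected fetch function that returns constructed responses, so it runs offline.

```python
import json
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Hypothetical sketch of the dbthing custom search command (example code, not the
# talk's own script). In splunk the events would come from
# splunk.Intersplunk.readResults() and go back via outputResults(); here the event
# list is passed in and the HTTP call is injected, so it runs offline against the
# constructed responses below instead of GET https://dbthing.com/dbthing/<resource>.
Fetch = Callable[[str], str]   # resource -> raw json text from the rest api

def augment(events: List[Dict[str, str]], field: str, fetch: Fetch,
            workers: int = 8) -> List[Dict[str, str]]:
    """Attach every key of the dbthing response to each event as <field>_<key>."""
    # Each distinct value is queried once, in threads, rather than once per event.
    values = sorted({e[field] for e in events if e.get(field)})
    with ThreadPoolExecutor(max_workers=workers) as pool:
        responses = dict(zip(values, pool.map(fetch, values)))
    for event in events:
        raw = responses.get(event.get(field, ""))
        if raw is None:
            continue                      # no value to look up; pass event through
        try:
            data = json.loads(raw)
        except ValueError:
            event[f"{field}_error"] = "bad response"   # keep the event, flag it
            continue
        for key, value in data.items():
            event[f"{field}_{key}"] = str(value)       # splunk fields are strings
    return events

def matches(events: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """The '| search src_ip_match=true' step that follows the command on the slide."""
    return [e for e in events if e.get(f"{field}_match") == "true"]

# Constructed sample: two proxy events, one for the indicator in the worked slide.
SAMPLE_EVENTS = [
    {"src_ip": "16.180.70.237", "http_domain": "bestcyclingreviews.com"},
    {"src_ip": "10.0.0.5", "http_domain": "intranet"},
]
FAKE_API = {   # constructed api responses keyed by resource
    "16.180.70.237": json.dumps({"match": "true", "match_count": 2, "siirt_match": "true"}),
    "10.0.0.5": json.dumps({"match": "false", "match_count": 0}),
}

def fake_fetch(resource: str) -> str:
    return FAKE_API.get(resource, json.dumps({"success": "false", "match": "false"}))
```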
