Copyright © 2014 Splunk Inc.
Threat Intelligence: STIX and Stones Will Break Your Foes
Fred Wilmot, Director, Global Security Practice
Brad Lindow (a.k.a. Superman), Global Security Strategist, Splunk
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to
Fred Wilmot | Director, Global Security Practice
(fred|Securityczar)@splunk.com
• Strategy
§ Drives Security Practice Strategy globally
§ Works on Splunk's hardest Security Use Cases
§ Visualization and Analytics using Splunk
§ Solves strategic product/implementation challenges
• Research
§ Digital Forensics / Assessment Tools
§ Social Risk / User behavior modeling
§ ML / Advanced Statistical Analysis
§ Threat Intelligence
• Product
§ Influence product strategy for security content and features in the field and through the factory.
"Electric Mayhem" @fewdisc
Brad Lindow | Global Security Strategist
Former attorney, current attending SecPrax Legal… Dr. Strangepork
Worked with some of the largest computing environments in the world: Orbitz, Department of Commerce, a consulting organization, and Sears
Global Security Strategist for Splunk
• Drive customer success and security innovation around Splunk's products, customers, partners and the worldwide security community.
• Research
§ Threat Intelligence
§ Enterprise Security
§ Hadoop Security Use Cases
Minister of Justice
Agenda
• Threat intelligence today
• Challenges with today's threat intelligence
• What should next generation threat intelligence look like?
• How can you utilize these threat intelligence sources despite their complexity?
• SPLICE - Splunk's solution for IOC threat intelligence
• SPLICE Demo
Today's Threat Landscape
• You've all heard this many times before (and you probably live it) but:
– Bad guys are getting more sophisticated and organized
– It's getting increasingly more difficult to defend
– Tools, tactics and procedures change during the course of campaign attacks
• We need to move quicker and share information
– Bad guys are watching us and we need to be "watching" them
– Threat Intelligence is old in a week
– Triaging multiple sources of Threat Intel makes them hard to action on YOUR data
Current Threat Intelligence
• Some intelligence sharing is happening but:
– Limited in detail and simplistic (lists, spreadsheets)
– Human readable only
– Derived from various sources (.xls, .PDF, RSS, XML objects, e-mail)
– Intel not leveraged fast enough in the SOC
– Not leveraged historically AND in real-time
– Requires manicuring (watchlists aren't good forever)
– No context to any other indicator
– Shortage in talented analysts reduces kill chain visibility
Watchlists of 10,000 IP addresses or hashes are not enough, we need context…
External Threat Intelligence Sources
• OSINT
• Dell SecureWorks
• Verisign iDefense
• Symantec Deepsight
• McAfee Threat Intelligence
• SANS
• CVEs, CWEs, OSVDB (Vulns)
• iSight Partners
• ThreatStream
• OpenDNS
• Palo Alto Wildfire
• Crowdstrike
• AlienVault OTX
• RecordedFuture
• Team Cymru
• ISACs / US-CERT
• FireEye/Mandiant
• Vorstack
• cyberUnited
• Norse IPViking/Darklist
Internal Threat Intelligence Sources
• Directory user information (personal e-mail, access, user privilege, start/end date)
• Proxy information (content)
• DLP & business unit risk (trade secrets / IP sensitive docs)
• IT case history / ticket tracking
• Malware detection / AV alerts
• Sensitive business roles
• Application usage & consumption events (in-house)
• Database usage / access monitoring (privileged)
• Entitlements / access outliers (in-house)
• User behavior association based on geography, frequency, uniqueness, and privilege
Challenges Interacting with Threat Intel
[Chart: threat intelligence sources compared; axis label "Most complete"]
Next Generation Threat Intelligence
• In today's threat landscape, threat intelligence using structured indicators of compromise (IOC) should enable:
– Automatic consumption and parsing (at least largely)
– Shareable IOCs, internally and externally
– Normalization of key indicators
– Contextual enrichment for data in Splunk
– Creation of STIX objects from internal Threat Intelligence and Incidents
– Efficient use of internal Threat Intelligence as context sources
– Multiple chains of indicators increase urgency for investigation
– Indicators with deeper meaning than a list of IP addresses
Threat Intelligence "Standards"
• STIX - Structured Threat Information eXpression
– A standardized language utilizing XML to represent structured cyber threat information. Conveys the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
• TAXII - Trusted Automated eXchange of Indicator Information
– Transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.
• OpenIOC – Open sourced schema from Mandiant
– An extensible XML schema that enables you to describe the technical characteristics that
Interacting with IOCs in Splunk
[Diagram: threat intelligence standards landscape, also listing MILE and VERIS]
Interacting with threat IOCs in Splunk (current)
Start with the most widely adopted…
– Predominant in confidential information-sharing associations…
– Predominant in vendor and researcher world – lots of useful data available on the public internet…
Example of STIX object
...
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f">
    <cybox:Object>
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2">
  ...
Splunking IOCs with SPLICE
What is SPLICE?
• SPLICE is a free Splunk App that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues
• SPLICE easily installs like any other Splunk App and just requires an instance of MongoDB on the search head Splice is installed on
• Get Splice RIGHT NOW by following @SplunkSec at
How can SPLICE help you?
• Facilitates automated IOC consumption
• Provides you richer threat intelligence data
• Provides the intel in Splunk to correlate with all of your other data
• Provides searching, reporting and visualization capabilities
• Enables less experienced personnel to utilize the data
How does it reduce the complexity?
• Splunk has chosen to initially reduce the IOC surface area to 'atomic' indicators for usability and to allow for more flexibility in IOC analytics
• Splunk has also partnered with FS-ISAC (who have also chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration
SPLICE – Supported Indicators
• Supports STIX 1.1 (more than 80 Objects!)
– FileObjectType (Hash values, File names)
    – Examples: "64ef07ce3e4b420c334227eecb3b3f4c" or "virus.exe"
– DomainNameObjectType (Domains, URLs)
    – Examples: "malicious1.example.com" or "http://malicious1.example.com/clickme.html"
– URIObjectType (Domains, URLs)
    – Examples: "http://malicious1.example.com/clickme.html" or "ftp://badfiles.example.com/data.txt"
– AddressObjectType (IP Addresses)
    – Example: "1.2.3.4"
SPLICE – Supported Indicators
• Supports CybOX 2.1
– Same indicators as STIX
SPLICE Architecture
1. SPLICE consumes IOCs (STIX, CybOX, OpenIOC) through either a monitored directory path or via TAXII (including Avalanche)
2. IOCs are parsed and the atomic indicators (along with the raw IOC) are stored in MongoDB
3. Security Analyst uses the Splice Splunk App to search, report, visualize and alert on the IOCs
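Added example, not SPLICE's own code: a Python reduction of STIX 1.1 / CybOX 2.1 Observables (like the Mandiant object shown earlier) to the atomic indicator types the deck lists, plus the field-to-indicator-type match that an `iocsearch map="clientip:ipv4-addr"` search performs. The sample package, observable ids and event are constructed; the namespace URIs are the standard CybOX 2.1 ones.

```python
import xml.etree.ElementTree as ET
# Standard CybOX 2.1 namespace URIs; xsi:type on cybox:Properties names the object type.
NS = {"cybox": "http://cybox.mitre.org/cybox-2", "cyboxCommon": "http://cybox.mitre.org/common-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
      "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# xsi:type -> (path to the atomic value, value_type label as used in iocsearch map=...).
# Caveat: the xsi:type prefix should be resolved against the document's own xmlns
# declarations; this example assumes the conventional prefixes used in the sample.
ATOMIC = {"FileObj:FileObjectType": (".//cyboxCommon:Simple_Hash_Value", "hash"),
          "DomainNameObj:DomainNameObjectType": ("DomainNameObj:Value", "domain"),
          "URIObj:URIObjectType": ("URIObj:Value", "url"),
          "AddressObj:AddressObjectType": ("AddressObj:Address_Value", "ipv4-addr")}

def extract_atomic_indicators(stix_xml):
    """Return [(observable_id, value_type, normalized_value)] for each supported Observable."""
    out = []
    for obs in ET.fromstring(stix_xml).iterfind(".//cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        spec = ATOMIC.get(props.get(XSI_TYPE)) if props is not None else None
        if spec is None:
            continue  # composite or unsupported object: only the raw IOC would be kept
        for node in props.iterfind(spec[0], NS):
            if node.text:  # normalize case so hashes/domains match however they were cased
                out.append((obs.get("id"), spec[1], node.text.strip().lower()))
    return out

def match_event(event, indicators, field_map):
    """field_map mirrors iocsearch map="clientip:ipv4-addr": event field -> value_type."""
    return [(field, value, obj_id) for field, vtype in field_map.items()
            for obj_id, vt, value in indicators
            if vt == vtype and str(event.get(field, "")).lower() == value]

# Constructed sample package (not a real feed): one MD5 hash and one IPv4 observable.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable id="example:observable-1"><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>64EF07CE3E4B420C334227EECB3B3F4C</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></cybox:Observable>
<cybox:Observable id="example:observable-2"><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value></cybox:Properties></cybox:Object></cybox:Observable>
</stix:Observables></stix:STIX_Package>"""
```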
Using SPLICE – Searching Your Data (iocsearch)
  sourcetype=access_combined_wcookie | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0 | `parse_ioc_indicators_json`
Using SPLICE – Searching IOCs (iocfilter)
  | iocfilter regex="1.2.3.4"
Using SPLICE – Retrieve the full raw IOC data (iocdisplay)
  | iocdisplay object_id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928"
Using SPLICE – Statistics about ingested IOCs (iocstats)
  | iocstats stat=list
Using SPLICE – Export atomic indicators as a CSV (iocexportcsv)
  | iocexportcsv value_type="ipv4-addr" alias="ip" directory="/tmp" filename="myIpList.csv"
SPLICE Challenges
• SPLICE has been largely tested against public datasets, requires more sample data
• Some IOCs cannot be converted due to parser errors
• STIX libraries, framework, other standards are still works in progress
SPLICE – Future
• Next Steps:
– Support additional indicators
– Improved dashboards and default searches
– Export Splunk content as a STIX object
– Utilize TAXII to serve IOC data FROM Splunk
– Better Enterprise Security integration
– Improved features around how closely data matches IOCs
– Improved support for additional indicators
How you can get involved
We are looking for feedback to further enhance SPLICE
• Download Splice and play with it! Tell us what you want and how you want Splice or IOCs to interoperate with your data.
• Get a demo of how Splice works from the Security Practice
• GIVE US FEEDBACK! [email protected] is a perfect way!
• Support the STIX community: https://github.com/STIXProject
Summary
• Threat landscape is rapidly changing; threat data from yesterday may not be valuable today
• Threat Intelligence provides context, but formats and diversity limit adoption to the lowest common denominator
• Traditional things like IP lists are ineffective without context
• IOCs through STIX give us context
• SPLICE gives you a way to utilize IOCs across your Splunk data today
• Get Splice RIGHT NOW by following @SplunkSec at