Splunk Defense on a Budget

Presentation by Robert Wagner from Splunk (@mr_minion)

Well as someone who has used Splunk this was a fantastic presentation that was not just about Splunk, it was focused more on tools and techniques needed for proper defense and some cheap/free ways to meet those needs. Robert Wagner was the speaker from Splunk and you could tell he loves what he does, he was very animated throughout the talk and is pretty active in the community which is always great to see.

Something I really liked about the talk was how he focused on how the security team itself is the greatest security asset for a company, not any of the tools. He had some fresh ideas that were unique ways to help increase security such as the security "contest" that helps educate the general users in a company and a good comic to demonstrate what constitutes a good password. There was a story about the security contest that someone that implemented it had it work within 15 minutes of starting the contest so apparently it does work! Until the users get overzealous and try to download vulnerability scanners... Anyway after the general security talk he did go on to talk about some specific Splunk searches that you can do to detect specific behaviors such as DNS exfil. All in all it was a great talk, I'll post my notes below as well as a link to the recording if you want to watch it yourself (this talk was only the first 50 minutes but the video is over 3 hours long)

  • The problem

    • Many organizations get too fixated on technology to fix problems

    • Not enough security budget to buy everything we want

    • Everyone needs easy, free, or cheap ways to fill security gaps

    • Best place to start is with most important security tool

      • The security team itself

  • Info from hackers and researchers

    • Free videos online

      • Defcon

      • Shmoocon

      • Torcon

      • Grrcon

      • Ccc

    • Bsides & hackercons

      • Bsides calgary

      • Edmonton

      • Vancouver

      • The longcon

    • Chicagos burpsec style meetups

    • Infosec taylor swift - decentsecurity.com

    • @hacks4pancakes - tisiphone.net

  • Start security contests in your company

    • Who can report the most security issues

      • Phishing email

      • Workstations behaving strangely

      • Strangers roaming the halls without badges

    • Winner gets $100? $200?

    • Turns your users into Intrusion Detection Systems

      • Credit to Ben0xA

  • EMET (enhance mitigation experience toolkit)

    • Protect the memory of apps you designate

    • It can be hard to deploy

    • There are bypasses

    • Went EOL in July 2018

    • If you have any devices not up to Win 10 it can make it much harder for attackers

  • Passwords and password managers

    • 2FA for the win

    • Authy is great low cost

    • Duo for enterprise

    • Encourage "password phrases" along with numbers/symbols thrown in for extra entropy

  • Java problems?

    • Pull your proxy logs and get the list of versions

    • The version is un the user agent string

      • -e.g. java/1.6.0_26

    • Block JAVA user agent string at the gateway

    • At the very least, the out of date version

    • Do you really need java going to the outside for more than a few sites?

  • Block extensions at the email gateway

    • Cue screenshot below, I'm definitely not typing all of them out

  • Antivirus

    • Not completely useless

    • Can be used to search for IOCs

    • Heuristics still find some malicious code

      • Do you have it enabled?

    • Is anyone checking the AV alerts?

  • Lay down some land mines

    • Honey Files

      • Files with names like "password list"

      • Alert on access

    • Honey accounts

      • DomainAdmin_x

        • Put the password in the description

      • Put in admins group

      • Logon hours = 0

  • Honey database / Honey tables

  • Honey Tokens

    • Use CreatProcessWithLogonW

      • Free tool github.com/fuzzysecurity/powershell-suite/blob/master/invoke-runas.ps1

      • Load fake admin account & fake credentials into memory

      • Alert on use

  • Stop attackers in their tracks

    • Use a web form to authenticate to the proxy

      • Even go so far as asking users to allow a site - 1/day a week or so

      • Stop some automated attacks

    • WPAD vulnerability mitigation

      • Make a null routed DNS entry (127.0.0.1) for WPAD

      • Make a null routed (::1) DNS entry for WPADWPADWPAD

      • Disable NetBIOS

    • Disable DNS internally for external names space

      • Let the proxies handle external dns lookups

      • Turn off forward lookups on internal dns servers

      • Point proxies at dns servers that only they are allowed

  • More roadblocks

    • Local administrator password solutions (LAPS)

      • Randomizes local admin password

    • Deny access to this computer from the network

      • Computer configuration\WindowsSettings\Security Settings\Local Policies\User Rights Assignment

      • Apply to local admin group

  • Pass the hash detection

    • Check screenshot for splunk search

  • Finding unauthorized DNS

    • Using Stream, Bro, Tag

      • DNS screenshots

    • Queries with high entropy

      • Measure of randomness in a variable

        • The higher the randomness, the higher the measure

  • Free run with algorithms

    • "R"

      • R-project.org

    • Scientific tools for python -SciPy

      • SciPy.org

    • Free splunk developers license