Splunk Defense on a Budget
Presentation by Robert Wagner from Splunk (@mr_minion)
As someone who has used Splunk, I thought this was a fantastic presentation. It was not just about Splunk; it focused more on the tools and techniques needed for proper defense and on some cheap or free ways to meet those needs. Robert Wagner was the speaker from Splunk, and you could tell he loves what he does: he was very animated throughout the talk and is quite active in the community, which is always great to see.
Something I really liked about the talk was his focus on the security team itself being a company's greatest security asset, not any of the tools. He had some fresh ideas for improving security, such as a security "contest" that helps educate the general users in a company, and a good comic demonstrating what makes a good password. There was a story about someone who implemented the security contest and had it work within 15 minutes of starting it, so apparently it does work! At least until the users get overzealous and try to download vulnerability scanners... After the general security talk he went on to cover some specific Splunk searches you can use to detect particular behaviors, such as DNS exfiltration. All in all it was a great talk. I'll post my notes below, along with a link to the recording if you want to watch it yourself (this talk is only the first 50 minutes, but the video is over 3 hours long).
The problem
Many organizations get too fixated on technology to fix problems
Not enough security budget to buy everything we want
Everyone needs easy, free, or cheap ways to fill security gaps
The best place to start is with the most important security tool:
The security team itself
Info from hackers and researchers
Free videos online
DEF CON
ShmooCon
ToorCon
GrrCON
CCC
BSides & hacker cons
BSides Calgary
Edmonton
Vancouver
The Long Con
Chicago's BurbSec-style meetups
InfoSec Taylor Swift - decentsecurity.com
@hacks4pancakes - tisiphone.net
Start security contests in your company
Who can report the most security issues
Phishing email
Workstations behaving strangely
Strangers roaming the halls without badges
Winner gets $100? $200?
Turns your users into Intrusion Detection Systems
Credit to Ben0xA
EMET (Enhanced Mitigation Experience Toolkit)
Protect the memory of apps you designate
It can be hard to deploy
There are bypasses
Went EOL in July 2018
If you have any devices not yet on Windows 10, it can make things much harder for attackers
Passwords and password managers
2FA for the win
Authy is a great low-cost option
Duo for enterprise
Encourage "password phrases" along with numbers/symbols thrown in for extra entropy
Java problems?
Pull your proxy logs and get the list of versions
The version is in the user agent string
e.g. java/1.6.0_26
Block the Java user agent string at the gateway
At the very least, block the out-of-date versions
Do you really need java going to the outside for more than a few sites?
Block extensions at the email gateway
Cue the screenshot below; I'm definitely not typing all of them out
Antivirus
Not completely useless
Can be used to search for IOCs
Heuristics still find some malicious code
Do you have it enabled?
Is anyone checking the AV alerts?
Lay down some land mines
Honey Files
Files with names like "password list"
Alert on access
Honey accounts
DomainAdmin_x
Put the password in the description
Put in admins group
Logon hours = 0
Honey database / Honey tables
Honey Tokens
Use CreateProcessWithLogonW
Free tool github.com/fuzzysecurity/powershell-suite/blob/master/invoke-runas.ps1
Load fake admin account & fake credentials into memory
Alert on use
Stop attackers in their tracks
Use a web form to authenticate to the proxy
Even go so far as asking users to allow a site, roughly once a day or once a week
Stop some automated attacks
WPAD vulnerability mitigation
Make a null routed DNS entry (127.0.0.1) for WPAD
Make a null routed DNS entry (::1) for WPADWPADWPAD
Disable NetBIOS
Disable internal DNS resolution for the external namespace
Let the proxies handle external DNS lookups
Turn off forward lookups on internal DNS servers
Point proxies at DNS servers that only they are allowed to reach
More roadblocks
Local Administrator Password Solution (LAPS)
Randomizes local admin password
Deny access to this computer from the network
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Apply to local admin group
Pass the hash detection
Check the screenshot for the Splunk search
Finding unauthorized DNS
Using Stream, Bro, Tag
DNS screenshots
Queries with high entropy
Measure of randomness in a variable
The higher the randomness, the higher the measure
Free tools for running the algorithms
"R"
R-project.org
Scientific tools for Python - SciPy
SciPy.org
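The talk's Splunk search for high-entropy DNS queries was only shown as a screenshot, so here is an added example (my own code, not the speaker's search) of the same idea in Python: compute the Shannon entropy of the subdomain labels of each query over a few constructed Bro/Zeek-style DNS log lines and flag the ones that look like encoded exfiltration. The log format, the 3.5-bit threshold and the 16-character minimum length are assumptions to tune for your environment.

```python
import math
from collections import Counter

# Constructed sample DNS log lines (timestamp, source IP, query, qtype); not real traffic.
SAMPLE_DNS_LOG = """\
1694000000.1 10.0.0.5 www.example.com A
1694000000.2 10.0.0.5 mail.example.com A
1694000000.3 10.0.0.7 3q7v9x2k1m8p4z6r0c5n.evil-example.net TXT
1694000000.4 10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2.evil-example.net TXT
1694000000.5 10.0.0.9 cdn.static.example.org A
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_part(fqdn: str) -> str:
    """Return the labels left of the registered domain (assumed to be the last two
    labels), joined without dots, so entropy is measured on the part an attacker controls."""
    labels = fqdn.lower().rstrip(".").split(".")
    return "".join(labels[:-2]) if len(labels) > 2 else ""


def flag_high_entropy_queries(log_text: str, threshold: float = 3.5, min_len: int = 16):
    """Return (src, query, entropy) for queries whose subdomain is long and random-looking.
    Short subdomains are skipped because entropy estimates on a few characters are noisy."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, ignore
        _ts, src, query, _qtype = parts[:4]
        sub = subdomain_part(query)
        if len(sub) >= min_len:
            h = shannon_entropy(sub)
            if h >= threshold:
                hits.append((src, query, round(h, 2)))
    return hits


def count_by_source(hits):
    """Equivalent of a 'stats count by src' roll-up: how many flagged queries per host."""
    return dict(Counter(src for src, _q, _h in hits))


if __name__ == "__main__":
    for src, query, h in flag_high_entropy_queries(SAMPLE_DNS_LOG):
        print(f"{src}  entropy={h:.2f}  {query}")
```

Running it over the sample prints the two TXT queries from 10.0.0.7 and nothing for the ordinary hostnames.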
Free Splunk developer license