conf2015 sami final 150908 - splunkconf
TRANSCRIPT
Copyright © 2015 Splunk Inc.
NSA Information Assurance Directorate Cyber Defense R&T Team
SAMI - Splunk Assessment of Mitigation Implementations
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
– IAD Top 10 Mitigations
– SAMI – Using Splunk to measure mitigations
– Network vulnerability scoring
National Security Agency Information Assurance Directorate
"Confidence in Cyberspace" "Protect Information – Outmaneuver Cyber Adversaries"
Enable informed risk decisions through analysis and fusion of cyber battlespace awareness, threat, technology vulnerabilities, and deployed mitigations.
Cyber Defense Research & Technology – Focus on assessing and prioritizing mitigation
Network Compromise
(diagram: the adversary's progression from a workstation, through the domain and the AD root domain controllers, to other enterprise domains)
1 – Initial Access (Get in)
2 – Expand Access (Stay in)
3 – Obtain Domain Admin credentials
4 – Obtain Enterprise Admin credentials
5 – Other Enterprise domains
6 – Data Exfiltration / Damage (Act)
Drive Down Adversary's Impact
(chart: Impact/Depth of Access versus Time; time axis 0 day, 1 day, 1 week, 2 weeks, 1 month, 2 months, 6 months; depth axis None, Workstation, All Workstations, Critical IP Accounts, Domain Root, Enterprise Root = Ownership of the Enterprise)
(the same chart repeated with the defender's goals marked along the curve:)
– Prevent ability to maintain access – minimize impact
– Detected, access eliminated
– Held to workstation access/user privileges
– Held at domain level
Network Compromise
(the compromise diagram repeated twice, first with ✗ marks showing where mitigations break each stage of the progression, then with the stages labelled by the IAD Mitigation Goal that covers them)
IAD Mitigation Goals
– Device Integrity
– Defense of Accounts
– Secure available transport
– Damage containment
IAD Top 10 Mitigations
1) Application Whitelisting – A proactive security technique that allows a limited set of approved programs to run
2) Control Administrative Privileges – Network owners should only grant Administrator privileges when absolutely necessary and should take steps to ensure Administrator accounts are not exposed to the Internet and other sources of increased risk.
3) Limit Workstation-to-Workstation Communication – One scalable and highly effective mitigation involves limiting workstation-to-workstation communication, thereby thwarting an attacker's ability to leverage PtH (pass-the-hash) to move laterally within the network.
4) Use Anti-Virus File Reputation Services – Most of today's host security products augment their product's core host controls with intelligence from cloud-hosted threat databases.
5) Enable Anti-Exploitation Features – Many operating systems and applications have advanced anti-exploitation and sandboxing features that should be harnessed to defend against common attacks.
6) Implement Host Intrusion Prevention System (HIPS) rules – For an enterprise with a well configured and managed network, HIPS can be tuned to learn and allow normal network functionality while flagging anomalies characteristic of intrusions.
7) Set a Secure Baseline Configuration – This includes generation of standard images which provide approved and secured application and operating system configurations with layered security containing best practice mitigation strategies to counter cyber threats.
8) Use Web Domain Name System (DNS) Reputation – Enterprises can protect their hosts by screening web accesses against such services and redirecting dangerous web requests to a warning page.
9) Take Advantage of Software Improvements – Operating systems and application software routinely have security upgrades through new versions and intermediate patches.
10) Segregate Networks and Functions – Plan for the possibility of a successful intrusion and design the network architecture and management procedures to separate segments based on role and functionality.
Detailed information available at https://www.nsa.gov/ia/mitigation_guidance
SAMI
Splunk Assessment of Mitigation Implementations
– An App built to assess IAD Top 10 Mitigations
– Audit and track implementation and effectiveness
– You can apply techniques to build your own
Experience has shown mitigations aren't always implemented consistently or correctly.
SAMI outline: Goals; Approach; Architecture; Initial 7 metrics with examples
SAMI Goals
– Evaluate implementation of mitigations using machine data
– Track progress deploying mitigations
– Track and report security posture
– Identify configuration drift
– Identify specific actions to improve security posture
SAMI Approach
– Identify desired mitigation behaviors
– Determine whether to test specific configurations or behaviors
– Identify critical settings or behaviors to measure
– Identify required data objects and conditions
– Determine efficient collection method – Native Splunk capabilities or custom scripts
– Build searches to interpret the data
– Prioritize results
Mitigation Evaluation
– Supported by hardware and OS
– Installed
– Updated
– Turned on
– Configured
– Demonstrating expected behavior
SAMI Architecture
– Target Windows endpoints only
– Some checks assume a specific solution
– Splunk Universal Forwarders on all endpoints
– Deployment server – TA-SAMI app includes scripts and inputs.conf to guide collection
– Indexer/Search head
Collection & Analysis
– Regmon, WMI, WinHostMon
– Custom scripts – CPUID, PE Header, DNS query, Port scan, LDAP query
– Evaluation of collected values encoded in Splunk search
– Criteria evaluated and saved to summary indexes as conditions and penalties
SAMI Metrics
(figure: each SAMI metric mapped to its Mitigation Goal and to the Attack Lifecycle stages it counters: recon, exploit, establish persistence, install tools, move laterally, collect/exfil/destroy)
Mitigation Goals: Device Integrity; Defense of Accounts; Damage Containment; Secure and Available Transport
SAMI Metrics:
• Anti-Exploitation Features
• Host Intrusion Prevention System
• Application Whitelisting
• Modern Operating System
• Anti-Virus File Reputation Services
• Workstation-to-Workstation Communications
• Control Admin Privileges
Anti-Exploitation Features (5)
Provides protection against exploits in a broad, generic manner – May mitigate zero-day attacks
Microsoft Enhanced Mitigation Experience Toolkit (EMET)
– DEP – Data Execution Prevention
– ASLR – Address Space Layout Randomization
– SEHOP – Structured Exception Handler Overwrite Protection
– Kernel Null Page
Other key features – Certificate Padding – Secure Search Path
Some settings per app; 50 common executables of main interest – Office, 7-Zip, IE, Adobe Reader, Skype, etc.
Collection: Registry keys, WMI, CPUID, PE Header, custom script
Device Integrity
Anti-Exploitation - DEP
Data Execution Prevention – Helps prevent exploits that execute code in data memory (e.g., buffer overflow)
Some features dependent on hardware and OS
Better to check settings configured by EMET rather than EMET policy itself
Anti-Exploitation - DEP
Checks:
– OS supports DEP
– HW supports DEP
– DEP enabled (x32, x32 on x64)
– DEP configured appropriately (x32, x32 on x64)
– DEP not overridden for installed software
– Installed software not opted in for DEP | opted out for DEP (worked through on the following slides)
Installed Software Not Opted In for DEP
An application of interest (archive apps, browsers, communication app, document viewers/editors, media viewers/players, Java, etc.) is not opted in for DEP
– Check configuration for every app
– Config of last resort – DEP should really be "always on" or "opt out"
Only 32-bit software (DEP applies to 64-bit software by default)
Policy not overridden (for all or per software)
SW Not Opted In for DEP
– Mitigation options from registry – HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions
– DEP Policy from registry – HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions
– List of SW of interest from script – Recursive search for specific EXEs (e.g., iexplore.exe, AcroRd32.exe)
– SW details (bits, nxcompat) from script – Custom script to inspect PE Header – IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
– SW details (mitigation options, execute options) from registry –
  HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\MitigationOptions
  HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\executeOptions
Anti-Exploitation Collection
SAMI currently uses a custom exe to collect all data – A variety of objects are checked
inputs.conf:
[script://$SPLUNK_HOME\etc\apps\sami\bin\ae.bat]
disabled = false
interval = 86400
index = sami_script

[monitor://C:\Windows\System32\ae.txt]
index = sami_script
sourcetype = samiAE

Sample ae.txt output:
pae: YES depPolicy: OptIn ableToMapNullPage: No hotFix: KB2893294 app_path="C:\Program Files\Internet Ex… nxcompat: YES ...
Anti-Exploitation Collection
– CPUID – EAX=1 (EDX bit 6)
– WMI – select * from Win32_QuickFixEngineering
– Test effect – DWORD *pNullPage = NULL;
– PE Header – IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
– Registry – HKLM\SYSTEM\CCS\Control\SystemStartOptions
App Not Opted In for DEP
– Find all 32-bit applications with data
– Determine the app mitigation options policy (0x3 & mitigationOptions)
  – Extract value from hex
  – Use "mod 4" since there is no bitwise "and"
  – Fill missing values; evaluate only apps where = 0
– Evaluate only if system DEP policy is "OptIn"
– Apply logic – app passes if nxcompat=YES or executeOptions=0
– Check policy override not set – (System mitigation options & 4) >> 2
  – Use ÷4, mod 2 since there is no bitwise "and" or bit shift
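The evaluation above carried out end to end, as an added example that is not SAMI's own code or Splunk search: it parses constructed ae.txt-style records, reproduces the slide's mod-4 and divide-by-4 substitutes for the bitwise operations, and emits the host/app rows a penalty would be written for. Field names beyond the slide's sample (host, bits, appMitigationOptions, sysMitigationOptions, executeOptions) and the 0.9-style hex values are assumptions.

```python
"""SAMI-style 'App Not Opted In for DEP' evaluation over constructed ae.txt-like records.
Field names not in the slide's sample (host, bits, appMitigationOptions,
sysMitigationOptions, executeOptions) are assumptions made for this example."""
import re

# Constructed records in the slide's "key: value" / key="quoted" style; hex values stand
# in for the registry DWORDs and "-" marks a value the collector could not find.
SAMPLE_RECORDS = [
    'host: WS01 depPolicy: OptIn sysMitigationOptions: 0x0 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO appMitigationOptions: 0x0 executeOptions: -',
    'host: WS01 depPolicy: OptIn sysMitigationOptions: 0x0 app_path="C:\\Program Files (x86)\\7-Zip\\7z.exe" bits: 32 nxcompat: YES appMitigationOptions: 0x0 executeOptions: -',
    'host: WS01 depPolicy: OptIn sysMitigationOptions: 0x0 app_path="C:\\Program Files (x86)\\Skype\\Skype.exe" bits: 32 nxcompat: NO appMitigationOptions: 0x1 executeOptions: -',
    'host: WS02 depPolicy: OptOut sysMitigationOptions: 0x0 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO appMitigationOptions: 0x0 executeOptions: -',
    'host: WS03 depPolicy: OptIn sysMitigationOptions: 0x4 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO appMitigationOptions: 0x0 executeOptions: -',
    'host: WS04 depPolicy: OptIn sysMitigationOptions: 0x0 app_path="C:\\Program Files\\Internet Explorer\\iexplore.exe" bits: 64 nxcompat: NO appMitigationOptions: 0x0 executeOptions: -',
    'host: WS05 depPolicy: OptIn sysMitigationOptions: 0x0 app_path="C:\\Program Files (x86)\\Java\\bin\\javaw.exe" bits: 32 nxcompat: NO appMitigationOptions: - executeOptions: 0x0',
]

PAIR_RE = re.compile(r'(\w+)(?::\s*|=)("[^"]*"|\S+)')

def parse_record(line):
    """Split one ae.txt-style line into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in PAIR_RE.findall(line)}

def to_number(value, default=0):
    """The slide's 'fill missing values' step: '-' or absent becomes the default."""
    if value in (None, '-', ''):
        return default
    return int(value, 0)          # accepts "0x4" as well as "4"

def low_two_bits(n):
    """0x3 & n, written as mod 4 because the SPL of the talk had no bitwise and."""
    return n % 4

def override_bit(n):
    """(n & 4) >> 2, written as integer-divide by 4 then mod 2 for the same reason."""
    return (n // 4) % 2

def evaluate(record):
    """Return (verdict, reason); 'penalty' means the app is not opted in for DEP."""
    if record.get('depPolicy') != 'OptIn':
        return 'skip', 'system DEP policy is not OptIn'
    if override_bit(to_number(record.get('sysMitigationOptions'))) == 1:
        return 'skip', 'system mitigation options override the DEP policy'
    if record.get('bits') != '32':
        return 'skip', 'DEP applies to 64-bit software by default'
    if low_two_bits(to_number(record.get('appMitigationOptions'))) != 0:
        return 'skip', 'per-app mitigation options already set a DEP policy'
    exec_opts = record.get('executeOptions')
    opted_in = record.get('nxcompat') == 'YES' or (
        exec_opts not in (None, '-') and to_number(exec_opts) == 0)
    if opted_in:
        return 'pass', 'nxcompat or executeOptions opts the app in'
    return 'penalty', 'app is not opted in for DEP'

def findings(lines):
    """(host, exe, verdict, reason) rows, the shape SAMI saves to its summary index."""
    rows = []
    for line in lines:
        rec = parse_record(line)
        exe = rec['app_path'].rsplit('\\', 1)[-1]
        rows.append((rec['host'], exe, *evaluate(rec)))
    return rows

def penalized(lines):
    """Only the (host, exe) pairs that need the 'opt in the application' fix."""
    return [(host, exe) for host, exe, verdict, _ in findings(lines) if verdict == 'penalty']
```

Only WS01's AcroRd32.exe is penalized: the other records are skipped by the policy, override, bitness or per-app checks, or pass through nxcompat / executeOptions.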
Actionable Results
– Opt In application in question
– Upgrade app for DEP
– Override policy
– Set system mitigation options
– Alternatives – Change DEP policy – Uninstall application
Host Intrusion Prevention System (6)
Proactive mitigation to identify and block suspicious activity – Doesn't include host firewall or registry monitor configurations
Collection: Regmon, WMI (or WinHostMon://Services); McAfee only
Device Integrity
Host Intrusion Prevention System (6)
Checks:
– Current version of HIPS is installed
– HIPS Service is running
– HIPS Service starts by default
– HIPS Content is current
– HIPS is enabled and in enforcement (not audit) mode
– Reaction mode is set to prevent for high and medium severity events; log for low severity events
Application Whitelisting (1)
– Blocks most current malware
– Prevents use of unauthorized applications
– Does not require daily definition updates
– Requires standardized process for administrator installation and approval of new applications
Path-based AW avoids the problem of identifying every program
Device Integrity
Application Whitelisting (1)
Desired effect – prevent unauthorized software execution
Testing settings vs. testing behavior (method vs. effect)
– Specific products limit applicability
– Permissions problem with testing behavior
Focus – SRP, AppLocker – Path-based whitelisting
Device Integrity
Application Whitelisting - SRP
Checks:
– Configured for whitelisting mode
– Policy applies to users and administrators
– Policy applies to EXEs and DLLs
– Default executable types exist
– Required path-based whitelisting rules exist
– Required path-based blacklisting rules exist
– No unenforced rules (audit or inert)
Device Integrity
SRP Required Blacklisted Paths
Blacklist paths included in required whitelist paths – These are writeable by more Windows groups (users, auth users, everyone) – Non-admins should not execute from these paths
%SystemRoot%\Debug
%SystemRoot%\Temp
%SystemRoot%\System32\Tasks
… (16 total)
1. https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
SRP Required Blacklisted Paths
SRP configured in local or group policy; blacklist paths stored in the registry
inputs.conf:
[WinRegMon://SRPBlacklisted]
baseline = 1
baseline_interval = 86400
disabled = 0
proc = .*
hive = \\REGISTRY\\MACHINE\\software\\policies\\microsoft\\windows\\safer\\codeidentifiers\\0\\.*\\itemdata*
index = regmon
type = set|create|open|delete
Regmon
– Baseline collected only on splunkd restart when last collection time is more than baseline_interval in the past
– Baseline timestamp is time of last key mod, NOT time of collection – Will see identical (including time) events
– key_path prefix – REGISTRY\MACHINE (baseline) – HKLM (set|create|open|delete)
– No regex, no subnodes or values
– Collect only what you need to limit license impact
SRP Required Blacklisted Paths (find the absence of something)
– Get a list of current hosts
– For each host, make a list of expected blacklist paths
– From the registry, get a list of all blacklisted paths – join this list by host and path to get a distinct list of paths by host
– Entries not found in the registry will have null key paths
– Null paths => required path that doesn't exist => penalty
Host | Required Path | Registry Path
ABCDEF | %SystemRoot%\Debug | %hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%\debug
ZYXWVU | %SystemRoot%\Debug | 0
Actionable Results
– Searches result in a list of hostname, finding, and penalty
– Penalties help prioritize fixes for each host
– Findings each have specific fixes
– SRP required blacklist paths fix - add required paths
Modern OS – Take advantage of software improvements (9)
Are hosts running the latest OS? – New versions incorporate new security features
– High impact, high cost, infrequent change
– OS version and service pack evaluated with registry keys
– OS/architecture/role data used as a lookup for other metrics (|outputlookup) – Defines which hosts should be evaluated
– Doesn't include checking patches or applications
Device Integrity
Anti-Virus File Reputation Services (4)
AV Cloud Lookup to leverage large catalog of file reputations – More timely and more complete coverage
Requires configuration checks and connectivity checks
Collection: Regmon, custom script (DNS query)
SAMI implements checks for McAfee only
Device Integrity
Anti-Virus File Reputation Services (4)
Checks:
– Server reachable
– Cloud lookup enabled
– Sensitivity high – Desktop protection, email scanner, on delivery, on access
– DAT current
– AV engine current
– VSE (VirusScan Enterprise) current
– Service installed
– Service running
– Service automatic
Device Integrity
Workstation-to-Workstation Communications (3)
Limits attackers' freedom of movement via techniques such as PtH and credential reuse – Aids detection of malicious activity
Collection: custom script (port scan neighbors)
Large-scale port scanning, requires a target list; scans only three ports
W-to-W connections should fail
Damage Containment
Secure and Available Transport
Control Admin Privileges (2)
Domain admin privileges should only be used on limited systems to prevent exposure
Collection: custom script (list domain admins, check logs for logons)
Should not find domain admin logons on workstations
Defense of Accounts
Damage Containment
SAMI app
– Endpoint custom scripts run daily, results indexed
– Regmon, WinHostMon running and indexing
– Searches to analyze data and assign penalties run daily -> summary index
– Daily summary data -> summary index
– Views computed off summary indexes
SAMI
(sample data screenshots)
Network Vulnerability Scoring
– SAMI evaluates mitigation configurations for each host
– Turn evaluation findings into prioritized actionable instructions – Use data to drive desired behavior
– Report security posture
– Provide network owners comparison with peers
– DoD, DHS, others have existing automated scoring systems for prioritizing patching and configuration – Expand to include all mitigations data
Automated Scoring
– Existing systems have lists of requirements to check – Each requirement has a normalized weight – Checks per host aggregated by network and owning organization
– Average scores per host graded on a curve – Organizations see where they rank among peers
– Raw scores used to identify prioritized tasks to improve
Automated Scoring with SAMI
– Normalize weights across mitigations
– Normalize weights with existing compliance-oriented checks
– Identify areas where mitigations replace existing compliance checks in part or in full
– Balance scores across mitigation goals / attack lifecycle – Success in any one category alone does not make a secure network
SAMI Summary
– SAMI provides health and status rather than incident detection
– SAMI app will be available soon – Detailed documentation of the business logic and source code for existing scripts will be included – Everything will be open source
– Mitigations for the four mitigation goals are a useful part of measuring network health; build additional measures to evaluate your own status
SAMI Lessons Learned (Bonus)
– Verify host data is current – Identify missing hosts (forwarders but no recent data) – Fixing the data stream is a top priority
– SUF auditing – Use other data sources to make sure all hosts have SUFs
– Summary indexing – Especially useful for data that doesn't change often and can be slow to search
SAMI Lessons Learned (Bonus) – stats product(x)
– Initial scoring model required multiplying penalties to produce score – Each penalty reduced score by a fraction
– Data table - host, fault, penalty – Need to multiply penalties together for each host – Would be easy if it were a sum (stats sum(penalty) by host)
– Solution – Create an MV field and multiply each item:
| stats list(penalty) as penlist by host
| eval Score=tonumber(mvindex(penlist,mvcount(penlist)-1),1) * tonumber(mvindex(penlist,mvcount(penlist)-2),1) * tonumber(mvindex(penlist,mvcount(penlist)-3),1) …
– Limitation – only good for the number of items checked
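The "find the absence of something" join for SRP required blacklist paths and the multiply-the-penalties host score from the lessons-learned slide, together as one added example that is not SAMI's own search logic. The registry spelling of %SystemRoot% follows the slide's table; the host names, the Regmon values and the 0.9 penalty weight are constructed assumptions.

```python
"""SRP 'required blacklist path' absence check and the multiply-the-penalties host score,
over constructed hosts and Regmon values. The %SystemRoot% registry spelling follows the
slide's table; the 0.9 penalty weight and the host names are assumptions for this example."""

# Three of the 16 required paths from the NSA SRP guidance cited on the slide.
REQUIRED_PATHS = [r"%SystemRoot%\Debug", r"%SystemRoot%\Temp", r"%SystemRoot%\System32\Tasks"]

# How %SystemRoot% appears inside the ItemData registry value (from the slide's table).
REG_SYSTEMROOT = r"%hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%"

# Each finding multiplies the host score by its penalty (assumed weight: a 10% reduction).
PENALTY_MISSING_PATH = 0.9

def registry_form(path):
    """Rewrite a required path the way the ItemData value stores it."""
    return path.replace("%SystemRoot%", REG_SYSTEMROOT).lower()

# Constructed inputs: the current-host list (from the OS lookup) and (host, ItemData) pairs
# from Regmon. ABCDEF's first path appears twice, as repeated baseline events do.
HOSTS = ["ABCDEF", "ZYXWVU", "QRSTUV"]
REGMON_ITEMDATA = [
    ("ABCDEF", registry_form(REQUIRED_PATHS[0])),
    ("ABCDEF", registry_form(REQUIRED_PATHS[0])),
    ("ABCDEF", registry_form(REQUIRED_PATHS[1])),
    ("ABCDEF", registry_form(REQUIRED_PATHS[2])),
    ("ZYXWVU", registry_form(REQUIRED_PATHS[0])),
    ("QRSTUV", registry_form(REQUIRED_PATHS[0])),
    ("QRSTUV", registry_form(REQUIRED_PATHS[1])),
]

def expected_vs_registry(hosts, regmon):
    """Left-join the expected (host, path) list against distinct registry paths per host;
    a None registry path is the 'absence' the slide looks for."""
    seen = {(host, itemdata.lower()) for host, itemdata in regmon}
    rows = []
    for host in hosts:
        for required in REQUIRED_PATHS:
            reg = registry_form(required)
            rows.append((host, required, reg if (host, reg) in seen else None))
    return rows

def findings(hosts, regmon):
    """(host, finding, fix, penalty) rows, one per missing required path."""
    return [(host, f"SRP required blacklist path missing: {required}",
             "add required path", PENALTY_MISSING_PATH)
            for host, required, reg in expected_vs_registry(hosts, regmon) if reg is None]

def host_scores(hosts, regmon):
    """Score per host = product of its penalties, 1.0 when nothing is missing.
    Unlike the fixed mvindex chain on the slide, this handles any number of findings."""
    scores = {host: 1.0 for host in hosts}
    for host, _, _, penalty in findings(hosts, regmon):
        scores[host] *= penalty
    return scores
```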
THANK YOU CD R&T Team
Backup Slides
1) Implement Application Whitelisting
(diagram: spearphishing e-mails with malware, websites with malware, malware on removable media)
The Problem: • Compromise from malware delivered via e-mail, websites, and removable media
The Mitigation: • Allow only approved software • Block most common attack vectors and zero-day malware • Provide application installation control
2) Control Administrative Privileges
The Problem: • Compromise of privileged accounts and/or privilege escalation can lead to compromise of critical systems and information
The Mitigation: • Grant admin privileges only when necessary • Don't allow admin accounts exposure to Internet • Implement two-factor authentication
(diagram: Internet, User Workstations, Management Workstations, Trusted Critical Servers, Domain Controllers, Domain)
3) Limit Workstation-to-Workstation Communication
(diagram: local workstations, admin workstation, all workstations, all servers, domain controller)
The Problem: • Compromised devices used to springboard to other devices, grabbing higher privileged credentials along the way
The Mitigation: • Deny local account logon across network • Restrict lateral movement on network with access control lists
4) Use Anti-Virus File Reputation Services
The Problem: • Anti-virus signature files are not updated real-time • Host protection products rely on the cloud for full coverage
The Mitigation: • Leverage real-time intelligence from cloud-hosted threat databases
5) Enable Anti-Exploitation Features
The Problem: • Malware exploits software vulnerabilities • Zero-days
The Mitigation: • Use operating system and application anti-exploitation and sandboxing features such as EMET (Enhanced Mitigations Experience Toolkit)
6) Implement Host Intrusion Prevention System (HIPS) Rules
The Problem: • Standard signature-based host defenses don't defend against zero days and can't keep up with exploitation kits that continually morph attack components
The Mitigation: • Use HIPS to focus on threat behaviors and flag anomalous activity on the host and/or network
7) Set a Secure Baseline Configuration
The Problem: • Security configurations are applied inconsistently across an enterprise • One weakly configured device can endanger the entire network
The Mitigation: • Establish baselines for various components in the enterprise that include approved and secure application and operating system configurations
8) Use Web DNS Reputation
The Problem: • Accessing the internet exposes hosts to attacks such as drive-by downloads
The Mitigation: • Screen web accesses against a commercial web domain rating service • Redirect dangerous web requests to a warning page
9) Take Advantage of Software Improvements
The Problem: • Out of date and unpatched software have vulnerabilities that can be exploited by an adversary
The Mitigation: • Apply updates in a timely manner to reduce vulnerability exposure
10) Segregate Networks & Functions
The Problem: • When an adversary gains access to the network they will move laterally and try to gain control of the whole network
The Mitigation: • Design the network architecture into separate segments based on role and functionality • Closely monitor user interactions between the segments
AE Checks
– Data Execution Prevention - prevents data from executing
– Address Space Layout Randomization - randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations
– Structured Exception Handler Overwrite Protection - prevents malware from overwriting entries in the structured exception handler chain and running malicious code referenced by that entry
– Kernel Null Page - prevents potential null dereference issues in user mode
– Certificate Padding - Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure
– Secure Search Path - blocks a DLL load from the current working directory if the current working directory is set to a remote folder