conf2015 sami final 150908 - SplunkConf

Page 1

Copyright © 2015 Splunk Inc.

NSA Information Assurance Directorate Cyber Defense R&T Team

SAMI - Splunk Assessment of Mitigation Implementations

Page 2

Disclaimer

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 3

Agenda

• IAD Top 10 Mitigations
• SAMI – Using Splunk to measure mitigations
• Network vulnerability scoring

Page 4

National Security Agency Information Assurance Directorate

• “Confidence in Cyberspace”
• “Protect Information – Outmaneuver Cyber Adversaries”
• Enable informed risk decisions through analysis and fusion of cyber battlespace awareness, threat, technology vulnerabilities, and deployed mitigations.
• Cyber Defense Research & Technology – Focus on assessing and prioritizing mitigation

Page 5

Network Compromise

(diagram: workstation, domain, AD root domain and domain controllers, with the compromise chain below)

1 - Initial Access (Get in)
2 - Expand Access (Stay in)
3 - Obtain Domain Admin credentials
4 - Obtain Enterprise Admin credentials
5 - Other Enterprise domains
6 - Data Exfiltration Damage (Act)

Page 6

Drive Down Adversary’s Impact

(chart: Impact/Depth of Access versus Time. Time axis: 0 day, 1 day, 1 week, 2 weeks, 1 month, 2 months, 6 months. Impact axis: None, Workstation, All Workstations, Critical IP Accounts, Domain Root, Enterprise Root; the top of the curve is labelled “Ownership of the Enterprise”)

Page 7

Drive Down Adversary’s Impact

(the same chart, annotated with the outcomes the mitigations aim for)

• Prevent ability to maintain access – minimize impact
• Detected, access eliminated
• Held to workstation access/user privileges
• Held at domain level

Page 8

Network Compromise

(the compromise chain from Page 5, with ✗ marks showing where mitigations break the chain)

1 - Initial Access (Get in)
2 - Expand Access (Stay in)
3 - Obtain Domain Admin credentials
4 - Obtain Enterprise Admin credentials
5 - Other Enterprise domains
6 - Data Exfiltration Damage (Act)

Page 9

IAD Mitigation Goals

(the same chain, with each ✗ labelled by the mitigation goal that produces it)

• Device Integrity
• Defense of Accounts
• Secure avail transport (appears at two points in the chain)
• Damage containment

Page 10

IAD Top 10 Mitigations

1) Application Whitelisting – A proactive security technique that allows a limited set of approved programs to run

2) Control Administrative Privileges – Network owners should only grant Administrator privileges when absolutely necessary and should take steps to ensure Administrator accounts are not exposed to the Internet and other sources of increased risk.

3) Limit Workstation-to-Workstation Communication – One scalable and highly effective mitigation involves limiting workstation-to-workstation communication, thereby thwarting an attacker’s ability to leverage PtH to move laterally within the network.

4) Use Anti-Virus File Reputation Services – Most of today’s host security products augment their product’s core host controls with intelligence from cloud-hosted threat databases.

5) Enable Anti-Exploitation Features – Many operating systems and applications have advanced anti-exploitation and sandboxing features that should be harnessed to defend against common attacks.

Page 11

IAD Top 10 Mitigations

6) Implement Host Intrusion Prevention System (HIPS) rules – For an enterprise with a well configured and managed network, HIPS can be tuned to learn and allow normal network functionality while flagging anomalies characteristic of intrusions.

7) Set a Secure Baseline Configuration – This includes generation of standard images which provide approved and secured application and operating system configurations with layered security containing best practice mitigation strategies to counter cyber threats.

8) Use Web Domain Name System (DNS) Reputation – Enterprises can protect their hosts by screening web accesses against such services and redirecting dangerous web requests to a warning page.

9) Take Advantage of Software Improvements – Operating systems and application software routinely have security upgrades through new versions and intermediate patches.

10) Segregate Networks and Functions – Plan for the possibility of a successful intrusion and design the network architecture and management procedures to separate segments based on role and functionality.

Page 12

IAD Top 10 Mitigations

• Detailed information available at https://www.nsa.gov/ia/mitigation_guidance

Page 13

SAMI

Page 14

SAMI – Splunk Assessment of Mitigation Implementations

• SAMI – An App built to assess IAD Top 10 Mitigations
  – Audit and track implementation and effectiveness
  – You can apply techniques to build your own
• Experience has shown mitigations aren’t always implemented consistently or correctly.

Page 15

SAMI

• Goals
• Approach
• Architecture
• Initial 7 metrics with examples

Page 16

SAMI Goals

• Evaluate implementation of mitigations using machine data
• Track progress deploying mitigations
• Track and report security posture
• Identify configuration drift
• Identify specific actions to improve security posture

Page 17

SAMI Approach

• Identify desired mitigation behaviors
• Determine whether to test specific configurations or behaviors
• Identify critical settings or behaviors to measure
• Identify required data objects and conditions
• Determine efficient collection method – Native Splunk capabilities or custom scripts
• Build searches to interpret the data
• Prioritize results

Page 18

Mitigation Evaluation

• Supported by hardware and OS
• Installed
• Updated
• Turned on
• Configured
• Demonstrating expected behavior

Page 19

SAMI Architecture

• Target Windows endpoints only
• Some checks assume a specific solution
• Splunk Universal Forwarders on all endpoints
• Deployment server – TA-SAMI app includes scripts and inputs.conf to guide collection
• Indexer/Search head

Page 20

Collection & Analysis

• Regmon, WMI, WinHostMon
• Custom scripts – CPUID – PE Header – DNS query – Port scan – LDAP query
• Evaluation of collected values encoded in Splunk search
• Criteria evaluated and saved to summary indexes as conditions and penalties

Page 21

Attack Lifecycle, Mitigation Goals and SAMI Metrics

(diagram: the attack lifecycle stages recon, exploit, establish persistence, install tools, move laterally, collect/exfil/destroy, mapped against the four mitigation goals and the SAMI metrics that measure them)

Mitigation Goals: Device Integrity; Defense of Accounts; Damage Containment; Secure and Available Transport

SAMI Metrics:
• Anti-Exploitation Features
• Host Intrusion Prevention System
• Application Whitelisting
• Modern Operating System
• Anti-Virus File Reputation Services
• Workstation-to-Workstation Communications
• Control Admin Privileges

Page 22

Anti-Exploitation Features (5) – mitigation goal: Device Integrity

• Provides protection against exploits in a broad, generic manner – May mitigate zero-day attacks
• Microsoft Enhanced Mitigation Experience Toolkit (EMET)
  – DEP – Data Execution Prevention
  – ASLR – Address Space Layout Randomization
  – SEHOP – Structured Exception Handler Overwrite Protection
  – Kernel Null Page
• Other key features – Certificate Padding – Secure Search Path
• Some settings per app; 50 common executables of main interest – Office, 7-Zip, IE, Adobe Reader, Skype, etc.
• Collection: Registry keys, WMI, CPUID, PE Header, custom script

Page 23

Anti-Exploitation - DEP

• Data Execution Prevention – Helps prevent exploits that execute code in data memory (e.g., buffer overflow)
• Some features dependent on hardware and OS
• Better to check settings configured by EMET rather than EMET policy itself

Page 24

Anti-Exploitation - DEP

• OS supports DEP – HW supports DEP
• DEP enabled (x32, x32 on x64)
  – DEP configured appropriately (x32, x32 on x64)
  – DEP not overridden for installed software
  – Installed software not opted in for DEP | opted out for DEP

Page 25

Installed Software Not Opted In for DEP

• An application of interest (archive apps, browsers, communication app, document viewers/editors, media viewers/players, Java, etc.) is not opted in for DEP
  – Check configuration for every app
  – Config of last resort – DEP should really be “always on” or “opt out”
• Only 32-bit sw (DEP applies to 64-bit sw by default)
• Policy not overridden (for all or per sw)

Page 26

SW Not Opted In for DEP

• Mitigation options from registry – HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Kernel\MitigationOptions
• DEP Policy from registry – HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions
• List of SW of interest from script – Recursive search for specific EXEs (e.g., iexplore.exe, AcroRd32.exe)
• SW details (bits, nxcompat) from script – Custom script to inspect PE Header – IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
• SW details (mitigation options, execute options) from registry
  – HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\MitigationOptions
  – HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[app exe name]\executeOptions

Page 27

Anti-Exploitation Collection

• SAMI currently uses a custom exe to collect all data – A variety of objects are checked

inputs.conf

[script://$SPLUNK_HOME\etc\apps\sami\bin\ae.bat]
disabled = false
interval = 86400
index = sami_script

[monitor://C:\Windows\System32\ae.txt]
index = sami_script
sourcetype = samiAE

Page 28

Anti-Exploitation Collection

Sample collector output (ae.txt):

pae: YES depPolicy: OptIn ableToMapNullPage: No hotFix: KB2893294 app_path="C:\Program Files\Internet Ex… nxcompat: YES ...

Where each value comes from:

• CPUID – EAX=1 (EDX bit 6)
• WMI – select * from Win32_QuickFixEngineering
• Test effect – DWORD *pNullPage = NULL;
• PE Header – IMAGE_OPTIONAL_HEADER – IMAGE_DLLCHARACTERISTICS_NX_COMPAT
• Registry – HKLM\SYSTEM\CCS\Control\SystemStartOptions

Page 29

App Not Opted In for DEP

• Find all 32-bit applications with data
• Determine the app mitigation options policy (0x3 & mitigationOptions)
  – Extract value from hex
  – Use “mod 4” since there is no bitwise “and”
  – Fill missing values; evaluate only apps where =0
• Evaluate only if system DEP policy is “OptIn”
• Apply logic – app passes if nxcompat=YES or executeOptions=0
• Check policy override not set – (System mitigation options & 4) >> 2
  – Use ÷4, mod 2 since there is no bitwise “and” or bit shift
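The evaluation described on Pages 25-29, written out as an added Python example rather than the SAMI app's own SPL search, so the "mod 4" and "÷4, mod 2" arithmetic can be checked against the registry values it stands in for. The sample records, the PENALTY weight and the treatment of a missing executeOptions value as "not set" are assumptions; the collector lines follow the key: value style of the ae.txt sample on Page 28.

```python
import re

# Constructed sample records (not real SAMI collector output) in the key: value style
# of the ae.txt sample on Page 28: one system record per host plus its application records.
SYSTEM_RECORDS = [
    "host: WS01 depPolicy: OptIn mitigationOptions: 0x00000000",
    "host: WS02 depPolicy: OptIn mitigationOptions: 0x00000004",      # override bit set
    "host: WS03 depPolicy: AlwaysOn mitigationOptions: 0x00000000",
]
APP_RECORDS = [
    'host: WS01 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO',
    'host: WS01 app_path="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" bits: 32 nxcompat: YES',
    'host: WS01 app_path="C:\\Program Files (x86)\\7-Zip\\7z.exe" bits: 32 nxcompat: NO executeOptions: 0',
    'host: WS01 app_path="C:\\Program Files\\Java\\bin\\java.exe" bits: 64 nxcompat: NO',
    'host: WS01 app_path="C:\\Tools\\legacy.exe" bits: 32 nxcompat: NO mitigationOptions: 0x00000001',
    'host: WS02 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO',
    'host: WS03 app_path="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" bits: 32 nxcompat: NO',
]
PENALTY = 0.9  # constructed weight; the real SAMI penalty values are not on the slides

FIELD_RE = re.compile(r'(\w+)[:=]\s*(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split a 'key: value' collector line into a dict; quoted values may contain spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def dep_bits(mitigation_options):
    """Per-app DEP policy = low two bits of MitigationOptions (0x3 & value).
    SPL has no bitwise AND, so the slide uses 'mod 4'; the same arithmetic is used here."""
    return int(mitigation_options, 16) % 4


def override_bit(mitigation_options):
    """System policy override flag = (value & 4) >> 2, computed as ÷4 then mod 2 as on the slide."""
    return (int(mitigation_options, 16) // 4) % 2


def app_opted_in(app):
    """Page 29 rule: the app passes if it is NX-compatible or opted in via executeOptions = 0.
    Assumption: a missing executeOptions value counts as 'not set'."""
    return app.get("nxcompat") == "YES" or app.get("executeOptions") == "0"


def evaluate(system_records, app_records):
    """Return (host, app_path, finding, penalty) for each 32-bit app of interest that is not
    opted in for DEP on a host whose DEP policy is OptIn and not overridden."""
    systems = {}
    for line in system_records:
        rec = parse_record(line)
        systems[rec["host"]] = rec
    findings = []
    for line in app_records:
        app = parse_record(line)
        sysrec = systems.get(app["host"])
        if sysrec is None or sysrec.get("depPolicy") != "OptIn":
            continue  # AlwaysOn / OptOut already cover every process
        if override_bit(sysrec.get("mitigationOptions", "0x0")):
            continue  # policy overridden system-wide: outside this check's precondition
        if app.get("bits") != "32":
            continue  # DEP applies to 64-bit software by default
        # Fill a missing per-app value with 0 and evaluate only apps that defer to system policy
        if dep_bits(app.get("mitigationOptions", "0x0")) != 0:
            continue
        if not app_opted_in(app):
            findings.append((app["host"], app["app_path"], "app not opted in for DEP", PENALTY))
    return findings


if __name__ == "__main__":
    for host, path, finding, penalty in evaluate(SYSTEM_RECORDS, APP_RECORDS):
        print(f"{host}\t{finding}\t{penalty}\t{path}")
```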

Page 30

Actionable Results

• Opt In application in question
• Upgrade app for DEP
• Override policy
• Set system mitigation options
• Alternatives – Change DEP policy – Uninstall application

Page 31

Host Intrusion Prevention System (6) – mitigation goal: Device Integrity

• Proactive mitigation to identify and block suspicious activity – Doesn’t include host firewall or registry monitor configurations
• Collection: Regmon, WMI (or WinHostMon://Services)
• McAfee only

Page 32

Host Intrusion Prevention System (6)

• Current version of HIPS is installed
• HIPS Service is running
• HIPS Service starts by default
• HIPS Content is current
• HIPS is enabled and in enforcement (not audit) mode
• Reaction mode is set to prevent for high and medium severity events; log for low severity events

Page 33

Application Whitelisting (1) – mitigation goal: Device Integrity

• Blocks most current malware
• Prevents use of unauthorized applications
• Does not require daily definition updates
• Requires standardized process for administrator installation and approval of new application
• Path-based AW avoids problem of identifying every program

Page 34

Application Whitelisting (1)

• Desired effect – prevent unauthorized software execution
• Testing settings vs. testing behavior (method vs. effect)
  – Specific products limit applicability
  – Permissions problem with testing behavior
• Focus – SRP, AppLocker – Path-based whitelisting

Page 35

Application Whitelisting - SRP

• Configured for whitelisting mode
• Policy applies to users and administrators
• Policy applies to EXEs and DLLs
• Default executable types exist
• Required path-based whitelisting rules exist
• Required path-based blacklisting rules exist
• No unenforced rules (audit or inert)

Page 36

SRP Required Blacklisted Paths

• Blacklist paths included in required whitelist paths [1]
  – These are writeable by more Windows groups (users, auth users, everyone)
  – Non-admins should not execute from these paths
• %SystemRoot%\Debug
• %SystemRoot%\Temp
• %SystemRoot%\System32\Tasks
• … (16 total)

1. https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Page 37

SRP Required Blacklisted Paths

• SRP configured in local or group policy
• Blacklist paths stored in the registry

inputs.conf

[WinRegMon://SRPBlacklisted]
baseline = 1
baseline_interval = 86400
disabled = 0
proc = .*
hive = \\REGISTRY\\MACHINE\\software\\policies\\microsoft\\windows\\safer\\codeidentifiers\\0\\.*\\itemdata*
index = regmon
type = set|create|open|delete

Page 38

Regmon

• Baseline collected only on splunkd restart when last collection time more than baseline_interval in the past
• Baseline timestamp is time of last key mod, NOT time of collection – Will see identical (including time) events
• key_path prefix
  – REGISTRY\MACHINE (baseline)
  – HKLM (set|create|open|delete)
• No regex, no subnodes or values
• Collect only what you need to limit license impact

Page 39

SRP Required Blacklisted Paths (find the absence of something)

• Get a list of current hosts
• For each host, make a list of expected blacklist paths
• From the registry, get a list of all blacklisted paths – join this list by host and path to get a distinct list of paths by host
• Entries not found in the registry will have null key paths
• Null paths => required path that doesn’t exist => penalty

Host   | Required Path      | Registry Path
ABCDEF | %SystemRoot%\Debug | %hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%\debug
ZYXWVU | %SystemRoot%\Debug | 0
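The "find the absence of something" join above, as an added Python example (not the SAMI app's search): expected host/path pairs are left-joined to what Regmon saw, a missing registry path becomes 0 in the table and a penalty. The hosts, the three-path subset, the Regmon values and the PENALTY weight are constructed; the prefix normalisation assumes the expanded %hkey_local_machine\...\systemroot% form shown in the table is how every SystemRoot path is stored.

```python
# Constructed sample data; not real Regmon events or SAMI output.
HOSTS = ["ABCDEF", "ZYXWVU", "QRSTUV"]           # current hosts; QRSTUV has a forwarder but sent no data
REQUIRED_PATHS = [                                # 3 of the 16 required blacklist paths on Page 36
    r"%SystemRoot%\Debug",
    r"%SystemRoot%\Temp",
    r"%SystemRoot%\System32\Tasks",
]
# SRP stores %SystemRoot% in ItemData expanded to this registry-backed form (Page 39 table).
ALIAS = r"%hkey_local_machine\software\microsoft\windows nt\currentversion\systemroot%"
REGISTRY_EVENTS = [                               # (host, ItemData value seen by Regmon)
    ("ABCDEF", ALIAS + r"\debug"),
    ("ABCDEF", ALIAS + r"\temp"),
    ("ABCDEF", ALIAS + r"\temp"),                 # baseline events repeat verbatim (Page 38)
    ("ABCDEF", ALIAS + r"\system32\tasks"),
    ("ZYXWVU", ALIAS + r"\temp"),
]
PENALTY = 0.8  # constructed weight; the real SAMI penalty values are not on the slides


def normalise(path):
    """Lower-case and collapse the expanded SystemRoot prefix so that the required-path
    list and the Regmon values join on the same key."""
    p = path.lower()
    if p.startswith(ALIAS):
        p = "%systemroot%" + p[len(ALIAS):]
    return p


def missing_blacklist_paths(hosts, required, events):
    """Left-join expected (host, path) pairs to what Regmon saw ('join by host and path').
    Returns the slide's table rows (registry path, or 0 when absent, i.e. fillnull) and
    one finding per required path that does not exist on the host."""
    seen = {}
    for host, item in events:
        seen.setdefault((host, normalise(item)), item)   # distinct list of paths by host
    rows, findings = [], []
    for host in hosts:
        for req in required:
            item = seen.get((host, normalise(req)))
            rows.append((host, req, item if item is not None else 0))
            if item is None:                               # null registry path => penalty
                findings.append((host, "SRP required blacklist path missing: " + req, PENALTY))
    return rows, findings


if __name__ == "__main__":
    rows, findings = missing_blacklist_paths(HOSTS, REQUIRED_PATHS, REGISTRY_EVENTS)
    for row in rows:
        print("\t".join(str(col) for col in row))
    for host, finding, penalty in findings:
        print(f"{host}\t{finding}\t{penalty}")
```

A host that is known but has sent no Regmon data at all (QRSTUV here) shows up as missing every required path, which is the Page 55 point about verifying host data is current before trusting a penalty.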

Page 40

Actionable Results

• Searches result in a list of hostname, finding, and penalty
• Penalties help prioritize fixes for each host
• Findings each have specific fixes
• SRP required blacklist paths fix - add required paths

Page 41

Modern OS – Take advantage of software improvements (9) – mitigation goal: Device Integrity

• Are hosts running the latest OS? – New versions incorporate new security features
• High impact, high cost, infrequent change
• OS version and service pack evaluated with registry keys
• OS/architecture/role data used as a lookup for other metrics (|outputlookup) – Defines which hosts should be evaluated
• Doesn’t include checking patches or applications

Page 42

Anti-Virus File Reputation Services (4) – mitigation goal: Device Integrity

• AV Cloud Lookup to leverage large catalog of file reputations – More timely and more complete coverage
• Requires configuration checks and connectivity checks
• Collection: Regmon, custom script (DNS query)
• SAMI implements checks for McAfee only

Page 43

Anti-Virus File Reputation Services (4)

• Server reachable
• Cloud lookup enabled
• Sensitivity high – Desktop protection, email scanner, on delivery, on access
• DAT current
• AV engine current
• VSE (VirusScan Enterprise) current
• Service installed
• Service running
• Service automatic

Page 44

Workstation-to-Workstation Communications (3) – mitigation goals: Damage Containment; Secure and Available Transport

• Limits attackers’ freedom of movement via techniques such as PtH and credential reuse – Aids detection of malicious activity
• Collection: custom script (port scan neighbors)
• Large-scale port scanning, requires a target list; scans only three ports
• W-to-W connections should fail

Page 45

Control Admin Privileges (2) – mitigation goals: Defense of Accounts; Damage Containment

• Domain admin privileges should only be used on limited systems to prevent exposure
• Collection: custom script (list domain admins, check logs for logons)
• Should not find domain admin logons on workstations

Page 46

SAMI app

• Endpoint custom scripts run daily, results indexed; Regmon, WinHostMon running and indexing
• Searches to analyze data and assign penalties run daily -> summary index
• Daily summary data -> summary index
• Views computed off summary indexes

Pages 47-49

(sample data screenshots)

Page 50

Network Vulnerability Scoring

Page 51

Network Vulnerability Scoring

• SAMI evaluates mitigation configurations for each host
• Turn evaluation findings into prioritized actionable instructions – Use data to drive desired behavior
• Report security posture
• Provide network owners comparison with peers
• DoD, DHS, others have existing automated scoring systems for prioritizing patching and configuration – Expand to include all mitigations data

Page 52

Automated Scoring

• Existing systems have lists of requirements to check
  – Each requirement has a normalized weight
  – Checks per host aggregated by network and owning organization
• Average scores per host graded on a curve – Organizations see where they rank among peers
• Raw scores used to identify prioritized tasks to improve

Page 53

Automated Scoring with SAMI

• Normalize weights across mitigations
• Normalize weights with existing compliance-oriented checks
• Identify areas where mitigations replace existing compliance checks in part or in full
• Balance scores across mitigation goals / attack lifecycle – Success in any one category alone does not make a secure network

Page 54

SAMI Summary

• SAMI provides health and status rather than incident detection
• SAMI app will be available soon – Detailed documentation of the business logic and source code for existing scripts will be included – Everything will be open source
• Mitigations for the four mitigation goals are a useful part of measuring network health; build additional measures to evaluate your own status

Page 55

SAMI Lessons Learned (Bonus)

• Verify host data is current – Identify missing hosts (forwarders but no recent data) – Fixing the data stream is a top priority
• SUF auditing – Use other data sources to make sure all hosts have SUFs
• Summary indexing – Especially useful for data that doesn’t change often and can be slow to search

Page 56

SAMI Lessons Learned (Bonus) – stats product(x)

• Initial scoring model required multiplying penalties to produce score – Each penalty reduced score by a fraction
• Data table - host, fault, penalty – Need to multiply penalties together for each host – Would be easy if it were a sum (stats sum(penalty) by host)
• Solution – Create MV field and multiply each item:
  | stats list(penalty) as penlist by host | eval Score=tonumber(mvindex(penlist,mvcount(penlist)-1),1) * tonumber(mvindex(penlist,mvcount(penlist)-2),1) * tonumber(mvindex(penlist,mvcount(penlist)-3),1)…
• Limitation – only good for the number of items checked
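The multiplicative scoring and its fixed-term limitation, as an added Python example (not the SAMI app's SPL): score_fixed_terms mirrors the slide's eval of the last three mvindex items, score_all_terms multiplies however many penalties a host has, and score_via_logs goes one step beyond the slide by showing the sum-of-logs form that would fit a stats sum() aggregation. The findings table and its penalty fractions are constructed.

```python
import math

# Constructed findings table (host, fault, penalty); not SAMI data. Each penalty is the
# fraction by which one finding reduces the host's score in the slide's initial model.
FINDINGS = [
    ("WS01", "app not opted in for DEP", 0.9),
    ("WS01", "SRP required blacklist path missing", 0.8),
    ("WS01", "HIPS in audit mode", 0.7),
    ("WS01", "DAT not current", 0.95),
    ("WS02", "DAT not current", 0.95),
]


def penalty_lists(findings):
    """The slide's '| stats list(penalty) as penlist by host' step."""
    penlists = {}
    for host, _fault, penalty in findings:
        penlists.setdefault(host, []).append(penalty)
    return penlists


def score_fixed_terms(penlist, terms=3):
    """The slide's eval: multiply the last `terms` items of the MV field
    (mvindex(penlist, mvcount(penlist)-1) * ... ). This is the limitation the slide
    names: findings beyond `terms` are silently left out of the score. Items that do
    not exist are skipped here; the SPL expression has no such guard."""
    score = 1.0
    for i in range(1, terms + 1):
        idx = len(penlist) - i
        if idx >= 0:
            score *= penlist[idx]
    return score


def score_all_terms(penlist):
    """General form: multiply every penalty, however many there are."""
    return math.prod(penlist)


def score_via_logs(penlist):
    """Same product expressed as a sum, the shape 'stats sum(...) by host' can aggregate:
    exp(sum(ln p)). Valid for penalties > 0, which fractions in (0, 1] are."""
    return math.exp(sum(math.log(p) for p in penlist))


def score_hosts(findings, terms=None):
    """Score every host; terms=None multiplies all penalties, terms=n mimics the fixed eval."""
    return {
        host: (score_all_terms(pl) if terms is None else score_fixed_terms(pl, terms))
        for host, pl in penalty_lists(findings).items()
    }


if __name__ == "__main__":
    for host in sorted(penalty_lists(FINDINGS)):
        print(host, score_hosts(FINDINGS, terms=3)[host], score_hosts(FINDINGS)[host])
```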

Page 57

THANK YOU – CD R&T Team

Page 58

Backup Slides

Page 59

1) Implement Application Whitelisting

(diagram: spearphishing e-mails with malware, websites with malware, malware on removable media)

The Problem:
• Compromise from malware delivered via e-mail, websites, and removable media

The Mitigation:
• Allow only approved software
• Block most common attack vectors and zero-day malware
• Provide application installation control

2) Control Administrative Privileges
The Problem:
• Compromise of privileged accounts and/or privilege escalation can lead to compromise of critical systems and information
The Mitigation:
• Grant admin privileges only when necessary
• Don't allow admin accounts to be exposed to the Internet
• Implement two-factor authentication
(Diagram of privilege tiers: Internet, User Workstations, Management Workstations, Trusted Critical Servers, Domain Controllers, Domain Management Workstations)

3) Limit Workstation-to-Workstation Communication
The Problem:
• Compromised devices are used to springboard to other devices, grabbing higher-privileged credentials along the way
The Mitigation:
• Deny local account logon across the network
• Restrict lateral movement on the network with access control lists
(Diagram of communication paths between Local Workstations, All Workstations, Admin Workstation, All Servers and Domain Controller)

4) Use Anti-Virus File Reputation Services
The Problem:
• Anti-virus signature files are not updated in real time
• Host protection products rely on the cloud for full coverage
The Mitigation:
• Leverage real-time intelligence from cloud-hosted threat databases

5) Enable Anti-Exploitation Features
The Problem:
• Malware exploits software vulnerabilities
• Zero-days
The Mitigation:
• Use operating system and application anti-exploitation and sandboxing features such as EMET (Enhanced Mitigation Experience Toolkit)

6) Implement Host Intrusion Prevention System (HIPS) Rules
The Problem:
• Standard signature-based host defenses don't defend against zero-days and can't keep up with exploitation kits that continually morph attack components
The Mitigation:
• Use HIPS to focus on threat behaviors and flag anomalous activity on the host and/or network

7) Set a Secure Baseline Configuration
The Problem:
• Security configurations are applied inconsistently across an enterprise
• One weakly configured device can endanger the entire network
The Mitigation:
• Establish baselines for the various components in the enterprise that include approved and secure application and operating system configurations

8) Use Web DNS Reputation
The Problem:
• Accessing the Internet exposes hosts to attacks such as drive-by downloads
The Mitigation:
• Screen web accesses against a commercial web domain rating service
• Redirect dangerous web requests to a warning page

9) Take Advantage of Software Improvements
The Problem:
• Out-of-date and unpatched software has vulnerabilities that can be exploited by an adversary
The Mitigation:
• Apply updates in a timely manner to reduce vulnerability exposure

10) Segregate Networks & Functions
The Problem:
• When an adversary gains access to the network they will move laterally and try to gain control of the whole network
The Mitigation:
• Design the network architecture into separate segments based on role and functionality
• Closely monitor user interactions between the segments

AE (Anti-Exploitation) Checks

• Data Execution Prevention (DEP) - prevents memory marked as data from being executed
• Address Space Layout Randomization (ASLR) - randomizes the addresses at which modules are loaded, so an attacker cannot rely on code or data being at predictable locations
• Structured Exception Handler Overwrite Protection (SEHOP) - prevents malware from overwriting entries in the structured exception handler chain and executing malicious code referenced by an overwritten entry
• Kernel Null Page - prevents exploitation of potential null-pointer dereference issues in user mode by preventing the null page from being mapped
• Certificate Padding - Windows Authenticode signature verification no longer allows extraneous information in the WIN_CERTIFICATE structure
• Secure Search Path - blocks a DLL load from the current working directory if the current working directory is set to a remote folder
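As an added example (not from the SAMI deck), here is one way to turn the checks above into per-host fault rows from a collected configuration snapshot, in Python. The snapshot format, the field names, the penalty values and the fault names are assumptions for this example; the setting names in the comments are the Windows registry and WMI values conventionally used to verify each mitigation, but treat the expected values as a starting point to confirm against your own baseline rather than as the deck's checks. The rows it emits have the same (host, fault, penalty) shape as the scoring table from the lessons-learned slides.

```python
"""Added example (not part of the SAMI deck): turning AE check results
from a per-host configuration snapshot into (host, fault, penalty) rows."""

# Each check: (fault name, setting key in the snapshot, pass predicate, penalty).
# Setting keys are assumed names for values collected from the host (for
# example by a scripted input).  Expected values follow the Windows
# registry/WMI settings used to verify each mitigation; confirm them
# against your own baseline before scoring with them.
AE_CHECKS = [
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 1 = AlwaysOn and 3 = OptOut are acceptable; 0 = AlwaysOff, 2 = OptIn are not.
    ("dep_not_enforced", "DataExecutionPrevention_SupportPolicy",
     lambda v: v in (1, 3), 0.8),
    # Session Manager\Memory Management\MoveImages: 0 disables ASLR system-wide.
    ("aslr_disabled", "MoveImages", lambda v: v != 0, 0.7),
    # Session Manager\kernel\DisableExceptionChainValidation: 0 = SEHOP on.
    ("sehop_disabled", "DisableExceptionChainValidation", lambda v: v == 0, 0.9),
    # Session Manager\Memory Management\EnableLowVaAccess: 0 = null page
    # cannot be mapped (assumed expected value; verify on your platform).
    ("null_page_mappable", "EnableLowVaAccess", lambda v: v == 0, 0.9),
    # Cryptography\Wintrust\Config\EnableCertPaddingCheck: the string "1" enforces.
    ("cert_padding_unchecked", "EnableCertPaddingCheck",
     lambda v: str(v) == "1", 0.95),
    # Session Manager\CWDIllegalInDllSearch: 2 blocks a remote CWD,
    # 0xFFFFFFFF blocks the CWD entirely; either is acceptable.
    ("cwd_dll_search_allowed", "CWDIllegalInDllSearch",
     lambda v: v in (2, 0xFFFFFFFF), 0.95),
]

# Penalty for a setting that was not collected at all.  The state is
# unknown, and an unverified mitigation must not be scored as present.
MISSING_PENALTY = 0.9


def evaluate_host(host, snapshot, checks=AE_CHECKS):
    """Return (host, fault, penalty) rows for every failed or unverifiable check."""
    faults = []
    for fault, key, passes, penalty in checks:
        if key not in snapshot:
            faults.append((host, f"{fault}:not_collected", MISSING_PENALTY))
        elif not passes(snapshot[key]):
            faults.append((host, fault, penalty))
    return faults


# Constructed snapshots: one hardened host, one with gaps.
SNAPSHOTS = {
    "ws01": {
        "DataExecutionPrevention_SupportPolicy": 3, "MoveImages": 1,
        "DisableExceptionChainValidation": 0, "EnableLowVaAccess": 0,
        "EnableCertPaddingCheck": "1", "CWDIllegalInDllSearch": 0xFFFFFFFF,
    },
    "ws02": {  # DEP opt-in only, SEHOP switched off, cert padding not collected
        "DataExecutionPrevention_SupportPolicy": 2, "MoveImages": 1,
        "DisableExceptionChainValidation": 1, "EnableLowVaAccess": 0,
        "CWDIllegalInDllSearch": 2,
    },
}


def evaluate_all(snapshots=SNAPSHOTS):
    """Fault rows for every host, in host order, ready for the scoring table."""
    return [row for host, snap in sorted(snapshots.items())
            for row in evaluate_host(host, snap)]


if __name__ == "__main__":
    for host, fault, penalty in evaluate_all():
        print(f"{host}\t{fault}\t{penalty}")
```

The design choice worth keeping is the `:not_collected` row: a check whose input never arrived is reported as its own fault rather than silently passing, which is the host-level counterpart of the missing-forwarder lesson.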