AUTOMATING MALWARE SANDBOX ANALYSIS WITH SPLUNK - RAINFOCUS
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
© 2018 SPLUNK INC. Automating Malware Sandbox Analysis With Splunk The accelerated Incident Response Nick Crofts | Senior Security SME Shafqat Mehmood – Manager Information Security Operations October 2018 | Version 2.0
© 2018 SPLUNK INC.
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.
© 2018 SPLUNK INC.
Who Are We?
Nick and Shaf
© 2018 SPLUNK INC.
Who is Nick?
Senior Security SME @Splunk (Melbourne Australia)
▶ Education
− BS in Business Systems – Monash University
− CISSP, CCNA, MCP
▶ Background
− Sales Engineer last 4 years, Splunk & RSA
− Security Engineer 10 years, SOC @ small MSSP
▶ Hobbies
− Snowboarding
− Long distance Running
− Keeping fit
− DLT / Blockchain / Cryptocurrencies
© 2018 SPLUNK INC.
Who is Shaf?
Manager Information Security Operations @ KPMG (Australia)
▶ Education
− PhD-(in progress) Artificial Intelligence
− Advance Computer Security Certificate
(Stanford University)
− Over 25 professional certifications
▶ Background
− Manager SOC last 3 years, KPMG
− Security Operations Specialist 10 years,
SOC @ Big 4’s
− Malware researcher
▶ Hobbies
− Aeromodeling
− Cycling, Skiing
− AI Research
© 2018 SPLUNK INC.
Agenda
Going Cuckoo with Malware Analysis
▶ Problem
▶ Before Splunk & Cuckoo / After Splunk & Cuckoo
▶ Cuckoo Sandbox
▶ Splunk Stream
− Stream 7.1, File Extraction
▶ Phantom Orchestration
▶ Use Cases
− Using Stream
− Symantec Endpoint Protection
▶ Demo
▶ Questions
© 2018 SPLUNK INC.
Problem
Lack of open source malware analysis
No in-house threat intelligence
Inefficient incident response
© 2018 SPLUNK INC.
Problem
▶ Open Source malware analysis ▶ Current State
• Lack off in house malware analysis capability • Manual process of collecting
• Skill deficiency • submitting and analyzing suspicious file samples.
• Management support - $$
• Company privacy policies
▶ Ideal end state
▶ In-House Threat Intelligence • Automated: using stream, cuckoo and Splunk.
• Inefficient threat management
• Time consuming – manual threat feed/IOC enrichment
• Ongoing staff education and engagement.
▶ -Incident Response
• People, process, technology and information.
• Preparedness, response and follow up activities.
© 2018 SPLUNK INC.
Before Splunk-Cuckoo
Incident Flow
▶ Bad File Every SOC’s worst nightmare, it’s time consuming!
False Positive
© 2018 SPLUNK INC.
Before Splunk Cuckoo
▶ Use case 1: Bad File. Every SOC’s worst nightmare, time consuming! (Hrs)
Malware Detected
Analyze Threat
Download Malware
Malware Analysis
Review Result
Blacklist/Whitelist the File
Close Incident
Time Line: Ave Response18 hours© 2018 SPLUNK INC.
Components of Solution
Going Cuckoo with Malware Analysis
▶ Cuckoo
▶ Splunk Stream
▶ Phantom© 2017 SPLUNK INC.
Cuckoo?
Cuckoo is an open source automated malware analysis system
▶ It can record the
following results
• Take memory dumps of
malware processes
• Network traffic traces
• Take screenshots during
execution
• Track files created,
deleted, downloaded or
encrypted© 2018 SPLUNK INC.
Cuckoo – Let’s Configure
Some tips for setting up Cuckoo
▶ Centos Desktop Server with Cuckoo installed
• Virtualbox needed for guests. Virtual box doesn’t like AWS
▶ Windows 7 and Windows 10 Guests
▶ Splunk and Cuckoo on same box originally - Both use Port 8000!
▶ Use isolated networks for testing!
▶ Malware samples downloaded from malware zoo to test. Careful, real malware
here!
• https://github.com/ytisf/theZoo
▶ One of the best guides for setting up cuckoo. Covers Masquerading guests,
packages needed, virtualbox config and tcpdump permissions
• https://blog.nviso.be/2018/04/12/painless-cuckoo-sandbox-installation/© 2018 SPLUNK INC. Splunk Stream
© 2018 SPLUNK INC.
Deploy, Collect & Monitor Data with Stream
Stream has two deployment ▶ New Content Extraction
architectures and two
collection methodologies Types (7.0)
• MD5 Hash: Automatic Hashing
▶ Deployment:
(Production) for files over HTTP and SMTP
• Out-of-band (stub) with tap or ▶ Targeted Packet Capture
SPAN port • Supports capture of full network
• In-line directly on monitored packets
host ▶ File Extraction for metadata
Streams
▶ Collection: (Lab) • Extract Content files from
• Technical Add-On (TA) with network
Splunk Universal Forwarder • SMTP and HTTP protocols
(UF)
• Download files for analysis
• Independent Stream
Forwarder using HTTP Event
Collector (HEC)© 2018 SPLUNK INC. Phantom How it saved us time
© 2018 SPLUNK INC.
Automation
• Automate repetitive tasks to force multiply team efforts.
• Execute automated actions in seconds versus hours.
• Pre-fetch intelligence to support decision making.© 2018 SPLUNK INC. Solution Overview
© 2018 SPLUNK INC.
Splunk Stream - Cuckoo Malware Sandbox
2 Use Case 1
3 - Suspicious file transferred over the network,
Malicious File
HTTP/HTTPS ES via HTTP/S
Tap/SPAN or
NFS SSH
- Splunk stream can decrypt any HTTPS
traffic, using SSL proxy cert.
Forwarder - All potentially malicious file types are sent to
NFS share. We filter out some here using
1 stream filters
- Splunk Correlation search matches on
indicators (threat intel) and sends key event to
phantom
Network Switch - Phantom initiates a playbook, and retrieves
file over SSH from NFS Share, sends to
cuckoo,
4 - Cuckoo sends results back to phantom
which determines if file is malicious.
- Loop closed and results sent back to
Splunk
Client
1 HTTP/S traffic between 2 Stream saves extracted 3 Correlation search sends 4 Phantom sends sample to
client and server directed payloads to NFS share. event to Phantom initiating cuckoo, determines if
towards Stream. a playbook that retrieves file malicious and creates
Added stream filters to and further filtering the list Notable event in Splunk
reduce volume of data. of samples sent to sandbox© 2018 SPLUNK INC. Demonstration Cuckoo / ES & Phantom Together
© 2018 SPLUNK INC.
(Malware) Quarantined to Symantec
Symantec – Cuckoo Malware Sandbox
Use Case 2
File - Suspicious file enters network via
1 3 USB.
USB - Symantec will detect a suspicious file
Key File with inconclusive results
- Symantec quarantines file or in some
C&C Logs cases marks as “left alone”
- Correlation rule creates incident in
2 Splunk for detecting an unknown
Client suspicious file which initiates Scrip/
ES phantom playbook to talk to cuckoo
- Cuckoo results fed back to Splunk /
ES
Logs
SEP Server
1 Symantec detects 2 Splunk correlation rule 3 Results of file detonation 4 Incident created in ES if
suspicious file from USB creates incident and go to both Splunk and malicious. Higher fidelity
and places in quarantine initiates Phantom Playbook, Phantom alert than before
which detonates the file
with cuckoo© 2018 SPLUNK INC. Demonstration
© 2018 SPLUNK INC. AV actions on Files
© 2018 SPLUNK INC. Files with Inconclusive Analysis by AV
© 2018 SPLUNK INC.
After Splunk-Cuckoo
▶ Welcome to Cuckoo Land What’s the response time?
PHANTOM
Malware
Detected Trigger
Script or Good File
Script Or Playbook
Playbook Whitelist the
Fetch
file
Hash
form
Endpoi
Bad File
nt
Close ES
File Submitted Incident
to Cuckoo
Result
Analysis >Splu
Adaptive Add IP to Black list the
nk Resposive Threat Intel Hash
2 Minutes 3 Minutes 1 Minute 1 Minute© 2018 SPLUNK INC. Files with Inconclusive Analysis by AV
© 2018 SPLUNK INC. Files with Inconclusive Analysis by AV
© 2018 SPLUNK INC. Submitting File to Cuckoo
© 2018 SPLUNK INC.
© 2018 SPLUNK INC.
© 2018 SPLUNK INC. Actioning the High Scores
© 2018 SPLUNK INC.
Backlisting the Hash
ssss© 2018 SPLUNK INC. Phantom Playbook
© 2018 SPLUNK INC. Cuckoo Reporting
© 2018 SPLUNK INC.
Cuckoo – Data into Splunk
▶ Cuckoo creates xml files, and json
▶ We installed splunk forwarder to monitor Reports directory
• Looking for report.json
▶ Props.conf
• Indexed_extractions= JSON
▶ All fields automatically extracted in Splunk to create reports© 2018 SPLUNK INC. Cuckoo Result in Splunk
© 2018 SPLUNK INC. Challenges Section subtitle goes here
© 2018 SPLUNK INC.
Challenges & Lessons Learnt
▶ Setting up Cuckoo sandbox securely, tcpdump, sandbox detection, guest isolation.
Build Vs Buy?
▶ Networking for guest machines. Most issues reported to cuckoo support are virtual
machine network related.
▶ Filtering Stream sessions affectively
• Only specific files Cuckoo accepts such PDF, Binaries
• We set Max size to 5mb
• Threat feeds, uncategorized websites with high risk score but not blocked
• Phantom to filter further before sending to cuckoo, otherwise too much noise.
• EG check further threat intel, check what your AV thought about the file before detonating. Use all your tools!
• Roll the NFS directory after 3 days© 2018 SPLUNK INC.
Challenges & Lessons Learnt
▶ Use Zer0m0n, driver for cuckoo that performs kernel analysis. Helps with known
usermode bypass issues. https://github.com/angelkillah/zer0m0n
▶ Cuckoo automation scripts help but don’t get you the whole way
▶ SSL encrypted traffic would prove difficult but doable!
• Decryption Certificate needed for stream.
• Stream encrypts this in its store
• Tap fabric would make life easy
▶ Phantom made life even easier
• Initially used scripts to SEP API
• Wrote a script that monitored Stream directory and submitted manually via REST api to
cuckoo© 2018 SPLUNK INC.
References
▶ Use Zer0m0n, driver for cuckoo that performs kernel analysis. Helps with known
usermode bypass issues. https://github.com/angelkillah/zer0m0n
• Sandbox API https://pypi.org/project/sandboxapi/
• Cuckoo API https://github.com/keithjjones/cuckoo-api
• Python Sandbox API https://github.com/InQuest/python-sandboxapi
• Malware Samples: http://dasmalwerk.eu/
• Free MS Virtual Machine Images: https://github.com/magnetikonline/linux-microsoft-ie-virtual-
machines/blob/master/README.md#general-notes
“C:\> slmgr /ato” will give you 90 day trial.
• Symantec Rest API https://apidocs.symantec.com/home/saep© 2018 SPLUNK INC.
Q&A
Nick Crofts| Senior Security SME
Shafqat Mehmood | SOC Manager© 2018 SPLUNK INC.
Thank You
Don't forget to rate this session
in the .conf18 mobile appYou can also read
