AUTOMATING MALWARE SANDBOX ANALYSIS WITH SPLUNK - RAINFOCUS

Page created by Christopher Kim
 
© 2018 SPLUNK INC.

Automating Malware Sandbox Analysis With Splunk
The Accelerated Incident Response

Nick Crofts | Senior Security SME
Shafqat Mehmood | Manager Information Security Operations
October 2018 | Version 2.0

Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.

Who Are We?
Nick and Shaf

Who is Nick?
Senior Security SME @ Splunk (Melbourne, Australia)

▶   Education
      − BS in Business Systems – Monash University
      − CISSP, CCNA, MCP

▶   Background
      − Sales Engineer last 4 years, Splunk & RSA
      − Security Engineer 10 years, SOC @ small MSSP

▶   Hobbies
      − Snowboarding
      − Long distance Running
      − Keeping fit
      − DLT / Blockchain / Cryptocurrencies

Who is Shaf?
Manager Information Security Operations @ KPMG (Australia)

▶   Education
      − PhD (in progress), Artificial Intelligence
      − Advanced Computer Security Certificate (Stanford University)
      − Over 25 professional certifications

▶   Background
      − Manager SOC last 3 years, KPMG
      − Security Operations Specialist 10 years,
        SOC @ Big 4’s
      − Malware researcher

▶   Hobbies
      − Aeromodeling
      − Cycling, Skiing
      − AI Research

Agenda
Going Cuckoo with Malware Analysis

▶   Problem
▶   Before Splunk & Cuckoo / After Splunk & Cuckoo
▶   Cuckoo Sandbox
▶   Splunk Stream
       − Stream 7.1, File Extraction

▶   Phantom Orchestration
▶   Use Cases
       − Using Stream
       − Symantec Endpoint Protection

▶   Demo
▶   Questions

Problem
▶   Lack of open source malware analysis
▶   No in-house threat intelligence
▶   Inefficient incident response

Problem
▶   Open Source malware analysis
    • Lack of in-house malware analysis capability
    • Skill deficiency
    • Management support - $$
    • Company privacy policies
▶   In-House Threat Intelligence
    • Inefficient threat management
    • Time consuming – manual threat feed/IOC enrichment
    • Ongoing staff education and engagement
▶   Incident Response
    • People, process, technology and information
    • Preparedness, response and follow-up activities
▶   Current State
    • Manual process of collecting, submitting and analyzing suspicious file samples
▶   Ideal end state
    • Automated: using Stream, Cuckoo and Splunk

Before Splunk-Cuckoo
Incident Flow
▶   Bad File: every SOC's worst nightmare, it's time consuming!
    • False Positive

Before Splunk-Cuckoo
▶   Use case 1: Bad File. Every SOC's worst nightmare, time consuming! (Hrs)
    Malware Detected → Analyze Threat → Download Malware → Malware Analysis → Review Result → Blacklist/Whitelist the File → Close Incident
    Timeline: average response 18 hours

Components of Solution
Going Cuckoo with Malware Analysis

▶   Cuckoo

▶   Splunk Stream

▶   Phantom

Cuckoo?
Cuckoo is an open source automated malware analysis system
▶   It can record the following results
    • Take memory dumps of malware processes
    • Network traffic traces
    • Take screenshots during execution
    • Track files created, deleted, downloaded or encrypted

Cuckoo – Let's Configure
Some tips for setting up Cuckoo
▶   CentOS desktop server with Cuckoo installed
    • VirtualBox needed for guests. VirtualBox doesn't like AWS
▶   Windows 7 and Windows 10 guests
▶   Splunk and Cuckoo on the same box originally - both use port 8000!
▶   Use isolated networks for testing!
▶   Malware samples downloaded from a malware zoo to test. Careful, real malware here!
    • https://github.com/ytisf/theZoo
▶   One of the best guides for setting up Cuckoo. Covers masquerading guests, packages needed, VirtualBox config and tcpdump permissions
    • https://blog.nviso.be/2018/04/12/painless-cuckoo-sandbox-installation/

Splunk Stream

Deploy, Collect & Monitor Data with Stream
Stream has two deployment architectures and two collection methodologies
▶   Deployment (Production):
    • Out-of-band (stub) with tap or SPAN port
    • In-line directly on monitored host
▶   Collection (Lab):
    • Technical Add-On (TA) with Splunk Universal Forwarder (UF)
    • Independent Stream Forwarder using HTTP Event Collector (HEC)
▶   New Content Extraction Types (7.0)
    • MD5 Hash: automatic hashing for files over HTTP and SMTP
▶   Targeted Packet Capture
    • Supports capture of full network packets
▶   File Extraction for metadata Streams
    • Extract content files from network
    • SMTP and HTTP protocols
    • Download files for analysis

Phantom
How it saved us time

Automation

• Automate repetitive tasks to force multiply team efforts.
• Execute automated actions in seconds versus hours.
• Pre-fetch intelligence to support decision making.

Solution Overview

Splunk Stream - Cuckoo Malware Sandbox
Use Case 1
- Suspicious file transferred over the network, via HTTP/S
- Splunk Stream can decrypt any HTTPS traffic, using SSL proxy cert.
- All potentially malicious file types are sent to NFS share. We filter out some here using stream filters
- Splunk Correlation search matches on indicators (threat intel) and sends key event to Phantom
- Phantom initiates a playbook, and retrieves file over SSH from NFS share, sends to Cuckoo
- Cuckoo sends results back to Phantom, which determines if file is malicious
- Loop closed and results sent back to Splunk

Diagram: HTTP/HTTPS traffic from the Client passes the Network Switch (Tap/SPAN or Forwarder) to Stream; extracted files go to the NFS share, are pulled over SSH by Phantom and sent to Cuckoo; results land in ES.
1   HTTP/S traffic between client and server directed towards Stream. Added stream filters to reduce volume of data.
2   Stream saves extracted payloads to NFS share.
3   Correlation search sends event to Phantom initiating a playbook that retrieves file and further filters the list of samples sent to sandbox.
4   Phantom sends sample to Cuckoo, determines if malicious and creates Notable event in Splunk.

Demonstration
Cuckoo / ES & Phantom Together

(Malware) Quarantined to Symantec
Symantec – Cuckoo Malware Sandbox
Use Case 2
- Suspicious file enters network via USB.
- Symantec will detect a suspicious file with inconclusive results
- Symantec quarantines file or in some cases marks as "left alone"
- Correlation rule creates incident in Splunk for detecting an unknown suspicious file, which initiates script/Phantom playbook to talk to Cuckoo
- Cuckoo results fed back to Splunk / ES

Diagram: USB key → Client (file, C&C) → SEP Server (logs) → ES; file detonated in Cuckoo, results to Splunk and Phantom.
1   Symantec detects suspicious file from USB and places in quarantine
2   Splunk correlation rule creates incident and initiates Phantom Playbook, which detonates the file with Cuckoo
3   Results of file detonation go to both Splunk and Phantom
4   Incident created in ES if malicious. Higher fidelity alert than before

Demonstration

AV actions on Files

Files with Inconclusive Analysis by AV

After Splunk-Cuckoo
▶   Welcome to Cuckoo Land – What's the response time?
    Malware Detected → Script or Playbook (Phantom): fetch file from endpoint (2 minutes)
    → File submitted to Cuckoo → Analysis (3 minutes) → Result > Splunk
    → Adaptive Response via script or playbook:
    • Good file: whitelist the hash
    • Bad file: add IP to threat intel (1 minute), blacklist the hash (1 minute)
    → Close ES incident

Submitting File to Cuckoo

Actioning the High Scores

Blacklisting the Hash

Phantom Playbook

Cuckoo Reporting

Cuckoo – Data into Splunk
▶   Cuckoo creates XML files and JSON
▶   We installed a Splunk forwarder to monitor the Reports directory
    • Looking for report.json
▶   props.conf
    • INDEXED_EXTRACTIONS = json
▶   All fields automatically extracted in Splunk to create reports
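Once report.json is in Splunk, the playbook still has to turn it into the actions the deck describes (high score: blacklist the hash and push contacted IPs to threat intel; low score: whitelist the hash). The triage below is an added example, not code from the deck or from Cuckoo; the embedded report is constructed, and the field names (info.score, target.file.sha256, signatures[].severity, network.hosts, network.domains) are an assumption based on Cuckoo 2.x report layout.

```python
"""Triage a Cuckoo report.json into playbook actions (added example)."""
import json

SCORE_THRESHOLD = 7.0   # assumption: what this playbook treats as a "high score"
LOCAL_IPS = {"127.0.0.1"}  # in practice add the sandbox gateway/resultserver IP

# Constructed report that mimics Cuckoo 2.x field names; documentation IPs only.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "score": 8.4},
    "target": {"file": {"name": "invoice.exe", "sha256": "a" * 64, "md5": "b" * 32}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "antivm_generic_disk", "severity": 2, "description": "Checks disk size"},
        {"name": "network_http", "severity": 1, "description": "Performs HTTP requests"},
    ],
    "network": {
        "hosts": [{"ip": "203.0.113.10"}, "198.51.100.7"],
        "domains": [{"domain": "update.example.net", "ip": "203.0.113.10"}],
    },
})


def _host_ip(entry):
    """Cuckoo 1.x lists hosts as plain IP strings, 2.x as dicts with an
    "ip" key (assumption); accept both shapes."""
    return entry.get("ip") if isinstance(entry, dict) else entry


def triage(report_text, threshold=SCORE_THRESHOLD):
    """Map one report.json to the deck's adaptive-response decisions."""
    r = json.loads(report_text)
    score = float(r.get("info", {}).get("score", 0))
    sha256 = r["target"]["file"]["sha256"]
    malicious = score >= threshold
    net = r.get("network", {})
    # Contacted hosts become threat-intel candidates only for convicted samples.
    ips = sorted(ip for ip in {_host_ip(h) for h in net.get("hosts", [])}
                 if ip and ip not in LOCAL_IPS)
    domains = sorted({d["domain"] for d in net.get("domains", []) if "domain" in d})
    # Severity 3 signatures are what an analyst reads first when reviewing.
    top = [(s["name"], s["severity"]) for s in r.get("signatures", [])
           if s.get("severity", 0) >= 3]
    return {
        "task_id": r["info"]["id"],
        "score": score,
        "verdict": "malicious" if malicious else "benign",
        "hash_action": "blacklist" if malicious else "whitelist",
        "sha256": sha256,
        "threat_intel_ips": ips if malicious else [],
        "domains": domains if malicious else [],
        "top_signatures": top,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The Cuckoo score is a heuristic sum of signature weights, so the threshold belongs in Phantom where an analyst can tune it per environment rather than hard-coded in the correlation search.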

Cuckoo Result in Splunk

 Challenges

Challenges & Lessons Learnt
▶   Setting up Cuckoo sandbox securely: tcpdump, sandbox detection, guest isolation. Build vs Buy?
▶   Networking for guest machines. Most issues reported to Cuckoo support are virtual machine network related.
▶   Filtering Stream sessions effectively
    • Only specific files Cuckoo accepts, such as PDF, binaries
    • We set max size to 5 MB
    • Threat feeds, uncategorized websites with high risk score but not blocked
    • Phantom to filter further before sending to Cuckoo, otherwise too much noise.
      E.g. check further threat intel, check what your AV thought about the file before detonating. Use all your tools!
    • Roll the NFS directory after 3 days
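The pre-submission filter the deck describes for Phantom (accepted file types, the 5 MB cap, consulting the AV verdict, and not detonating the same sample twice) can be written as one function over the bytes Stream dropped on the NFS share. This is an added example, not the authors' playbook code; the magic-byte table, the "already analysed" hash set and the av_verdict values are assumptions.

```python
"""Decide whether a file extracted by Stream is worth sending to Cuckoo (added example)."""
import hashlib

MAX_SIZE = 5 * 1024 * 1024   # deck: "We set max size to 5 MB"

# Magic bytes of the sample types worth detonating. The deck names PDF and
# binaries; OLE/ZIP (Office documents, archives) are an added assumption.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "pe",                                  # Windows EXE/DLL
    b"\x7fELF": "elf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy Office / OLE2
    b"PK\x03\x04": "zip",                          # OOXML, JAR, archives
}


def detect_type(data):
    """Return the sandbox-relevant type name, or None for anything else."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def should_submit(data, seen_hashes, av_verdict="unknown"):
    """Return (submit, reason, sha256).

    seen_hashes: set of SHA-256 digests already detonated (dedupe across the
    3-day NFS retention window). av_verdict: what the endpoint AV already
    said about the file ("clean", "malicious", "unknown"); a file the AV has
    already convicted needs no detonation, only the hash blacklist action.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in seen_hashes:
        return False, "already analysed", digest
    if not data:
        return False, "empty file", digest
    if len(data) > MAX_SIZE:
        return False, "over %d-byte cap" % MAX_SIZE, digest
    ftype = detect_type(data)
    if ftype is None:
        return False, "unsupported type", digest
    if av_verdict == "malicious":
        return False, "AV already convicted it; blacklist hash directly", digest
    seen_hashes.add(digest)
    return True, "submit as %s" % ftype, digest


if __name__ == "__main__":
    seen = set()
    # Constructed inputs: a minimal PE-looking header and a text file.
    print(should_submit(b"MZ" + b"\x00" * 100, seen))
    print(should_submit(b"just text", seen))
```

Run it in the playbook before the SSH fetch so that rejected files never leave the NFS share.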

Challenges & Lessons Learnt
▶   Use Zer0m0n, a driver for Cuckoo that performs kernel analysis. Helps with known usermode bypass issues. https://github.com/angelkillah/zer0m0n
▶   Cuckoo automation scripts help but don't get you the whole way
▶   SSL encrypted traffic would prove difficult but doable!
    • Decryption certificate needed for Stream
    • Stream encrypts this in its store
    • Tap fabric would make life easy
▶   Phantom made life even easier
    • Initially used scripts against the SEP API
    • Wrote a script that monitored the Stream directory and submitted manually via REST API to Cuckoo

References
▶   Zer0m0n, driver for Cuckoo that performs kernel analysis. Helps with known usermode bypass issues. https://github.com/angelkillah/zer0m0n
    • Sandbox API https://pypi.org/project/sandboxapi/
    • Cuckoo API https://github.com/keithjjones/cuckoo-api
    • Python Sandbox API https://github.com/InQuest/python-sandboxapi
    • Malware Samples: http://dasmalwerk.eu/
    • Free MS Virtual Machine Images: https://github.com/magnetikonline/linux-microsoft-ie-virtual-machines/blob/master/README.md#general-notes
      "C:\> slmgr /ato" will give you a 90 day trial.
    • Symantec REST API https://apidocs.symantec.com/home/saep

Q&A
Nick Crofts| Senior Security SME
Shafqat Mehmood | SOC Manager

Thank You
Don't forget to rate this session in the .conf18 mobile app