AUTOMATING MALWARE SANDBOX ANALYSIS WITH SPLUNK - RAINFOCUS
© 2018 SPLUNK INC. Automating Malware Sandbox Analysis With Splunk: The accelerated Incident Response
Nick Crofts | Senior Security SME
Shafqat Mehmood | Manager Information Security Operations
October 2018 | Version 2.0
Forward-Looking Statements During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.
Who is Nick? Senior Security SME @Splunk (Melbourne, Australia)
▶ Education
  − BS in Business Systems – Monash University
  − CISSP, CCNA, MCP
▶ Background
  − Sales Engineer last 4 years, Splunk & RSA
  − Security Engineer 10 years, SOC @ small MSSP
▶ Hobbies
  − Snowboarding
  − Long distance running
  − Keeping fit
  − DLT / Blockchain / Cryptocurrencies
Who is Shaf? Manager Information Security Operations @ KPMG (Australia)
▶ Education
  − PhD (in progress), Artificial Intelligence
  − Advanced Computer Security Certificate (Stanford University)
  − Over 25 professional certifications
▶ Background
  − Manager SOC last 3 years, KPMG
  − Security Operations Specialist 10 years, SOC @ Big 4's
  − Malware researcher
▶ Hobbies
  − Aeromodeling
  − Cycling, Skiing
  − AI Research
Agenda: Going Cuckoo with Malware Analysis
▶ Problem
▶ Before Splunk & Cuckoo / After Splunk & Cuckoo
▶ Cuckoo Sandbox
▶ Splunk Stream
  − Stream 7.1, File Extraction
▶ Phantom Orchestration
▶ Use Cases
  − Using Stream
  − Symantec Endpoint Protection
▶ Demo
▶ Questions
Problem
▶ Lack of open source malware analysis
▶ No in-house threat intelligence
▶ Inefficient incident response
Problem
▶ Open Source malware analysis
  • Lack of in-house malware analysis capability
  • Manual process of collecting, submitting and analyzing suspicious file samples
▶ In-House Threat Intelligence
  • Inefficient threat management
  • Time consuming – manual threat feed/IOC enrichment
▶ Incident Response
  • People, process, technology and information
  • Preparedness, response and follow-up activities
▶ Current State
  • Skill deficiency
  • Management support – $$
  • Company privacy policies
▶ Ideal end state
  • Automated: using Stream, Cuckoo and Splunk
  • Ongoing staff education and engagement
Before Splunk-Cuckoo: Incident Flow
▶ Bad File – every SOC's worst nightmare, it's time consuming!
(Flow diagram: the incident branches to Bad File or False Positive.)
Before Splunk-Cuckoo
▶ Use case 1: Bad File. Every SOC's worst nightmare, time consuming! (Hrs)
  Malware Detected → Analyze Threat → Download Malware → Malware Analysis → Review Result → Blacklist/Whitelist the File → Close Incident
  Time line: average response 18 hours
Components of Solution: Going Cuckoo with Malware Analysis
▶ Cuckoo
▶ Splunk Stream
▶ Phantom
Cuckoo? Cuckoo is an open source automated malware analysis system
▶ It can record the following results
  • Take memory dumps of malware processes
  • Network traffic traces
  • Take screenshots during execution
  • Track files created, deleted, downloaded or encrypted
Cuckoo – Let's Configure: Some tips for setting up Cuckoo
▶ CentOS desktop server with Cuckoo installed
  • VirtualBox needed for guests. VirtualBox doesn't like AWS
▶ Windows 7 and Windows 10 guests
▶ Splunk and Cuckoo on same box originally – both use port 8000!
▶ Use isolated networks for testing!
▶ Malware samples downloaded from a malware zoo to test. Careful, real malware here!
  • https://github.com/ytisf/theZoo
▶ One of the best guides for setting up Cuckoo. Covers masquerading guests, packages needed, VirtualBox config and tcpdump permissions
  • https://blog.nviso.be/2018/04/12/painless-cuckoo-sandbox-installation/
Splunk Stream
Deploy, Collect & Monitor Data with Stream
Stream has two deployment architectures and two collection methodologies
▶ Deployment: (Production)
  • Out-of-band (stub) with tap or SPAN port
  • In-line directly on monitored host
▶ Collection: (Lab)
  • Technical Add-On (TA) with Splunk Universal Forwarder (UF)
  • Independent Stream Forwarder using HTTP Event Collector (HEC)
▶ New Content Extraction Types (7.0)
  • MD5 Hash: automatic hashing for files over HTTP and SMTP
▶ Targeted Packet Capture
  • Supports capture of full network packets for metadata streams
▶ File Extraction
  • Extract content files from network
  • SMTP and HTTP protocols
  • Download files for analysis
Phantom: How it saved us time
Automation
• Automate repetitive tasks to force multiply team efforts.
• Execute automated actions in seconds versus hours.
• Pre-fetch intelligence to support decision making.
Solution Overview
Splunk Stream – Cuckoo Malware Sandbox: Use Case 1
- Suspicious file transferred over the network via HTTP/S
- Splunk Stream can decrypt any HTTPS traffic, using SSL proxy cert
- All potentially malicious file types are sent to NFS share. We filter out some here using Stream filters
- Splunk correlation search matches on indicators (threat intel) and sends key event to Phantom
- Phantom initiates a playbook, and retrieves file over SSH from NFS share, sends to Cuckoo
- Cuckoo sends results back to Phantom, which determines if file is malicious
- Loop closed and results sent back to Splunk
(Diagram components: client, network switch with tap/SPAN, Stream forwarder, NFS share, Splunk ES, Phantom, Cuckoo; malicious file over HTTP/HTTPS; file retrieval over SSH.)
1 HTTP/S traffic between client and server directed towards Stream. Added Stream filters to reduce volume of data.
2 Stream saves extracted payloads to NFS share.
3 Correlation search sends event to Phantom, initiating a playbook that retrieves the file and further filters the list of samples sent to sandbox.
4 Phantom sends sample to Cuckoo, determines if file malicious and creates notable event in Splunk.
Demonstration: Cuckoo / ES & Phantom Together
Symantec – Cuckoo Malware Sandbox: Use Case 2
- Suspicious file enters network via USB
- Symantec will detect a suspicious file with inconclusive results
- Symantec quarantines file or in some cases marks as "left alone"
- Correlation rule creates incident in Splunk for detecting an unknown suspicious file, which initiates Phantom playbook to talk to Cuckoo
- Cuckoo results fed back to Splunk / ES
(Diagram components: USB, client, SEP server, (malware) quarantined to Symantec, key file, C&C logs, Splunk ES, Phantom script/API, Cuckoo.)
1 Symantec detects suspicious file from USB and places in quarantine
2 Splunk correlation rule creates incident and initiates Phantom playbook, which detonates the file with Cuckoo
3 Results of file detonation go to both Splunk and Phantom
4 Incident created in ES if malicious. Higher fidelity alert than before
Demonstration
AV actions on Files
Files with Inconclusive Analysis by AV
After Splunk-Cuckoo
▶ Welcome to Cuckoo Land – what's the response time?
  Malware Detected (Splunk ES, Adaptive Response) → Trigger Script or Playbook (Phantom) → Fetch file hash from endpoint → File submitted to Cuckoo → Result analysis
  • Good File: whitelist the hash; close ES incident
  • Bad File: blacklist the hash, add IP to threat intel; close ES incident
  Time line: 2 minutes, 3 minutes, 1 minute, 1 minute per stage
Submitting File to Cuckoo
Actioning the High Scores
Blacklisting the Hash
Phantom Playbook
Cuckoo Reporting
Cuckoo – Data into Splunk
▶ Cuckoo creates XML files, and JSON
▶ We installed a Splunk forwarder to monitor the Reports directory
  • Looking for report.json
▶ props.conf
  • INDEXED_EXTRACTIONS = json
▶ All fields automatically extracted in Splunk to create reports
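The verdict step the deck describes (good file: whitelist the hash; bad file: blacklist the hash and add the contacted IP to threat intel) can be driven straight from the report.json the forwarder picks up. This is an added example, not the presenters' playbook: the field paths follow the Cuckoo 2.x report.json layout (info.score, target.file, signatures, network.hosts), the report below is constructed, and the score threshold is an assumption.

```python
import json

MALICIOUS_SCORE = 7.0  # assumed cut-off on Cuckoo's 0-10 score (tune per environment)

# Constructed report fragment in Cuckoo 2.x layout; not a real analysis result.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "score": 8.2},
    "target": {"file": {"name": "invoice.exe", "md5": "0" * 32, "sha256": "a" * 64}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "network_http", "severity": 1, "description": "Performs some HTTP requests"},
    ],
    "network": {"hosts": [{"ip": "203.0.113.7", "hostname": "update.example.test"}]},
})

def triage_report(report_json: str, threshold: float = MALICIOUS_SCORE) -> dict:
    """Decide good/bad for one report and collect the indicators the playbook acts on."""
    r = json.loads(report_json)
    info = r.get("info", {})
    score = float(info.get("score", 0.0))
    f = r.get("target", {}).get("file", {})
    sigs = r.get("signatures", [])
    hosts = r.get("network", {}).get("hosts", [])
    malicious = score >= threshold
    return {
        "task_id": info.get("id"),
        "verdict": "bad" if malicious else "good",
        "score": score,
        "filename": f.get("name"), "md5": f.get("md5"), "sha256": f.get("sha256"),
        # The hash is blacklisted only on a bad verdict; a good file is whitelisted instead.
        "blacklist_hashes": [f.get("sha256")] if malicious else [],
        "whitelist_hashes": [] if malicious else [f.get("sha256")],
        # Contacted hosts become threat-intel IPs (entries may be dicts or bare strings).
        "threat_intel_ips": [h["ip"] if isinstance(h, dict) else h for h in hosts] if malicious else [],
        "high_severity_signatures": [s["name"] for s in sigs if s.get("severity", 0) >= 3],
    }

def splunk_event(decision: dict) -> str:
    """One JSON line for the notable event / HEC payload sent back to Splunk."""
    return json.dumps({"sourcetype": "cuckoo:verdict", "event": decision}, sort_keys=True)
```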
Cuckoo Result in Splunk
Challenges
Challenges & Lessons Learnt
▶ Setting up Cuckoo sandbox securely: tcpdump, sandbox detection, guest isolation. Build vs buy?
▶ Networking for guest machines. Most issues reported to Cuckoo support are virtual machine network related.
▶ Filtering Stream sessions effectively
  • Only specific files Cuckoo accepts, such as PDF, binaries
  • We set max size to 5 MB
  • Threat feeds, uncategorized websites with high risk score but not blocked
  • Phantom to filter further before sending to Cuckoo, otherwise too much noise.
  • e.g. check further threat intel, check what your AV thought about the file before detonating. Use all your tools!
  • Roll the NFS directory after 3 days
Challenges & Lessons Learnt
▶ Use Zer0m0n, driver for Cuckoo that performs kernel analysis. Helps with known usermode bypass issues. https://github.com/angelkillah/zer0m0n
▶ Cuckoo automation scripts help but don't get you the whole way
▶ SSL encrypted traffic would prove difficult but doable!
  • Decryption certificate needed for Stream.
  • Stream encrypts this in its store
  • Tap fabric would make life easy
▶ Phantom made life even easier
  • Initially used scripts to SEP API
  • Wrote a script that monitored Stream directory and submitted manually via REST API to Cuckoo
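The filtering the previous slide calls for (only file types Cuckoo accepts, 5 MB cap, cut the noise before detonation) and the script above that submitted Stream-extracted files to Cuckoo's REST API can be combined as below. This is an added example, not the presenters' script: the file-type checks use magic bytes instead of extensions, duplicates are dropped by SHA-256 so a sample is only detonated once, and the submission targets Cuckoo 2.x's POST /tasks/create/file; CUCKOO_URL is a placeholder.

```python
import hashlib
import json
import urllib.request
import uuid

CUCKOO_URL = "http://cuckoo.example.internal:8090"  # placeholder address (assumption)
MAX_SIZE = 5 * 1024 * 1024  # the deck's 5 MB cap on submitted samples
# Types worth detonating, by magic bytes, mapped to the Cuckoo analysis package to request.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",
    b"\xd0\xcf\x11\xe0": "doc",  # legacy OLE2 Office document
    b"PK\x03\x04": "zip",        # zip container (also docx/xlsx)
}

def classify_sample(data: bytes):
    """Return the Cuckoo package for supported, size-compliant content, else None."""
    if not data or len(data) > MAX_SIZE:
        return None
    for magic, package in MAGIC.items():
        if data.startswith(magic):
            return package
    return None

def select_samples(files, seen_hashes):
    """files: iterable of (name, bytes) read from the Stream output directory.
    Drops unsupported, oversized and already-seen samples; returns [(name, sha256, package)]."""
    selected = []
    for name, data in files:
        package = classify_sample(data)
        if package is None:
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen_hashes:
            continue  # already detonated once; do not resubmit duplicates
        seen_hashes.add(digest)
        selected.append((name, digest, package))
    return selected

def build_submission(name, data, package):
    """Build the multipart/form-data body for Cuckoo's POST /tasks/create/file."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="package"\r\n\r\n{package}\r\n'
            f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{name}"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n').encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"

def submit_to_cuckoo(name, data, package, api_url=CUCKOO_URL):
    body, ctype = build_submission(name, data, package)  # returns the new Cuckoo task id
    req = urllib.request.Request(f"{api_url}/tasks/create/file", data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["task_id"]
```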
References
▶ Zer0m0n, driver for Cuckoo that performs kernel analysis. Helps with known usermode bypass issues. https://github.com/angelkillah/zer0m0n
• Sandbox API https://pypi.org/project/sandboxapi/
• Cuckoo API https://github.com/keithjjones/cuckoo-api
• Python Sandbox API https://github.com/InQuest/python-sandboxapi
• Malware Samples: http://dasmalwerk.eu/
• Free MS Virtual Machine Images: https://github.com/magnetikonline/linux-microsoft-ie-virtual-machines/blob/master/README.md#general-notes – "C:\> slmgr /ato" will give you a 90 day trial.
• Symantec REST API https://apidocs.symantec.com/home/saep
Q&A
Nick Crofts | Senior Security SME
Shafqat Mehmood | SOC Manager
Thank You. Don't forget to rate this session in the .conf18 mobile app