Preparing users for phishing attacks with Splunk

Why waste time and energy trying to crack passwords or hack through some obscure and complex vulnerability when there is a much easier way to breach a computer network?

Want a break in? Just ask for an invitation.

Phishing is probably the simplest way to get reliable, authentic access to a target network. By baiting users into visiting a website or downloading code, hackers can persuade them to hand over valuable access to vital data stored in even the most secure environments.

One Splunk customer in the healthcare industry found an ingenious way to fight back. Techniques they developed with Splunk have helped them harden their network against social engineering attacks and better protect patient data. The tactic has been …

» Continue reading

Mitigating the POODLE Attack in Splunk

By now you are probably tired of seeing poodle memes. Fear not! Instead, I will share mitigation techniques on how to protect Splunk against this attack and leave out the memes.

Let me preface the different techniques by adding some context to the exploitability of POODLE: This attack requires that an attacker have MITM (Man In The Middle) access to your communication between the client and Splunk. This is a important point to keep in mind when considering different mitigation techniques and their aggressiveness. I mention this because many of you do not have your Splunk deployment exposed to the internet architecturally, or require VPN access to your corporate network before a client can access Splunk. This reduces the risk …

» Continue reading

Look at all the pretty colors!

Well, it’s Sunday here in Las Vegas, and  .conf2014 is about to go down. I’m sitting in one of our Splunk University classes at the MGM, with many of our fine customers.

The class is our Power User Bootcamp, and we just finished talking about Splunk’s tagging, event types, and lookup functionalities. One of our more security-minded customers asked “hey – that ability to assign a color to event types in the Splunk search GUI is pretty cool – I’d like to use that to prioritize the events I’m looking at based on the risk profile assigned to a user. From a lookup. Can I do that?”

A second customer said “I like that idea.”

So, since this …

» Continue reading

Finding shellshock (CVE-2014-6271, 7169, 7186, 7187) with Splunk forwarders

UPDATE 9/24/14 (evening): I changed the script a little bit to include platform information in the output by using the uname command and bash version information in the output with –version. This should work on Linux and OSX.

UPDATE 9/25/14: The first script below is specific to find the original shellshock: CVE-2014-6271. The second shellshock vulnerability, CVE-2014-7169, requires a different test. See the script later in the post to cover this.

UPDATE 9/26/14: A whole bunch of useful comments have been added to this post. I have added information at the end of the post in response. I have further updated the scripts. Also, I should point out – if you are looking for information about how Splunk products are

» Continue reading

Dude! Did you see that YouTube video?

NOTE: Rather than read this post, you can come see this use case presented live at our upcoming Worldwide User Conference in Las Vegas. My colleague Andrew Gerber from Wipro will be reviewing this and a few other recent use cases we have worked on together.

For the past 14 years (yes, I am old) I have worked out of a home office. This means that during my workdays, I can freely receive YouTube cat video links from my high-school ex-girlfriends, grab some carrot sticks and hummus from the kitchen, and watch as many of them as I care to using my trusty copy of Internet Explorer 6. The reason I can do this? No pesky corporate web proxy monitoring …

» Continue reading

Use Splunk to detect and defeat fraud, theft, and abuse

In case you haven’t heard, an emerging and fast-growing use case for Splunk is using Splunk for anti-fraud, theft, and abuse (which I will just call “fraud”). Many Splunk customers across a wide range of industries Splunk their machine data and log files for a wide range of anti-fraud use cases, including fraud investigations, detection, and analytics/reporting. They also put the event data from other point anti-fraud tools into Splunk and use Splunk to: (1) break down the siloed nature of these point tools to present a more unified view on fraud, and (2) correlate fraud events with other data sources. Splunk’s flexibility enables it to be an anti-fraud solution and/or enhance existing fraud tools.

A few weeks ago, Splunk …

» Continue reading

Battling APTs with the Kill Chain Method

Recently I had the privilege of presenting to a monthly meeting of the Raleigh, NC chapter of the ISSA. My presentation focused on educating the audience of security professionals on advanced persistent threats (APTs) and how they can use the kill chain method to battle them. I’d like to share some of the key points and highlights here in an effort to help readers better defend themselves against motivated attackers.

There are 3 main points about APTs that must be established before we dive into the kill chain method itself, namely:

1)    Unlike automated, technology-driven attacks of years past, APTs are driven by a combination of people, processes, and technology. APTs are therefore goal-oriented (financial, political, etc.), human-directed, coordinated, …

» Continue reading

Risk Analysis With Enterprise Security 3.1

    The Risk Analysis Framework was introduced as a new feature in Splunk App for Enterprise Security 3.1, and provides users with the ability to utilize a risk scoring system for assigning varying levels of risk to a multitude of different assets and identities.

    In the context of the Risk Analysis Framework- assets, identities, and anything else you would consider assigning a risk score to, is referred to as a Risk Object. Risk Objects are categorized under different Risk Object Types. For example, if ‘brians_laptop’ was our Risk Object it would be categorized under the ‘system’ Risk Object Type. Out of the box, Enterprise Security 3.1 comes configured with 3 different risk object types: ‘system’ for assigning risk …

» Continue reading

Updated Keyword App

Last year I created a simple app called Keyword that consists of a series of form search dashboards that perform Splunk searches in the background without having to know the Splunk search language. You can read about the original app here and see how it easy it is to use. This year, I added some dashboards for the Rare Command, but I didn’t think it was newsworthy to blog about it.

Then, Joe Welsh wrote a blog entry about using the cluster command in Splunk, which allows you to find anomalies using a log reduction approach. Joe’s example using Nagios is easy to follow and gives the novice a useful approach to get rare events. So, using this approach, I …

» Continue reading

Deploying Splunk Securely with Ansible Config Management – Part 1

Intro

More times than not I have seen corporations struggle with config management and it is key for concise mitigation and remediation plan. Interfacing with a variety of Splunk customers the corporations whom do implement a config management system usually have a different tactic on how to manage Splunk while doing it in a secure fashion. In this series of blog posts which will hopefully walk you through a simple deployment of Ansible all the way to the most complex use-cases I have seen. I will first be covering how Ansible can be leverage to manage a simple Splunk deployment on your own hosts. Part 2 we will cover how this can be done in a larger scale with EC2 …

» Continue reading