21 June 2018

Sifting through the SPLurge! Writing Effective Queries for Splunk with SPL

Splunk is arguably one of the most popular and powerful tools across the security space at the moment, and for good reason. It is an incredibly powerful way to sift through and analyze big sets of data in an intuitive manner. SPL is the Splunk Processing Language which is used to generate queries for searching through data within Splunk.

The organization I have in mind when writing this is a SOC or CSIRT, in which large scale hunting via Splunk is likely to be conducted, though it can apply just about any where. It is key to be able to have relevant data sets for which to properly vet queries against. Fortunately, there are many example data sets available for testing on GitHub, from Splunk, and some mentioned below. There are also "data generators" which can generate noise for testing. Best of all would be to create your own though :).

I was fortunate to have had the enjoyable experience of participating in a Boss of the SOC CTF a few years back, which had some pretty good exemplar security related data. Earlier this year, they released the data set publicly here.

This guide is not meant to be a deep dive into the structuring of a query using the SPL. The best place for that is the Splunk documentation itself, starting with this. This is geared more towards operations in which multiple queries are written, maintained, and used in an operational capacity. Many of these concepts can be generalized and applied to other signatures, rules, code or programmatic functions, such as Snort, YARA, or ELK, in which a large quantity of multi-version discrete units must be maintained.

1. Balance efficiency with enough specificity to minimize false positives

27 April 2017

Cyber Threat Hunting - Leveraging the Kill Chain

*update: this was also released, in a shorter, modified version at this blog here*

Cyber Threat Hunting is a critical component necessary to ensuring comprehensive defense and response measures are in place by taking a proactive approach to detecting threats. While threat hunting itself is not a new concept, the actual execution of it is constantly evolving. The current inception of threat hunting is enabled by the fact that big data handling has become more feasible along with the advent of advanced statistical analysis and machine learning.

There are many frameworks and methodologies that have been created around modern cyber threat hunting. Some of these particular implementations are specialized for specific environments, circumstances, or data sources, while others are more generic, applicable across any situation. The one thing which the majority of these methodologies have in common however, is the fact that they all leverage or reference an attacker lifecycle in some way.

There are many considerations and components which should be accounted for while preparing to execute a hunting mission, but a few of those include the following:

14 April 2017

Tool to Pull Falcon Host Alerts for Multiple Instances

Crowdstrike has an agent-based, cloud-processed endpoint monitoring tool known as Falcon Host (or various other Falcon-esque extensions). To view alerts within the UI, you must navigate to the proper window and tab. If there is more than one customer, this becomes a pain to click the drop down and manually iterate through each customer instance.

I wrote a quick script called toruk that iterates through all of the instances automatically to pull the alert information, without messing with the UI. It can easily be extended to pull whatever additional information is available (which is usually in a structured format (JSON) due to Crowdstrike using their back end API's). View the source code here: https://github.com/brokensound77/toruk