Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with ATT&CK
© 2020 SPLUNK INC.
Virtual Splunk User Group
Starting at 16:00 BST, April 2020
This will be recorded!

Largest Splunk Delivery Partner for UK
• Security Consultancy & Managed SOC Provider
• Splunk Revolution Award & Splunk Partner of the Year

Agenda
• Phantom Workbook Automation – Tom Wise
• Threat Hunting with ATT&CK – Cian Heasley & Fraser Dumayne
• Meet the Experts – Tom Wise & Harry McLaren

House Rules
• Led by Technology
• Inclusive Environment
• Technical Discussions
The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved.

New User Group Site!

New Leader – Andrew McManus

Splunk Phantom Workbook Automation
Tom Wise, Phantom Security Solutions Engineer & Trainer @ Adarma

$ whoami
A brief history of Tom…
• Solutions Architect @ Adarma
• Phantom SSE & Trainer
• Splunk Consultant & Trainer
Previously worked on the Galileo Project for ESA and for the MoD before jumping into security with big data using Splunk, and now security automation with Phantom.

Playbooks vs Workbooks
Similar but not the same…

Playbooks
“Playbooks are the codification of an analyst’s actions.”
They can be fully automated or request human interaction at specific points to control the automation decision making.

Workbooks
Workbooks containing Phases and Tasks provide a framework for security event investigations (i.e. NIST 800-61).
Workbooks can contain automation capabilities and can also be updated/edited by automation.
Workbooks are a good starting point if not all automation elements are understood or available.

Suspicious Email – Today: Analyst Heavy
Diagram steps (labels recovered from the slide):
• Review Email
• Review Body and Header Info
• Query Recipients
• Hunt File / Hunt URL
• File / URL Reputation
• File Assessment
• Remove Email

Suspicious Email – Tomorrow: Analyst Centric
Diagram steps (labels recovered from the slide):
• Ingest Email
• Parse Files, URLs, Email Headers
• File / URL Reputation
• Detonate Unknown URL / File
• Hunt File / Hunt URL
• Task Analyst: Phish / Host Assessment
• Remove Email

Workbook Automation Flow
Be like water…
Master Playbook dispatches to: IP Enrichment, URL Enrichment, File Enrichment, Domain Enrichment
Workbook tasks: Take Ownership, Process IoC(s), Document Findings
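The dispatch step of the Master Playbook in the flow above, written as an added, self-contained example in plain Python. It is not Phantom's playbook API and not Adarma's code: each artifact is classified and routed to the matching enrichment branch (IP / URL / File / Domain), and anything unclassifiable is handed to an analyst, mirroring the "Task Analyst" step of the Tomorrow diagram. The playbook names, the classification rules, the helper names (classify_ioc, plan_enrichment) and the sample artifacts are all assumptions.

```python
"""Added example (plain Python, not Phantom's playbook API and not Adarma's code).

Models the dispatch step of the "Master Playbook" from the workbook flow:
each artifact is classified and routed to the matching enrichment playbook
(IP / URL / File / Domain); anything unclassifiable goes to an analyst task.
Playbook names, sample artifacts and classification rules are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hash type by hex-digit count; any other length is not treated as a file hash.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# Dotted hostname labels of 1-63 chars, ending in an alphabetic TLD.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Assumed playbook names, mirroring the four enrichment branches on the slide.
ENRICHMENT_PLAYBOOK = {
    "ip": "IP Enrichment",
    "url": "URL Enrichment",
    "file": "File Enrichment",
    "domain": "Domain Enrichment",
}


def classify_ioc(value):
    """Return 'ip', 'url', 'file', 'domain' or 'unknown' for one artifact value.

    Order matters: a URL contains a domain and an IPv4 address is dotted like
    one, so the most specific check runs first.
    """
    v = value.strip()
    if "://" in v:
        parsed = urlparse(v)
        ok = parsed.scheme in ("http", "https", "ftp") and parsed.netloc
        return "url" if ok else "unknown"
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if len(v) in HASH_LENGTHS and _HEX.match(v):
        return "file"
    if _DOMAIN.match(v):
        return "domain"
    return "unknown"


def plan_enrichment(artifacts):
    """Group artifacts by the enrichment playbook that should process them.

    Returns (plan, needs_analyst): plan maps playbook name -> unique IoCs in
    first-seen order; needs_analyst lists values no playbook can handle.
    """
    plan = {name: [] for name in ENRICHMENT_PLAYBOOK.values()}
    needs_analyst = []
    seen = set()
    for raw in artifacts:
        v = raw.strip()
        key = v.lower()                  # hashes and hostnames are case-insensitive
        if not v or key in seen:
            continue
        seen.add(key)
        kind = classify_ioc(v)
        if kind == "unknown":
            needs_analyst.append(v)
        else:
            plan[ENRICHMENT_PLAYBOOK[kind]].append(v)
    return plan, needs_analyst


# Constructed sample artifacts, as a parser might pull them from one email.
SAMPLE_ARTIFACTS = [
    "198.51.100.23",
    "http://example.test/invoice.docm",
    "example.test",
    "EXAMPLE.TEST",                       # duplicate, differs only in case
    "d41d8cd98f00b204e9800998ecf8427e",   # MD5 of the empty string
    "2001:db8::1",
    "not an ioc",
]

if __name__ == "__main__":
    plan, analyst = plan_enrichment(SAMPLE_ARTIFACTS)
    for playbook, iocs in plan.items():
        print(f"{playbook}: {iocs}")
    print(f"Task Analyst: {analyst}")
```

The check order is the part worth copying: a URL must be recognised before the domain test, and an IP before it too, otherwise the wrong enrichment branch runs and the artifact silently gets a reputation lookup of the wrong kind.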

Workbook Automation Demo
See it all come to fruition…

Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK
Cian Heasley / Fraser Dumayne, Security Engineers @ Adarma

Who are we?
• Fraser Dumayne – Security Engineer, Adarma
• Cian Heasley – Security Engineer, Adarma

Objectives
• Why the MITRE ATT&CK Framework has made our lives easier and can do the same for you.
• Understand the relationship between ATT&CK data sources, techniques, tactics and Splunk.
• Quick case study: how ATT&CK can help us analyze recent world events.
• Give a demo of how ATT&CK can help inform the creation of detections and the process of threat hunting.

What is MITRE ATT&CK?
• MITRE ATT&CK is a framework made up of attack techniques which have been discovered in the real world.
• Each technique is mapped to 1 or more of 12 tactics.
• Each technique contains information including data sources, mitigations, detection methods, etc.
• Ideal for mapping your defenses against real world attacks for increased resilience.

What is MITRE ATT&CK? Comparing ATT&CK & the Cyber Kill-Chain
• Techniques are organized by adversary tactic; these tactics align with the last five kill-chain phases.

What is MITRE ATT&CK?
• When we talk about tactics, techniques and procedures (TTPs) we are talking about the top of the “Pyramid of Pain”, a visualisation of attack indicators and the pain caused to adversaries by their detection.

What is MITRE ATT&CK?
• ATT&CK Enterprise techniques are broken down by tactic and by Windows, Linux or MacOS platforms.
• Each technique has associated data sources, platforms, and a wealth of other information.

What is MITRE ATT&CK?
• Procedures are the specific implementation the adversary uses for techniques or sub-techniques “in the wild”.
(Slide image: Spearphishing Attachment)

Why MITRE ATT&CK?
• MITRE ATT&CK is constantly being updated & refined.
• Large, active open source research and dev community.
• Common language to describe complex technical attacks.
• Gives granularity when examining adversary behavior.
• Can benefit Red and Blue teams.

Why MITRE ATT&CK?
Need we say more:
(Slide images, captioned “Cisco Onion ->” and “<- ?? Artichoke ??”)

Research, research, research!
• Each technique in MITRE ATT&CK is well documented (data sources, APTs, detection, etc.).
• You should also research online outside of ATT&CK as much as possible.
• ATT&CK Navigator is an ideal tool for recording & visualizing your analysis.

Advanced Persistent Threats
• MITRE ATT&CK contains detailed information on 94 groups & APTs, which is perfect for identifying potential attackers. Examples include:
  – Darkhotel
  – APT39
  – Deep Panda
  – Lazarus Group
• Each group has a list of associated techniques which have been seen in the wild, as well as details of procedural usage of these techniques.
• These threat group descriptions can be an ideal starting place for your threat detection.

Who are Darkhotel?
“WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike” – Threatpost, March 14th, 2020
• “The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself...”
• “... unnamed sources told Reuters that the DarkHotel group, an APT associated with carrying out cyberespionage efforts in China, North Korea, Japan and the United States, could be the culprit behind the attack”

The Magic Formula!
(Slide image; only a “+” survives in the extracted text)

What Can ATT&CK Tell Us About DarkHotel?
• ATT&CK assigns group ID numbers to prominent APTs tracked by the security community.
• These group IDs are linked to group aliases, software used, technique use by software and a host of other information.
• DarkHotel is “G0012”:

What Can ATT&CK Tell Us About DarkHotel?
(Slide image)

What Can ATT&CK Tell Us About DarkHotel?
(Slide image: = DarkHotel Techniques)

Pinpointing Techniques used by DarkHotel
• Based on the ATT&CK Navigator we can see that Spearphishing Attachment is a hot technique not just for DarkHotel but for all APTs.
• We can use MITRE ATT&CK to discover more details about this technique and plan our defenses accordingly:

Data Sources are Crucial
• MITRE contains a list of 58+ standardised data sources which are used to detect the techniques documented by ATT&CK.
• Without access to the right data sources you have no chance of detecting attacks!
• For detecting ‘Spearphishing Attachment’ we should have some of the sources shown here:
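The two slides above make one combined point: a Navigator heat map shows which techniques many groups use, and the data-sources slide says that a hot technique is worthless to you if none of its data sources is being ingested. The added example below (not from the slides, not MITRE's, Adarma's or the Navigator project's code) builds a Navigator layer that scores each technique by the number of groups using it and flags the ones with no ingested data source. The group-to-technique map, the data-source names and the "ingested sources" set are constructed samples; the only pairing the slides state is DarkHotel (G0012) using Spearphishing Attachment (ATT&CK ID T1566.001). The helper names (technique_heat, hottest, coverage_gaps, build_layer) and the Navigator layer-version string are assumptions.

```python
"""Added example (not from the slides; not MITRE's, Adarma's or Navigator's code).

Builds an ATT&CK Navigator layer scoring each technique by how many tracked
groups use it (the "hot technique" heat map) and flags hot techniques for
which none of the required data sources is ingested. Real mappings come from
the ATT&CK STIX bundle (https://github.com/mitre/cti); everything below is a
CONSTRUCTED sample. Only G0012 -> T1566.001 is stated by the slides.
"""
import json
from collections import Counter

# Constructed: group ID -> techniques attributed to it. G-EXAMPLE-* are placeholders.
GROUP_TECHNIQUES = {
    "G0012": ["T1566.001", "T1204.002", "T1059.001", "T1566.001"],  # repeat on purpose
    "G-EXAMPLE-1": ["T1566.001", "T1566.002", "T1059.001"],
    "G-EXAMPLE-2": ["T1566.001", "T1204.002"],
    "G-EXAMPLE-3": ["T1566.002", "T1003.001"],
}

# Constructed: technique -> data sources that can reveal it (names illustrative).
REQUIRED_SOURCES = {
    "T1566.001": ["Email Gateway", "Network Traffic", "File"],
    "T1566.002": ["Email Gateway", "Network Traffic"],
    "T1204.002": ["Process", "File"],
    "T1059.001": ["Command", "Script", "Process"],
    "T1003.001": ["Process", "Windows Registry"],
}

# Constructed: what this SOC actually ingests into Splunk today (no email data).
INGESTED_SOURCES = {"Process", "Command"}


def technique_heat(group_techniques):
    """Count how many distinct groups use each technique (a group counts once)."""
    heat = Counter()
    for techniques in group_techniques.values():
        heat.update(set(techniques))      # set() stops a repeated ID double-counting
    return heat


def hottest(heat, n):
    """Top-n techniques, most groups first, ties broken by technique ID."""
    return sorted(heat.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def coverage_gaps(heat, required, ingested):
    """Techniques in use for which none of the required data sources is ingested."""
    return sorted(t for t in heat if not set(required.get(t, [])) & ingested)


def build_layer(name, heat, required, ingested, domain="enterprise-attack"):
    """Assemble a Navigator layer dict: score = group count, comment = coverage note."""
    gaps = set(coverage_gaps(heat, required, ingested))
    techniques = []
    for tid, score in sorted(heat.items()):
        comment = f"used by {score} group(s)"
        if tid in gaps:
            comment += "; NO ingested data source covers this technique"
        techniques.append({"techniqueID": tid, "score": score, "comment": comment})
    return {
        "name": name,
        "domain": domain,
        "versions": {"layer": "4.2"},     # assumed; match your Navigator release
        "description": "Technique heat by group count; comments flag data-source gaps",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(heat.values(), default=0)},
    }


if __name__ == "__main__":
    heat = technique_heat(GROUP_TECHNIQUES)
    print("hottest:", hottest(heat, 3))
    print("gaps:", coverage_gaps(heat, REQUIRED_SOURCES, INGESTED_SOURCES))
    layer = build_layer("Constructed group heat map", heat,
                        REQUIRED_SOURCES, INGESTED_SOURCES)
    print(json.dumps(layer, indent=2))    # save and import into ATT&CK Navigator
```

With the constructed sample, the hottest technique (T1566.001) is also one of the two gaps, because no email-related source is ingested; that is exactly the situation the slide warns about, and the layer's comments make it visible in Navigator before any detection work starts.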

All Data Sources Are Not Created Equally
(Diagram by Roberto Rodriguez)

Why Use ATT&CK with Splunk?
• Splunk correlates real-time data across various log sources. This makes it an ideal platform for correlating with ATT&CK’s data source definitions.
• Using detections covered in MITRE under each technique, we can generate Splunk searches & alerts to uncover these attacks and protect against them.
• Even without live data you can practice on static sample datasets such as BoTS and Mordor.

Demonstration Overview
• Learn more about the Spearphishing Attachment technique used by Darkhotel.
• Analyse the BoTSv2 dataset for examples of Spearphishing Attachment.
• Use information discovered via MITRE ATT&CK and other online resources to identify the attack and any further damage caused.

Splunk Time!
*no splunk instances were harmed during the making of this demo

Useful Resources
• ATT&CK Navigator – Generate heatmaps/visualizations of techniques found in MITRE ATT&CK
• DeTT&CT – Useful for generating JSON files which can be imported into ATT&CK Navigator as heatmaps.
• Mordor – Pre-recorded security events generated using adversarial techniques, in JSON format.
• Red Canary – Small and portable detection tests for MITRE ATT&CK
• Caldera – An automated adversary emulation system, built on the MITRE ATT&CK framework
• Elemental – Centralized threat library of MITRE ATT&CK techniques, Atomic Red Team tests, and over 280 Sigma rules.

Conclusion
• MITRE ATT&CK is an excellent framework for discovering and mitigating attacks with its wealth of information.
• Splunk is the ideal tool for you to set up your defences or even just practice your detections, as we have shown.
• Advanced Persistent Threats can offer a great starting place for you to begin your analysis. Staying up to date on recent events in cybersecurity is a huge boost to your threat hunting.
• You NEED to have the correct data sources before you can begin to identify anything!

BOOM! Question Time!

Thank you for listening!
• If you want to learn a bit more about MITRE ATT&CK you can check out our blog posts on the Adarma Tech Blog: https://medium.com/adarma-tech-blog/
• You can also find us on social media:
  – Twitter: @frazsec1 (Fraser Dumayne)
  – LinkedIn: Fraser Dumayne / Cian Heasley
• Or message us on Teams if you work with us!

Splunk Remote Work Insights
Support for Your Remote Workforce
• For customers responding to COVID-19 by moving employees to remote work, Splunk has introduced Remote Work Insights
• Empowers IT and Security teams to manage applications and monitor critical business performance from remote locations
• Executive dashboard provides views into business operations and employee productivity

Splunk Remote Work Insights
• Real-Time Visibility: across disparate remote systems including VPN, Microsoft 365, and cloud-based collaboration platforms
• Available March 31: COVID-19 Response Page on Splunk.com
• Frequent Updates: support for additional remote work systems coming soon

COVID-19 Response on Splunk.com
For Cloud Customers:
• New RWI Autobahn lane
• Curated collection of apps
• TAs
• Blogs
• Sample Searches
• Best Practices
For On-Premises Customers:
• Curated collection of apps
• TAs
• Blogs
• Sample Searches
• Best Practices

Get Involved!
● Splunk 4 Rookies Security (End of May)
– Keep an eye on LinkedIn/Twitter for details or register your interest by emailing events@adarma.com.
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/edinburgh-splunk-user-group/
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via https://splk.it/slack
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@adarma.com | @cyberharibu

Thank You

Meet the Experts
Tom Wise & Harry McLaren, Members of SplunkTrust
