Demonstrate my ability to design a powerful Splunk Enterprise Security SIEM monitoring solution to protect a customer from security attacks.
- Introduction
- Attack Scenario
- List of Project Deliverables
- Tasks and Results Documentation
My Skills and Knowledge Applied
- Finding Splunk apps
- Installing a Splunk app
- Uploading log files
- Splunk searching of log data
- Using Splunk Processing Language (SPL)
- Using fields
- Creating custom reports
- Creating custom alerts
What is Splunk ES?
Splunk Enterprise Security (ES) is a Security Information and Event Management (SIEM) tool based on the Splunk data platform, a big data software solution that also provides many solutions outside cybersecurity. Splunk ES specializes in assisting with the key defensive concepts of continuous monitoring, log collection, aggregation, parsing, normalization, searching and correlation.
Splunk solutions can be enhanced by Splunk Apps, which users can add to their Splunk base product. Apps have custom searches and features with their own interface. These differ from Splunk Add-ons, which are smaller components that provide additional functionality without their own interface.
Splunk Processing Language (SPL) is similar to SQL except that Splunk SPL is designed to search events rather than database table columns. SPL is used to aggregate, parse, normalize and search through log data. (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk)
What is Nessus?
"Nessus is one of the many vulnerability scanners used during vulnerability assessments and penetration testing engagements, including malicious attacks." (Lester Obbayi, Infosec Institute, 7/26/19) https://resources.infosecinstitute.com/topic/a-brief-introduction-to-the-nessus-vulnerability-scanner/
Assumption: I am a new SOC Analyst for Vandalay Co., which has Splunk ES as their SIEM.
The following attacks and challenges are in play:
- Web server outage due to a DDOS attack
- Upload/download speeds have been significantly impacted
- Brute force attacks against administrator accounts
- Management suspects the database servers might be vulnerable and are in need of an assessment.
- Install SIEM Monitoring Features
- Monitor Web Servers (ping, packet loss, speed)
- Analyze/Conclude On "Speed Test" Log Data From DDOS Attack
- Create DDOS Attack Alert Notification
- Analyze/Conclude On Vulnerability of Data Server
- Create Vulnerability Alert Notification
- Analyze/Conclude On "Admin" Log Data From Brute Force Attack
- Create Brute Force Attack Alert Notification
- Install the Splunk App, Network Toolkit, on Splunk ES.
- Continue analysis as sysadmin
- Configure search index storage locations
////////// Install "Network Toolkit" app //////////
////////// Login as Admin to continue analysis //////////
////////// Configure where the index for searches will be stored //////////
- Confirm server availability through a ping
- Run a packet loss check
- Run a current speed test
////////// Confirm web servers availability by pinging 198.153.194.1 and 198.153.194.2 //////////
////////// Run a packet loss check on the web servers //////////
////////// Run a current speed test on server 2 //////////
- Add Speed Test Log Data to SIEM. Use Splunk Processing Language (SPL) to:
- Create a virtual field showing ratio of upload:download speed.
- Create a Splunk report showing statistics for: time, ip_address, downloaded megabits, uploaded megabits, upload/download ratio.
- Conclude: 1) the approximate date/time of the attack, 2) how long it took systems to recover.
////////// Upload Log Data //////////
////////// Use Splunk SPL to create a virtual field of ratio between upload/download speeds //////////
////////// Create a report using the TABLE SPL command to display: time, ip_address, downloaded megabits, uploaded megabits, upload/download ratio //////////
////////// Log Conclusions //////////
- The DDoS attack started at: 14:30 on 23-Feb-2020
- The DDoS attack ended at: 23:30 on 23-Feb-2020
- The attack lasted approximately 9 hours by which time speeds had recovered.
- A symptom of a DDoS attack is a decrease in internet speed, because the attack traffic consumes the available bandwidth.
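The speed-test analysis above (calculated ratio field, TABLE report, and the outage window) carried out in Python as an added example; this is not the page's own Splunk search, and the log rows, column names and the 25%-of-median "degraded" rule are constructed assumptions:

```python
import csv
import io
from datetime import datetime

# Constructed speed-test log (not the page's data): one reading every three
# hours from web server 2, with the bandwidth collapse between 14:30 and
# 23:30 on 23-Feb-2020 that the conclusions above describe.
SPEED_LOG = """time,ip_address,download_megabits,upload_megabits
2020-02-23 02:30,198.153.194.2,98.4,10.1
2020-02-23 05:30,198.153.194.2,101.2,9.8
2020-02-23 08:30,198.153.194.2,99.7,10.3
2020-02-23 11:30,198.153.194.2,100.5,10.0
2020-02-23 14:30,198.153.194.2,3.1,0.9
2020-02-23 17:30,198.153.194.2,1.7,0.4
2020-02-23 20:30,198.153.194.2,2.6,0.7
2020-02-23 23:30,198.153.194.2,97.9,10.2
2020-02-24 02:30,198.153.194.2,99.1,9.9
"""

def load_rows(text):
    """Parse the CSV and add the calculated ratio field (the SPL eval step)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M")
        r["download_megabits"] = float(r["download_megabits"])
        r["upload_megabits"] = float(r["upload_megabits"])
        r["ratio"] = round(r["upload_megabits"] / r["download_megabits"], 3)
        rows.append(r)
    return rows

def find_outage(rows, drop_fraction=0.25):
    """Return (start, end, hours) for the first run of readings whose download
    speed is below drop_fraction of the median reading; end is the first reading
    at which speed has recovered. Returns None if no complete window is seen."""
    speeds = sorted(r["download_megabits"] for r in rows)
    median = speeds[len(speeds) // 2]
    start = None
    for r in rows:
        degraded = r["download_megabits"] < drop_fraction * median
        if degraded and start is None:
            start = r["time"]
        elif not degraded and start is not None:
            hours = (r["time"] - start).total_seconds() / 3600
            return start, r["time"], hours
    return None

def report_table(rows):
    """Equivalent of the TABLE command: keep only the report's columns, in order."""
    return [(r["time"].strftime("%Y-%m-%d %H:%M"), r["ip_address"],
             r["download_megabits"], r["upload_megabits"], r["ratio"]) for r in rows]
```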
- Upload Nessus Scan Results
- Create a Splunk report to determine how many critical vulnerabilities exist on the customer data server
////////// Upload Nessus Vulnerability Scan results //////////
////////// Create a report counting data server vulnerabilities //////////
- Create an email alert that monitors every day to see if this server has any critical vulnerabilities. If a vulnerability exists, have an alert emailed to soc@vandalay.com
////////// Create a daily email alert for the data server //////////
Complete the following fields in the resulting SAVE AS ALERT window and press SAVE. Set:
- Title: Critical Vulnerability Detected - 10.11.36.23
- Description: Customer Database Server
- Alert Type: Run Every Day
- Trigger Alert When: Number of Results IS GREATER THAN 0, then select Trigger Actions / Add Actions
- Actions: Send EMAIL To: soc@vandalay.com, Priority: Highest, Include Link, Trigger Time, PDF
- Analyze administrator logs that document a brute force attack. Then, create a baseline of the ordinary amount of administrator bad logins and determine a threshold to indicate if a brute force attack is occurring.
////////// Upload admin logs //////////
////////// Identify Time of Brute Force //////////
////////// Determine a baseline of normal activity //////////
The baseline of normal activity is between 0 and 23 events per hour based on the timeframe history of the logged events, which is approximately 35 hours.
Brute-force activity for this incident is considered 34 events or MORE per hour.
This leaves a middle range of 23-33 events per hour that could be either normal activity or malicious activity in the future. An attacker could potentially keep their rate of events within this gap window to mask themselves from detection.
Recommendation: Given that both future normal and malicious activity could have an unknown statistical deviation +/-, the alert threshold should be set initially to 28 events per hour, the midpoint of the mid-range window. If we could obtain more historical files to determine what is “normal”, the threshold could be revised.
////////// Create Brute Force Attack Alert Notification //////////
Within SPL, there is an “earliest” time modifier that filters on the default _time field to retrieve only the records within a specified range, based on the parameter set.
The ALERT will be based on an hourly check.
Therefore, I want to search for records whose timestamp is within the last 60 minutes and whose name is “An account failed to log on”.
Based on the following print screens, enter search SPL as follows with earliest=-60m which commands to only search for records generated in the last hour:
- source="administrator_logs.csv" host="gamarra" sourcetype="csv" name="An account failed to log on" earliest=-60m | table name _time src_ip
As a preliminary test, I ran the report with the earliest parameter set far enough back to detect records in the uploaded logs. The test setting was earliest=-213120. Results were returned, confirming that the “earliest” filter works.
- For the alert to go into production, set earliest=-60m
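The baseline-and-threshold reasoning above (0-23 events per hour normal, 34 or more brute force, threshold at the midpoint of the gap) and the hourly earliest=-60m check, worked through in Python as an added example. This is not the page's own Splunk search; the events, hour counts, source IPs and the choice of which hours are the attack are constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed administrator-log sample (not the page's data): seven hours of
# "An account failed to log on" events, the last two being the brute-force burst.
START = datetime(2020, 2, 23, 0, 0)
COUNTS_PER_HOUR = [5, 12, 23, 0, 8, 34, 41]
ATTACK_HOURS = {START + timedelta(hours=5), START + timedelta(hours=6)}

def make_events(counts_per_hour, start):
    """Build one event per failed logon; the burst hours come from a single source IP."""
    events = []
    for i, n in enumerate(counts_per_hour):
        for j in range(n):
            events.append({"_time": start + timedelta(hours=i, minutes=j),
                           "name": "An account failed to log on",
                           "src_ip": "203.0.113.7" if n >= 30 else "10.0.0.5"})
    return events

EVENTS = make_events(COUNTS_PER_HOUR, START)

def hourly_counts(events):
    """Bucket events into hours (the SPL bin _time span=1h | stats count step)."""
    counts = {}
    for e in events:
        hour = e["_time"].replace(minute=0, second=0, microsecond=0)
        counts[hour] = counts.get(hour, 0) + 1
    return counts

def derive_threshold(counts, attack_hours):
    """Baseline = highest hourly count outside the attack; attack floor = lowest
    hourly count inside it; threshold = midpoint of the gap, as recommended above."""
    normal = [c for h, c in counts.items() if h not in attack_hours]
    attack = [c for h, c in counts.items() if h in attack_hours]
    baseline_max, attack_min = max(normal), min(attack)
    return baseline_max, attack_min, (baseline_max + attack_min) // 2

def last_hour_check(events, now, threshold):
    """The hourly alert search: earliest=-60m, count the matching results and
    trigger when the count exceeds the threshold."""
    n = sum(1 for e in events
            if now - timedelta(minutes=60) <= e["_time"] < now
            and e["name"] == "An account failed to log on")
    return n, n > threshold

def check_at(hours_after_start, threshold):
    """Run the hourly check as if the scheduled search fired at START + hours_after_start."""
    return last_hour_check(EVENTS, START + timedelta(hours=hours_after_start), threshold)
```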
////////// Productionalize an Hourly Alert in Splunk //////////
In the search window, click SAVE AS and select ALERT. Complete as follows:
- Title: Hourly Attack Check
- Description: Check for DDOS attack by failed login attempts
- Alert Type: Scheduled EVERY HOUR
- Trigger alert when: Number of results is Greater than 24
- Add Action : select SEND EMAIL
- To: soc@vandalay.com
- Priority: highest
- Click SAVE
- Screenshots as follows: