
Splunk and Threat Hunting

Slides presented at Security Days 2019 Spring on 2019.03.08.
Attackers outmatch defenders in both knowledge and technique: they know the security solutions in use and understand how to evade them. For defenders, relying on security tools alone is not enough. The mindset that becomes necessary is Threat Hunting, which aims to catch intrusion activity while it is still in progress rather than after the attacker has achieved their objective. This deck introduces Threat Hunting using Splunk.

odorusatoshi

March 08, 2019

Transcript

1. © 2019 SPLUNK INC. 2019.03.08 Security Days Spring 2019 Tokyo
4. Because Ninjas Are Too Busy
6. We define hunting as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
8. NIST SP800-61
14. How to Threat Hunting
16. (IOC), ATT&CK, SIEM
17. Crowd Strike blog (https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/)
19. MITRE ATT&CK https://attack.mitre.org/
20. Mimikatz