Splunk Lantern

Assessing your organization's current state of insider threat awareness

The primary goal of this part of the Insider Threat Workshop is to assess where you are now in relation to what was gathered in the portion of this workshop where you selected insider threat use cases.

This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.

In reviewing your current state, consider how close you are to achieving the following goals and objectives of operationalizing an insider threat program:

  • Run data-driven investigations
    • Build out knowledge objects around known indicators and activity
  • Reduce time frames of investigative process
    • Alert to need for investigation
    • Begin investigation
    • Complete investigation
  • Start investigations earlier
    • Move detection from after data exfiltration has occurred to the earlier stages of the attack where possible, using the MITRE ATT&CK tactics that precede exfiltration
  • Gather data for calls to action
    • Track more events, track them better
    • Use data to push for policy changes

For more information on goals and objectives, see The house always wins: A case study for using Splunk Enterprise to fight data exfiltration from insider threats.

Review your data sources

User definition data

This comes from the identities framework in Splunk Enterprise Security (ES). The default fields of the identity lookup provide basic enrichment for user data; the category, location, and watchlist fields are the most useful for insider threat use cases. Additional lookup fields can be created to hold enrichment data that reflects each user's risk potential. Some attributes you should record about users are:

  • Employment state: two-week notice, temporary employee, contractor. These could be expressed as values of the category field instead of as a separate field.
  • High-risk locations: sensitive projects, government work, or locations with a problematic history.
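As an added example (not code from the page or from Splunk), the following SPL search applies that enrichment to successful logins from the Authentication data model and keeps only the users whose identity data marks them as higher risk. The lookup name `insider_identities` and the extra fields `employment_state` and `high_risk_location` are assumptions for illustration; in ES you would add those fields to the identity lookup definition itself, and the weights in the `case()` are placeholders to tune. Inline comments use Splunk's built-in `comment` macro.

```spl
| tstats summariesonly=true count AS login_count
    FROM datamodel=Authentication
    WHERE Authentication.action="success"
    BY Authentication.user Authentication.src _time span=1h
| rename Authentication.* AS *
`comment("Assumed lookup: identity key plus the added insider threat fields")`
| lookup insider_identities identity AS user
    OUTPUT category watchlist employment_state high_risk_location
`comment("Assumed weights: watchlisted users first, then employment state, then location")`
| eval user_risk_weight=case(
    watchlist="true", 3,
    employment_state IN ("two_week_notice", "temporary", "contractor"), 2,
    high_risk_location="true", 2,
    true(), 1)
| where user_risk_weight > 1
| table _time user src login_count category watchlist employment_state high_risk_location user_risk_weight
| sort - user_risk_weight - login_count
```

Users that are absent from the lookup get no enrichment fields and fall through to weight 1, so they are dropped by the `where` clause; if that is not what you want, check identity coverage first rather than lowering the threshold.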

Activity data

This is the traditional event data associated with the Splunk platform. Because these data sources cover the largest number of MITRE ATT&CK tactics, the primary data sources to focus on should be:

  • Endpoint data: Carbon Black, CrowdStrike, Sysmon (open source), auditd (open source), Windows Event IDs
  • Network data: proxy, firewall, Suricata (IDS, HTTP/DNS)

All data should be normalized to the Splunk Common Information Model (CIM). Use Splunk-supported add-ons to onboard data and normalize it. The ES risk data model only works if every event can be attributed to a user or a host. IP addresses are not reliable for this, because DHCP, NAT, and VPN pools reassign them; given the choice, use hostnames instead. The ES asset and identity framework can help normalize IP addresses to hostnames.
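A quick way to measure whether your endpoint data actually meets that requirement before building detections on it, as an added example that is not from the original page: per sourcetype, how many `Endpoint.Processes` events carry a `user` and a `dest`, and how many of those `dest` values are bare IPv4 addresses rather than hostnames. It assumes the Endpoint data model is accelerated (hence `summariesonly=true`); the inline comments use Splunk's built-in `comment` macro.

```spl
`comment("Totals per sourcetype, plus how many events have user and dest populated")`
| tstats summariesonly=true
    count AS total
    count(Processes.user) AS has_user
    count(Processes.dest) AS has_dest
    FROM datamodel=Endpoint.Processes
    BY sourcetype
| append [
    `comment("Second pass: count events whose dest is a bare IPv4 address, not a hostname")`
    | tstats summariesonly=true count
        FROM datamodel=Endpoint.Processes
        BY sourcetype Processes.dest
    | where match('Processes.dest', "^\d{1,3}(\.\d{1,3}){3}$")
    | stats sum(count) AS ip_dest BY sourcetype
  ]
| stats sum(total) AS total sum(has_user) AS has_user sum(has_dest) AS has_dest sum(ip_dest) AS ip_dest BY sourcetype
| fillnull value=0 ip_dest
| eval pct_user=round(100*has_user/total, 1)
| eval pct_dest=round(100*has_dest/total, 1)
| eval pct_ip_dest=round(100*ip_dest/total, 1)
| table sourcetype total pct_user pct_dest pct_ip_dest
| sort - total
```

A sourcetype with a low `pct_user` or a high `pct_ip_dest` is one the risk data model cannot attribute well; fix the add-on field extractions or the asset lookup for that sourcetype before writing risk rules against it. Note that a `user` value of `unknown` still counts as populated here, so inspect `values(Processes.user)` for the worst sourcetypes as a follow-up.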

Interesting Sysmon event IDs and fields

  • Event ID 1 - Process Creation: process, path, parent path, command line, etc.
  • Event ID 3 - Network Connection: src, dest, and the communicating process.
  • Event ID 7 - Image Loaded (DLLs): chatty, but useful if there is room for the extra data.
  • Event ID 8 - CreateRemoteThread (process injection): commonly used by malware, but also by some anti-malware tools, so expect benign sources.
  • Event ID 10 - ProcessAccess (credential dumping): Mimikatz uses this to dump credentials from LSASS.
  • Event ID 11 - FileCreate: very noisy. If you use it, you will need to define file exceptions.
  • Event IDs 12/13/14 - RegistryEvent (object create or delete, value set, key or value rename): persistence and other malware activity in the registry.
  • Event IDs 17/18 - PipeEvent (pipe created, pipe connected): catches covert communication over named pipes. Cobalt Strike Beacon's SMB named-pipe traffic is often only visible here.
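As an added example that is not from the original page, here is a search for the Event ID 10 case named above: processes opening a handle to LSASS, with known-good readers filtered out and the access masks commonly requested by credential dumpers flagged. The index name `sysmon` and the lookup `lsass_access_allowlist.csv` (a single `SourceImage` column listing your AV/EDR and other legitimate LSASS readers) are assumptions; the field names are those produced by the Splunk Add-on for Sysmon. Inline comments use Splunk's built-in `comment` macro.

```spl
index=sysmon source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
    TargetImage="*\\lsass.exe"
`comment("Assumed allowlist lookup: SourceImage values that legitimately read LSASS (AV, EDR, backup agents)")`
| search NOT [| inputlookup lsass_access_allowlist.csv | fields SourceImage]
| eval GrantedAccess=lower(GrantedAccess)
`comment("Access masks commonly requested by credential dumpers; everything else is kept but ranked lower")`
| eval access_suspicious=if(GrantedAccess IN ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"), 1, 0)
| stats count
    min(_time) AS first_seen
    max(_time) AS last_seen
    values(GrantedAccess) AS granted_access
    max(access_suspicious) AS access_suspicious
    values(CallTrace) AS call_trace
    BY Computer SourceImage TargetImage
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - access_suspicious - count
```

Build the allowlist from a baseline run of this search with the `NOT [...]` line removed: anything that touches LSASS on every host every hour is almost certainly your security tooling. Keep `CallTrace` in the output, because a source that legitimately reads LSASS but shows an unexpected call trace (for example a trace through an unsigned DLL) is still worth a look.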

Minimum Windows events for collection

  • Authentication and Permissions on DCs

If you are using Sysmon, stop collecting 4688 (a new process has been created), 4657 (a registry value was modified), 4663 (an attempt was made to access an object, the file-access audit event), and 5156 (the Windows Filtering Platform has permitted a connection), because Sysmon Event IDs 1, 12-14, 11, and 3 already record the same activity and the pair would be duplicate events. Only do this once Sysmon is actually deployed and verified on the same hosts; otherwise you lose process creation visibility entirely.

For more information on Windows Eventlog ID collection best practices, see Malware Archaeology Cheat Sheets.

Powershell logging

PowerShell logging can also be a valuable endpoint data source. However, the volume can be excessive, because normal administrative activity in most Windows environments is PowerShell scripting. Specify exceptions for that known-good administrative activity in the logging policy or in the collection configuration so it is not ingested.

Two other good resources for "living off the land" attacks, which are typical things to look for in endpoint logs, are LOLBAS (Living Off The Land Binaries, Scripts and Libraries) and GTFOBins. These sites are curated lists of Windows and Unix binaries that ship with the operating system as normal files but can be abused to bypass local security restrictions.

Data sources common to insider threat use cases

The more challenging and time consuming data sources to onboard are indicated with an asterisk *.

Each row gives the data source (category), the indicators it provides, the components of threats it supports, the add-ons required (listed only where the original table names them), and the threat types it serves.

Windows authentication data
  • Indicators: multiple logins; multiple errors; new machine usage; unusual activity; unusually fast activity; unusual activity sequence; unusual activity time; unusual machine access
  • Components of threats supported: lateral movement; insider threat
  • Threat types: Data Exfiltration by Suspicious User or Device; Remote Account Takeover; Data Exfiltration by Compromised Account; Generic Data Exfiltration

Outbound web logs (proxy data)
  • Indicators: excessive data transmission; unusual web browser (user agent); flight risk (job sites)
  • Components of threats supported: unusual data/share access; user rules based on user
  • Threat types: Data Exfiltration by Malware; Generic Data Exfiltration; Insider Threat

Firewall data
  • Indicators: multiple connections; multiple sessions blocked; excessive data transmission; blacklisted IP; external alarms; unusual activity; machine-generated beacon; file sharing sites (non-business); flight risk (job sites)
  • Components of threats supported: botnet command and control; malware activity; unusual domain access for file sharing (peer group analysis)
  • Threat types: Data Exfiltration by Malware; Generic Data Exfiltration; Insider Threat

DLP data
  • Indicators: external alarms for high severity; analytics and KPI rules; special cases (self-email, non-business domain, file sharing domain, email to competitors, ...); includes email and USB in some cases
  • Components of threats supported: unusual data/share access; unusual email patterns; unusual data transfer
  • Threat types: Insider Threat

Endpoint data
  • Indicators: external alarms for AV; rare activities or processes; customer policies
  • Components of threats supported: unusual alarms
  • Threat types: Insider Threat

Badge data (physical access logs)
  • Indicators: access outside regular assigned business hours
  • Components of threats supported: unusual building or door access attempts, frequency, access outside regular assigned business hours, etc.
  • Add-ons: typically custom add-ons/input configs*
  • Threat types: Insider Threat

Expense reporting system logs
  • Indicators: unusual expense patterns
  • Components of threats supported: unusual expense patterns
  • Add-ons: custom inputs, proprietary data connectors*
  • Threat types: Insider Threat

Change control system logs
  • Indicators: missing change control approvals for configuration changes
  • Components of threats supported: review change approvals against configuration changes
  • Threat types: Insider Threat

Printer log data
  • Indicators: higher than usual page counts and data volumes
  • Components of threats supported: unusual printer volumes per user
  • Threat types: Insider Threat

RDP log data
  • Indicators: remote access traffic outside of assigned business hours
  • Components of threats supported: unusual remote access times or patterns
  • Threat types: Insider Threat

VPN data
  • Indicators: remote access traffic outside of assigned business hours; remote access from unusual geolocations; larger than usual data transfer rates over VPN
  • Components of threats supported: unusual remote access times or patterns
  • Threat types: Insider Threat

Mobile device logs
  • Indicators: unusual call and texting activity
  • Components of threats supported: unusual call and texting activity
  • Threat types: Insider Threat

Cloud IDM and policy logs
  • Indicators: IDM policy violation alerts
  • Components of threats supported: unusual access activity
  • Threat types: Insider Threat

Backup logs
  • Indicators: unusual backup job sizes; large number of job failures; backups scheduled outside the maintenance window for the resource
  • Components of threats supported: unusual scheduled backup jobs, anomalous backup job sizes or failure rates
  • Threat types: Insider Threat

Storage logs
  • Indicators: unexpected large data transfers; data transfers from encrypted file shares; creation of new file shares
  • Components of threats supported: unusual data transfers; data transfers from sensitive shares
  • Threat types: Insider Threat

Components of the employee termination process
  • Indicators: monitor employee terminations as a possible driver for insider activity
  • Add-ons: custom; could be AD logs or some other system (RED)
  • Threat types: Insider Threat

Email communications
  • Indicators: watch list phrases in subject lines; competitor domains in to/from headers; large byte counts for emails; known bad domains in to/from headers
  • Components of threats supported: sentiment, activity and presence monitoring
  • Threat types: Insider Threat

Zoom/Webex
  • Indicators: watch list phrases in subject lines; competitor domains and other identifiers in content transcripts; large byte counts for Webex/Zoom data transfers; known bad domains in content transcripts
  • Components of threats supported: sentiment, activity and presence monitoring
  • Threat types: Insider Threat

Evaluate existing security detections, data sources, and coverage in Splunk Security Essentials

The Splunk Security Essentials (SSE) app contains a number of useful utilities in addition to being a security use case library. One of those utilities is "Map Saved Searches to Splunk's Out-Of-The-Box Content". It systematically maps your existing saved searches to the out-of-the-box content in SSE, so you can see which detections you already have and which you are missing.

Content development can also be managed within the SSE app. Chosen content within the repository can be bookmarked and its status maintained and annotated through the deployment process. Even custom content can be added to the repository and tracked. This part of the app should be used to record and track your current state of insider threat detection content.

MITRE coverage

In the context of MITRE ATT&CK, tactics give us categories of activity, and techniques describe the specific activity. A single technique from one tactic can be normal activity, but the sudden use of techniques from several tactics by the same user or host is a strong signal of malicious behavior. This is where risk-based alerting (RBA) helps: risk rules write their observations to the risk index rather than alerting individually, and a risk incident rule alerts only when the accumulated observations for one object cross a threshold. When evaluating MITRE coverage, coverage percentage is less important than coverage depth. The Security Essentials app can also be used to track the current MITRE coverage of your security content.
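The aggregation step described above, as an added example that is not from the original page: a risk incident search over the ES Risk data model that sums risk for each user over the last 24 hours, counts the distinct ATT&CK tactics observed, and alerts when either the tactic count or the score crosses a threshold. The field names are those of the ES Risk data model; the thresholds (three tactics, score 100) and the 24-hour window are assumptions to tune for your environment. Inline comments use Splunk's built-in `comment` macro.

```spl
`comment("Risk rules write one event per observation to the risk index; this rolls them up per user")`
| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) AS risk_score
    count AS risk_event_count
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS mitre_tactic_ids
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS mitre_tactic_count
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) AS mitre_technique_ids
    values(source) AS risk_rules
    dc(source) AS risk_rule_count
    FROM datamodel=Risk.All_Risk
    WHERE earliest=-24h All_Risk.risk_object_type="user"
    BY All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* AS *
`comment("Assumed thresholds: breadth across tactics, or enough cumulative score from one noisy tactic")`
| where mitre_tactic_count >= 3 OR risk_score >= 100
| sort - mitre_tactic_count - risk_score
| table risk_object risk_object_type risk_score risk_event_count mitre_tactic_count mitre_tactic_ids mitre_technique_ids risk_rule_count risk_rules
```

The `mitre_tactic_count` condition is what turns "many low-confidence alerts" into "one high-confidence alert": a user who trips only discovery rules all day never fires, while a user who trips discovery, collection, and exfiltration rules within the window does. It only works if the risk rules carry ATT&CK annotations, so check `mitre_tactic_ids` for empty values when tuning.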