Boss of the SOC (BOTS) Advanced APT Hunting Companion App: Now Available on Splunkbase

On April 18th, we announced the release of the Boss of the SOC 2.0 dataset. To keep everyone on their toes, we're announcing the availability of the Boss of the SOC (BOTS) Advanced APT Hunting Companion App for Splunk companion app for BOTSv2, based around the APT scenario.

Companion app? Based around the APT scenario? Hang on a second... What does that even mean?

In the BOTSv2 dataset, there are multiple scenarios occurring that include various entities up to no good. One of those scenarios is built around a “fictional” nation-state adversary having their way with Frothly. After we developed the scenario, I started thinking, wouldn’t it be fun if we could use the BOTS data to help teach threat hunting?

Long story shortened ever so slightly, I built a workshop around threat hunting based on this APT scenario and the companion app is the viewfinder, if you will, around that scenario. It's used in our Advanced APT Hunting workshop, which we deliver to Splunk users at their locales while others have gone through portions of the workshop at events like BSides LV, DefCon Packet Hacking Village and WiCys 2019.

Because the workshop is pretty extensive and there are numerous hunts involved, users often want to continue working on it beyond the time allotted for the workshop. With that in mind, the companion app is really designed to provided that guided education beyond the workshop; it provides much of the content that is presented in the workshop, but in a way that gives the user an opportunity to learn at their own pace and on their own time!

The app is designed to help analysts use Splunk to hunt for threats using the MITRE ATT&CK framework to develop a hypothesis, perform a hunt, visualize it and then identify findings that could be operationalized by the security operations team for continuous monitoring in the future. Let's take a look:

When we hunt, we need to develop hypotheses to focus our activity. By using MITRE ATT&CK, we can focus our hunts on specific adversary techniques and then we can further refine our hypotheses to look for specific tools that use a technique, specific systems or time window, to name a few examples. Each hunt is laid out similarly and includes links to the technique detail, a starter set of questions that might assist in confirming or refuting the hunting hypothesis, as well as other external references. In our example below, how can we hunt for PowerShell Empire if we don’t know what it might look like or its capabilities?

The app provides a step-by-step series of searches that allow you to see how we performed the hunt on each hypothesis while providing commentary and Splunk SPL for each of the searches, as well as a raw, tabular or graphical output. Hopefully, some of these searches or visualizations provide some brain candy for your future hunts!

Sourcetypes in the BOTS dataset that are utilized for specific hunts are identified as well. I understand that not all of these sourcetypes are the same as what you might have in your environment, but it provides you an opportunity to investigate new sourcetypes, and these could serve as a way to increase visibility in your own environment. If you enjoy exploring the data, clicking the green button next to the SPL will open a new tab where the search is run, and you can then pivot on interesting fields and manipulate the search and visualization to your liking.

There are times when we need to pivot beyond Splunk, so I call out and link in the app to OSINT to help provide additional context to the hunt. Finally, additional resources like the Diamond Model for our adversary, as well as a search reference, blog posts, and diagrams are provided to help the user gain further insight that they would gather and develop during their hunt.

I hope this brief introduction gives you an understanding of the threat hunting companion app and how you can use it to raise your game when it comes to using Splunk to threat hunt. As an added bonus, use the app and dataset and apply that learning to future BOTS competitions—you may find golden lights displaying your name!

With that, don’t wait. Check out the Boss of the SOC (BOTS) Advanced APT Hunting App for Splunk along with the BOTSv2 dataset now.

Happy Hunting!

----------------------------------------------------
Thanks!
John Stoner