Hello Splunk Ninjas!
In early November the Splunk team attended Blackhat Europe at the Business Design Centre in London. The European hacking and penetration testing community came together to meet, exchange, collaborate and share details on the latest hacks and vulnerabilities. It was also an opportunity to showcase potential risks and to discuss how to improve security for organizations and consumers.
Splunk’s schedule was full during the briefing days. In our booth we shared the latest in big data analytics for security, machine learning and threat intelligence gathering, and discussed how security teams should prepare for the future with automation.
James Hanlon, Security Markets Specialist, presented in the Business Hall on how organizations should carry out threat hunting, including detail on the people, technology and processes required. He also discussed how threat-hunting maturity develops from an initial ad hoc basis towards utilising advanced machine learning capabilities.
In the evening we made the talk real and hands-on with a threat-hunting workshop. Many Blackhat attendees joined us, as well as people from the London area who wanted to learn more about Splunk and its role in threat hunting. We hunted through a real data set for threats and attackers, and, using the techniques we showed them, the attendees identified several attackers. The audience started to come up with their own threat hunting ideas, and a common comment over the pizza and beer afterwards was: “I know what the first thing I’ll do when I get into work tomorrow is!”
On Friday we also had two Data Scientists from Splunk presenting in the Arsenal. Rod Soto and Joseph Zadeh presented on crypto ransomware, which has become a popular attack vector used by malicious actors to quickly turn infections into profits. From a defensive perspective, the detection of new ransomware variants relies heavily on signatures, point-solution posture and binary-level indicators of compromise (IOCs). This approach is inefficient at protecting targets against the rapid changes in tactics and delivery mechanisms typical of modern ransomware campaigns. They proposed a novel approach that blends multiple signals (called micro behaviors) to detect ransomware with more flexibility than IOC matching alone.
The goal of this approach is to provide expressive mechanisms for detection via contextual indicators and micro behaviors that correlate to attacker tactics, even if they evolve with time. They provided open source code that allows users and fellow researchers to replicate the use of these techniques. They concluded with a focus on how to tie this approach to active defence measures and existing infrastructure.
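To make the idea of blending micro behaviors concrete, here is an added example (written for this post, not code from Aktaion or from the Splunk team) that scores a batch of constructed endpoint file events. The four micro behaviors, their weights, the thresholds and the alert cut-off are all assumed values chosen for illustration; the events are constructed sample data, not real telemetry. The point it shows is that no single signal is matched against a fixed IOC: each behavior is a weak, tactic-level indicator, and only the combined score decides whether a process is flagged.

```python
import math
import ntpath
from collections import Counter, defaultdict

# Assumed weights per micro behavior (illustrative, not Aktaion's values).
WEIGHTS = {
    "mass_modification": 0.3,    # one process touching many distinct files
    "extension_churn": 0.3,      # renames that introduce a previously unseen extension
    "note_dropping": 0.2,        # the same file name created across many directories
    "high_entropy_writes": 0.2,  # written content looks encrypted or compressed
}
BASELINE_EXTS = frozenset({".txt", ".docx", ".xlsx", ".pdf"})  # assumed "known" extensions


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given content; 8.0 is the maximum for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_events():
    """Constructed events as (process, action, path, payload, new_path) tuples."""
    events = []
    # Benign: a text editor saving a handful of documents.
    for i in range(3):
        events.append(("editor.exe", "write", f"C:\\Users\\a\\doc{i}.txt",
                       b"plain meeting notes " * 10, None))
    # Suspicious: one process renames many files to a new extension, writes
    # maximum-entropy content and creates the same note file in every folder.
    for i in range(25):
        folder = f"C:\\Users\\a\\proj{i % 5}"
        src = f"{folder}\\file{i}.docx"
        events.append(("unknown.exe", "rename", src, None, src + ".locked"))
        events.append(("unknown.exe", "write", src + ".locked", bytes(range(256)) * 4, None))
        events.append(("unknown.exe", "create", f"{folder}\\README_RESTORE.txt", b"note", None))
    return events


def micro_behaviors(events):
    """Return {process: {behavior: bool}} evaluated over the whole event batch."""
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[ev[0]].append(ev)
    result = {}
    for proc, evs in per_proc.items():
        touched = {e[2] for e in evs if e[1] in ("write", "rename")}
        renames = [e for e in evs if e[1] == "rename"]
        churn = sum(1 for e in renames
                    if ntpath.splitext(e[4])[1].lower() not in BASELINE_EXTS)
        dirs_by_name = defaultdict(set)
        for e in evs:
            if e[1] == "create":
                dirs_by_name[ntpath.basename(e[2])].add(ntpath.dirname(e[2]))
        payloads = [e[3] for e in evs if e[1] == "write" and e[3]]
        mean_entropy = (sum(map(shannon_entropy, payloads)) / len(payloads)) if payloads else 0.0
        result[proc] = {
            "mass_modification": len(touched) >= 20,
            "extension_churn": bool(renames) and churn / len(renames) >= 0.5,
            "note_dropping": any(len(d) >= 5 for d in dirs_by_name.values()),
            "high_entropy_writes": mean_entropy > 7.0,
        }
    return result


def score(flags) -> float:
    """Weighted sum of the micro behaviors that fired."""
    return round(sum(WEIGHTS[b] for b, hit in flags.items() if hit), 2)


def hunt(events, threshold=0.6):
    """Processes whose blended score reaches the (assumed) alert threshold."""
    hits = []
    for proc, flags in micro_behaviors(events).items():
        s = score(flags)
        if s >= threshold:
            hits.append((proc, s, sorted(b for b, hit in flags.items() if hit)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for proc, s, fired in hunt(build_sample_events()):
        print(f"{proc}: score={s} behaviors={fired}")
```

Because the score is a sum of independent signals, a variant that changes its extension or note file name still trips the mass-modification and entropy behaviors; tuning the weights and the threshold against your own baseline is what turns this from a toy into a hunt.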
You can find their Presentation and Whitepapers on GitHub here. They have also published the Aktaion Tool for learning/teaching use here on GitHub.
Stay Safe and Happy Splunking,
Matthias