Copyright © 2014 Splunk Inc.
Detect Fraud and Suspicious Events Using Risk Scoring
Rob Perdue, VP Professional Services, 8020 Labs
Introduction
– Rob Perdue, VP Professional Services at 8020 Labs
  – Cyber security professional for 12 years
  – Specializes in Security Operations and DFIR in the financial sector
  – Previously held positions at IBM, ADP, Viacom and ThreatGRID
  – Splunking since 2008
Agenda
– What I hope you will learn
– Why am I talking about fraud?
– Case Study: W-2 fraud
– Fraud Detection Framework (FDF)
– Creating baselines
– Risk scoring
– Cyber use cases for FDF
– Key takeaways
– Q & A
What I Hope You Will Learn
– New and exciting ways to mine your data
– The power of the eval command to score risk
– The usefulness of lookup tables for baselining
  – inputlookup
  – outputlookup
– Different ways to detect suspicious activities
Why Am I Talking About Fraud?
– Contacted to assist in an IR investigation
– Turned out not to be a typical IR engagement
– Ever hear of W-2 fraud? I hadn't.
  – Steal a W-2 and file a tax return in the victim's name before the real person does
Case Study: W-2 Fraud
– Tasked with finding unauthorized access to W-2s
  – During tax season
– Huge amount of data
  – Millions of rows of logs
– Relevant logs spread across several database tables and files
– Not really sure what W-2 fraud looked like
Case Study: W-2 Fraud
– How the data was distributed (diagram on the original slide):
  – Stand-alone Splunk
  – Summary tables
  – Main DB
  – Several CSV files
Case Study (continued)
– An idea: consolidate the data into a single Splunk instance
– No signature for fraud? No problem
– Score a risk value for each W-2 transaction, based on:
  – Country of origin
  – Uniqueness of the source IP
  – Day of week
  – History of the IP
– All of that resulted in one ugly search...
Case Study (continued)
One ugly search (as shown on the slide, broken across lines for readability; it is cut off after the final if):

    index=w2 source="summarytable.csv" webpage="*administrator*"
    | eval daymonth=date_month+date_mday
    | eval full_user=username+"@"+group
    | eval full_user=lower(full_user)
    | iplocation src
    | stats values(Country) AS Country values(Region) AS State values(City) AS City
            values(date_wday) AS Day dc(daymonth) AS Unique_Days count AS user_ip_count
            by src, full_user
    | join full_user
        [search index=w2 source="summarytableall.csv" webpage="*administrator*"
         | eval full_user=username+"@"+group
         | eval full_user=lower(full_user)
         | stats count AS total_W2_events by full_user]
    | eval traffic_per_IP=round((user_ip_count/total_W2_events)*100)
    | join full_user src
        [search index=w2_history
         | stats values(days_seen) AS days_seen values(total_count) AS hist_total_count
           by src, full_user
         | fields src, full_user, days_seen, hist_total_count]
    | eval Risk_Score=0
    | eval Risk_Score=if(traffic_per_IP

Two things to watch when running a search shaped like this. Field names in eval are case-sensitive, so the field created as traffic_per_IP must be spelled the same way in the if() that tests it (the slide has traffic_per_ip there, which would compare against a null field). And join is an inner join unless type=left is given, so a user/IP pair with no row in w2_history, which is exactly the first-seen IP a fraud analyst cares most about, is dropped from the results rather than scored.
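As an added example that is not part of the deck, the Python below re-implements what that search computes (the per-user/IP stats, traffic_per_IP, and the join against the history baseline) over a handful of constructed W-2 access rows, and then applies an additive risk score over the four factors listed on the previous slide. Python is used here so the pipeline can run stand-alone without a Splunk instance. Everything not on the slide is an assumption: the sample events and history rows, the HOME_COUNTRY value, the weights in risk_score (the deck's own if() chain is cut off), and the choice of a left join so that a never-seen user/IP pair is kept with days_seen=0 instead of being dropped.

```python
from collections import defaultdict

# Constructed sample rows standing in for index=w2 events (summarytable.csv).
# Columns follow the fields the search uses; Country is what iplocation would
# derive from src, pre-filled here so the example runs offline.
SAMPLE_EVENTS = [
    # (src, username, group, webpage, date_wday, date_month, date_mday, Country)
    ("10.1.1.5",    "Alice", "Payroll", "/w2/administrator/view",   "monday",    "march", 3, "United States"),
    ("10.1.1.5",    "Alice", "Payroll", "/w2/administrator/view",   "tuesday",   "march", 4, "United States"),
    ("10.1.1.5",    "Alice", "Payroll", "/w2/administrator/view",   "wednesday", "march", 5, "United States"),
    ("10.1.1.5",    "Alice", "Payroll", "/w2/administrator/view",   "thursday",  "march", 6, "United States"),
    ("10.1.1.5",    "alice", "Payroll", "/w2/administrator/view",   "friday",    "march", 7, "United States"),
    ("203.0.113.9", "Alice", "Payroll", "/w2/administrator/export", "sunday",    "march", 9, "Romania"),
    ("10.1.1.7",    "Bob",   "HR",      "/w2/employee/home",        "monday",    "march", 3, "United States"),
]

# Constructed baseline standing in for index=w2_history, keyed the way the
# search joins it (src, full_user): distinct days and total events seen before.
SAMPLE_HISTORY = {
    ("10.1.1.5", "alice@payroll"): {"days_seen": 40, "total_count": 600},
    ("10.1.1.7", "bob@hr"):        {"days_seen": 12, "total_count": 50},
}

HOME_COUNTRY = "United States"   # assumption: only domestic admin access is expected
WEEKEND = {"saturday", "sunday"}


def full_user(username, group):
    """eval full_user=lower(username+"@"+group)"""
    return f"{username}@{group}".lower()


def aggregate(events):
    """The two stats passes of the search: values/dc/count per (src, full_user)
    over admin-page events, plus the per-user total used for traffic_per_IP."""
    per_pair = {}
    total_w2_events = defaultdict(int)
    for src, user, group, page, wday, month, mday, country in events:
        if "administrator" not in page:       # webpage="*administrator*"
            continue
        fu = full_user(user, group)
        total_w2_events[fu] += 1
        d = per_pair.setdefault((src, fu), {"Country": set(), "Day": set(),
                                            "daymonth": set(), "user_ip_count": 0})
        d["Country"].add(country)
        d["Day"].add(wday)
        d["daymonth"].add(f"{month}{mday}")   # eval daymonth=date_month+date_mday
        d["user_ip_count"] += 1
    rows = []
    for (src, fu), d in per_pair.items():
        rows.append({
            "src": src, "full_user": fu,
            "Country": d["Country"], "Day": d["Day"],
            "Unique_Days": len(d["daymonth"]),    # dc(daymonth)
            "user_ip_count": d["user_ip_count"],
            "total_W2_events": total_w2_events[fu],
            "traffic_per_IP": round(d["user_ip_count"] / total_w2_events[fu] * 100),
        })
    return rows


def join_history(rows, history):
    """Left join on (src, full_user). A pair absent from the baseline is the
    interesting case (first-seen IP), so it is kept with days_seen=0 rather
    than dropped, which is what an inner join would do."""
    for r in rows:
        h = history.get((r["src"], r["full_user"]), {"days_seen": 0, "total_count": 0})
        r["days_seen"] = h["days_seen"]
        r["hist_total_count"] = h["total_count"]
    return rows


def risk_score(r):
    """Additive score over the four factors on the slide. Weights are hypothetical."""
    s = 0
    if r["Country"] != {HOME_COUNTRY}:    # country of origin
        s += 40
    if r["days_seen"] == 0:               # history of IP: never seen with this user
        s += 30
    elif r["days_seen"] < 5:
        s += 15
    if r["traffic_per_IP"] < 20:          # uniqueness of source IP for this user
        s += 20
    if r["Day"] & WEEKEND:                # day of week
        s += 10
    return s


def score_w2_access(events, history):
    """Full pipeline; returns scored rows, highest Risk_Score first."""
    rows = join_history(aggregate(events), history)
    for r in rows:
        r["Risk_Score"] = risk_score(r)
    return sorted(rows, key=lambda r: r["Risk_Score"], reverse=True)


if __name__ == "__main__":
    for r in score_w2_access(SAMPLE_EVENTS, SAMPLE_HISTORY):
        print(r["Risk_Score"], r["src"], r["full_user"], sorted(r["Country"]),
              f"{r['traffic_per_IP']}% of this user's admin traffic, seen {r['days_seen']} days before")
```

On the constructed data Bob never touches an administrator page and so produces no row, Alice's usual office address scores 0, and the single Sunday export from a foreign, never-seen address that accounts for only 17% of her admin traffic collects every factor. The same shape carries over to SPL: each if() adds a weight to Risk_Score, and the history table is what outputlookup writes and inputlookup reads on the next run.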