Detect Fraud and Suspicious Events Using Risk Scoring

Copyright © 2014 Splunk Inc.

Detect Fraud and Suspicious Events Using Risk Scoring
Rob Perdue, VP Prof Services, 8020 Labs
[email protected]

Introduction

Rob Perdue, VP Professional Services at 8020 Labs

  – Cyber security professional for 12 years
  – Specialize in Security Operations, DFIR in financial sector
  – Previously held positions at IBM, ADP, Viacom and ThreatGRID
  – Splunking since 2008

Agenda

- What I hope you will learn
- Why am I talking about fraud?
- Case Study: W-2 fraud
- Fraud Detection Framework (FDF)
- Creating Baselines
- Risk Scoring
- Cyber use cases for FDF
- Key takeaways
- Q & A

What I Hope You Will Learn

- New and exciting ways to mine your data
- The power of the eval command to score risk
- The usefulness of lookup tables for baselining
  – inputlookup
  – outputlookup
- Different ways to detect suspicious activities

Why Am I Talking About Fraud?

- Contacted to assist in an IR investigation
- Turned out not to be a typical IR engagement
- Ever hear of W-2 fraud? I hadn't.
  – Steal a W-2 and file taxes before the real person does

Case Study: W-2 Fraud

- Tasked with finding unauthorized access to W-2's
  – During tax season
- Huge amount of data
  – Millions of rows of logs
- Relevant logs spread across several database tables and files
- Not really sure what W-2 fraud looked like

Case Study: W-2 Fraud

How the data was distributed (diagram): a stand-alone Splunk instance, summary tables, the main DB, and several CSV files.

Case Study Con't

- An idea… consolidate data into a single Splunk instance
- No signature for fraud, no problem
- Score a risk value for each W-2 transaction
  – Country of origin
  – Uniqueness of Source IP
  – Day of Week
  – History of IP
- All of that resulted in one ugly search…

Case Study Con't

One ugly search…

    index=w2 source="summarytable.csv" webpage="*administrator*"
    | eval daymonth=date_month+date_mday
    | eval full_user=username+"@"+group | eval full_user=lower(full_user)
    | iplocation src
    | stats values(Country) AS Country values(Region) AS State values(City) AS City values(date_wday) AS Day dc(daymonth) AS Unique_Days count as user_ip_count by src, full_user
    | join full_user [search index=w2 source="summarytableall.csv" webpage="*administrator*" | eval full_user=username+"@"+group | eval full_user=lower(full_user) | stats count as total_W2_events by full_user]
    | eval traffic_per_IP=round((user_ip_count/total_W2_events)*100)
    | join full_user src [search index=w2_history | stats values(days_seen) AS days_seen values(total_count) AS hist_total_count by src, full_user | fields src, full_user, days_seen, hist_total_count]
    | eval Risk_Score=0
    | eval Risk_Score=if(traffic_per_IP
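The scoring chain in that search (per-user, per-IP counts, the traffic_per_IP share, the join against the history baseline, then eval-based points for the four factors listed on the previous slide) can be sketched outside Splunk. The Python below is an added example, not the presenter's or Splunk's code: the events, the history baseline, the home country and the point weights are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of W-2 administrator page hits, standing in for the
# summarytable.csv events: (username, group, src, country, date).
EVENTS = [
    ("jsmith", "payroll", "10.1.1.5", "United States", date(2014, 2, 3)),
    ("jsmith", "payroll", "10.1.1.5", "United States", date(2014, 2, 4)),
    ("jsmith", "payroll", "10.1.1.5", "United States", date(2014, 2, 5)),
    ("jsmith", "payroll", "10.1.1.5", "United States", date(2014, 2, 6)),
    ("jsmith", "payroll", "203.0.113.9", "Germany", date(2014, 2, 9)),  # Sunday, new IP
    ("agarcia", "hr", "10.1.2.7", "United States", date(2014, 2, 3)),
    ("agarcia", "hr", "10.1.2.7", "United States", date(2014, 2, 4)),
]

# Constructed baseline standing in for the w2_history index / lookup: (full_user, src) -> days_seen.
HISTORY = {("jsmith@payroll", "10.1.1.5"): 40, ("agarcia@hr", "10.1.2.7"): 25}
HOME_COUNTRY = "United States"  # assumed; the talk does not name one

def score_risk(events, history):
    """Mirror the stats -> join -> eval chain: one scored row per (full_user, src)."""
    per_pair = defaultdict(list)
    total_per_user = Counter()
    for user, group, src, country, day in events:
        full_user = f"{user}@{group}".lower()  # eval full_user=lower(username+"@"+group)
        per_pair[(full_user, src)].append((country, day))
        total_per_user[full_user] += 1         # total_W2_events from the subsearch
    results = {}
    for (full_user, src), hits in per_pair.items():
        countries = {c for c, _ in hits}
        traffic_per_ip = round(len(hits) / total_per_user[full_user] * 100)
        days_seen = history.get((full_user, src), 0)  # unseen pair -> 0, like a missing lookup row
        # Point values are assumptions; the talk names the factors, not the weights.
        risk = 0
        if countries - {HOME_COUNTRY}:
            risk += 40  # country of origin: hits from outside the home country
        if traffic_per_ip < 25:
            risk += 20  # uniqueness of source IP: a small slice of this user's traffic
        if any(d.weekday() >= 5 for _, d in hits):
            risk += 15  # day of week: weekend activity
        if days_seen == 0:
            risk += 25  # history of IP: pair absent from the baseline
        results[(full_user, src)] = {"countries": sorted(countries), "traffic_per_ip": traffic_per_ip,
                                     "days_seen": days_seen, "risk_score": risk}
    return results

if __name__ == "__main__":
    print(score_risk(EVENTS, HISTORY))
```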
