Boss of the SOC (BOTS) Investigation Workshop for Splunk

If you're reading this, it's likely you may have heard of Boss of the SOC (aka BOTS). For those who haven't or those who enjoy a good inception story, here is the short version. BOTS was created in 2016 as a way to have a capture-the-flag-like activity for blue teamers (because we can't let the red teams have all the fun!); there are very few ways to demonstrate and practice identifying and investigating for the computer network defenders. 

As I write this in May 2018, we've had over 4,000 security professionals participate in BOTS, which is tremendous! However, some of you have not, and perhaps some of you reading this are thinking, "It would be nice to participate in BOTS, but I don't think I know enough to be successful at it." Well, I think we may have a way to help!

The Boss of the SOC Investigation Workshop for Splunk app was built to help security professionals learn more about how to use Splunk to investigate, map their findings to the Lockheed Martin Kill Chain and create a threat picture to better answer questions that your leadership inevitably will ask of their analysts. The app leverages the BOTS dataset and focuses on two scenarios, APT and Ransomware. Let's take a look:

Investigating is at the heart of both threat hunting and incident response. If we don’t have a good grasp of the questions we want to ask of the data, how can we hunt for threats in our environment and how can we perform identification that leads to containment, eradication, and remediation?

The app provides a way to discover the data of BOTS while also mapping our findings to the Lockheed Martin Kill Chain as part of the investigation during the APT scenario. In the ransomware scenario, a chronology of events is developed while we observe the ransomware infecting a system, attempting to spread and then performing its actions that result in a workstation with encrypted files and a request for payment.

Because we don't want to give away the answers, we won't show the results of the search, but each concept is highlighted and a question is provided that is likely a piece of information an analyst would want to uncover. You may also notice a few questions that will leave you scratching your head and thinking, “I don’t care about that question.” That may be true, but those questions will demonstrate some cool Splunk SPL techniques that you can apply to other searches you build, so check them out!

The APT scenario maps each concept to a part of the Lockheed Martin Kill Chain as well as sourcetypes that are useful for answering the question based on the data set provided. Sample searches are provided, and if new transformational search commands are introduced, explanations for those commands are provided. Since some users like to see the output of the searches immediately, results are shown in the app. However, if you are someone who loves to explore the data, clicking the green button will open a new tab where the search is run, and you can then pivot on interesting fields and further manipulate the search to your liking.

As much as we would like all security investigations to be a Splunk-only activity, we realize that frequently, threat intelligence—specifically OSINT—is utilized to build a threat picture and round out the kill chain. These steps are integrated into the app. Finally, additional resources like blog posts, diagrams, and other supporting information are provided to help the user gain further insight and better understand specific aspects of a threat to mirror the research that an analyst might do on their own.

Now that I have told you all about this app, you might be thinking, "That's great, John, where can I get it?" Well, we're pleased to announce that you have some options! My colleague, Ryan Kovar, created the Splunk Security Dataset Project which you can read about here. This experience allows you to gain access to various security datasets including BOTS version 1 and the app within a sandbox instance. Alternatively, you can now download the Boss of the SOC (BOTS) Investigation Workshop for Splunk app to run on your own local instance. Additional information regarding the open sourcing of the BOTS data can be found here.

We hope you check out the Boss of the SOC (BOTS) Investigation Workshop for Splunk app and use it to build a greater understanding of how Splunk can be used to threat hunt, support the identification phase of the incident response lifecycle and perform general investigatory support. Who knows? After working with the dataset and the tutorial app, you may be ready to crush the competition at the next BOTS!

John Stoner

Posted by