BOTS! That’s what!
As part of the newest version of Boss of the SOC (version 5!) launching at Splunk .conf20, we’re super excited to be introducing Google Cloud Platform (GCP) and Google Workspace (formerly G Suite) into two of the game scenarios. We have heard from customers all over the world that they are integrating these Google datasets into their security visibility platforms, powered by Splunk, and wanted to showcase some of these capabilities. If you are using GCP, and have not yet pulled that data into Splunk, come and play our scenario for a taste of just what is possible.
In the first scenario, Frothly — our fictitious but totally realistic brewing company — has established a partnership with Toads Pest Control, a small Australian-based organisation. The business specialises in the genetic modification of Cane Toads to treat insect outbreaks all over the world. Toads Pest Control runs their entire operation via the Google platform and have become a target of our adversary, Violent Memmes.
In the second scenario, which is within the Security for Remote Work scenario, Frothly’s trusty marketing expert Mallory Kraeusen is launching a new hard seltzer subsidiary and stands up Google Suite with a separate domain. While this is happening, Frothy shifts all employees to work-from-home due to a global pandemic, opening up an entirely new attack surface.
With these two scenarios, we have incorporated data from Google Compute, Google Cloud Functions, Google Storage, Google Sheets, Google Mail, Google Slides, and Google Drive, amongst others.
As a Splunk admin, you have multiple options to get this data into Splunk, including these Splunk apps:
These three apps pull different datasets from the various Google services. They were also used in the making of BOTSv5 – with a shout out to our friend Nick von Korff for his awesome Gmail Audit app, which he modified on our request to pull in full message trace functionality for our scenarios. Once you pull these datasets, you will see different email threads between various internal and external Frothly folks that may have also been intercepted by Violent Memmes.
Splunk admins have multiple other options to ingest GCP and G Suite data into Splunk. This is outlined in the diagram below. All data within the BOTSv5 dataset were pulled via the apps and add-ons available on Splunkbase.
Once all of this data is in Splunk, it’s time to get hunting! Let’s take a quick look at some data from the dataset.
Datasets for BOTSv5
First, Google offers logging via a pubsub mechanism, which we used to ingest data from the custom Google Cloud Function we built to run Toads Pest Control. Here you’ll see the nicely formatted JSON output of this process. This data would be valuable in tracing down any interactions with the Google Cloud Function, including legitimate and illegitimate use.
Second, the Gmail Audit add-on by Nick von Korff (updated with help from our own superstar Shannon Davis) allows us to deep dive into Gmail events, including mail headers and body:
Within each mail event we can see all the juicy fields a defender might use in a hunt, including sender, receiver, body, attachments, DKIM results, DMARC, attachment hash values, and SPF.
All of this data will be used in our scenarios to allow Alice Bluebird (you!) to hunt Violent Memmes (and possibly other adversaries) as they attempt to infiltrate Frothly’s systems and exfiltrate critical data. Follow Memmes through the Toads Pest Control environment as they compromise custom API’s, steal data and leave behind calling cards to antagonise our Aussie mates. Experience the trials and tribulations of Mallory and friends as they work to bring deliciously flavored and premium hard seltzer to market, while trying to come up with clever names for hamsters.
A big thank you to all our friends at Google for helping with the generation of this scenario, particularly our good mate, Cuyler Dingwell. A shout out also to all the Splunkers who made this happen — Shannon Davis, David Gamer, Christian Frain, James Brodsky, Michael Natkin, Nic Stone, Elena Kennedy, and countless others too many to name.
Get in on the fun and register to attend BOTSv5. We look forward to seeing you (virtually) at .conf20!
PS – While I have you here, check out our BOTS playlist and stay tuned as we prepare and release a series of hands-on workshops over the coming months. These workshops will leverage the BOTS scenario and take participants through the possibilities of threat hunting in Splunk using GCP and Google Workspace datasets.
Follow all the conversations coming out of #splunkconf20!