What Are Zero-Day Attacks?
Zero-day attacks exploit software flaws that are not yet known to the vendor and for which no patch or fix has been published. Sophisticated attacks that exploit zero-day vulnerabilities often begin with a spear phishing email carrying a malicious attachment or link. When the unsuspecting target opens it, the malware compromises the endpoint, attempts to establish command and control, and then moves laterally across the network to reach sensitive data and exfiltrate it.
Detect Zero-Day Attacks
Signs of zero-day attacks include command and control beaconing, lateral movement, and data exfiltration. The Splunk Enterprise Security Risk Analysis Framework surfaces these by assessing relative changes in risk and examining the events that contribute to that risk. The existing Incident Review and Security Domains dashboards are used for the detailed investigation that confirms the attack, and the Splunk App for Stream helps identify data exfiltration on the wire.
Data sources for detecting zero-day attacks include threat intelligence feeds, DNS data, web proxy logs, Active Directory (AD) or other authentication logs, and audit and system logs.
Start with Splunk Enterprise (version 6.3 or later) and add Splunk Enterprise Security (ES) (version 4.0 or later). Install the Splunk App for Stream, then install and configure the Stream add-on on the sources of wire data. Configure the data sources (endpoints, web proxy, DNS, Active Directory and database servers) and ingest their data into Splunk Enterprise normalised to the relevant Splunk Common Information Model (CIM) data models; the ES dashboards and correlation searches used below depend on CIM field names such as user, src, dest and url being populated.
The ES Risk Analysis dashboard is the hunter's starting point for identifying zero-day attacks.
Review Risk Modifiers
The Recent Risk Modifiers, Risk Modifiers Over Time and Risk Score by Object panels show how the risk modifiers for the target hosts change over a period of time. Reviewing the Most Active Sources panel shows which recurring malware infections, old malware infections and threat activity detections contribute to this host's overall risk score.
Reviewing the past notable events associated with the high-risk host gives further insight into the risk to your environment. The Incident Review dashboard tracks the history of notable events for that host, which helps confirm whether it was infected with malware and whether remediation took place. From this dashboard the hunter can record actions in the Investigator Journal or start a new investigation. Abnormal communication from the endpoint to an external destination, such as regular beaconing to a host with no business purpose, may indicate command and control activity.
Determine Malicious Authentication Attempts
The hunter can determine whether the attacker has gained control of additional endpoints by identifying the set of users who were logged in to the initial endpoint when the compromise started. The Access Center dashboard monitors authentication attempts to network devices, endpoints and applications and highlights malicious authentication activity, such as the logons that accompany lateral movement.
Identify Compromised Account Activities
Searching the Active Directory authentication logs for this endpoint, from the initial compromise time to the present, and cross-referencing them identifies every user who logged in to the host in that window, as well as the other hosts those users subsequently logged in to. Restrict the pivot to successful logons, but keep the failed attempts in view: a burst of failures originating from the compromised host is itself a lateral-movement indicator. Given the resulting list of compromised endpoints, searching the database audit logs identifies which existing user account was compromised and what activity it initiated.
The hunter can then determine whether the attacker staged the downloaded database query results on the machine's disk as a series of password-protected binary files, disguised with filenames that follow common, innocuous-looking patterns.
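The lateral-movement pivot described in the two sections above, as an added example that is not part of the Splunk documentation or ES itself: given the first compromised host and the time the compromise started, it lists the users who logged in to that host afterwards and the other hosts those users then reached. Field names follow the CIM Authentication data model (_time, user, src, dest, action); the events are constructed for illustration, and the transitive closure in pivot() goes one step beyond the text by treating every host reached from a suspect host as suspect too. In Splunk the same logic would be run as a search over the Authentication data model.

```python
"""Lateral-movement pivot over CIM-style authentication events (added example)."""
from datetime import datetime, timezone


def ts(s):
    """Parse an ISO-8601 timestamp as UTC (the constructed data carries no zone)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: AD logons normalised to CIM. wkstn-17 is the phished
# endpoint; the compromise is taken to start at 11:00. carol's 08:00 hop to
# db-01 predates it and must not be counted; bob's logon failed.
AUTH_EVENTS = [
    {"_time": "2016-03-01T08:00:00", "user": "carol",      "src": "wkstn-17",  "dest": "db-01",    "action": "success"},
    {"_time": "2016-03-01T10:15:00", "user": "alice",      "src": "10.0.1.10", "dest": "wkstn-17", "action": "success"},
    {"_time": "2016-03-01T11:30:00", "user": "svc-backup", "src": "10.0.3.3",  "dest": "wkstn-17", "action": "success"},
    {"_time": "2016-03-01T11:45:00", "user": "bob",        "src": "10.0.5.5",  "dest": "wkstn-17", "action": "failure"},
    {"_time": "2016-03-01T12:10:00", "user": "svc-backup", "src": "wkstn-17",  "dest": "db-01",    "action": "success"},
    {"_time": "2016-03-01T12:40:00", "user": "svc-backup", "src": "wkstn-17",  "dest": "fs-02",    "action": "success"},
    {"_time": "2016-03-01T13:00:00", "user": "alice",      "src": "10.0.1.10", "dest": "wkstn-17", "action": "success"},
    {"_time": "2016-03-01T13:20:00", "user": "alice",      "src": "10.0.1.10", "dest": "mail-01",  "action": "success"},
    {"_time": "2016-03-01T14:00:00", "user": "dave",       "src": "10.0.7.7",  "dest": "db-01",    "action": "success"},
    {"_time": "2016-03-01T14:30:00", "user": "dave",       "src": "db-01",     "dest": "hr-03",    "action": "success"},
]


def successful_since(events, since):
    """Successful logons at or after `since`, oldest first."""
    kept = [e for e in events if e["action"] == "success" and ts(e["_time"]) >= since]
    return sorted(kept, key=lambda e: e["_time"])


def users_on_host(events, host, since):
    """Users who logged in to `host` after the compromise started; their
    credentials must be treated as exposed to the attacker."""
    return sorted({e["user"] for e in successful_since(events, since) if e["dest"] == host})


def hosts_reached(events, users, since, exclude):
    """Every other host the exposed users logged in to after `since`, as
    {dest: {user: {src, ...}}}. The src shows whether the logon came from a
    suspect host (strong evidence) or from the user's usual workstation
    (needs a closer look before it is called lateral movement)."""
    out = {}
    for e in successful_since(events, since):
        if e["user"] in users and e["dest"] != exclude:
            out.setdefault(e["dest"], {}).setdefault(e["user"], set()).add(e["src"])
    return out


def pivot(events, first_host, compromise_time):
    """Transitive closure of the compromise: a logon by an exposed user *from*
    a suspect host makes the destination suspect, and anyone who logs in to a
    suspect host afterwards becomes an exposed user. Returns sorted
    (suspect hosts, exposed users)."""
    since = ts(compromise_time)
    suspect_hosts = {first_host}
    exposed_users = set(users_on_host(events, first_host, since))
    changed = True
    while changed:
        changed = False
        for e in successful_since(events, since):
            if e["user"] in exposed_users and e["src"] in suspect_hosts and e["dest"] not in suspect_hosts:
                suspect_hosts.add(e["dest"])
                changed = True
            if e["dest"] in suspect_hosts and e["user"] not in exposed_users:
                exposed_users.add(e["user"])
                changed = True
    return sorted(suspect_hosts), sorted(exposed_users)


if __name__ == "__main__":
    since = "2016-03-01T11:00:00"
    hosts, users = pivot(AUTH_EVENTS, "wkstn-17", since)
    print("exposed users:", users)
    print("suspect hosts:", hosts)
    for dest, by_user in hosts_reached(AUTH_EVENTS, set(users), ts(since), "wkstn-17").items():
        print(dest, {u: sorted(s) for u, s in by_user.items()})
```

With the constructed data the pivot returns db-01, fs-02 and hr-03 as suspect besides wkstn-17, and alice, dave and svc-backup as exposed; alice's later logon to mail-01 shows up in hosts_reached() but not in the suspect set, because it came from her own workstation rather than from a suspect host. That distinction is the one the analyst has to make by hand on the Access Center dashboard.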
Determine Data Exfiltration and Methods
The Web Search dashboard uses web proxy logs to help determine whether data exfiltration has occurred. Outbound HTTP activity whose filenames match the patterns the attacker used to disguise the database files is a strong indicator of exfiltration, particularly uploads (POST or PUT requests) with large outbound byte counts to an external destination the endpoint has not contacted before.
Discover the Compromised Endpoint
The Malware Search dashboard confirms that the endpoint showing this HTTP activity is the same endpoint that was infected with malware and whose staged files match the attacker's disguise pattern. With the infected endpoint, the compromised account and the outbound transfers tied together, it is clear that the attacker succeeded in stealing the database files.
ES detects zero-day attacks by identifying the indicators of compromise (malware infection, lateral movement and data exfiltration) and correlating them across multiple security domains with full context. Using Splunk Enterprise Security's built-in risk analysis and access and authentication frameworks, an analyst can detect compromised endpoints, lateral movement, account compromise and suspicious downloads. Data exfiltration is then detected by contextual analysis of the infected endpoints, the compromised account and those downloads.
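The exfiltration check from the three sections above (disguised staged files, matching outbound HTTP activity, and confirmation against the infected endpoint), as an added example that is not part of the Splunk documentation or ES itself. The disguise pattern (invoice_NNNN.pdf) is a hypothetical stand-in for whatever pattern the investigation actually found, the proxy events are constructed, and the field names follow the CIM Web data model (_time, src, dest, http_method, url, bytes_out, status). In Splunk the same check would be a search over the Web data model filtered on the disguise pattern.

```python
"""Exfiltration check over CIM-style web proxy events (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Assumed disguise pattern (hypothetical): each chunk is named like a routine
# document, invoice_0001.pdf, invoice_0002.pdf, ... Case-insensitive because
# the proxy logs the name exactly as the client sent it.
DISGUISE_RE = re.compile(r"^invoice_\d{4}\.pdf$", re.IGNORECASE)

# Only requests that carry a body out of the network count as uploads.
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample proxy events. wkstn-17 (the phished endpoint) and db-01
# (reached by lateral movement) are the suspect hosts; wkstn-22 is not.
PROXY_EVENTS = [
    {"_time": "2016-03-01T15:01:00", "src": "wkstn-17", "dest": "203.0.113.50",    "http_method": "POST", "url": "http://203.0.113.50/upload/invoice_0001.pdf",           "bytes_out": 1048576, "status": 200},
    {"_time": "2016-03-01T15:02:00", "src": "wkstn-17", "dest": "203.0.113.50",    "http_method": "POST", "url": "http://203.0.113.50/upload/invoice_0002.pdf",           "bytes_out": 1048576, "status": 200},
    {"_time": "2016-03-01T15:03:00", "src": "wkstn-17", "dest": "203.0.113.50",    "http_method": "POST", "url": "http://203.0.113.50/upload/invoice_0003.pdf?session=7", "bytes_out": 524288,  "status": 200},
    {"_time": "2016-03-01T15:04:00", "src": "wkstn-17", "dest": "203.0.113.50",    "http_method": "PUT",  "url": "http://203.0.113.50/upload/Invoice%5F0005.PDF",         "bytes_out": 262144,  "status": 201},
    {"_time": "2016-03-01T15:05:00", "src": "wkstn-17", "dest": "203.0.113.50",    "http_method": "GET",  "url": "http://203.0.113.50/upload/invoice_0004.pdf",           "bytes_out": 312,     "status": 200},
    {"_time": "2016-03-01T15:06:00", "src": "wkstn-17", "dest": "www.example.com", "http_method": "POST", "url": "http://www.example.com/forms/report.docx",              "bytes_out": 40960,   "status": 200},
    {"_time": "2016-03-01T15:10:00", "src": "db-01",    "dest": "203.0.113.50",    "http_method": "POST", "url": "http://203.0.113.50/upload/invoice_0004.pdf",           "bytes_out": 2097152, "status": 200},
    {"_time": "2016-03-01T15:20:00", "src": "wkstn-22", "dest": "198.51.100.9",    "http_method": "POST", "url": "http://198.51.100.9/share/invoice_0009.pdf",            "bytes_out": 81920,   "status": 200},
]


def basename_of(url):
    """Last path component of the URL, with the query string dropped and
    percent-encoding removed so the pattern sees the real filename."""
    return unquote(urlparse(url).path.rsplit("/", 1)[-1])


def find_exfil(events, suspect_hosts, pattern=DISGUISE_RE):
    """Group disguised uploads by (src, dest). A hit is 'confirmed' when the
    source is an endpoint already tied to the intrusion; a hit from any other
    host is still returned so the analyst can review it rather than lose it."""
    hits = defaultdict(lambda: {"uploads": 0, "bytes_out": 0, "files": [], "first": None, "last": None})
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["http_method"].upper() not in UPLOAD_METHODS:
            continue  # a download of a matching name is not exfiltration
        name = basename_of(e["url"])
        if not pattern.match(name):
            continue
        h = hits[(e["src"], e["dest"])]
        h["uploads"] += 1
        h["bytes_out"] += int(e["bytes_out"])
        h["files"].append(name)
        h["first"] = h["first"] or e["_time"]
        h["last"] = e["_time"]
    results = []
    for (src, dest), h in hits.items():
        results.append({
            "src": src, "dest": dest,
            "confirmed": src in suspect_hosts,
            "uploads": h["uploads"], "bytes_out": h["bytes_out"],
            "files": sorted(h["files"]), "first": h["first"], "last": h["last"],
        })
    # Confirmed hits first, then by outbound volume, so the largest transfer leads.
    return sorted(results, key=lambda r: (not r["confirmed"], -r["bytes_out"]))


if __name__ == "__main__":
    for r in find_exfil(PROXY_EVENTS, {"wkstn-17", "db-01"}):
        flag = "CONFIRMED" if r["confirmed"] else "review"
        print(f'{flag:9} {r["src"]} -> {r["dest"]}: {r["uploads"]} uploads, '
              f'{r["bytes_out"]} bytes out, {r["first"]}..{r["last"]}, {r["files"]}')
```

Run stand-alone, the script reports wkstn-17 and db-01 as confirmed exfiltration to 203.0.113.50 (the GET of invoice_0004.pdf and the unrelated report.docx upload are ignored, and the percent-encoded PUT is still matched), and lists wkstn-22's single matching upload as a review item because that host is not yet tied to the intrusion.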
For additional details, please refer to the Splunk Enterprise Security Use Case Documentation.