Analysing threat data involves examining patterns, anomalies, and indicators to identify potential security risks. It includes correlating data from various sources, assessing the severity of threats, and prioritising responses. This topic will provide you with hands-on skills for conducting searches using the Splunk analytical platform.
In this topic, you will learn about:
- using Splunk for threat data analysis
- analysing results
- detecting discrepancies and inconsistencies.
Let us begin.
Splunk platform demo
Splunk is a leading analytical platform widely employed in cybersecurity. Renowned for its powerful log management and analysis capabilities, Splunk enables organisations to collect, index, and correlate vast amounts of machine-generated data from diverse sources.
The following video will provide an overview of the Splunk platform interface and further demonstrate how to search and filter using various data categories and drill down into granular details of events.
Explore Splunk workshop
The Splunk Boss of the SOC (BOTS) workshop is a hands-on, interactive cybersecurity training event organised by Splunk. This workshop is designed to enhance the skills of security professionals and provides a simulated environment where participants can engage in realistic scenarios to sharpen their incident response and threat detection abilities using Splunk's platform.
Practice activity 1
Task 1: Go to Splunk Boss of the SOC and sign in with your Splunk user account.
Task 2: Once logged in, select the ‘Learn’ tab and scroll down to find the option Investigating Ransomware with Splunk.
Note: This is a hands-on workshop designed to help familiarise you with how to conduct threat data investigations and searches using Splunk. Accept the terms and conditions of the course and select the option to ‘Enroll Now’.
Task 3: Go to the ‘Resources’ tab of the workshop to find a link to a cloud-hosted version of ‘Splunk Enterprise’ and credentials for access.
Task 4: Go through the ‘Introduction’ section that provides an overview of the workshop and what it means to ‘investigate’.
Analysing IDS and IPS data
Analysing IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) data involves assessing network security by scrutinising alerts and logs generated during potential cyber threats. This process aids in identifying malicious activities, understanding attack patterns, and implementing proactive measures to enhance the overall security posture of an IT environment.
The following video discusses how IDS and IPS data can be interpreted.
Using Splunk for analysis
The following video demonstrates how to perform searches and queries in the Splunk platform for an ingested dataset. Pay close attention to how various searches are performed and how detailed information on logged events (e.g. source type, host, etc.) can be obtained.
Check reliability and consistency of results
Analysts can check for and confirm the reliability and consistency of results by using systematic approaches. Some of these approaches may include but are not limited to:
- verifying that the same results are obtained when using different methods and search criteria
- confirming details of identified threat data by:
- performing ‘Google’ searches
- referring to technical articles from industry websites
- searching through vulnerability databases (e.g. CVE).
Practice activity 2
Do the following tasks according to the Investigating Ransomware with Splunk workshop scenario.
Task 1: Find the details of the removable media inserted into the victim’s workstation.
Task 2: Practice conducting index searches within the Splunk platform using various search criteria and filters to find the necessary information.
Task 3: Check for reliability and consistency of the results. Make a note of the methods/techniques used to confirm the results.
Alert classifications
Inaccurate or inconsistent data can lead to false positives or negatives, compromising the effectiveness of security measures. Verifying data consistency helps identify anomalies, discrepancies, or potential errors in threat intelligence, ensuring that the analytical platform produces reliable results. It enhances the overall trustworthiness of the security infrastructure, enabling timely and informed responses to genuine threats. Regular validation of threat data consistency is essential for maintaining a robust and effective cybersecurity posture in the face of evolving threats.
It is wise to use multiple vulnerability scanners to rule out false positives, which may occur frequently during automatic vulnerability scanning.
The following video discusses different alert classifications that analysts should be aware of when verifying the consistency of threat data.
False positives and false negatives
In threat data analysis, false positives occur when benign activities are incorrectly flagged as threats, leading to unnecessary alerts. Conversely, false negatives occur when actual threats go undetected, posing a significant risk. Achieving an optimal balance is crucial; minimising false positives enhances efficiency by reducing alert fatigue while minimising false negatives ensures comprehensive threat detection. Continuous refinement of detection algorithms, threat intelligence integration, and contextual analysis contribute to mitigating these errors, fostering a more accurate and reliable cybersecurity posture. Striking this balance is essential for effective and efficient threat data interpretation in cybersecurity operations.
The following video discusses how to determine false positive and false negative results.
Checking for false positives
To identify false positives, the following techniques can be used.
- Examine flagged incidents meticulously.
- Validate alerts by cross-referencing with trusted threat intelligence sources.
- Analyse context, scrutinise patterns and consider historical data.
- Adjust detection thresholds and refine rules to reduce false positives, ensuring a more accurate and streamlined threat detection process.
Checking for false negatives
To identify false negatives, the following techniques can be used.
- Conduct a thorough retrospective analysis.
- Review undetected incidents, reassess alert thresholds and refine detection rules.
- Incorporate additional data sources and advanced analytics techniques.
- Regularly update and enhance the system to minimise blind spots, ensuring a more comprehensive and effective threat detection capability.
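The following Python script is an added illustration of two checks described above: confirming results by tallying the same data in two different ways, and labelling alerts as true positives, false positives or false negatives against confirmed verdicts at different severity cut-offs. It is not part of the workshop or the Splunk platform; the Suricata eve.json lines, SIDs, signature names, IP addresses and "confirmed" verdicts are all constructed sample values.

```python
import json
from collections import defaultdict

# Constructed Suricata eve.json records for illustration only; the SIDs,
# signature names and IPs are made up, not taken from the workshop dataset.
SAMPLE_EVE = """\
{"event_type":"alert","dest_ip":"203.0.113.7","alert":{"signature_id":9000001,"signature":"DEMO Ransomware C2 beacon","severity":1}}
{"event_type":"alert","dest_ip":"203.0.113.7","alert":{"signature_id":9000001,"signature":"DEMO Ransomware C2 beacon","severity":1}}
{"event_type":"alert","dest_ip":"198.51.100.9","alert":{"signature_id":9000002,"signature":"DEMO Suspicious TLS cert","severity":3}}
{"event_type":"alert","dest_ip":"203.0.113.8","alert":{"signature_id":9000003,"signature":"DEMO Possible key exchange","severity":2}}
{"event_type":"alert","dest_ip":"203.0.113.8","alert":{"signature_id":9000003,"signature":"DEMO Possible ransomware key exchange","severity":2}}
{"event_type":"flow","dest_ip":"203.0.113.9"}
"""

# Constructed verdicts standing in for the cross-check against trusted threat
# intelligence sources: True means the destination was confirmed malicious.
CONFIRMED = {"203.0.113.7": True, "203.0.113.8": True,
             "203.0.113.9": True, "198.51.100.9": False}

def parse_alerts(text):
    """Keep only alert events from newline-delimited JSON (flow etc. are dropped)."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e.get("event_type") == "alert"]

def signature_discrepancies(alerts):
    """Tally the same alerts by SID and by signature name. A SID that maps to
    more than one name means a search by name and a search by SID disagree."""
    names = defaultdict(set)
    for a in alerts:
        names[a["alert"]["signature_id"]].add(a["alert"]["signature"])
    return {sid: sorted(n) for sid, n in names.items() if len(n) > 1}

def classify(alerts, confirmed, max_severity=4):
    """Compare alerted hosts with confirmed verdicts at a severity cut-off
    (Suricata severity 1 is the most severe). Returns (TP, FP, FN) host lists."""
    alerted = {a["dest_ip"] for a in alerts if a["alert"]["severity"] <= max_severity}
    malicious = {ip for ip, bad in confirmed.items() if bad}
    return (sorted(alerted & malicious),   # true positives: alerted and confirmed
            sorted(alerted - malicious),   # false positives: alerted but benign
            sorted(malicious - alerted))   # false negatives: confirmed but silent

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    print("SIDs whose name varies:", signature_discrepancies(alerts))
    for cut in (4, 2, 1):   # tightening the threshold trades FPs for FNs
        tp, fp, fn = classify(alerts, CONFIRMED, cut)
        print(f"severity<={cut}: TP={tp} FP={fp} FN={fn}")
```

Tightening the cut-off to severity 1 removes the false positive on 198.51.100.9 but turns 203.0.113.8 into a false negative, which is the balance the section above describes.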
Practice activity 3
Do the following tasks according to the Investigating Ransomware with Splunk workshop scenario.
Task 1: Determine which Suricata signatures are specific to the ransomware alerted in the scenario.
Task 2: Examine the Suricata signatures to find any false positive results. Note the method/technique used to confirm the results as false positive.
Task 3: Examine the Suricata signatures to find any false negative results. Note the method/technique used to confirm the results as false negative.
Correlate threat data results
The following video discusses what it means to correlate and validate the threat analysis results with other sources of information. These sources may include:
- Industry standards, best practices and compliance requirements
- Technical information sources (e.g. configuration management systems, log repositories, etc.)
How did you go?
Congratulations on completing the topic Analyse threat data. You should now understand what is involved in threat data analysis and how to verify the accuracy of obtained results.
In this topic, you learnt about:
- using Splunk for threat data analysis
- analysing results
- detecting discrepancies and inconsistencies.