Analytics Story: Data Protection

Date: 2017-09-14 ID: 91c676cf-0b23-438d-abee-f6335e1fce33 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.

Why it matters

Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Process Executed From Removable Media Hardware Additions, Data from Removable Media, Replication Through Removable Media Anomaly
Windows USBSTOR Registry Key Modification Hardware Additions, Data from Removable Media, Replication Through Removable Media Anomaly
Windows WPDBusEnum Registry Key Modification Hardware Additions, Data from Removable Media, Replication Through Removable Media Anomaly
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1