
Strata 2015 Presentation -- Detecting Lateral Movement

Presentation given at Strata 2015 in San Jose.



  1. Outline: Problems; sensors/detections; ranking.
  2. What is Lateral Movement? Source: Pass-the-Hash Mitigation.
  3. Why is this important?
  4. Why is this difficult?
  5. Problem #1: Independent alert streams.
  6. Problem #2: Burden of triage. Attacks are complex, so we need more detections. So now I have to triage all of them?
  7. Problem #3: Feedback not captured.
  8. Problem #4: Interpretability of alerts.
  9. Windows Security Events Data. On average, an online service in O365 produces 30 billion sessions/day (82 TB/day). Data: sequences of Windows security event IDs from user sessions. Examples: user logs into a machine, process start, credential switch, etc. There are 367 unique security event IDs.
  10. We built separate models, each aimed at our goal of detecting compromised accounts/machines. The models independently assess whether the account is acting suspiciously.
  11. Models: probability of logging; sequences of events; credential elevation; auto-generated.
  12. (Diagram) Combining the detectors: a session $x$ is scored by $d$ models $P_1, \dots, P_d$; their outputs $P_1(x), \dots, P_d(x)$ are weighted by $w_1, \dots, w_d$ to produce a combined score.
  13. Burges, Chris, et al. "Learning to rank using gradient descent." 2005.
  14. (Diagram) Pairwise training: a malicious session $m$ and a benign session $b$ are each scored by $P_1, \dots, P_d$, giving $P_1(m), \dots, P_d(m)$ and $P_1(b), \dots, P_d(b)$; the weights $w_1, \dots, w_d$ are learned so that $P(m \succ b)$, the probability that $m$ is ranked above $b$, is high.
  15. Putting it together: for a session $x$ the features are $-\log P_1(x), \dots, -\log P_d(x)$, weighted by $w_1, \dots, w_d$:
      $$\text{Rank Score}(x) = w^{T} P = \sum_{i=1}^{d} w_i \,\bigl(-\log P_i(x)\bigr).$$
  16. Testing the system: wargame with the red team; blind experiment; 8 out of 12 top-ranked sessions on day 1, among ~28 billion sessions, are pen testers; precision at 12 is 96%.
  17. (Diagram) Per-alert weights $w'_1, w'_2, \dots, w'_d$.
  18. Alert score weights: the higher the weight, the more that factor contributes to the alert. This tells the user what the probable cause of the alert is.
  19. Extensible.
  20. Reality: a constantly changing environment... but you can account for it during training and by adding metadata. In the beginning there will be false positives... but you will reduce your attack surface. No labelled data... but you can get away with a good red team.
  21. Takeaways: combine alert streams; make your alerts interpretable; capture feedback and close the last mile; check out ranking algorithms, they are powerful!
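The pipeline sketched on slides 12 to 18 (independent detectors, $-\log P_i(x)$ features, pairwise learning to rank against red-team labels, and per-detector weights as the explanation shown to the analyst) is worked through below as an added example; it is not code from the talk or from the O365 system it describes. The three detector names, the session probabilities and the red-team labels are constructed for illustration. The pairwise model is RankNet's $P(m \succ b) = \sigma(s(m) - s(b))$ from the cited Burges et al. paper, which the slide itself does not spell out.

```python
import math

# Added example (not from the talk). Detector names are assumed for
# illustration; the talk lists login-probability, event-sequence and
# credential-elevation models without naming them this way.
DETECTORS = ["login_probability", "event_sequence", "credential_elevation"]

# Constructed data: each session is the tuple of probabilities P_i(x) that
# the d detectors assign to it (low P_i = the session looks unusual to
# detector i). The red-team sessions stand in for wargame labels.
RED_TEAM_SESSIONS = [
    (0.20, 0.10, 0.010),
    (0.30, 0.05, 0.020),
    (0.10, 0.30, 0.005),
]
BENIGN_SESSIONS = [
    (0.90, 0.80, 0.95),
    (0.70, 0.95, 0.90),
    (0.95, 0.60, 0.98),
    (0.40, 0.85, 0.97),  # unusual login pattern, but benign
]


def features(probs, floor=1e-12):
    """Slide 15: turn detector probabilities into -log P_i(x) 'surprise' values."""
    return [-math.log(max(p, floor)) for p in probs]


def rank_score(w, probs):
    """Rank Score = w^T P, a weighted sum of the -log P_i(x) features."""
    return sum(w_i * f_i for w_i, f_i in zip(w, features(probs)))


def pair_probability(w, m, b):
    """RankNet (Burges et al. 2005): P(m > b) = sigmoid(score(m) - score(b))."""
    diff = rank_score(w, m) - rank_score(w, b)
    return 1.0 / (1.0 + math.exp(-diff))


def train_pairwise(malicious, benign, lr=0.05, epochs=100):
    """Learn w by gradient descent on the pairwise loss -log P(m > b),
    using every (malicious, benign) session pair as a training example."""
    d = len(malicious[0])
    w = [0.0] * d
    for _ in range(epochs):
        for m in malicious:
            for b in benign:
                p = pair_probability(w, m, b)
                f_m, f_b = features(m), features(b)
                # d/dw of -log sigmoid(s_m - s_b) is (p - 1) * (f_m - f_b)
                for i in range(d):
                    w[i] -= lr * (p - 1.0) * (f_m[i] - f_b[i])
    return w


def rank_sessions(w, labelled_sessions):
    """Sort (probs, is_attack) pairs by Rank Score, highest first."""
    return sorted(labelled_sessions, key=lambda s: rank_score(w, s[0]), reverse=True)


def precision_at_k(ranked, k):
    """Slide 16: fraction of the top-k ranked sessions that are attacker sessions."""
    top = ranked[:k]
    return sum(1 for _, is_attack in top if is_attack) / len(top)


def explain(w, probs):
    """Slide 18: per-detector contribution w_i * (-log P_i(x)); the largest
    term is the probable cause shown to the analyst."""
    contributions = [w_i * f_i for w_i, f_i in zip(w, features(probs))]
    return sorted(zip(DETECTORS, contributions), key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    weights = train_pairwise(RED_TEAM_SESSIONS, BENIGN_SESSIONS)
    pool = [(s, True) for s in RED_TEAM_SESSIONS] + [(s, False) for s in BENIGN_SESSIONS]
    ranked = rank_sessions(weights, pool)
    print("weights:", [round(x, 3) for x in weights])
    print("precision@3:", precision_at_k(ranked, 3))
    for name, contrib in explain(weights, RED_TEAM_SESSIONS[0]):
        print(f"  {name:22s} {contrib:.2f}")
```

Two design points carry over from the slides. Using $-\log P_i(x)$ rather than $P_i(x)$ turns a very small probability into a large positive term, so the linear combination behaves like a sum of evidence and a single confident detector can lift a session to the top. Because the explanation is just the terms of that sum, the analyst sees exactly which detector drove the rank, and a red-team pair that was ranked wrongly can be fed straight back into `train_pairwise` as the captured feedback slide 7 asks for.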
