4. Agenda
• Threat Hunting Basics
• Threat Hunting Data Sources
• Sysmon Endpoint Data
• Cyber Kill Chain
• Walkthrough of Attack Scenario Using Core Splunk (hands on)
• Advanced Threat Hunting Techniques & Security Essentials
• Enterprise Security Walkthrough
• Applying Machine Learning and Data Science to Security
8. What is threat hunting, why do you need it?
The What?
• Threat hunting: the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain [2]
The Why?
• Threats are human. Focused and funded adversaries will not be countered by security boxes on the network alone. Threat hunters are actively searching for threats to prevent or minimize damage [before it happens] [1]
[1] The Who, What, Where, When, Why and How of Effective Threat Hunting, SANS, Feb 2016
[2] Cyber Threat Hunting, Samuel Alonso blog, Jan 2016
"Threat Hunting is not new, it's just evolving!"
15. Hunting Tools: Internal Data
• IP Addresses: threat intelligence, blacklist, whitelist, reputation monitoring
Tools: Firewalls, proxies, Splunk Stream, Bro, IDS
• Network Artifacts and Patterns: network flow, packet capture, active network connections, historic network connections, ports and services
Tools: Splunk Stream, Bro IDS, FPC, NetFlow
• DNS: activity, queries and responses, zone transfer activity
Tools: Splunk Stream, Bro IDS, OpenDNS
• Endpoint – Host Artifacts and Patterns: users, processes, services, drivers, files, registry, hardware, memory, disk activity, file monitoring: hash values, integrity checking and alerts, creation or deletion
Tools: Windows/Linux, Carbon Black, Tanium, Tripwire, Active Directory
• Vulnerability Management Data
Tools: Tripwire IP360, Qualys, Nessus
• User Behavior Analytics: TTPs, user monitoring, time of day, location, HR watchlist
Tools: Splunk UBA (plus all of the above)
16. Typical Data Sources (kill chain stage: Persist, Repeat)
Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
Typical sources: third-party threat intel, open-source blacklists, internal threat intelligence
Network: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
Typical sources: firewall, IDS, IPS, DNS, email, web proxy, NetFlow, network devices
Endpoint: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Typical sources: endpoint (AV/IPS/FW), malware detection, PCLM, DHCP, OS logs, patching
Access/Identity: access level, privileged users, likelihood of infection, where they might be in the kill chain
Typical sources: Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO
77. ● How does the app work?
– Leverages primarily the | stats command for UEBA
– Also implements several advanced Splunk searches (URL Toolbox, etc.)
● Why call it UEBA?
– These use cases are often found in UEBA tools
– Two-thirds of the use cases build on a baseline, which is a hallmark of UEBA
– One-third are advanced analytics that other vendors showcase in their UEBA products
● How does it scale?
– The app automates the use of high-scale techniques
– Summary indexing for the time-series use cases, caching in a lookup for "first time seen"
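The two baseline patterns named above, "first time seen" backed by a cached lookup and a time-series baseline built from a summary, as an added Python example. This is not the app's own code and not a Splunk search; it runs the same logic over constructed proxy events with assumed field names (day, user, destination, bytes_out) and assumed thresholds (k = 3 standard deviations, at least 5 days of history).

```python
"""Two UEBA-style baselines over constructed web-proxy events.

Added example; not the Splunk app's own code. It shows the two patterns the
slide names, in plain Python:
  * "first time seen": a cached lookup of (user, destination) pairs already
    observed, so only a genuinely new pair raises an alert on the next run;
  * "time series": a per-user daily summary of bytes sent, with a day
    flagged when it exceeds the baseline of that user's other days by more
    than k standard deviations.
Field names, thresholds and all event values are constructed/assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy events: (day, user, destination, bytes_out).
# alice browses the intranet at a steady rate, then on day 8 pushes ~5 MB to
# a never-before-seen host; bob is steady throughout.
ALICE_BASELINE = {1: 95_000, 2: 102_000, 3: 98_000, 4: 110_000,
                  5: 101_000, 6: 99_000, 7: 105_000}
EVENTS = [(d, "alice", "intranet.example.com", b) for d, b in ALICE_BASELINE.items()]
EVENTS += [(8, "alice", "intranet.example.com", 100_000),
           (8, "alice", "drop.example.net", 4_900_000)]
EVENTS += [(d, "bob", "intranet.example.com", 50_000) for d in range(1, 9)]
EVENTS += [(d, "bob", "mail.example.com", 20_000) for d in range(1, 9)]


def first_time_seen(events, seen=None):
    """Return (new_events, seen): the events whose (user, destination) pair is
    not in `seen`. `seen` plays the role of the cached lookup: pass the
    returned set back in on the next run so pairs seen earlier stay
    suppressed instead of alerting again."""
    seen = set() if seen is None else set(seen)
    new = []
    for day, user, dest, _ in events:
        if (user, dest) not in seen:
            seen.add((user, dest))
            new.append((day, user, dest))
    return new, seen


def daily_summary(events):
    """Summary-index equivalent: total bytes_out per user per day."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, _, nbytes in events:
        per_user[user][day] += nbytes
    return per_user


def time_series_outliers(per_user, k=3.0, min_days=5, sigma_floor=0.10):
    """Flag (user, day, value, baseline_mean) where value exceeds the mean of
    the user's other days by more than k*sigma. Users with fewer than
    min_days of history are skipped (no baseline yet), and sigma is floored
    at a fraction of the mean so that a perfectly flat history does not turn
    every small increase into an alert."""
    hits = []
    for user, days in per_user.items():
        if len(days) < min_days:
            continue
        for day in sorted(days):
            others = [v for d, v in days.items() if d != day]
            mu = mean(others)
            sigma = max(pstdev(others), sigma_floor * mu)
            if days[day] > mu + k * sigma:
                hits.append((user, day, days[day], round(mu)))
    return hits


if __name__ == "__main__":
    # First run covers days 1-7 and warms the lookup; the second run only
    # looks at day 8 and reuses the cached pairs, so only the new host alerts.
    _, cache = first_time_seen([e for e in EVENTS if e[0] < 8])
    new, _ = first_time_seen([e for e in EVENTS if e[0] == 8], cache)
    print("first time seen:", new)
    print("time-series outliers:", time_series_outliers(daily_summary(EVENTS)))
```

The leave-one-out baseline (each day compared against the user's other days) keeps the outlier day itself from inflating the mean and standard deviation it is judged against; in a scheduled search the equivalent is comparing today's summary row against the accumulated history rather than against a window that already contains today.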
95. Supervised Machine Learning
Domain Name                TotalCnt  RiskFactor  AGD  SessionTime  RefEntropy  NullUa  Outcome
yyfaimjmocdu.com                144        6.05    1            1           0       0  Malicious
jjeyd2u37an30.com              6192        5.05    0            1           0       0  Malicious
cdn4s.steelhousemedia.com       107        3       0            0           0       0  Benign
log.tagcade.com                 111        2       0            1           0       0  Benign
go.vidprocess.com               170        2       0            0           0       0  Benign
statse.webtrendslive.com        310        2       0            1           0       0  Benign
cdn4s.steelhousemedia.com       107        1       0            0           0       0  Benign
log.tagcade.com                 111        1       0            1           0       0  Benign
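Added example, not the deck's search or model (the slide gives neither its feature definitions nor its RiskFactor formula): constructed proxy records are turned into the columns of the table above under assumed definitions, and a logistic regression, implemented directly by gradient descent rather than through the ML Toolkit, is trained on the table's labelled rows and applied to the new domains. The domains qzkvwxplmrtd.net and cdn.example.com, the records, the thresholds and the RiskFactor weights are all assumptions.

```python
"""Supervised domain classification from constructed proxy logs.

Added example, not the deck's own search or model: feature extraction into
the table's columns, then a logistic regression trained by plain gradient
descent on the table's labelled rows. Feature definitions, thresholds and
RiskFactor weights are assumptions chosen to fit the column names.
"""
import math
from collections import defaultdict

# Labelled rows copied from the slide table:
# (TotalCnt, RiskFactor, AGD, SessionTime, RefEntropy, NullUa, label)
TRAINING = [
    (144, 6.05, 1, 1, 0, 0, 1),   # yyfaimjmocdu.com          Malicious
    (6192, 5.05, 0, 1, 0, 0, 1),  # jjeyd2u37an30.com         Malicious
    (107, 3.00, 0, 0, 0, 0, 0),   # cdn4s.steelhousemedia.com Benign
    (111, 2.00, 0, 1, 0, 0, 0),   # log.tagcade.com           Benign
    (170, 2.00, 0, 0, 0, 0, 0),   # go.vidprocess.com         Benign
    (310, 2.00, 0, 1, 0, 0, 0),   # statse.webtrendslive.com  Benign
    (107, 1.00, 0, 0, 0, 0, 0),   # cdn4s.steelhousemedia.com Benign
    (111, 1.00, 0, 1, 0, 0, 0),   # log.tagcade.com           Benign
]

# Constructed proxy records: (epoch_seconds, user, domain, referer, user_agent).
T0 = 1_700_000_000
RECORDS = [(T0 + i * 180, "alice", "qzkvwxplmrtd.net", "-", "")   # beacon every 3 min, empty UA
           for i in range(40)]
PAGES = ["https://news.example.org/", "https://shop.example.org/cart",
         "https://blog.example.org/post", "https://docs.example.org/"]
RECORDS += [(T0 + i * 20, "alice", "cdn.example.com", PAGES[i % 4], "Mozilla/5.0")
            for i in range(24)]                                    # asset fetches, 8 minutes


def value_entropy(values):
    """Shannon entropy (bits) of the distribution of values."""
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_agd(domain, min_len=10, min_bits=3.0, max_vowel_ratio=0.35):
    """Heuristic AGD flag: long registered label, high character entropy, few
    vowels. Assumes a single-label public suffix (no co.uk handling)."""
    label = domain.split(".")[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return int(len(label) >= min_len and value_entropy(label) >= min_bits
               and vowels / len(label) < max_vowel_ratio)


def extract_features(records, session_secs=3600, ref_bits=1.5):
    """Per-domain (TotalCnt, RiskFactor, AGD, SessionTime, RefEntropy, NullUa)."""
    by_dom = defaultdict(list)
    for rec in records:
        by_dom[rec[2]].append(rec)
    feats = {}
    for dom, recs in by_dom.items():
        ts = [r[0] for r in recs]
        cnt = len(recs)
        agd = looks_agd(dom)
        session = int(max(ts) - min(ts) >= session_secs)                   # long-lived contact
        refent = int(value_entropy([r[3] for r in recs]) >= ref_bits)      # many distinct referers
        nullua = int(any(r[4] == "" for r in recs))
        # Assumed weighting; the deck's RiskFactor formula is not given.
        risk = 3 * agd + 2 * nullua + 1 * session + 0.5 * refent + min(1.0, math.log10(cnt) / 3)
        feats[dom] = (cnt, round(risk, 2), agd, session, refent, nullua)
    return feats


def _vec(cnt, risk, agd, session, refent, nullua):
    # Bias plus scaled features. TotalCnt is reported but not modelled: in the
    # training rows it is not what separates the classes.
    return [1.0, risk / 7.0, agd, session, refent, nullua]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(rows, lr=0.2, epochs=10_000):
    """Batch gradient descent on the log-loss; each row ends with its label."""
    w = [0.0] * 6
    for _ in range(epochs):
        grad = [0.0] * 6
        for row in rows:
            x = _vec(*row[:6])
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - row[6]
            for i, xi in enumerate(x):
                grad[i] += err * xi
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w


def predict(w, feats):
    """Return ("Malicious" | "Benign", probability) for one feature tuple."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, _vec(*feats))))
    return ("Malicious" if p >= 0.5 else "Benign"), p


def accuracy(w, rows):
    ok = sum(predict(w, r[:6])[0] == ("Malicious" if r[6] else "Benign") for r in rows)
    return ok / len(rows)


if __name__ == "__main__":
    model = train_logreg(TRAINING)
    print("training accuracy:", accuracy(model, TRAINING))
    for dom, f in extract_features(RECORDS).items():
        print(dom, f, predict(model, f))
```

Two caveats visible in the table itself carry over to any model trained on it: RefEntropy and NullUa are 0 in every row, so gradient descent never moves their weights off zero and the model is blind to those signals however they are computed on new traffic; and cdn4s.steelhousemedia.com and log.tagcade.com each appear twice with different RiskFactor values, which the example keeps as given rather than deduplicating. The AGD heuristic here flags yyfaimjmocdu.com as the table does, but it is an assumed rule, not the classifier behind the slide's AGD column.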
99. ML Toolkit & Showcase
• Splunk-supported framework for building ML apps
– Get it for free: http://tiny.cc/splunkmlapp
• Leverages the Python for Scientific Computing (PSC) add-on:
– Open-source Python data science ecosystem
– NumPy, SciPy, scikit-learn, pandas, statsmodels
• Showcase use cases: Predict Hard Drive Failure, Server Power Consumption, Application Usage, Customer Churn & more
• Standard algorithms out of the box:
– Supervised: Logistic Regression, SVM, Linear Regression, Random Forest, etc.
– Unsupervised: KMeans, DBSCAN, Spectral Clustering, PCA, KernelPCA, etc.
• Implement one of 300+ algorithms by editing Python scripts
107. Analytics pipeline (diagram; labels as recovered):
RAW SECURITY EVENTS -> ANOMALIES (machine learning) -> ANOMALY CHAINS (THREATS) (graph mining, threat models) -> FEEDBACK into the models
Threat models: Lateral Movement, Beaconing, Land-Speed Violation
HCI: anomalies graph, entity relationship graph, kill chain sequence, forensic artifacts, threat/risk scoring