IT S HUNTING SEASON! Tips for getting started with proactive detection

Similar documents
After the Attack. The Transformation of EMC Security Operations

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Seven Things To Consider When Evaluating Privileged Account Security Solutions

DYNAMIC DNS: DATA EXFILTRATION

BAE SYSTEMS CYBERREVEAL G-CLOUD SERVICE DEFINITION

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Advanced Threat Protection with Dell SecureWorks Security Services

Evolution Of Cyber Threats & Defense Approaches

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

SIEM FOR BEGINNERS. Or: Everything You Wanted to Know About Log Management But were Afraid to Ask

A New Perspective on Protecting Critical Networks from Attack:

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

SIEM is only as good as the data it consumes

Performing Advanced Incident Response Interactive Exercise

EITC Lessons Learned: Building Our Internal Security Intelligence Capability

Detect & Investigate Threats. OVERVIEW

IBM Smarter Cities Cybersecurity Update

idata Improving Defences Against Targeted Attack

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Sicurezza & Big Data: la Security Intelligence aiuta le aziende a difendersi dagli attacchi

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Emerging Technologies & the State of the SOC. John Kindervag, Vice President and Principal Analyst

Discover & Investigate Advanced Threats. OVERVIEW

integrating cutting-edge security technologies the case for SIEM & PAM

Unstructured Threat Intelligence Processing using NLP

Cyber Security Metrics Dashboards & Analytics

AMPLIFYING SECURITY INTELLIGENCE

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

Redefining SIEM to Real Time Security Intelligence

Endpoint Threat Detection without the Pain

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Combating the Insider Threat at the FBI: Real World Lessons Learned

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Big Data Challenges and Opportunities

Cyber Watch. Written by Peter Buxbaum

Why Big Data Analytics?

THE EVOLUTION OF SIEM

Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

Attack Intelligence: Why It Matters

SQRRL ENTERPRISE Building the Modern Security Operations Center (SOC)

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Security Trends. The Case for Intelligence-Driven Security. Copyright 2013 EMC Corporation. All rights reserved.

Cyber Situational Awareness for Enterprise Security

RSA Security Analytics

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Vulnerability Management

Comprehensive Advanced Threat Defense

Extending security intelligence with big data solutions

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Cybersecurity Delivering Confidence in the Cyber Domain

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

Integrating MSS, SEP and NGFW to catch targeted APTs

Data Science Transforming Security Operations

DATA. Big Data Operational Excellence Ahead in the Cloud. Detect Patterns with Mass Correlation. Limit Surprise with Smart Data

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

The Next Generation Security Operations Center

BIG DATA. Shaun McLagan General Manager, RSA Australia and New Zealand CHANGING THE REALM OF POSSIBILITY IN SECURITY

Teradata and Protegrity High-Value Protection for High-Value Data

Defense Security Service

Threat Intelligence is Dead. Long Live Threat Intelligence!

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Threat Intelligence Platforms: The New Essential Enterprise Software

Defending Against Data Beaches: Internal Controls for Cybersecurity

Whitepaper. Advanced Threat Hunting with Carbon Black

After the Attack: RSA's Security Operations Transformed

Getting Ahead of Advanced Threats

Strengthen security with intelligent identity and access management

All about Threat Central

Network Payload Analysis for Advanced Persistent Threats Charles Smutz, Lockheed Martin CIRT

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Introducing the Reimagined Power BI Platform. Jen Underwood, Microsoft

How To Manage Log Management

Apache Hadoop in the Enterprise. Dr. Amr Awadallah,

Increase insight. Reduce risk. Feel confident.

What s New in Security Analytics Be the Hunter.. Not the Hunted

Network Security Monitoring

1. Understanding Big Data

The Evolving Threat Landscape

Predictive Cyber Defense A Strategic Thought Paper

Solution White Paper Connect Hadoop to the Enterprise

ThreatSpike Dome: A New Approach To Security Monitoring

The PCI Dilemma. COPYRIGHT TecForte

Centre for the Protection of National Infrastructure Effective Log Management

locuz.com Big Data Services

WhatWorks in Detecting and Blocking Advanced Threats:

KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE

Advanced Analytics For Real-Time Incident Response A REVIEW OF THREE KNOWN CASES AND THE IMPACT OF INVESTIGATIVE ANALYTICS

SIEM 2.0: AN IANS INTERACTIVE PHONE CONFERENCE INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS SUMMARY OF FINDINGS

The Future of the Advanced SOC

Transcription:

Securely explore your data IT S HUNTING SEASON! Tips for getting started with proactive detection

ABOUT ME Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5 s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).

WHAT IS HUNTING? The collective name for any manual or machine-assisted techniques used to detect security incidents.

HOW TO BUILD A HUNT CAPABILITY Embrace Big Data Get Your Data Science On Always Have a Good Strategy Ask Lots of Questions Pivot Then Pivot Again Automation is the Key to Continuous Improvement

TIP #1: EMBRACE BIG DATA Securely explore your data

THE THREE DATA DOMAINS Keep as much as you can comfortably store Network Authentication Session data Proxy Logs File transfers DNS resolution Host Authentication Audit logs Process creation Application Authentication DB queries Audit & transaction logs Security alerts

THE HUNTING PROCESS Successful hunting requires many iterations through this cycle. The faster your analysts get through this loop, the better. Hypothesize Revise Query Analyze Apache s Hadoop platform offers fast search and processing of huge amounts of data. You will still need tooling on top of whatever platform you choose.

THE HUNTING PROCESS Hypothesize Revise Query Analyze Keep as much data as you can comfortably store and work with!

TIP #2: GET YOUR DATA SCIENCE ON Securely explore your data

WHEN S THE LAST TIME YOU HEARD? It is a Best Practice to review all your logs each day.

WHEN S THE LAST TIME YOU HEARD? It is a Best Practice to review all your logs each day.

BEST-ER PRACTICE Parsing & Normalization Data Deduplication & Reduction Machine-Assisted Analysis

MACHINE-ASSISTED ANALYSIS Computers Bad at context and understanding Good at repetition and drudgery Algorithms work cheap! People Contextual analysis experts who love patterns Posses curiosity & intuition Business knowledge Empowered Analysts Process massive amounts of data Agile investigations Quickly turn questions into insight

TIP #3: ALWAYS HAVE A GOOD STRATEGY Securely explore your data

STRATEGY ENABLES RESULTS Where do I start? Your strategy determines the quality of your results. What should I look for? Choose a strategy that supports your detection goals. What s my path to improve? Don t underestimate the importance of good planning!

STRATEGY #1 Make the most of what you already collect Advantages You probably already collect at least some data. Someone is already familiar with its contents. You may already have some idea of the key questions you want answered. Disadvantages Your ability to ask questions is limited by the available data. External forces have more influence over your results. May confuse easy with effective.

STRATEGY #2 Follow the Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/lm-white-paper-intel-driven-defense.pdf (Last checked April 29th,2015)

STRATEGY #2 Follow the Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives Find attacks already happening Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/lm-white-paper-intel-driven-defense.pdf (Last checked April 29th,2015)

STRATEGY #2 Follow the Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives Expand the stories you are able to tell Find attacks already happening Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/lm-white-paper-intel-driven-defense.pdf (Last checked April 29th,2015)

STRATEGY #2 Follow the Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives Predict attacks before they happen Expand the stories you are able to tell Find attacks already happening Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/lm-white-paper-intel-driven-defense.pdf (Last checked April 29th,2015)

TIP #4: ASK LOTS OF QUESTIONS Securely explore your data

ALL HUNTS START WITH QUESTIONS What data do I have and what does it look like?

ALL HUNTS START WITH QUESTIONS Is there any data exfiltration going on in my network? What data do I have and what does it look like?

ALL HUNTS START WITH QUESTIONS Is there any data exfiltration going on in my network? What data do I have and what does it look like? Are there any unauthorized users on my VPN?

ALL HUNTS START WITH QUESTIONS Is there any data exfiltration going on in my network? Have my users been spearphished? What data do I have and what does it look like? Are there any unauthorized users on my VPN?

ALL HUNTS START WITH QUESTIONS Is there any data exfiltration going on in my network? Is anyone misusing their database credentials? What data do I have and what does it look like? Have my users been spearphished? Are there any unauthorized users on my VPN?

ALL HUNTS START WITH QUESTIONS Is there any data exfiltration going on in my network? Is anyone misusing their database credentials? What data do I have and what does it look like? Have my users been spearphished? Are there any unauthorized users on my VPN? Is there any lateral movement going on?

QUESTIONS BECOME HYPOTHESES Hypothesize If this activity is going on, it might look like Revise Query That s your hypothesis! Analyze If at first you don t succeed, reimagine it.

TIP #5: PIVOT THEN PIVOT AGAIN Securely explore your data

ATTACKERS LEAVE TRAILS EVERYWHERE Endpoint process accounting Email logs HTTP proxy logs Authentication records Database query logs Filesystem metadata Network session data

DATA DIVERSITY Leverage different types of data to Reveal relationships Clarify the situation Highlight inconsistencies Tell a complete story

TOOLSET DIVERSITY Different techniques, different perspectives

BONUS TIP: AUTOMATION IS THE KEY TO IMPROVEMENT Securely explore your data

CONCLUSION Securely explore your data

LET S REVIEW Embrace Big Data Get Your Data Science On Always Have a Good Strategy Ask Lots of Questions Pivot Then Pivot Again Automation is the Key to Continuous Improvement

QUESTIONS? David J. Bianco dbianco@sqrrl.com @DavidJBianco

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information