Post on 13-Apr-2017
Raffael Marty, CEO
Creating Your Own Threat Intel Through Hunting & Visualization
Tenerife, Spain, February 2016
Security. Analytics. Insight.
Contents
1 Threat Intelligence - A Process and Infrastructure View
2 Visualization - A Threat Intelligence Gold Mine
3 Hunting aka Internal Threat Intelligence
Threat Intelligence
We Are Monitoring - What is Going Wrong?
Products / Tools
• Firewall - Blocks traffic based on pre-defined rules
• Web Application Firewall - Monitors for signs of known malicious activity in Web traffic
• Intrusion Prevention System - Looks for ‘signs’ of known attacks in traffic and protocol violations
• Anti Virus - Looks for ‘signs’ of known attacks on the end system
• Malware Sandbox - Runs new binaries and monitors their behavior for malicious signs
• Security Information Management - Uses pre-defined rules to correlate signs from different data streams to augment intelligence
• Vulnerability Scanning - Searches for known vulnerabilities and vulnerable software
Defense Has Been Relying On Past Knowledge
• Rely on pattern matching and signature-based knowledge from the past
• Reactive -> always behind
• Unknown and new threats -> won’t be detected
• ‘Imperfect’ patterns and rules -> cause a lot of false positives
Event Funnel - How We Used To Do It
[Funnel diagram: data -> rule-based correlation -> prioritization -> simple statistics -> attack candidates]
• What rules do you write?
• Do the vendor provided rules work for you?
• How do you define a priority 10 event?
• High false positive rate! Unless alerts are VERY focused
• High false negative rate! Do you know what you don’t know?
Then Came Threat Intelligence
[Diagram: IOCs matched against the event stream -> attack candidates]
• How many hits do you really get? You are missing most attacks
• How do you match these efficiently against a real-time stream?
• How do you de-duplicate and normalize these feeds?
70–90% OF MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION.
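Added example for the two questions above (matching IOCs efficiently against a stream, and de-duplicating and normalizing feeds); this is not code from the original slides. It normalizes the indicators of two constructed feeds into one index keyed by indicator type, so duplicates across feeds collapse, and then matches constructed events against that index with set lookups. The feed entries, the event field names (src_ip, dst_ip, query, host, url) and the refang/normalize rules are assumptions made for the example.

```python
# Added example (not from the original slides): normalize indicators from
# several feeds into one de-duplicated index and match an event stream
# against it with set lookups. Feeds and events below are constructed.
import ipaddress
from urllib.parse import urlparse


def refang(text):
    """Undo common defanging so 'hxxp://evil[.]example' parses normally."""
    return (text.strip()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize(indicator):
    """Canonical (type, value) for an IP, URL or domain indicator; None if unusable."""
    s = refang(indicator)
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if "://" in s:
        u = urlparse(s)
        host = (u.hostname or "").rstrip(".")   # hostname is already lower-cased
        if not host:
            return None
        # scheme + host + path only: query strings vary per victim and defeat matching
        return "url", f"{u.scheme}://{host}{u.path or '/'}"
    host = s.rstrip(".").lower()
    if "." in host and " " not in host:
        return "domain", host
    return None


def build_index(*feeds):
    """One set per indicator type; duplicates across feeds collapse here."""
    index = {"ip": set(), "domain": set(), "url": set()}
    for feed in feeds:
        for raw in feed:
            parsed = normalize(raw)
            if parsed:
                index[parsed[0]].add(parsed[1])
    return index


def match_event(event, index):
    """Return the IOC hits for one event; every field lookup is an O(1) set test."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in index["ip"]:
            hits.append(("ip", event[field]))
    for field in ("query", "host"):
        name = (event.get(field) or "").rstrip(".").lower()
        labels = name.split(".")
        # walk up the name so a subdomain of a listed domain still matches
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in index["domain"]:
                hits.append(("domain", candidate))
                break
    if event.get("url"):
        parsed = normalize(event["url"])
        if parsed and parsed[1] in index["url"]:
            hits.append(("url", parsed[1]))
    return hits


def scan(events, index):
    """(event position, hits) for every event that matched at least one IOC."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e, index))]


# Constructed feeds: overlapping, inconsistently cased and defanged
FEED_A = ["evil.example[.]com", "hxxp://evil.example[.]com/drop", "198.51.100.23", "EVIL.EXAMPLE.COM."]
FEED_B = ["198.51.100.23", "bad.example.net", "https://bad.example.net/c2"]

# Constructed event stream (field names are an assumption of this example)
EVENTS = [
    {"src_ip": "10.0.0.4", "dst_ip": "198.51.100.23"},
    {"src_ip": "10.0.0.5", "query": "cdn.evil.example.com."},
    {"src_ip": "10.0.0.6", "dst_ip": "192.0.2.5", "host": "www.example.org"},
    {"src_ip": "10.0.0.7", "url": "http://EVIL.example.com/drop?id=42"},
]

if __name__ == "__main__":
    idx = build_index(FEED_A, FEED_B)
    print(f"{len(FEED_A) + len(FEED_B)} raw indicators ->",
          sum(len(v) for v in idx.values()), "unique")
    for position, hits in scan(EVENTS, idx):
        print(position, hits)
```

Seven raw feed entries collapse to five indicators, and three of the four events hit: the IP, a subdomain of a listed domain, and a URL that differs from the feed entry only in case and query string. The normalization rules are where most feed-quality work goes in practice; a feed entry that does not normalize is dropped rather than indexed as garbage.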
Removing the Event Funnel - Hello Data Lake
[Diagram: any data -> Big Data Lake -> Rules, with context and IOCs as inputs]
• Storing more, and more diverse data: Kafka and “dynamic parsing”
• Enabling large-scale processing: Spark, Spark Streaming, Storm, Parquet
• Using “standard” data access (SQL, REST): plug in any other tool!
This per se is not new …
Adding Interactive - Analyst Driven Exploration
[Same diagram: any data -> Big Data Lake -> Rules, with context and IOCs as inputs; hunting added as an interactive loop on the lake]
… but first we get the human in the loop …
Hunting
• interactive visualization
• analyst driven
• machine assisted
Hunting Creates Internal Threat Intelligence
[Same diagram: hunting surfaces Novel, Advanced Attacks; these feed back into the lake as internal TI and Patterns next to context and IOCs, and the Patterns drive Low False Positive Alerts]
… then, let’s rethink our rules … patterns anyone?
Buzzword Bingo
[Same diagram, now labelled with: behavioral monitoring, scoring, anomaly detection, machine learning, artificial intelligence, “models”, data science, internal TI, Patterns]
… and finally, we are buzzword compliant …
How Does All That Architecture Stuff Matter?
In the following we’ll explore how this all matters …
… but first, let’s see how visualization plays a key role here.
Visualization
“How Can We See, Not To Confirm - But To Learn” - Edward Tufte
Why Visualization?
[Scatter plot: dport over time]
SELECT count(DISTINCT protocol) FROM flows;
SELECT count(DISTINCT port) FROM flows;
SELECT count(DISTINCT src_network) FROM flows;
SELECT count(DISTINCT dest_network) FROM flows;
SELECT port, count(*) FROM flows GROUP BY port;
-- distribution of the flows column per protocol, in contiguous bins
SELECT protocol,
       count(CASE WHEN flows < 200 THEN 1 END) AS "<200",
       count(CASE WHEN flows >= 200 AND flows < 300 THEN 1 END) AS "200-299",
       count(CASE WHEN flows >= 300 AND flows < 350 THEN 1 END) AS "300-349",
       count(CASE WHEN flows >= 350 THEN 1 END) AS ">=350"
FROM flows GROUP BY protocol;
SELECT port, count(DISTINCT src_network) FROM flows GROUP BY port;
SELECT src_network, count(DISTINCT dest_network) FROM flows GROUP BY src_network;
SELECT src_network, count(DISTINCT dest_network) AS dn, sum(flows) FROM flows GROUP BY src_network;
SELECT port, protocol, count(*) FROM flows GROUP BY port, protocol;
SELECT dest_network, sum(flows) FROM flows GROUP BY dest_network;
…
One Graph Summarizes Dozens of Queries
[Graph over the dimensions port, dest_network, protocol, src_network and flows]
Visualization To …
• Present / Communicate
• Discover / Explore
Analytics Components
We will have a look at a couple of components from earlier:
• Context
• Data Science
• Clustering
• Seriation - Data Science Gone Wrong
• Time-series Analysis
Did You Know?
[Graph: users accessing SharePoint servers; node types: User, SharePoint Server; pipeline: data -> processing -> visualization]
This graph of users accessing SharePoint servers does not immediately reveal any interesting patterns.
Did You Know - How Context Tells a Story
Using HR data as context
[Same graph, nodes now coloured by HR data: Remote User, San Francisco Office User, SharePoint Server; pipeline: data + HR data -> processing -> visualization]
Using color to add context to the graph helps immediately identify outliers and potential problems.
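Added example of the context step on this slide; it is not code from the original deck. The user-to-SharePoint edge list is joined with an HR export, every user is coloured by work location, and edges whose user category is rare for that server are reported, which is the outlier the coloured graph makes visible at a glance. The access log, the HR data, the colour mapping and the 20% rarity cut-off are constructed assumptions of this example.

```python
# Added example (not from the original slides): enrich a user -> SharePoint
# access edge list with HR location data (the "context" the slide colours by)
# and flag edges whose user category is unusual for that server.
# All data below is constructed for illustration.
from collections import defaultdict

# Constructed access log: (user, sharepoint_server)
ACCESS_LOG = [
    ("alice", "sp-finance"), ("bob", "sp-finance"), ("carol", "sp-finance"),
    ("dave", "sp-finance"), ("ivan", "sp-finance"),
    ("alice", "sp-eng"), ("erin", "sp-eng"), ("frank", "sp-eng"),
    ("grace", "sp-eng"), ("heidi", "sp-eng"),
]

# Constructed HR export: user -> work location
HR_DATA = {
    "alice": "SF office", "bob": "SF office", "carol": "SF office",
    "dave": "SF office", "heidi": "SF office",
    "erin": "remote", "frank": "remote", "grace": "remote", "ivan": "remote",
}

# Colour per HR category; users missing from HR are a finding of their own
COLORS = {"SF office": "blue", "remote": "orange", "unknown": "grey"}


def colored_edges(access_log, hr_data):
    """Attach the HR category (and the colour it maps to) to every edge."""
    edges = []
    for user, server in access_log:
        category = hr_data.get(user, "unknown")
        edges.append({"user": user, "server": server,
                      "category": category, "color": COLORS[category]})
    return edges


def rare_category_edges(edges, max_share=0.2):
    """Edges whose user category is rare among the users of that server.

    For every server count the distinct users per category; an edge is
    reported when its category covers at most max_share of the server's
    users. Returns (user, server, category, share) tuples.
    """
    users = defaultdict(lambda: defaultdict(set))
    for e in edges:
        users[e["server"]][e["category"]].add(e["user"])
    flagged = []
    for e in edges:
        per_category = users[e["server"]]
        total = sum(len(s) for s in per_category.values())
        share = len(per_category[e["category"]]) / total
        if share <= max_share:
            flagged.append((e["user"], e["server"], e["category"], round(share, 2)))
    return flagged


def to_dot(edges):
    """Render the coloured bipartite graph as Graphviz DOT for a quick look."""
    lines = ["graph sharepoint_access {", "  node [style=filled];"]
    seen = set()
    for e in edges:
        if e["user"] not in seen:
            lines.append(f'  "{e["user"]}" [fillcolor="{e["color"]}"];')
            seen.add(e["user"])
        if e["server"] not in seen:
            lines.append(f'  "{e["server"]}" [shape=box, fillcolor="lightgrey"];')
            seen.add(e["server"])
        lines.append(f'  "{e["user"]}" -- "{e["server"]}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = colored_edges(ACCESS_LOG, HR_DATA)
    print(to_dot(edges))
    print("rare category edges:", rare_category_edges(edges))
```

Without HR data the two servers look alike: five users each. With it, sp-finance is an office-only server with a single remote user on it, exactly the node that stands out once the graph is coloured. The DOT output can be piped into Graphviz to draw the coloured graph.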
Data Science in Security - Words of Caution
• Simple stuff works!
• dc(dest), dc(d_port) (distinct counts of destinations and destination ports per source)
• What is normal?
• Use data science / data mining to prepare data. Then visualize the output for the human analyst.
Challenges With Clustering Network Traffic
[Figure: abstract space with colors being machine identified clusters]
Hard Questions:
• What are these clusters?
• Do Web servers cluster?
• What are good clusters?
• What’s anomalous?
Data Science That Works
[Scatter plot with a fixed threshold line; annotated: outliers have different magnitudes]
Approximate Curve
[Same plot with a fitted curve; annotated: fitting a curve, distance to curve]
Data Mining Applied
[Same plot; annotated: better threshold]
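Added example covering the “simple stuff works” metrics (dc(dest), dc(d_port)) and the threshold, curve-fit and distance-to-curve steps of the last three slides; it is not code from the original deck. From constructed flows it computes the two distinct counts per source host, applies a fixed threshold on the port count, then fits an ordinary least-squares line through the (dc(dest), dc(d_port)) points and thresholds on the distance to that line instead. The host set, the choice of a straight-line fit and the cut-off of three times the median absolute residual are assumptions of this example.

```python
# Added example (not from the original slides): the "simple stuff works"
# metrics dc(dest) and dc(d_port) per source host, thresholded first on the
# raw value and then on the distance to a fitted line. The flows are
# constructed so that one outlier is small in magnitude and one legitimate
# host is large, the case the slides call "outliers have different magnitudes".
from collections import defaultdict
from statistics import median


def make_flows():
    """Constructed (src, dst, dport) records with a known structure."""
    flows = []
    # Twelve ordinary hosts: host k reaches 3k destinations and, by
    # construction, uses 3k + 3k//2 distinct ports (about 1.5 per destination).
    for k in range(1, 13):
        src, n = f"10.0.0.{k}", 3 * k
        for d in range(n):
            dst = f"10.1.0.{d + 1}"
            flows.append((src, dst, 8000 + d))
            flows.append((src, dst, 8000 + d + n // 2))
    # A busy but legitimate application host: 60 destinations, 90 ports.
    for d in range(60):
        dst = f"10.2.0.{d + 1}"
        flows.append(("10.0.0.50", dst, 9000 + d))
        flows.append(("10.0.0.50", dst, 9000 + d + 30))
    # A quiet port scanner: only 2 destinations, but 40 distinct ports.
    for p in range(1, 41):
        flows.append(("10.0.0.99", "10.1.0.1" if p <= 20 else "10.1.0.2", p))
    return flows


def distinct_counts(flows):
    """Per source: (dc(dest), dc(d_port)), i.e. Splunk-style distinct counts."""
    dests, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        dests[src].add(dst)
        ports[src].add(dport)
    return {src: (len(dests[src]), len(ports[src])) for src in dests}


def fixed_threshold(metrics, max_ports=60):
    """Naive rule: alert when a host talks to more than max_ports distinct ports."""
    return sorted(src for src, (_, dc_port) in metrics.items() if dc_port > max_ports)


def fit_line(points):
    """Ordinary least-squares line y = a*x + b through (x, y) points."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    a = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return a, (sy - a * sx) / n


def curve_distance_outliers(metrics, k=3.0):
    """Better threshold: distance to the fitted curve, scaled by its typical size.

    A host is an outlier when |dc(d_port) - fitted(dc(dest))| exceeds k times
    the median absolute residual, however big or small the host itself is.
    """
    a, b = fit_line(list(metrics.values()))
    resid = {src: dc_port - (a * dc_dest + b)
             for src, (dc_dest, dc_port) in metrics.items()}
    cutoff = k * median(abs(r) for r in resid.values())
    return sorted(src for src, r in resid.items() if abs(r) > cutoff)


if __name__ == "__main__":
    m = distinct_counts(make_flows())
    print("fixed threshold flags:   ", fixed_threshold(m))
    print("distance-to-curve flags: ", curve_distance_outliers(m))
```

The fixed threshold flags the big application host (90 ports) and misses the scanner (40 ports), because it only sees magnitude. The distance to the line flags the scanner, whose 40 ports on 2 destinations are far off the curve, and clears the application host, which sits on it. With real data the fit would be made on a trusted baseline window rather than on the same points being scored.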
Hunting
Hunting - Ready, Fire, Aim
• Analysts are your best and most expensive resource
• They need the right tools and data: speed (see earlier architecture), interaction (visual!), machine-assisted insight
Examples
• Exploring DNS traffic
• High business impact (HBI) machine analysis
• Lateral movement
HBI Metric Analysis
Visually learn, test, automate
[Figure: HBI metric analysis dashboard]
HBI Metric Analysis - If you like Black Backgrounds
[Same figure on a black background]
Let’s Get Mathematical
We have tried many things:
• Social Network Analysis
• Seasonality detection
• Entropy over time
• Frequent pattern mining
• Clustering
All kinds of challenges. Simple works!
[Figure: U-matrix plot, colour scale from 4.28e−05 to 0.0921]
Simple - Data Abstraction
Lateral Movement - Cross Network Communications
Challenges
• Scale
• You will find one of everything
• Defining white-lists and keeping them up to date (i.e., network and asset hygiene)
[Figure: communication graph between network zones: VPN, DMZ, Office, GIA, Unknown, Internet, AWS]
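Added example for the cross-network communication check described above; it is not code from the original deck. Flow endpoints are mapped to zones, the zone-to-zone matrix is built, and every cross-zone pair that is not on the analyst’s white-list is reported with its flow count. The address plan, the white-list and the flows are constructed; the deck’s own zones (including GIA) are not modelled, and unmapped RFC 1918 space is reported as Unknown so that the “one of everything” cases surface rather than disappear.

```python
# Added example (not from the original slides): map flow endpoints to network
# zones, build the zone-to-zone communication matrix and report every pair
# that is not on the white-list. The address plan, white-list and flows are
# constructed for this example.
import ipaddress
from collections import Counter

# Hypothetical zone map: zone name -> list of prefixes
ZONE_PREFIXES = {
    "Office": ["10.10.0.0/16"],
    "VPN": ["10.200.0.0/16"],
    "DMZ": ["192.0.2.0/24"],
    "AWS": ["10.50.0.0/16"],
}
_ZONE_NETS = [(ipaddress.ip_network(p), z) for z, ps in ZONE_PREFIXES.items() for p in ps]
_RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zone pairs (src_zone, dst_zone) the analyst has reviewed and accepted
WHITELIST = {
    ("Office", "DMZ"), ("Office", "AWS"), ("Office", "Internet"),
    ("VPN", "Office"), ("DMZ", "AWS"),
}


def zone_of(ip):
    """Zone of an address; unmapped private space is 'Unknown', anything else 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _ZONE_NETS:
        if addr in net:
            return zone
    return "Unknown" if any(addr in net for net in _RFC1918) else "Internet"


def zone_matrix(flows):
    """Flow counts per (src_zone, dst_zone): the cross-network communication graph."""
    return Counter((zone_of(src), zone_of(dst)) for src, dst, _ in flows)


def unexpected_pairs(flows, whitelist=WHITELIST):
    """Cross-zone pairs present in the data but not white-listed, with flow counts."""
    return {pair: n for pair, n in zone_matrix(flows).items()
            if pair[0] != pair[1] and pair not in whitelist}


# Constructed flow sample: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.10.1.5", "192.0.2.10", 443),      # Office -> DMZ, expected
    ("10.200.3.4", "10.10.1.5", 445),      # VPN -> Office, expected
    ("10.10.1.7", "10.50.2.2", 22),        # Office -> AWS, expected
    ("10.10.1.5", "203.0.113.9", 443),     # Office -> Internet, expected
    ("10.10.1.5", "10.10.1.6", 445),       # Office -> Office, not cross-zone
    ("192.0.2.10", "10.10.1.9", 445),      # DMZ -> Office: SMB from the DMZ inwards
    ("10.50.2.2", "10.10.1.9", 3389),      # AWS -> Office: RDP from the cloud inwards
    ("172.16.9.9", "10.10.1.5", 445),      # Unknown -> Office: "one of everything"
]

if __name__ == "__main__":
    for pair, n in sorted(unexpected_pairs(FLOWS).items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {n} flow(s) not white-listed")
```

Three pairs come out: DMZ -> Office, AWS -> Office and Unknown -> Office. The first two are the inbound directions of white-listed outbound pairs, which is why the white-list is kept directional; the third is the hygiene problem the slide mentions, an address that belongs to no known zone. Keeping the zone map and white-list as data rather than in code is what makes them maintainable as the network changes.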
Security Visualization Community
http://secviz.org
List: secviz.org/mailinglist
Twitter: @secviz
Share, discuss, challenge, and learn about security visualization.
BlackHat Workshop
Visual Analytics Delivering Actionable Security Intelligence
July 30-31 & August 1-2 - Las Vegas, USA
big data | analytics | visualization
http://secviz.org
After some exploration …
Further resources:
raffael.marty@pixlcloud.com
http://slideshare.net/zrlram
http://secviz.org and @secviz