April 2015 Webinar: Cyber Hunting with Sqrrl


Transcript of April 2015 Webinar: Cyber Hunting with Sqrrl

Securely explore your data

IT’S HUNTING SEASON!

Tips for getting started with proactive detection

© 2015 Sqrrl | All Rights Reserved

ABOUT ME

Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).


WHAT IS “HUNTING”?

The collective name for any manual or machine-assisted techniques used to detect security incidents.

HOW TO BUILD A HUNT CAPABILITY


Embrace Big Data

Get Your Data Science On

Always Have a Good Strategy

Ask Lots of Questions

Pivot… Then Pivot Again

Automation is the Key to Continuous Improvement

Securely explore your data

TIP #1: EMBRACE BIG DATA

THE THREE DATA DOMAINS


Keep as much as you can comfortably store

Network
•  Authentication
•  Session data
•  Proxy logs
•  File transfers
•  DNS resolution

Host
•  Authentication
•  Audit logs
•  Process creation

Application
•  Authentication
•  DB queries
•  Audit & transaction logs
•  Security alerts

THE HUNTING PROCESS


Hypothesize

Query

Analyze

Revise

Successful hunting requires many iterations through this cycle. The faster your analysts get through this loop, the better.

Apache’s Hadoop platform offers fast search and processing of huge amounts of data. You will still need tooling on top of whatever platform you choose.


Keep as much data as you can comfortably store… and work with!

Securely explore your data

TIP #2: GET YOUR DATA SCIENCE ON

WHEN’S THE LAST TIME YOU HEARD…?


“It is a Best Practice to review all your logs each day.”


BEST-ER PRACTICE


Data Deduplication & Reduction

Machine-Assisted Analysis

Parsing & Normalization

MACHINE-ASSISTED ANALYSIS


Computers
•  Bad at context and understanding
•  Good at repetition and drudgery
•  Algorithms work cheap!

People
•  Contextual analysis experts who love patterns
•  Possess curiosity & intuition
•  Business knowledge

Empowered Analysts
•  Process massive amounts of data
•  Agile investigations
•  Quickly turn questions into insight

Securely explore your data

TIP #3: ALWAYS HAVE A GOOD STRATEGY

STRATEGY ENABLES RESULTS


Where do I start?

What should I look for?

What’s my path to improve?

Your strategy determines the quality of your results. Choose a strategy that supports your detection goals. Don’t underestimate the importance of good planning!

STRATEGY #1


Make the most of what you already collect

Advantages
•  You probably already collect at least some data.
•  Someone is already familiar with its contents.
•  You may already have some idea of the key questions you want answered.

Disadvantages
•  Your ability to ask questions is limited by the available data.
•  External forces have more influence over your results.
•  May confuse “easy” with “effective”.

STRATEGY #2


Follow the Kill Chain

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives

Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked April 29th, 2015)


Find attacks already happening

Expand the stories you are able to tell

Predict attacks before they happen

Securely explore your data

TIP #4: ASK LOTS OF QUESTIONS


ALL HUNTS START WITH QUESTIONS

What data do I have and what does it “look like”?

Is there any lateral movement going on?

Is there any data exfiltration going on in my network?

Are there any unauthorized users on my VPN?

Is anyone misusing their database credentials?

Have my users been spearphished?

QUESTIONS BECOME HYPOTHESES


Hypothesize

Query

Analyze

Revise

“If this activity is going on, it might look like…”

That’s your hypothesis!

If at first you don’t succeed, reimagine it.
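As an added illustration (not part of the webinar or Sqrrl's tooling), here is one turn of the Hypothesize → Query → Analyze → Revise loop for the exfiltration question above, run over constructed network session records and then pivoted into constructed HTTP proxy records. The host names, addresses, user agents, the bulk-transfer allow-list and the byte thresholds are all made-up assumptions.

```python
from collections import defaultdict

# Constructed sample network session records: (src_host, dst_ip, bytes_out).
SESSIONS = [
    ("ws-017", "203.0.113.9", 9_400_000),
    ("ws-017", "203.0.113.9", 8_800_000),
    ("ws-042", "198.51.100.20", 120_000),
    ("ws-042", "198.51.100.21", 95_000),
    ("ws-103", "203.0.113.9", 1_200_000),
    ("srv-db1", "198.51.100.50", 45_000_000),
]
# Constructed HTTP proxy log records: (src_host, dst_ip, user_agent).
PROXY = [
    ("ws-017", "203.0.113.9", "curl/7.64.0"),
    ("ws-103", "203.0.113.9", "Mozilla/5.0"),
    ("ws-042", "198.51.100.20", "Mozilla/5.0"),
]
# Hypothetical allow-list of hosts expected to move bulk data (backups, replication).
KNOWN_BULK = {"srv-db1"}


def query(sessions, threshold_bytes):
    """Hypothesis: 'if exfiltration is going on, it might look like one host
    pushing an unusually large total volume to a single external address.'
    Returns {(host, dst_ip): total_bytes} for pairs at or over the threshold."""
    totals = defaultdict(int)
    for host, dst, nbytes in sessions:
        totals[(host, dst)] += nbytes
    return {k: v for k, v in totals.items()
            if v >= threshold_bytes and k[0] not in KNOWN_BULK}


def pivot(hits, proxy):
    """Pivot from session hits into proxy data: what client talked to that
    destination? A non-browser agent on a workstation raises the priority."""
    agents = {(host, dst): ua for host, dst, ua in proxy}
    return {k: agents.get(k, "no proxy record") for k in hits}


def hunt(threshold_bytes):
    """One pass of hypothesize -> query -> analyze. Lowering the threshold on
    the next pass is the 'revise' step when the first pass finds too little."""
    return pivot(query(SESSIONS, threshold_bytes), PROXY)


if __name__ == "__main__":
    for threshold in (10_000_000, 1_000_000):   # first pass, then revised
        print(threshold, hunt(threshold))
```

The first pass surfaces only ws-017; the revised, lower threshold adds ws-103, and the proxy pivot separates the two by client (a curl agent on a workstation versus a browser), which is the kind of context a second data source adds.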

Securely explore your data

TIP #5: PIVOT… THEN PIVOT AGAIN


ATTACKERS LEAVE TRAILS EVERYWHERE

Email logs

Endpoint process accounting

HTTP proxy logs

Authentication records

Filesystem metadata

Network session data

Database query logs


DATA DIVERSITY

Leverage different types of data to…

Reveal relationships

Clarify the situation

Highlight inconsistencies

Tell a complete story


TOOLSET DIVERSITY

Different techniques, different perspectives

Securely explore your data

BONUS TIP: AUTOMATION IS THE KEY TO IMPROVEMENT


Securely explore your data

CONCLUSION

LET’S REVIEW


Embrace Big Data

Get Your Data Science On

Always Have a Good Strategy

Ask Lots of Questions

Pivot… Then Pivot Again

Automation is the Key to Continuous Improvement

QUESTIONS?


David J. Bianco

[email protected]

@DavidJBianco