Creating Your Own Threat Intel Through Hunting & Visualization

Raffael Marty, CEO. Tenerife, Spain, February 2016. 36 slides.

Transcript of Creating Your Own Threat Intel Through Hunting & Visualization

Page 1: Creating Your Own Threat Intel Through Hunting & Visualization

Raffael Marty, CEO

Creating Your Own Threat Intel Through Hunting & Visualization

Tenerife, Spain February, 2016

Page 2: Creating Your Own Threat Intel Through Hunting & Visualization

Creating Your Own Threat Intel Through Hunting & Visualization

Raffael Marty, CEO

Page 3: Creating Your Own Threat Intel Through Hunting & Visualization

Security. Analytics. Insight.

Contents

1. Threat Intelligence - A Process and Infrastructure View
2. Visualization - A Threat Intelligence Gold Mine
3. Hunting aka Internal Threat Intelligence

Page 4: Creating Your Own Threat Intel Through Hunting & Visualization

Threat Intelligence

Page 5: Creating Your Own Threat Intel Through Hunting & Visualization

We Are Monitoring - What is Going Wrong?

Defense Has Been Relying On Past Knowledge

• Products / Tools
• Firewall - Blocks traffic based on pre-defined rules
• Web Application Firewall - Monitors for signs of known malicious activity in Web traffic
• Intrusion Prevention System - Looks for ‘signs’ of known attacks in traffic and protocol violations
• Anti-Virus - Looks for ‘signs’ of known attacks on the end system
• Malware Sandbox - Runs new binaries and monitors their behavior for malicious signs
• Security Information Management - Uses pre-defined rules to correlate signs from different data streams to augment intelligence
• Vulnerability Scanning - Searches for known vulnerabilities and vulnerable software

• Rely on pattern matching and signature-based knowledge from the past
• Reactive -> always behind
• Unknown and new threats -> won’t be detected
• ‘Imperfect’ patterns and rules -> cause a lot of false positives

Page 6: Creating Your Own Threat Intel Through Hunting & Visualization

Event Funnel - How We Used To Do It

data -> rule-based correlation -> prioritization -> simple statistics -> attack candidates

• What rules do you write?
• Do the vendor-provided rules work for you?
• How do you define a priority 10 event?

• High false positive rate! Unless alerts are VERY focused
• High false negative rate! Do you know what you don’t know?

Page 7: Creating Your Own Threat Intel Through Hunting & Visualization

Then Came Threat Intelligence

IOCs -> attack candidates

• How many hits do you really get? You are missing most attacks
• How do you match these efficiently against a real-time stream?
• How do you de-duplicate and normalize these feeds?

70–90% OF MALWARE SAMPLES ARE UNIQUE TO AN ORGANIZATION.

Page 8: Creating Your Own Threat Intel Through Hunting & Visualization

Removing the Event Funnel - Hello Data Lake

any data -> Big Data Lake (Rules, context, IOCs)

• Storing more, and more diverse data: Kafka and “dynamic parsing”
• Enabling large-scale processing: Spark, Spark Streaming, Storm, Parquet
• Using “standard” data access (SQL, REST): plug in any other tool!

This per se is not new …

Page 9: Creating Your Own Threat Intel Through Hunting & Visualization

Adding Interactive - Analyst Driven Exploration

any data -> Big Data Lake (Rules, context, IOCs)

… but first we get the human in the loop …

Hunting
• interactive visualization
• analyst driven
• machine assisted

Page 10: Creating Your Own Threat Intel Through Hunting & Visualization

Hunting Creates Internal Threat Intelligence

any data -> Big Data Lake (Rules, context, IOCs)

… then, let’s rethink our rules …

[Diagram: Hunting finds Novel, Advanced Attacks; the findings flow back into the lake as internal TI]

Page 11: Creating Your Own Threat Intel Through Hunting & Visualization

Hunting Creates Internal Threat Intelligence

any data -> Big Data Lake (Rules, context, IOCs)

… then, let’s rethink our rules … patterns anyone?

[Diagram: Hunting finds Novel, Advanced Attacks -> internal TI -> Patterns -> Low False Positive Alerts]

Page 12: Creating Your Own Threat Intel Through Hunting & Visualization

Buzzword Bingo

any data -> Big Data Lake (Rules, context, IOCs) -> internal TI -> Patterns

… and finally, we are buzzword compliant …

behavioral monitoring, scoring, anomaly detection, machine learning, artificial intelligence, “models”, data science

Page 13: Creating Your Own Threat Intel Through Hunting & Visualization


How Does All That Architecture Stuff Matter?

In the following we’ll explore how this all matters …

… but first, let’s see how visualization plays a key role here.

Page 14: Creating Your Own Threat Intel Through Hunting & Visualization

Visualization

Page 15: Creating Your Own Threat Intel Through Hunting & Visualization

“How Can We See, Not To Confirm - But To Learn” - Edward Tufte

Page 16: Creating Your Own Threat Intel Through Hunting & Visualization

Why Visualization?

[Scatter plot: dport over time]

Page 17: Creating Your Own Threat Intel Through Hunting & Visualization

One Graph Summarizes Dozens of Queries

SELECT count(DISTINCT protocol) FROM flows;
SELECT count(DISTINCT port) FROM flows;
SELECT count(DISTINCT src_network) FROM flows;
SELECT count(DISTINCT dest_network) FROM flows;
SELECT port, count(*) FROM flows GROUP BY port;
SELECT protocol,
       count(CASE WHEN flows < 200 THEN 1 END)                  AS "<200",
       count(CASE WHEN flows >= 200 AND flows < 300 THEN 1 END) AS "200-299",
       count(CASE WHEN flows >= 300 AND flows < 350 THEN 1 END) AS "300-349",
       count(CASE WHEN flows >= 350 THEN 1 END)                 AS ">=350"
  FROM flows GROUP BY protocol;
SELECT port, count(DISTINCT src_network) FROM flows GROUP BY port;
SELECT src_network, count(DISTINCT dest_network) FROM flows GROUP BY src_network;
SELECT src_network, count(DISTINCT dest_network) AS dn, sum(flows) FROM flows GROUP BY src_network;
SELECT port, protocol, count(*) FROM flows GROUP BY port, protocol;
SELECT dest_network, sum(flows) FROM flows GROUP BY dest_network;

[Parallel coordinates plot, one axis per column: port, dest_network, protocol, src_network, flows]

Page 18: Creating Your Own Threat Intel Through Hunting & Visualization


Visualization To …

Present / Communicate Discover / Explore

Page 19: Creating Your Own Threat Intel Through Hunting & Visualization

Analytics Components

We will have a look at a couple of components from earlier:

• Context
• Data Science
• Clustering
• Seriation - Data Science Gone Wrong
• Time-series Analysis

Page 20: Creating Your Own Threat Intel Through Hunting & Visualization

Did You Know?

Users accessing Sharepoint servers

[Graph: User -> Sharepoint Server; pipeline: data -> processing -> visualization]

This graph of users accessing Sharepoint servers does not immediately reveal any interesting patterns.

Page 21: Creating Your Own Threat Intel Through Hunting & Visualization

Did You Know - How Context Tells a Story

Using HR data as context

[Graph legend: Remote User, San Francisco Office User, Sharepoint Server; pipeline: data -> processing (+ HR data) -> visualization]

Using color to add context to the graph helps immediately identify outliers and potential problems.
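The join-and-color step behind this slide, as an added example that is not code from the original talk: user-to-server access pairs are joined to an HR export, every user node is filled with a color for its HR context, and the graph is emitted as Graphviz DOT so it can be rendered with `dot -Tpng`. The access pairs, HR roster, server names and colors are all constructed for illustration. Identities HR has no record of get their own color, because an account with no owner is a finding in itself, and the same distinct-count idea the later slides use (servers per user) is computed alongside the graph.

```python
"""Adding HR context to a user -> SharePoint access graph (added example).

The access pairs, the HR roster and the colors below are constructed; a real
pipeline would read SharePoint/IIS access logs and an HR export.
"""
from collections import defaultdict

# Constructed access pairs (user, sharepoint_server), one per observed combination.
ACCESS = [
    ("alice", "sp-fin-01"), ("alice", "sp-eng-01"),
    ("bob", "sp-eng-01"), ("bob", "sp-eng-02"),
    ("carol", "sp-fin-01"),
    ("dave", "sp-eng-01"), ("dave", "sp-eng-02"), ("dave", "sp-fin-01"), ("dave", "sp-hr-01"),
    ("erin", "sp-hr-01"),
    ("svc_backup", "sp-eng-02"),   # constructed: an account HR knows nothing about
]

# Constructed HR export: user -> work location.
HR = {
    "alice": "San Francisco Office",
    "bob": "San Francisco Office",
    "carol": "San Francisco Office",
    "dave": "Remote",
    "erin": "San Francisco Office",
}

# Color per HR context; the None key covers identities HR does not know.
COLORS = {"San Francisco Office": "lightblue", "Remote": "orange", None: "gray"}
OFFICE = "San Francisco Office"


def context_of(user):
    """HR location for a user, or None when HR has no record of the account."""
    return HR.get(user)


def _q(label):
    """Quote a DOT identifier, escaping backslashes and double quotes."""
    return '"' + label.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(access=ACCESS):
    """Render the user -> server graph as Graphviz DOT; user nodes carry their context color."""
    users = sorted({u for u, _ in access})
    servers = sorted({s for _, s in access})
    out = ["digraph sharepoint_access {", "  rankdir=LR;"]
    for u in users:
        color = COLORS.get(context_of(u), COLORS[None])
        out.append(f"  {_q(u)} [shape=ellipse, style=filled, fillcolor={color}];")
    for s in servers:
        out.append(f"  {_q(s)} [shape=box];")
    for u, s in access:
        out.append(f"  {_q(u)} -> {_q(s)};")
    out.append("}")
    return "\n".join(out)


def fan_out(access=ACCESS):
    """dc(server) per user: how many distinct SharePoint servers each identity touched."""
    seen = defaultdict(set)
    for u, s in access:
        seen[u].add(s)
    return {u: len(s) for u, s in seen.items()}


def unknown_to_hr(access=ACCESS):
    """Identities in the access data that HR does not know (service or orphaned accounts)."""
    return sorted({u for u, _ in access if context_of(u) is None})


def review_candidates(access=ACCESS):
    """Non-office identities whose fan-out exceeds that of every office user: the nodes color makes stand out."""
    fo = fan_out(access)
    office_max = max((n for u, n in fo.items() if context_of(u) == OFFICE), default=0)
    return sorted(u for u, n in fo.items() if context_of(u) != OFFICE and n > office_max)


if __name__ == "__main__":
    print(to_dot())
    print("# HR-unknown:", unknown_to_hr())
    print("# review:", review_candidates())
```

Pipe the output into `dot -Tpng -o sharepoint.png` to get the colored graph; the two helper lists are the textual version of what the color makes visible in the picture.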

Page 22: Creating Your Own Threat Intel Through Hunting & Visualization

Data Science in Security - Words of Caution

• Simple stuff works! dc(dest), dc(d_port)
• What is normal?
• Use data science / data mining to prepare data. Then visualize the output for the human analyst.

Page 23: Creating Your Own Threat Intel Through Hunting & Visualization

Challenges With Clustering Network Traffic

The graph shows an abstract space with colors being machine-identified clusters.

Hard Questions:
• What are these clusters?
• Do Web servers cluster?
• What are good clusters?
• What’s anomalous?

Page 24: Creating Your Own Threat Intel Through Hunting & Visualization

Data Science That Works

[Plot: a fixed threshold line over the metric; outliers have different magnitudes]

Page 25: Creating Your Own Threat Intel Through Hunting & Visualization

Approximate Curve

[Plot: fitting a curve to the data and measuring each point’s distance to the curve]

Page 26: Creating Your Own Threat Intel Through Hunting & Visualization

Data Mining Applied

[Plot: the better threshold, set on distance to the fitted curve]
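The three slides above (fixed threshold, fitted curve, distance to curve) together with the earlier “dc(dest), dc(d_port)” point, worked through as an added example that is not code from the original talk. Per-source distinct counts are computed from flow records; a fixed cut-off on dc(dest) is then compared with a line fitted by least squares in log-log space, where a host is an outlier when its distance above the curve exceeds a median + k*MAD cut-off over all distances. The flow profiles (eight hosts whose distinct-destination count grows with volume, plus one low-volume host that reaches a new destination on every flow), the 50-destination cut-off and k=3 are assumptions for the example, not values from the slides.

```python
"""Distinct-count hunting metrics: fixed threshold vs. distance to a fitted curve (added example).

The flow records are constructed: NORMAL_PROFILES are hosts whose dc(dest)
grows roughly with their flow volume; SCANNER is a low-volume host that never
talks to the same destination twice.
"""
import math
from collections import defaultdict
from statistics import median

# Constructed per-host profiles: (number of flows, number of distinct destinations).
NORMAL_PROFILES = {
    "10.0.0.11": (40, 5), "10.0.0.12": (120, 9), "10.0.0.13": (400, 20),
    "10.0.0.14": (1500, 45), "10.0.0.15": (6000, 120), "10.0.0.16": (80, 7),
    "10.0.0.17": (900, 30), "10.0.0.18": (2500, 70),
}
SCANNER = "10.0.0.66"   # constructed: 40 flows, 40 distinct destinations, one port


def build_flows():
    """Expand the profiles into (src, dst, dport) tuples; repeated destinations model re-connections."""
    flows = []
    for src, (n_flows, n_dst) in NORMAL_PROFILES.items():
        for i in range(n_flows):
            flows.append((src, f"192.168.1.{i % n_dst + 1}", (443, 80, 53)[i % 3]))
    for i in range(40):
        flows.append((SCANNER, f"192.168.1.{i + 1}", 445))
    return flows


def features(flows):
    """Per source: (total flows, dc(dest), dc(d_port)) -- the 'simple stuff' from the slide."""
    total = defaultdict(int)
    dests = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in flows:
        total[src] += 1
        dests[src].add(dst)
        ports[src].add(dport)
    return {s: (total[s], len(dests[s]), len(ports[s])) for s in total}


def fixed_threshold(feats, max_dc_dest=50):
    """Naive rule: flag any host with more than max_dc_dest distinct destinations."""
    return sorted(s for s, (_, dc, _) in feats.items() if dc > max_dc_dest)


def fit_loglog(points):
    """Least-squares line y = a + b*x through (log flows, log dc_dest) points; returns (a, b)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    b = sxy / sxx
    return my - b * mx, b


def curve_outliers(feats, k=3.0):
    """Flag hosts whose distance above the fitted curve exceeds median + k*MAD of all distances.

    The scanner is included in the fit and pulls the line a little; at scale a
    robust regression (or a refit without the flagged points) would replace this.
    """
    hosts = sorted(feats)
    pts = [(math.log(feats[h][0]), math.log(feats[h][1])) for h in hosts]
    a, b = fit_loglog(pts)
    resid = {h: y - (a + b * x) for h, (x, y) in zip(hosts, pts)}
    med = median(resid.values())
    mad = median(abs(r - med) for r in resid.values())
    cutoff = med + k * mad
    return sorted(h for h, r in resid.items() if r > cutoff)


if __name__ == "__main__":
    feats = features(build_flows())
    for host, (n, dc_dest, dc_port) in sorted(feats.items()):
        print(f"{host:10} flows={n:5} dc(dest)={dc_dest:4} dc(d_port)={dc_port}")
    print("fixed threshold flags:", fixed_threshold(feats))
    print("curve distance flags: ", curve_outliers(feats))
```

The fixed cut-off fires on the two busiest (legitimate) hosts and misses the scanner, because it only sees magnitude; the distance to the curve asks how many destinations a host reaches relative to how much it talks, which is the question the analyst actually has.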

Page 27: Creating Your Own Threat Intel Through Hunting & Visualization

Hunting

Page 28: Creating Your Own Threat Intel Through Hunting & Visualization

Hunting - Ready, Fire, Aim

• Analysts are your best and most expensive resource
• They need the right tools and data
  • Speed (see earlier architecture)
  • Interaction (visual!)
  • Machine-assisted insight

Examples
• Exploring DNS traffic
• High business impact machine analysis
• Lateral movement

Page 29: Creating Your Own Threat Intel Through Hunting & Visualization


HBI Metric Analysis

Visually learn, Test, Automate

Page 30: Creating Your Own Threat Intel Through Hunting & Visualization


HBI Metric Analysis - If you like Black Backgrounds

Page 31: Creating Your Own Threat Intel Through Hunting & Visualization

Let’s Get Mathematical

We have tried many things:
• Social Network Analysis
• Seasonality detection
• Entropy over time
• Frequent pattern mining
• Clustering

All kinds of challenges. Simple works!

[Figure: U-matrix, color scale 4.28e−05 to 0.0921]

Page 32: Creating Your Own Threat Intel Through Hunting & Visualization


Simple - Data Abstraction

Page 33: Creating Your Own Threat Intel Through Hunting & Visualization

Lateral Movement - Cross Network Communications

Challenges
• Scale
• You will find one of everything
• Defining white-lists and keeping them up to date (i.e., network and asset hygiene)

[Graph of cross-network communications between zones: VPN, DMZ, Office, GIA, Unknown, Internet, AWS]
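The cross-network check from this slide as an added example (not code from the original talk): host-level flows are collapsed into a zone-to-zone matrix, the matrix is compared against a white-list of expected zone pairs, and the white-list is checked the other way round for entries no traffic uses any more, which is the “keeping them up to date” problem. The zone CIDRs, the white-list and the flow records are constructed; GIA is taken from the slide as a zone name without assuming what it stands for; any private address that matches no inventoried zone lands in Unknown, the asset-hygiene gap the slide warns about.

```python
"""Zone-to-zone communication matrix with a white-list of expected paths (added example).

Zone CIDRs, white-list and flows are constructed. Two things the slide warns about
show up directly: an address in private space that no zone claims (inventory gap)
and a white-list entry that no traffic uses (stale rule).
"""
import ipaddress
from collections import Counter

# Constructed zone inventory. Anything not listed falls back to Unknown (private) or Internet.
ZONES = [
    ("Office", ipaddress.ip_network("10.10.0.0/16")),
    ("VPN", ipaddress.ip_network("10.20.0.0/16")),
    ("DMZ", ipaddress.ip_network("172.16.0.0/24")),
    ("GIA", ipaddress.ip_network("10.30.0.0/16")),      # zone name from the slide, CIDR assumed
    ("AWS", ipaddress.ip_network("10.100.0.0/16")),
]

# Constructed white-list of expected (src_zone, dst_zone) pairs.
ALLOWED = {
    ("Office", "Office"), ("Office", "DMZ"), ("Office", "Internet"), ("Office", "AWS"),
    ("VPN", "Office"), ("VPN", "DMZ"),
    ("Internet", "DMZ"),
    ("DMZ", "AWS"),
    ("AWS", "AWS"),
}

# Constructed flows (src_ip, dst_ip).
FLOWS = [
    ("10.10.1.5", "10.10.1.6"),        # Office -> Office
    ("10.10.1.5", "172.16.0.10"),      # Office -> DMZ
    ("10.10.2.7", "93.184.216.34"),    # Office -> Internet
    ("10.20.3.3", "10.10.1.6"),        # VPN -> Office
    ("45.33.32.156", "172.16.0.10"),   # Internet -> DMZ
    ("45.33.32.156", "172.16.0.10"),   # Internet -> DMZ
    ("172.16.0.10", "10.100.5.5"),     # DMZ -> AWS
    ("172.16.0.10", "10.10.1.6"),      # DMZ -> Office: not white-listed
    ("10.100.5.5", "10.30.0.9"),       # AWS -> GIA: not white-listed
    ("10.10.4.4", "10.99.0.1"),        # Office -> uninventoried private space: Unknown
]


def zone_of(ip):
    """Map an address to its inventoried zone, else Unknown (private space) or Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "Unknown" if addr.is_private else "Internet"


def zone_matrix(flows):
    """Collapse host-level flows into (src_zone, dst_zone) -> flow count."""
    return Counter((zone_of(src), zone_of(dst)) for src, dst in flows)


def unexpected_paths(matrix, allowed=ALLOWED):
    """Zone pairs seen in traffic but missing from the white-list, most frequent first."""
    hits = [(pair, n) for pair, n in matrix.items() if pair not in allowed]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def whitelist_gaps(matrix, allowed=ALLOWED):
    """White-listed pairs with no traffic at all: candidates to prune, so the list stays current."""
    return sorted(pair for pair in allowed if pair not in matrix)


if __name__ == "__main__":
    m = zone_matrix(FLOWS)
    for (s, d), n in sorted(m.items()):
        print(f"{s:>8} -> {d:<8} {n}")
    print("unexpected:", unexpected_paths(m))
    print("stale white-list entries:", whitelist_gaps(m))
```

Run over a day of flow logs the matrix is small enough to eyeball as a heat map, which is the point of the slide: you do not look at millions of flows, you look at a handful of zone pairs and ask which ones should not exist, and you review the white-list itself whenever the inventory changes.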

Page 34: Creating Your Own Threat Intel Through Hunting & Visualization

Security Visualization Community

http://secviz.org
List: secviz.org/mailinglist
Twitter: @secviz

Share, discuss, challenge, and learn about security visualization.

Page 35: Creating Your Own Threat Intel Through Hunting & Visualization

BlackHat Workshop

Visual Analytics - Delivering Actionable Security Intelligence

July 30, 31 & August 1, 2 - Las Vegas, USA

big data | analytics | visualization

http://secviz.org

Page 36: Creating Your Own Threat Intel Through Hunting & Visualization

After some exploration …

Further resources:

[email protected]
http://slideshare.net/zrlram
http://secviz.org and @secviz