Practical Threat Hunting With Machine Learning

preview_player
Показать описание
Machine learning technologies often have a high barrier to entry and require expertise from different disciplines - data science, data engineering, software engineering, security research, and security operations - that are not always readily available. One person, from any of these individual disciplines, may not possess the requisite knowledge to operationalize machine learning models for threat hunting. We developed our 64 machine learning jobs (unsupervised models) for threat hunting by pairing a security researcher with data scientists and data engineers and we found this combination yielded the best results. I will describe our development methodology. The resulting 64 jobs have a sufficiently simple operational model that security analysts can deploy and tune them without requiring a data scientist. With tuning requirements similar to conventional rules, a security or SOC team can consume the output of the models as alerts in order to hunt interesting threats that search-based rules will often not find.

As threat actors continue to innovate in order to evade detection, ML techniques can be very useful in finding the few malicious events that may be hidden among billions of similar events with only a difference in nuance. While not a replacement for human analysis, the size, and gravity of modern logging and event data sets make ML a valuable addition to conventional search rules and hunting techniques.

Case studies will include high-value detections including C2 detection using frequency and shape analysis of network events; DGA detection using frequency and shape analysis of DNS events; privilege elevation and exfiltration in cloud environments using frequency analysis of both single fields and pairs of field values; credentialed access relevant to ransomware scenarios using frequency analysis; and LPE exploit activity using frequency analysis and computation of relative rarity. Finally, work on risk-based detection clustering will be demonstrated. Clustering often produces high-confidence correlations, making actionable detections easier to see.

#ThreatHuntingSummit #MachineLearning
  1. SANS Digital Forensics and Incident Response
  2. craig chamberlain
  3. craig chamberlain threat hunting
  4. sans threat hunting summit
  5. threat hunting summit
  6. sans threat hunting and incident response summit
Рекомендации по теме
Practical Threat Hunting 0:30:21

Practical Threat Hunting With Machine Learning

BSidesSF 2022 - 0:37:08

BSidesSF 2022 - Practical Threat Hunting With Machine Learning (Omid Mirzaei)

Cybersecurity Threat Hunting 0:06:51

Cybersecurity Threat Hunting Explained

Black Hat Webcast 1:01:19

Black Hat Webcast Series | Practical Threat Hunting: Straight Facts and Substantial Impacts

A Tale of 0:33:44

A Tale of Two Hunters: Practical Approaches for Building a Threat Hunting Program

SOAR Use Case 0:05:47

SOAR Use Case | Automated Threat Hunting with Security Automation

Neil “Grifter” Wyler 0:55:13

Neil “Grifter” Wyler - Practical Threat Hunting Straight Facts and Substantial Impacts

Threat Hunting using 0:13:04

Threat Hunting using SIEM

Microsoft defense against 0:16:42

Microsoft defense against the emergence of infostealer malware | ODFP986

Proactive Threat Hunting 0:01:45

Proactive Threat Hunting

Threat Hunting in 0:04:52

Threat Hunting in CyberWorld - Introduction to the course

Threat Hunting In 1:00:10

Threat Hunting In Practice - Michael-Angelo Zummo

Practical Learnings for 0:48:24

Practical Learnings for Threat Hunting and Improving Your Security Posture

Using Suricata to 0:27:52

Using Suricata to Perform Practical Industrial Control System (ICS) Threat Hunting

Microsoft 365 Defender: 0:06:02

Microsoft 365 Defender: Guided hunting

Threat Hunting Tutorial- 0:27:55

Threat Hunting Tutorial- Day 5, Hunting in Memory and @Scale

Cyber Threat Hunt 0:18:53

Cyber Threat Hunt 101: Part 7 - Practical Data Analysis and Threat Detection Techniques!

Microsoft Sentinel-Threat Hunting 0:05:44

Microsoft Sentinel-Threat Hunting

Intelligent Hunting: Using 0:22:22

Intelligent Hunting: Using Threat Intelligence to Guide Your Hunts - SANS CTI Summit 2018

STRIDE Threat Modeling 0:21:49

STRIDE Threat Modeling for Beginners - In 20 Minutes

Practical Threat Hunting: 0:49:19

Practical Threat Hunting: Straight Facts and Substantial Impacts - Grifter 🇬🇧

Tackling the Top 0:04:44

Tackling the Top Threat Hunting Challenges Head-On

Hunting for IOCs 0:22:47

Hunting for IOCs with Gusto and Style!: Threat Hunting Summit 2016

SOC 101: Real-time 0:12:30

SOC 101: Real-time Incident Response Walkthrough

Комментарии
Автор

This channel is the universe's greatest gift to this profession since caffeine.

jtoddcyber
Автор

The problem is that "rare" is most of the time not a threat. The alert fatigue is still there in this presentation when you talk about a big company's data logs. For example, all the Company's IT usage policy of their assets might be violated from time to time (and always if you have dozens of thousands of assets), for example with porn, games, file sharing websites, etc... Most of the time these IT policy violations are not threats. So, in order to identify these you need to do more and using geolocation, rare executables, rare IPs, or even command activity and time is not enough. This mathematically means that if you measure the "outlyiness" of each event in a company as a number, say 0% to 100%, you will have a probability distribution with very thick tails, therefore you will need ultra high and dynamic thresholds, or otherwise the alert fatigue will be imminent. The solution is to measure maliciousness as well, which is something I am currently experimenting. If you have something for me on this I would appreciate your expertise.

eduardoduarte
Автор

Love the content. Hard to listen to an "um" in every sentence, though.

LtGrandpoobah
Автор


Next up. Fuzzy hash scripts and script blocks and if rare. Alert.

jakesj