April 2015 Webinar: Cyber Hunting with Sqrrl
Transcript of April 2015 Webinar: Cyber Hunting with Sqrrl
© 2015 Sqrrl | All Rights Reserved
ABOUT ME
Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).
WHAT IS “HUNTING”?
The collective name for any manual or machine-assisted techniques used to detect security incidents.
HOW TO BUILD A HUNT CAPABILITY
Embrace Big Data
Get Your Data Science On
Always Have a Good Strategy
Ask Lots of Questions
Pivot… Then Pivot Again
Automation is the Key to Continuous Improvement
THE THREE DATA DOMAINS
Keep as much as you can comfortably store.
Network: authentication, session data, proxy logs, file transfers, DNS resolution
Host: authentication, audit logs, process creation
Application: authentication, DB queries, audit & transaction logs, security alerts
THE HUNTING PROCESS
Hypothesize
Query
Analyze
Revise
Successful hunting requires many iterations through this cycle. The faster your analysts get through this loop, the better.
Apache Hadoop offers fast search and processing of huge amounts of data, but the platform alone is not enough: you will still need hunting tooling on top of whatever platform you choose.
Keep as much data as you can comfortably store… and work with!
WHEN’S THE LAST TIME YOU HEARD…?
“It is a Best Practice to review all your logs each day.”
BEST-ER PRACTICE
Data Deduplication & Reduction
Machine-Assisted Analysis
Parsing & Normalization
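As an added illustration of parsing & normalization and of deduplication & reduction (example code written for this transcript, not Sqrrl’s product or code shown in the webinar): two constructed log formats, a Squid-style proxy access line and a Linux sshd auth line, are parsed into one common schema, and repeats of the same event within a short window are collapsed into a single record with a count. The sample lines, regexes, field names and the five-second window are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the webinar). The repeated lines stand in
# for the duplicate events that sensor overlap and client retries produce.
PROXY_LINES = [
    "1430316000.123    245 10.1.1.5 TCP_MISS/200 5123 GET http://example.net/a - DIRECT/93.184.216.34 text/html",
    "1430316001.456    240 10.1.1.5 TCP_MISS/200 5123 GET http://example.net/a - DIRECT/93.184.216.34 text/html",
    "1430316005.000    300 10.1.1.7 TCP_MISS/200 882 GET http://example.org/b - DIRECT/93.184.216.35 text/html",
]
AUTH_LINES = [
    "Apr 29 14:00:00 bastion sshd[2031]: Accepted publickey for alice from 10.1.1.5 port 50122 ssh2",
    "Apr 29 14:00:00 bastion sshd[2031]: Accepted publickey for alice from 10.1.1.5 port 50122 ssh2",
    "Apr 29 14:00:09 bastion sshd[2044]: Failed password for root from 10.1.1.9 port 40001 ssh2",
]

# Squid native format: epoch-ts elapsed client status/code bytes method url ...
PROXY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# Classic syslog prefix (no year!) followed by the sshd result line.
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_proxy(line):
    """Normalize one proxy line into the common schema (None if it does not parse)."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    return {"ts": when, "source": "proxy", "src_ip": m["client"], "user": None,
            "action": f"{m['method']} {m['status']}", "target": m["url"],
            "bytes": int(m["bytes"])}


def parse_auth(line, year=2015):
    """Normalize one sshd line; the year is an assumption because syslog omits it."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                             "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": "auth", "src_ip": m["src"], "user": m["user"],
            "action": f"ssh {m['result'].lower()} {m['method']}", "target": m["host"],
            "bytes": 0}


def normalize(proxy_lines, auth_lines):
    """Parse both formats into one time-ordered list of records with identical keys."""
    records = [r for r in map(parse_proxy, proxy_lines) if r]
    records += [r for r in map(parse_auth, auth_lines) if r]
    return sorted(records, key=lambda r: r["ts"])


def reduce_duplicates(records, window_seconds=5):
    """Collapse records that are identical apart from timestamp and fall within
    window_seconds of the previously kept copy; the kept copy carries a count."""
    kept, last_seen = [], {}
    for r in records:  # records must already be sorted by ts
        key = (r["source"], r["src_ip"], r["user"], r["action"], r["target"], r["bytes"])
        prev = last_seen.get(key)
        if prev is not None and (r["ts"] - prev["ts"]).total_seconds() <= window_seconds:
            prev["count"] += 1
            continue
        r = dict(r, count=1)
        kept.append(r)
        last_seen[key] = r
    return kept


if __name__ == "__main__":
    for rec in reduce_duplicates(normalize(PROXY_LINES, AUTH_LINES)):
        print(rec["ts"].isoformat(), rec["source"], rec["src_ip"], rec["action"],
              rec["target"], "x%d" % rec["count"])
```

Six raw lines become four normalized records; the duplicate login and the repeated proxy fetch each survive once with `count == 2`, so nothing is lost but the analyst reads a third less. The window is the knob to tune: too wide and you hide a real burst of repeated events, too narrow and the reduction buys nothing.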
MACHINE-ASSISTED ANALYSIS
Computers: bad at context and understanding; good at repetition and drudgery. Algorithms work cheap!
People: contextual analysis experts who love patterns; possess curiosity & intuition; bring business knowledge.
Together, they make Empowered Analysts: process massive amounts of data, run agile investigations, quickly turn questions into insight.
STRATEGY ENABLES RESULTS
Where do I start? What should I look for? What’s my path to improve?
Your strategy determines the quality of your results. Choose a strategy that supports your detection goals. Don’t underestimate the importance of good planning!
STRATEGY #1
Make the most of what you already collect
Advantages: You probably already collect at least some data. Someone is already familiar with its contents. You may already have some idea of the key questions you want answered.
Disadvantages: Your ability to ask questions is limited by the available data. External forces have more influence over your results. May confuse “easy” with “effective”.
STRATEGY #2
Follow the Kill Chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked April 29th, 2015)
Following the kill chain lets you:
Find attacks already happening
Expand the stories you are able to tell
Predict attacks before they happen
ALL HUNTS START WITH QUESTIONS
What data do I have and what does it “look like”?
Is there any lateral movement going on?
Is there any data exfiltration going on in my network?
Are there any unauthorized users on my VPN?
Is anyone misusing their database credentials?
Have my users been spearphished?
QUESTIONS BECOME HYPOTHESES
Hypothesize
Query
Analyze
Revise
“If this activity is going on, it might look like…”
That’s your hypothesis!
If at first you don’t succeed, reimagine it.
ATTACKERS LEAVE TRAILS EVERYWHERE
Email logs
Endpoint process accounting
HTTP proxy logs
Authentication records
Filesystem metadata
Network session data
Database query logs
DATA DIVERSITY
Leverage different types of data to…
Reveal relationships
Clarify the situation
Highlight inconsistencies
Tell a complete story
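As an added worked example of the Hypothesize → Query → Analyze → Revise loop and of pivoting across data domains to tell a complete story (example code written for this transcript, not Sqrrl’s own code): it turns the question “Is there any data exfiltration going on in my network?” into a testable hypothesis over constructed network session records, pivots each hit into DNS resolution and host authentication data, and then revises the hypothesis to drop a false positive the pivot exposed. The sample records, field layouts, thresholds and the `.internal` DNS zone are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (not from the webinar). Field layouts are assumptions:
#   SESSIONS: (ts, src, dst, dst_port, bytes_out, bytes_in)   network session data
#   DNS:      (ts, src, query, answer)                        DNS resolution
#   AUTH:     (ts, host, user, result)                        host authentication
SESSIONS = [
    ("2015-04-29T01:00:00Z", "10.1.1.50", "192.0.2.20", 22, 3_000_000_000, 500_000),
    ("2015-04-29T02:10:00Z", "10.1.1.5", "198.51.100.7", 443, 850_000_000, 120_000),
    ("2015-04-29T02:11:00Z", "10.1.1.5", "198.51.100.7", 443, 910_000_000, 118_000),
    ("2015-04-29T09:00:00Z", "10.1.1.5", "203.0.113.10", 443, 40_000, 2_100_000),
    ("2015-04-29T09:05:00Z", "10.1.1.7", "203.0.113.10", 443, 35_000, 1_900_000),
    ("2015-04-29T09:06:00Z", "10.1.1.8", "203.0.113.10", 443, 38_000, 2_000_000),
]
DNS = [
    ("2015-04-29T00:59:59Z", "10.1.1.50", "backup.example.internal", "192.0.2.20"),
    ("2015-04-29T08:59:58Z", "10.1.1.5", "www.example.org", "203.0.113.10"),
]
AUTH = [
    ("2015-04-29T02:05:00Z", "10.1.1.5", "svc_report", "success"),
    ("2015-04-29T08:30:00Z", "10.1.1.5", "alice", "success"),
]


def hypothesis_exfil(sessions, min_ratio=10.0, max_peers=1, exclude=frozenset()):
    """Hypothesis: if exfiltration is going on, it might look like an internal host
    pushing far more bytes out than it pulls in, to a destination that almost no
    other internal host talks to. This is the Query step over session data."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "first": None})
    peers = defaultdict(set)
    for t, src, dst, _port, b_out, b_in in sessions:
        if dst in exclude:
            continue
        agg = totals[(src, dst)]
        agg["out"] += b_out
        agg["in"] += b_in
        agg["first"] = min(ts(t), agg["first"]) if agg["first"] else ts(t)
        peers[dst].add(src)
    findings = []
    for (src, dst), agg in totals.items():
        ratio = agg["out"] / max(agg["in"], 1)
        if ratio >= min_ratio and len(peers[dst]) <= max_peers:
            findings.append({"src": src, "dst": dst, "ratio": round(ratio, 1),
                             "bytes_out": agg["out"], "first_seen": agg["first"]})
    return sorted(findings, key=lambda f: -f["bytes_out"])


def pivot(finding, dns, auth, window=timedelta(hours=1)):
    """Analyze step: pivot one hit into the DNS and host domains. Did the source
    ever resolve a name for that destination, and who logged in just before?"""
    start = finding["first_seen"] - window
    names = [q for (_t, src, q, a) in dns
             if src == finding["src"] and a == finding["dst"]]
    logins = [(user, result) for (t, host, user, result) in auth
              if host == finding["src"] and start <= ts(t) <= finding["first_seen"]]
    return {"resolved_names": names, "logins_before": logins,
            "direct_to_ip": not names}


def run_hunt():
    """One full turn of the loop: query, analyze, then revise and query again."""
    first_pass = hypothesis_exfil(SESSIONS)
    stories = {(f["src"], f["dst"]): pivot(f, DNS, AUTH) for f in first_pass}
    # Revise: one hit's destination was resolved from the internal DNS zone
    # (the backup host), so the refined hypothesis excludes such destinations.
    internal = {a for (_t, _s, q, a) in DNS if q.endswith(".internal")}
    second_pass = hypothesis_exfil(SESSIONS, exclude=internal)
    return first_pass, second_pass, stories


if __name__ == "__main__":
    first, second, stories = run_hunt()
    print("first pass :", [(f["src"], f["dst"], f["ratio"]) for f in first])
    print("second pass:", [(f["src"], f["dst"], f["ratio"]) for f in second])
    for key, story in stories.items():
        print(key, story)
```

The first query returns two hits; the session data alone cannot tell them apart. The pivot into DNS shows that the backup server’s destination was resolved from an internal zone seconds before the transfer, while the other host sent 1.7 GB to an address it never resolved at all, shortly after a service account logged in at 02:05. Removing the internally resolved destination is the Revise step, and the second pass leaves only the hit worth escalating.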
LET’S REVIEW
Embrace Big Data
Get Your Data Science On
Always Have a Good Strategy
Ask Lots of Questions
Pivot… Then Pivot Again
Automation is the Key to Continuous Improvement