
Neil Desai - Data Driven Analytics


Published on: February 2020, Chicago CSNP
Published in: Technology

  1. Neil Desai, Solver of Problems, Causer of Mayhem: Data Driven Analytics
  2. Working towards success: https://medium.com/@sqrrldata/the-cyber-hunting-maturity-model-6d506faa8ad5
  3. Working towards success: https://github.com/swannman/ircapabilities
  4. Working towards success: https://github.com/swannman/ircapabilities
  5. SOC Alert
     • MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request
     • MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply
     • MALWARE-BACKDOOR Matrix 2.0 Client connect
     • MALWARE-BACKDOOR Matrix 2.0 Server access
     • MALWARE-BACKDOOR WinCrash 1.0 Server Active
     • MALWARE-BACKDOOR CDK
     • MALWARE-BACKDOOR DeepThroat 3.1 Server Response
     • MALWARE-BACKDOOR PhaseZero Server Active on Network
     • MALWARE-BACKDOOR w00w00 attempt
     • MALWARE-BACKDOOR attempt
     • MALWARE-BACKDOOR MISC r00t attempt
     • MALWARE-BACKDOOR MISC rewt attempt
     • MALWARE-BACKDOOR MISC Linux rootkit attempt
     • MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x
     • MALWARE-BACKDOOR MISC Linux rootkit attempt
     • MALWARE-BACKDOOR MISC Linux rootkit satori attempt
     • MALWARE-BACKDOOR MISC sm4ck attempt
     • MALWARE-BACKDOOR MISC Solaris 2.5 attempt
     • MALWARE-BACKDOOR HidePak backdoor attempt
     • MALWARE-BACKDOOR HideSource backdoor attempt
     • PROTOCOL-ICMP TFN Probe
     • PROTOCOL-ICMP tfn2k icmp possible communication
     • MALWARE-OTHER Trin00 Daemon to Master PONG message detected
     • PROTOCOL-ICMP Stacheldraht server spoof
     • PROTOCOL-ICMP Stacheldraht gag server response
     • PROTOCOL-ICMP Stacheldraht server response
  6. SOC Alerts
  7. SOC Alert
  8. SOC Alert
  9. SOC Alert
  10. Incomplete Data: https://www.patheos.com/blogs/driventoabstraction/2018/07/blind-men-elephant-folklore-knowledge/
  11. Alerts vs Raw Data
      • Alerts give very specific information, but they don't tell the whole story. Context is key, but it isn't in the alert.
      • Alert logic may not be visible to the analyst, or may be hard to interpret.
      • An alert may not give enough details.
      • Raw data is high volume and hard to sift through.
      • Either create alerts from the raw data or collect both.
  12. Trust, But Verify
      • Log settings can change during an upgrade of a product, by mistake, or maliciously.
      • "Turn on logs" is not really a setting. Check exactly what is enabled and where.
      • Regularly test to ensure logs (volume and variety) are as expected.
      • Operationalize log collection.
      • Understand what you have today, and determine what you need.
  13. MITRE ATT&CK
      • Use the framework to determine your visibility gap (https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html)
      • Use testing frameworks to check detections (https://github.com/redcanaryco/atomic-red-team)
  14. Winlogbeat + Sysmon + https://github.com/olafhartong/sysmon-modular
  15. Auditbeat + https://github.com/bfuzzy/auditd-attack
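The "Trust, But Verify" slide says to regularly test that logs arrive in the expected volume and variety rather than assuming "logs are on". The following is an added example, not code from the deck: a small Python check over constructed events in the flattened (host, source, event_id) shape a Winlogbeat/Auditbeat pipeline might feed a SIEM. The host names, per-source thresholds and required event IDs are assumptions chosen for illustration.

```python
"""Log-visibility check: compare the log sources that actually arrived in a
window against a per-host expectation of volume (minimum count) and variety
(event IDs that must be present), and report the gaps."""
from collections import Counter, defaultdict

# Constructed sample window. Assumption: the collector already flattened
# Winlogbeat/Auditbeat output to (host, source, event_id).
# Sysmon 1/3/11 = process create / network connect / file create,
# Security 4624 = logon, auditd 1300/1302 = SYSCALL / PATH records.
SAMPLE_EVENTS = [
    ("ws01", "sysmon", 1), ("ws01", "sysmon", 3), ("ws01", "sysmon", 1),
    ("ws01", "sysmon", 11), ("ws01", "security", 4624),
    ("ws02", "sysmon", 1), ("ws02", "sysmon", 1),   # ws02: only process creates
    ("srv01", "auditd", 1300), ("srv01", "auditd", 1300), ("srv01", "auditd", 1302),
    # srv02 sends nothing at all in this window
]

# Hypothetical baseline: minimum events per window and required event IDs.
EXPECTED = {
    "sysmon":   {"min_count": 3, "required_ids": {1, 3, 11}},
    "security": {"min_count": 1, "required_ids": {4624}},
    "auditd":   {"min_count": 2, "required_ids": {1300}},
}
# Which sources each host is supposed to ship (hypothetical inventory).
HOST_SOURCES = {
    "ws01": {"sysmon", "security"}, "ws02": {"sysmon", "security"},
    "srv01": {"auditd"}, "srv02": {"auditd"},
}

def visibility_gaps(events, expected=EXPECTED, host_sources=HOST_SOURCES):
    """Return (host, source, problem) tuples for every expectation not met."""
    counts = Counter((h, s) for h, s, _ in events)
    ids_seen = defaultdict(set)
    for h, s, eid in events:
        ids_seen[(h, s)].add(eid)
    gaps = []
    for host, sources in sorted(host_sources.items()):
        for src in sorted(sources):
            spec = expected[src]
            n = counts.get((host, src), 0)
            if n == 0:                       # silent source: nothing to inspect
                gaps.append((host, src, "no events received"))
                continue
            if n < spec["min_count"]:        # volume dropped below baseline
                gaps.append((host, src, f"low volume: {n} < {spec['min_count']}"))
            missing = spec["required_ids"] - ids_seen[(host, src)]
            if missing:                      # variety dropped: an event type vanished
                gaps.append((host, src, f"missing event ids {sorted(missing)}"))
    return gaps

if __name__ == "__main__":
    for gap in visibility_gaps(SAMPLE_EVENTS):
        print(gap)
```

In practice the event list would be a query over the last collection window, and the baseline would be derived from a known-good period so that a silent host, a volume drop, or a vanished event type after a product upgrade shows up as a gap rather than going unnoticed.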
