Graph-based Threat Modeling, Security Analytics, and Threat Hunting
1. APM: Graph-based threat modelling and hunting
Ashkan Rahimian, Cyber AI Sr. Manager, Cyber Emerging Technologies
Egor Burnashev, Security Expert, Data Scientist, and Developer
March 2022
2. © Deloitte LLP and affiliated entities.
Outline:
1. Cyber AI APM: Data Layer
2. Exploratory Threat Hunting, Attack Path Modelling, and Cluster Analysis
3. Data Source Mapping
4. Enhancements
5. Dashboard
3. Cyber AI APM is an AI-enabled solution for predictive, pre-emptive and proactive threat identification and cyber risk management
Cyber AI APM (Attack Path Modelling) is an AI-led, graph-based solution that provides a unified visualization of the enterprise attack surface and ongoing cyber risk assessment of an organization's critical assets (crown jewels). Cyber AI APM uses machine learning to predict potential exposures and generates prioritized recommendations to mitigate those risks. It can also augment existing vulnerability management and breach assessment/simulation platforms. The aim is to move from reacting to incidents to identifying and closing attack paths before they are used.
• Superior IT/OT visibility: correlation of multiple IT/OT data sources with threat intelligence to provide a unified view of enterprise IT/OT cyber risk.
• Predict vulnerable entry points, compute attack paths, and calculate risk scores: enhanced risk assessment by aggregating safety and operational risk into risk score models.
• Optimized remediation strategy: actionable intelligence by providing the most impactful recommendations.
• Integration with ticketing and orchestration platforms for threat prevention.
Differentiated offering addressing a market gap https://www2.deloitte.com/ca/en/pages/deloitte-analytics/articles/ai-factory-the-cyfi-suite.html
4. APM: Graph-based threat modelling, security analytics, and threat hunting
How APM works:
1. Ingest your asset, network, and vulnerability data.
2. Visualize your network of assets.
3. Quantify cyber risk to assets, including crown jewels (critical systems).
4. Identify vulnerable entry points to the network.
5. Predict attack paths and scenarios that could be used to compromise your environment.
6. Define and prioritize actionable mitigation through risk scoring and scenario analysis.
7. Generate and track prioritized remediation actions, with the ability to integrate with most ticketing and SOAR systems.
Challenges:
• Tracking and monitoring exposure vectors across hybrid networks and multi-cloud environments
• Identification of the path of least resistance using proactive threat hunting
• Prioritization of risk remediation activities for critical systems
• Correlation and visualization of vulnerability data with observed security events
Sample Nodes: Machine/Computer/Asset, User, Router/Switch/Firewall, Vulnerability, Detection, Network, etc.
Sample Relationships: CAN_CONNECT, CAN_ATTACK, ROUTES_TO, IS_VULNERABLE_TO, THREAT_DETECTED, LOGS_IN_TO, etc.
5. Data source mapping (diagram). Inputs feeding the APM simulation scenarios and the exploratory analysis of threat data and security control configurations: threat intel and attack patterns, risk mitigation activities, ACL rule and config models, vulnerability data, EDR detection categories, and NDR detection categories.
6. APM threat hunting scenarios: Attack Path Modelling
Demo Scenario 1: Attack path modelling enhancement - vulnerability chain and attack path analysis
• Based on vulnerability and network data
• Network/asset reachability analysis
• Vulnerability exploitation path analysis
• Validate condition requirements based on ports and vulnerabilities
• Attack path progression
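The node and relationship types listed on slide 4 (Asset, User, Network, Vulnerability; CAN_CONNECT, CAN_ATTACK, ROUTES_TO, IS_VULNERABLE_TO, LOGS_IN_TO) and the reachability and condition checks of this scenario, worked through as an added Python example. This is not Deloitte's APM code: it derives CAN_ATTACK edges only where the target has the vulnerability, the vulnerable service is listening, and the ACL model permits that port from the attacker's segment; adds lateral-movement edges from users who log in to two hosts; enumerates attack paths from the internet to a crown jewel; scores them; and ranks which single vulnerability to patch first. Hostnames, ports, vulnerability ids, the ACL rules and every likelihood value are constructed assumptions.

```python
"""Attack-path modelling over a small property graph (added example, not APM code).

Node labels and relationship types follow the slide; the inventory, ports,
vulnerability ids, ACL rules and likelihoods below are constructed assumptions."""
from collections import defaultdict

# --- Constructed inventory --------------------------------------------------------
ASSETS = {  # Asset nodes: network membership, listening ports, IS_VULNERABLE_TO
    "web01":  {"network": "dmz",  "ports": {443},  "vulns": {"V-ssl-rce"}},
    "app01":  {"network": "app",  "ports": {8080}, "vulns": {"V-deser"}},
    "jump01": {"network": "app",  "ports": {22},   "vulns": {"V-ssh-auth"}},
    "db01":   {"network": "data", "ports": {1433}, "vulns": set()},
}
CROWN_JEWELS = {"db01"}
VULNS = {  # Vulnerability nodes: port of the vulnerable service, exploit likelihood (assumed)
    "V-ssl-rce":  {"port": 443,  "likelihood": 0.7},
    "V-deser":    {"port": 8080, "likelihood": 0.5},
    "V-ssh-auth": {"port": 22,   "likelihood": 0.3},
}
ROUTES = {  # ROUTES_TO edges from the ACL model: (src network, dst network) -> permitted ports
    ("internet", "dmz"): {443},
    ("dmz", "app"):      {8080, 22},
    ("app", "data"):     {1433, 22},
}
LOGINS = {  # LOGS_IN_TO: user -> assets where that user has a session or stored credential
    "svc_app": {"app01", "db01"},
    "admin":   {"jump01", "db01"},
}
CRED_REUSE_LIKELIHOOD = 0.6  # assumed likelihood of a lateral move via a shared login


def permitted_ports(src_net, dst_net):
    """CAN_CONNECT condition from the ACL model. None = any port (same segment;
    host firewalls are deliberately not modelled in this example)."""
    if src_net == dst_net:
        return None
    return ROUTES.get((src_net, dst_net), set())


def can_connect(src_net, dst_net, port):
    allowed = permitted_ports(src_net, dst_net)
    return allowed is None or port in allowed


def derive_can_attack(excluded_vulns=frozenset()):
    """Derive CAN_ATTACK edges: src -> [(dst, likelihood, reason)].
    An exploit edge needs three conditions at once: the target has the vulnerability,
    the vulnerable service is actually listening, and the ACL permits that port."""
    hosts = dict(ASSETS, internet={"network": "internet", "ports": set(), "vulns": set()})
    edges = defaultdict(list)
    for s, sinfo in hosts.items():
        for d, dinfo in ASSETS.items():
            if s == d:
                continue
            for v in dinfo["vulns"] - excluded_vulns:
                port = VULNS[v]["port"]
                if port in dinfo["ports"] and can_connect(sinfo["network"], dinfo["network"], port):
                    edges[s].append((d, VULNS[v]["likelihood"], f"exploit {v} on tcp/{port}"))
    # Lateral movement via a shared login, still gated on some reachable service port
    for user, targets in LOGINS.items():
        for s in targets:
            for d in targets - {s}:
                if any(can_connect(ASSETS[s]["network"], ASSETS[d]["network"], p)
                       for p in ASSETS[d]["ports"]):
                    edges[s].append((d, CRED_REUSE_LIKELIHOOD, f"credential reuse via {user}"))
    return edges


def attack_paths(edges, entry="internet", targets=CROWN_JEWELS):
    """Enumerate simple paths entry -> crown jewel. Path likelihood is the product of
    edge likelihoods. Returns [(likelihood, [hop, ...])], most likely first."""
    found = []

    def walk(node, path, likelihood):
        if node in targets:
            found.append((round(likelihood, 4), path))
            return
        for nxt, p, _reason in edges.get(node, []):
            if nxt not in path:  # simple paths only
                walk(nxt, path + [nxt], likelihood * p)

    walk(entry, [entry], 1.0)
    return sorted(found, key=lambda t: (-t[0], t[1]))


def total_exposure(excluded_vulns=frozenset()):
    """Sum of path likelihoods to crown jewels: a simple aggregate risk score."""
    return round(sum(l for l, _ in attack_paths(derive_can_attack(excluded_vulns))), 4)


def patch_recommendations():
    """Rank single vulnerabilities by how much exposure remains once each one is fixed."""
    return sorted(((total_exposure({v}), v) for v in VULNS), key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    for likelihood, path in attack_paths(derive_can_attack()):
        print(f"{likelihood:.3f}  {' -> '.join(path)}")
    print("aggregate exposure:", total_exposure())
    for remaining, v in patch_recommendations():
        print(f"patch {v}: exposure drops to {remaining}")
```

Fixing the perimeter vulnerability removes every path in this sample, which is the kind of choke-point result a prioritized recommendation should surface; the per-vulnerability re-run is brute force, which is fine for a graph this size but would be replaced by incremental recomputation at enterprise scale.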
7. APM threat hunting scenarios: Cluster Analysis
Demo Scenario 2: Cluster analysis of infected systems based on EDR data
• Investigate a few systems per cluster to determine the final case outcome
• Accelerate the triage process
• Detect abnormal patterns
• Endpoint detection data contextualization
• Shared patterns of detection across multiple assets
8. APM threat hunting scenarios: Exploratory Analysis
Demo Scenario 3: Exploratory threat hunting based on network and EDR data
• Analysis of infected hosts across multiple networks
• Similar endpoint detections
• Identify the extent of impacted networks
• Batch analysis during triage
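Demo Scenarios 2 and 3 together, as an added Python example that is not APM code: hosts are grouped by the EDR detection categories they share (Jaccard similarity with single-linkage union-find), each cluster is summarised with the pattern its members share, the networks it spans and the host to triage first (the others inherit that outcome), and singleton clusters are flagged as abnormal. The hostnames, networks, detection categories and the 0.5 similarity threshold are constructed assumptions.

```python
"""Cluster analysis of EDR detections across networks (added example, not APM code).
Hostnames, networks, detection categories and the threshold are constructed."""
from collections import defaultdict
from itertools import combinations

EDR_EVENTS = [  # (host, network, EDR detection category): constructed sample data
    ("host-a1", "app",  "credential_dumping"),
    ("host-a1", "app",  "lateral_movement"),
    ("host-a1", "app",  "suspicious_powershell"),
    ("host-a2", "app",  "credential_dumping"),
    ("host-a2", "app",  "lateral_movement"),
    ("host-d1", "data", "credential_dumping"),
    ("host-d1", "data", "lateral_movement"),
    ("host-d1", "data", "suspicious_powershell"),
    ("host-w1", "dmz",  "webshell"),
    ("host-w2", "dmz",  "webshell"),
    ("host-w2", "dmz",  "suspicious_powershell"),
    ("host-x9", "ot",   "usb_mass_storage"),
]


def detections_by_host(events):
    """Collapse raw events into one record per host: its network and detection set."""
    hosts = defaultdict(lambda: {"network": None, "cats": set()})
    for host, network, category in events:
        hosts[host]["network"] = network
        hosts[host]["cats"].add(category)
    return dict(hosts)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_hosts(hosts, threshold=0.5):
    """Single-linkage clustering: any pair whose detection sets are similar enough is
    joined via union-find. Returns sorted member lists, largest cluster first."""
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(hosts), 2):
        if jaccard(hosts[a]["cats"], hosts[b]["cats"]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def summarise(hosts, clusters):
    """Per cluster: shared pattern, networks reached, first host to triage, outlier flag."""
    out = []
    for members in clusters:
        shared = set.intersection(*(hosts[h]["cats"] for h in members))
        # Triage the host with the most detections first; ties broken by name
        first = min(members, key=lambda h: (-len(hosts[h]["cats"]), h))
        out.append({
            "hosts": members,
            "shared_pattern": sorted(shared),
            "networks": sorted({hosts[h]["network"] for h in members}),
            "triage_first": first,
            "outlier": len(members) == 1,  # no peer shares the pattern: abnormal
        })
    return out


def impacted_networks(summary):
    """Extent of impact: which networks each shared detection pattern has reached."""
    return {tuple(c["shared_pattern"]): c["networks"] for c in summary if not c["outlier"]}


if __name__ == "__main__":
    hosts = detections_by_host(EDR_EVENTS)
    for c in summarise(hosts, cluster_hosts(hosts)):
        print(c)
```

The credential-dumping/lateral-movement cluster spans both the app and data networks, which is exactly the cross-network spread Scenario 3 is hunting for; the single OT host with an unrelated detection is surfaced as an outlier rather than buried in a batch.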
10. Enhancements and Integrations
Insights generated from attack path modelling can be fed into UEBA/SIEM systems for further analysis and can also drive SOAR automation.
1. APM as a data source for UEBA (using attack paths as a contextual source)
The attack paths discovered in APM serve as a risk booster for SIEM/UEBA detections: if a threat model triggers against a hostname and that host is part of a high-risk attack path, the overall risk score increases and the alert is prioritized.
2. UEBA as a data source for APM (Visualizing UEBA patterns on the attack graph)
Within security analytics threat models, there may be multiple flags for baselining and anomaly detection. When
such flags trigger, it could indicate abnormal patterns of user access or system behavior. As such, SIEM/UEBA can
highlight which hosts/users are currently flagged as abnormal and APM visualizes the abnormality patterns in the
context of zones/subnets to show potential emerging patterns of infection on the attack graph.
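Both integration directions described above, as an added Python example that is neither APM code nor any UEBA product's API: in direction 1, each alert's base risk is boosted by the likelihood of the riskiest modelled attack path that passes through the alerting host, which can reorder alerts; in direction 2, UEBA-flagged hosts are projected onto the zones of the attack graph and a zone with several flagged hosts on a modelled path is marked as an emerging pattern. The attack paths, alert records, zone membership, the 100-point boost weight and the "two flagged hosts" rule are constructed assumptions.

```python
"""APM <-> UEBA integration (added example; not APM code, not a UEBA product API).
Paths, alerts, zones and weights are constructed assumptions."""

ATTACK_PATHS = [  # (likelihood, ordered hops) as an attack-path model would emit them
    (0.21,  ["internet", "web01", "app01", "db01"]),
    (0.126, ["internet", "web01", "jump01", "db01"]),
]
ZONES = {"web01": "dmz", "app01": "app", "jump01": "app", "db01": "data", "hr01": "corp"}
UEBA_ALERTS = [  # (alert id, host, threat model, base risk 0..100): constructed
    ("A1", "hr01",   "unusual_login_time", 60),
    ("A2", "jump01", "rare_process",       45),
    ("A3", "app01",  "unusual_login_time", 40),
]
PATH_BOOST = 100  # score points added per unit of path likelihood (assumption)


def host_path_risk(paths):
    """Direction 1 context: each host's risk is the likelihood of the riskiest path through it."""
    risk = {}
    for likelihood, hops in paths:
        for h in hops:
            risk[h] = max(risk.get(h, 0.0), likelihood)
    return risk


def boost_alerts(alerts, paths, boost=PATH_BOOST):
    """Re-score UEBA alerts with attack-path context; highest score first."""
    risk = host_path_risk(paths)
    scored = []
    for aid, host, model, base in alerts:
        r = risk.get(host, 0.0)  # hosts off every modelled path keep their base score
        scored.append({"id": aid, "host": host, "model": model, "base": base,
                       "path_risk": r, "score": min(100, round(base + boost * r))})
    return sorted(scored, key=lambda a: (-a["score"], a["id"]))


def zone_view(flagged_hosts, zones, paths):
    """Direction 2: group flagged hosts by zone, mark zones a modelled path crosses, and
    flag a zone as an emerging pattern when two or more flagged hosts sit on such a path."""
    path_zones = {zones.get(h) for _, hops in paths for h in hops}
    view = {}
    for host in sorted(flagged_hosts):
        zone = zones.get(host, "unknown")
        entry = view.setdefault(zone, {"flagged": [], "on_attack_path": zone in path_zones})
        entry["flagged"].append(host)
    for entry in view.values():
        entry["emerging"] = entry["on_attack_path"] and len(entry["flagged"]) >= 2
    return view


if __name__ == "__main__":
    for a in boost_alerts(UEBA_ALERTS, ATTACK_PATHS):
        print(f'{a["id"]} {a["host"]:7} base={a["base"]} path_risk={a["path_risk"]} score={a["score"]}')
    print(zone_view([host for _, host, _, _ in UEBA_ALERTS], ZONES, ATTACK_PATHS))
```

In the sample, the lower-scoring alert on app01 overtakes the hr01 alert once path context is applied, and the app zone (two flagged hosts, both on a path to the crown jewel) is what the analyst should look at first.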
12. www.deloitte.ca
Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte
serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class
capabilities, insights and service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 264,000 professionals, 9,400 of
whom are based in Canada, make an impact that matters, please connect with us on LinkedIn, Twitter or Facebook.
Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche
Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.