SlideShare a Scribd company logo

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Learning

Will Schroeder
Will Schroeder

Slides for the March 20, 2024 "The Data Dilemma: Bridging Offensive Operations and Machine Learning" talk given at Apres-Cyber 2024.

Technology
1 of 43
Download to read offline
Bridging Offensive Operations and Machine Learning The Data Dilemma
Introduction Agenda Red Team Challenges Offensive Data Landscape Offensive ML Challenges Nemesis Seeing the Forest for the Trees
#whoami Will Schroeder @harmj0y @SpecterOps
Background 1
Red Team Operations https://redteam.guide/docs/Concepts/red-vs-pen-vs-vuln
Offensive Machine Learning “Application of machine learning to offensive problems.” - Will Pearce (@moo_hax / @dreadnode) Automating Phishing Sandbox Detection RAG On Stolen Docs File Share Mining Better Password Guessing EDR Evasion Tradecraft Suggestions Evading WAFs Password Detection
Adversarial Machine Learning “Subdiscipline that specifically attacks ML algorithms.” - Will Pearce (@moo_hax / @dreadnode) Extraction Evasion Inversion Inference Poisoning
Red Team Challenges 2
Red Team Challenges Tradecraft is difficult to scale Offensive data and tooling is not unified File and tool output triage is tedious and inconsistent
• File/data triage is one of the most common tasks in offensive operations, but it’s (usually) been heavily manual • Automated workflows for this type of task just haven’t existed (until recently) 1 Red Team Challenges Manual Triage
Red Team Story Time
Repeat x 100,000
2 Red Team Challenges Tooling Issues • Offensive tools weren’t built to interop • Tooling to get the data we want might not even exist on the offensive side! • We (now) often have to fight defensive products to get the data we want…
Red Team Challenges Data Issues • Offensive data (like tools) is mostly unstructured • Offensive data (like tools) often also doesn’t interop well • We also often have heavy data sensitivity/retention issues 3
4 Red Team Challenges Scaling Tradecraft • All operators are not equivalently skilled! • “Scaling tradecraft” today == writing articles in Confluence/Notion/etc. • We don’t even have a way to effectively scale tradecraft across teams, much less the industry as a whole
The Offensive Data Landscape 3
• It is significantly easier to gather large data sets on the defensive side than the offensive side • Outside of sharing malware, most organizations keep this data to themselves - this produces a lot of asymmetry • Sidenote: metadata vs full data… A Defensive View on Data
Differences in Scale • Defense deals with data scales several orders of magnitude larger than offense • Because of the scale difference + the base rate issue, defense has to be right nearly 100% of the time! • Offense only has to be mostly right most/some of the time, and is significantly more tolerant of false positives and negatives
The Base Rate Fallacy https://en.wikipedia.org/wiki/Base_rate_fallacy
Human Focused Tooling
Offensive Data Collection Challenges Batch vs Incremental Ingestion Information Compression • We want to collect data from multiple sources like C2 + raw data + etc. • This presents a significant modeling challenge as you can't know when data is “complete” • Abstractions built from multiple sources • Historically, offensive tools have done a lot of processing on the host itself and returned relevant “interesting” information • Since all data is not returned, the information is essentially “compressed” and data is lost • Collecting/analyzing the raw data instead supports automation and researching new attack paths Example: Windows services are derived from registry keys
• Offensive-focused data models exist solely in isolation (BloodHound, etc.) • A unified offensive data model is very, very hard, partially due to tool diversity and lack of interop • We’re (slowly) trying to work towards a unified model with Nemesis Offensive Data Modelling Challenges
Offensive Machine Learning Challenges 4
Lack of Dual-Domain Experts • There are very few true experts versed in both information security and machine learning • Except these two (and maybe a few others): @dreadnode
Lack of Relevant Data Sets Existing public security data sets have traditionally been… largely terrible. We have the class imbalance problem, the privacy problem, and the defensive close-hold problem for why good data hasn’t been released No one releases high-quality, timely, realistic, security data! …but why would they?
The Privacy Problem
The Privacy Problem Would you trust OpenAI or another provider with a client’s domain admin password? Based on client contracts/compliance, are you even allowed to if you wanted to?
Revelation: Synthetic Data Good quality, labeled data has almost always been the most common factor holding us back offensively. Large state-of-the-art models can be used to generate high quality synthetic data that we can use to fine tune smaller models (one reason local models have become so good!) However, the distribution for generated synthetic data can, at least in some cases, differ from the distribute of the real-world data it’s mimicking, so this isn’t a silver bullet
Why We Can’t Release Models This all comes down to the inversion adversarial ML attack
Lack of Security-Focused Models • There are only a handful of cybersecurity-focused models (e.g., cyBERT) • This is starting to change with local model fine-tunes on Huggingface…
5
A centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data. VISION
Example Enrichment Flow
Example Enriched File
Offensive Analysis We want to automate away level 1 analysis (the boring/tedious tasks) and perform as much “offline” analysis on raw data as possible This approach permits analyzing relationships between (previously) disparate data sources to accomplish things that used to require manual analysis A goal is to provide operator feedback and suggestions based on collected/analyzed data (this is where LLM integration can come in!)
Demo
Seeing the Forest For the Trees 6
But why does this matter…?
It's not just what Nemesis does, it’s what it will allow us to do! This is a (possible) paradigm shift for red teams towards offensive data unification and off-host data processing that offers numerous advantages.
Advantages Centrally update operator analysis workflows Enrichments/analytics added exists in perpetuity for ALL operators on ALL operations Offline processing allows for retroactive analysis of data Minimizes footprint of offensive tooling on endpoints Collected structured/unstructured data can guide future research and automation
Thank you! Questions? https://specterops.io/ http://www.github.com/SpecterOps/Nemesis

Recommended

Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfMike Felch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Divyanshu
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 

Recommended

Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfMike Felch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023
Serverless Siege: AWS Lambda Pentesting - OWASP Top 10 Serverless C0c0n 2023Divyanshu
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant AnalysisHamid Rezaei Rahvard
 
penetration testing
penetration testingpenetration testing
penetration testingShitesh Sachan
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Semmle Codeql
Semmle Codeql Semmle Codeql
Semmle Codeql M. S.
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsPuma Security, LLC
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
2. access control
2. access control2. access control
2. access control7wounders
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6Rod Soto
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 

More Related Content

What's hot

Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Semmle Codeql
Semmle Codeql Semmle Codeql
Semmle Codeql M. S.
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsPuma Security, LLC
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
2. access control
2. access control2. access control
2. access control7wounders
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 

What's hot (20)

Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant Analysis
 
penetration testing
penetration testingpenetration testing
penetration testing
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Semmle Codeql
Semmle Codeql Semmle Codeql
Semmle Codeql
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
2. access control
2. access control2. access control
2. access control
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
Security testing
Security testingSecurity testing
Security testing
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 

Similar to Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Learning

BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6Rod Soto
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
Fully Integrated Defense Operation
Fully Integrated Defense OperationFully Integrated Defense Operation
Fully Integrated Defense OperationRob Fry
 
Family tree of data – provenance and neo4j
Family tree of data – provenance and neo4jFamily tree of data – provenance and neo4j
Family tree of data – provenance and neo4jM. David Allen
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxmccormicknadine86
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerJerome J. Penna
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5sixdub
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...DataScienceConferenc1
 
Feature store: Solving anti-patterns in ML-systems
Feature store: Solving anti-patterns in ML-systemsFeature store: Solving anti-patterns in ML-systems
Feature store: Solving anti-patterns in ML-systemsAndrzej Michałowski
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stackMinhaz A V
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Storage Challenges for Production Machine Learning
Storage Challenges for Production Machine LearningStorage Challenges for Production Machine Learning
Storage Challenges for Production Machine LearningNisha Talagala
 
Bringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine LearningBringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine LearningBobby Filar
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?Gabe Akisanmi
 
No more Three Tier - A path to a better code for Cloud and Azure
No more Three Tier - A path to a better code for Cloud and AzureNo more Three Tier - A path to a better code for Cloud and Azure
No more Three Tier - A path to a better code for Cloud and AzureMarco Parenzan
 

Similar to Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Learning (20)

BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision Security
 
Fully Integrated Defense Operation
Fully Integrated Defense OperationFully Integrated Defense Operation
Fully Integrated Defense Operation
 
Family tree of data – provenance and neo4j
Family tree of data – provenance and neo4jFamily tree of data – provenance and neo4j
Family tree of data – provenance and neo4j
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL Server
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
 
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...
[DSC Europe 23][AI:CSI] Goran Gvozden Improving Cybersecurity Posture with an...
 
Feature store: Solving anti-patterns in ML-systems
Feature store: Solving anti-patterns in ML-systemsFeature store: Solving anti-patterns in ML-systems
Feature store: Solving anti-patterns in ML-systems
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stack
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Storage Challenges for Production Machine Learning
Storage Challenges for Production Machine LearningStorage Challenges for Production Machine Learning
Storage Challenges for Production Machine Learning
 
Bringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine LearningBringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine Learning
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?
 
No more Three Tier - A path to a better code for Cloud and Azure
No more Three Tier - A path to a better code for Cloud and AzureNo more Three Tier - A path to a better code for Cloud and Azure
No more Three Tier - A path to a better code for Cloud and Azure
 

More from Will Schroeder

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseWill Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with PythonWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 

More from Will Schroeder (20)

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 

Recently uploaded

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Recently uploaded (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Learning

  • 1. Bridging Offensive Operations and Machine Learning The Data Dilemma
  • 6. Offensive Machine Learning “Application of machine learning to offensive problems.” - Will Pearce (@moo_hax / @dreadnode) Automating Phishing Sandbox Detection RAG On Stolen Docs File Share Mining Better Password Guessing EDR Evasion Tradecraft Suggestions Evading WAFs Password Detection
  • 7. Adversarial Machine Learning “Subdiscipline that specifically attacks ML algorithms.” - Will Pearce (@moo_hax / @dreadnode) Extraction Evasion Inversion Inference Poisoning
  • 9. Red Team Challenges Tradecraft is difficult to scale Offensive data and tooling is not unified File and tool output triage is tedious and inconsistent
  • 10. • File/data triage is one of the most common tasks in offensive operations, but it’s (usually) been heavily manual • Automated workflows for this type of task just haven’t existed (until recently) 1 Red Team Challenges Manual Triage
  • 13. 2 Red Team Challenges Tooling Issues • Offensive tools weren’t built to interop • Tooling to get the data we want might not even exist on the offensive side! • We (now) often have to fight defensive products to get the data we want…
  • 14. Red Team Challenges Data Issues • Offensive data (like tools) is mostly unstructured • Offensive data (like tools) often also doesn’t interop well • We also often have heavy data sensitivity/retention issues 3
  • 15. 4 Red Team Challenges Scaling Tradecraft • All operators are not equivalently skilled! • “Scaling tradecraft” today == writing articles in Confluence/Notion/etc. • We don’t even have a way to effectively scale tradecraft across teams, much less the industry as a whole
  • 16.
  • 18. • It is significantly easier to gather large data sets on the defensive side than the offensive side • Outside of sharing malware, most organizations keep this data to themselves - this produces a lot of asymmetry • Sidenote: metadata vs full data… A Defensive View on Data
  • 19. Differences in Scale • Defense deals with data scales several orders of magnitude larger than offense • Because of the scale difference + the base rate issue, defense has to be right nearly 100% of the time! • Offense only has to be mostly right most/some of the time, and is significantly more tolerant of false positives and negatives
  • 20. The Base Rate Fallacy https://en.wikipedia.org/wiki/Base_rate_fallacy
  • 22. Offensive Data Collection Challenges Batch vs Incremental Ingestion Information Compression • We want to collect data from multiple sources like C2 + raw data + etc. • This presents a significant modeling challenge as you can't know when data is “complete” • Abstractions built from multiple sources • Historically, offensive tools have done a lot of processing on the host itself and returned relevant “interesting” information • Since all data is not returned, the information is essentially “compressed” and data is lost • Collecting/analyzing the raw data instead supports automation and researching new attack paths Example: Windows services are derived from registry keys
  • 23. • Offensive-focused data models exist solely in isolation (BloodHound, etc.) • A unified offensive data model is very, very hard, partially due to tool diversity and lack of interop • We’re (slowly) trying to work towards a unified model with Nemesis Offensive Data Modelling Challenges
  • 25. Lack of Dual-Domain Experts • There are very few true experts versed in both information security and machine learning • Except these two (and maybe a few others): @dreadnode
  • 26. Lack of Relevant Data Sets Existing public security data sets have traditionally been… largely terrible. We have the class imbalance problem, the privacy problem, and the defensive close-hold problem for why good data hasn’t been released No one releases high-quality, timely, realistic, security data! …but why would they?
  • 28. The Privacy Problem Would you trust OpenAI or another provider with a client’s domain admin password? Based on client contracts/compliance, are you even allowed to if you wanted to?
  • 29. Revelation: Synthetic Data Good quality, labeled data has almost always been the most common factor holding us back offensively. Large state-of-the-art models can be used to generate high quality synthetic data that we can use to fine tune smaller models (one reason local models have become so good!) However, the distribution for generated synthetic data can, at least in some cases, differ from the distribute of the real-world data it’s mimicking, so this isn’t a silver bullet
  • 30. Why We Can’t Release Models This all comes down to the inversion adversarial ML attack
  • 31. Lack of Security-Focused Models • There are only a handful of cybersecurity-focused models (e.g., cyBERT) • This is starting to change with local model fine-tunes on Huggingface…
  • 32. 5
  • 33. A centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data. VISION
  • 34.
  • 37. Offensive Analysis We want to automate away level 1 analysis (the boring/tedious tasks) and perform as much “offline” analysis on raw data as possible This approach permits analyzing relationships between (previously) disparate data sources to accomplish things that used to require manual analysis A goal is to provide operator feedback and suggestions based on collected/analyzed data (this is where LLM integration can come in!)
  • 38. Demo
  • 40. But why does this matter…?
  • 41. It's not just what Nemesis does, it’s what it will allow us to do! This is a (possible) paradigm shift for red teams towards offensive data unification and off-host data processing that offers numerous advantages.
  • 42. Advantages Centrally update operator analysis workflows Enrichments/analytics added exists in perpetuity for ALL operators on ALL operations Offline processing allows for retroactive analysis of data Minimizes footprint of offensive tooling on endpoints Collected structured/unstructured data can guide future research and automation