Download to read offline
![EX: Coordinated attack ticket
"AttackType": "Advanced Persistent Threat (APT)",
"Severity": "Critical",
"Description": "A sophisticated and prolonged APT attack targeting the company’s financial systems, involving
multiple tactics and spanning over a month.",
"IndicatorsOfCompromise": {
"IPAddresses": ["192.168.100.100", "192.168.200.200"],
"Domains": ["badactor.com", "malicious.net"],
"FileNames": ["trojan1.exe", "ransomware_v2.dll"],
"Hashes": {
"MD5": "e99a18c428cb38d5f260853678922e03",
"SHA-256": "5d41402abc4b2a76b9719d911017c592"](https://image.slidesharecdn.com/connectingthedots-masteringalertcorrelationforproactivedefenseinthecloud-250108090427-0bbe4ea5/75/Connecting-the-Dots-Mastering-Alert-Correlation-for-Proactive-Defense-in-the-Cloud-53-2048.jpg)
![EX: Coordinated attack ticket - cont’d
"AffectedSystemsUsers": [
"Financial systems servers", "150+ user workstations", "Executive email accounts"],
"TimelineOfEvents": [ {
"DateTime": "2023-07-01 09:00 AM",
"Event": "Initial breach via spear-phishing email to CFO.",
"Source": "Email gateway logs",
"Tactic": "Social engineering"}, {
"DateTime": "2023-07-03 10:15 AM",
"Event": "Installation of a remote access trojan (RAT).",
"Source": "Endpoint detection and response (EDR) system",
"Tactic": "Malware deployment"
},](https://image.slidesharecdn.com/connectingthedots-masteringalertcorrelationforproactivedefenseinthecloud-250108090427-0bbe4ea5/75/Connecting-the-Dots-Mastering-Alert-Correlation-for-Proactive-Defense-in-the-Cloud-54-2048.jpg)
![EX: Coordinated attack ticket -cont’d-cont’d-cont’d-cont’d-cont’d
"MitigationActions": [ "Isolated compromised systems and removed malware.", "Reset passwords for all
affected accounts.", "Implemented multi-factor authentication (MFA) for critical systems.", "Applied security
patches and updated firewall rules.", "Conducted a company-wide security awareness training.",
"LessonsLearned": [
"Importance of regular phishing awareness training.",
"Need for robust endpoint protection and monitoring.",
"Criticality of having a comprehensive incident response plan."
],
"Comments": "Incident report and recommendations shared with executive management and board of
directors. Ongoing monitoring to ensure no further malicious activity.",
"Status": "Closed"
}](https://image.slidesharecdn.com/connectingthedots-masteringalertcorrelationforproactivedefenseinthecloud-250108090427-0bbe4ea5/75/Connecting-the-Dots-Mastering-Alert-Correlation-for-Proactive-Defense-in-the-Cloud-58-2048.jpg)
Uploaded byCloud Village
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in the Cloud
The document discusses the complexities of cybersecurity incidents, emphasizing the need for effective attack detection amidst a high volume of daily alerts and a myriad of tools used by security teams. It introduces a structured approach to correlating logs and events using MITRE ATT&CK frameworks, facilitating the identification of attack chains and improving incident response. Case studies illustrate various attack types, including phishing, ransomware, and coordinated threats, detailing their progression and the lessons learned from these incidents.
More Related Content
Similar to Connecting the Dots - Mastering Alert Correlation for Proactive Defense in the Cloud
![[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...](https://cdn.slidesharecdn.com/ss_thumbnails/russrogerscb20-210112130458-thumbnail.jpg?width=640&height=640&fit=bounds)
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in the Cloud
- 1. Context is allyou need What alerts, events & logs are relevant to each other?
- 2. Agenda 1. Whoami 2. MacroChallenges a. Attack Complexity b. Data Volume 3. Analysis Challenges a. False Positives b. Coordinated Attacks 4. ATT&CK 5. Automate the What - When - Who investigations with models a. Models in NLP, Clustering , Chaining 6. Examples 7. QA
- 3. Ezz Tahoun Cyber DataScientist Cofounder @ Cypienta.com UW CS PhD Dropout, MMATH, BENG, Adj Professor GIAC Advisory Board (GIACx3), CISM, aCCISO, CRISC, PMP GCIH, CEH, GSEC, GFACT, GCP Cloud Professional Architect, X-RBC, X-OrangeCyberDefense, X-Huawei, X-Forescout Yale, Princeton, Northwestern, Microsoft, PIA, Trustwave, CCCS
- 4.
- 5. ONLY 9% OF ATTACKSGENERATE ALERTS (MANDIANT) ATTACKS ARE SO STEALTHY
- 6. +11,000 Alerts/Day RECEIVED BYSECURITY TEAMS (FORRESTER) YET, ON AVERAGE
- 7. 130 Tools IN USEBY SECURITY TEAMS (PALO ALTO NETWORKS) AND WITH UP TO
- 8. bloated & ineffective INFACE OF RAPIDLY EVOLVING ADVERSARIES THERE IS NO DOUBT, ATTACK DETECTION IS
- 9. Our systems todayare less secure than those of the
- 10.
- 13.
- 14.
- 15.
- 16. Lack of Correlation ofseemingly disparate events. Hidden within, are attack kill chains. Surveyed in 2017-2023 (by SANS), security experts blame
- 17.
- 24.
- 27. Spot the killchainprogression! - Step 1: Get relevant MITRE ATT&CK Techniques & Tactics for all events - Step 2: Find events that are highly related to each other and form MITRE ATT&CK FLOWS - Consider all events attributes similarity and time - Consider all entities attributes similarity - PS: Similarity is not shared characteristics but SIMILAR ones Recipe to correlate data and find attacks
- 28. Step 1: Getrelevant MITRE ATT&CK Techniques & Tactics for ALL events
- 29. Step 1: ATT&CKTechnique Detector Model Classify Events with their relevant ATT&CK Techniques
- 33. Step 2: Findevents that are highly related to each other and form MITRE ATT&CK FLOWS
- 34. Step 2: MITREATT&CK FLOW Detector Model Cluster events that are related. Find event clusters that are causal and sequential.
- 41. Tons of disjointedalerts A few actionable attack flows
- 42. Uncover Techniques Correlate Incidents Analyze Relations All IncidentsTargeted Attacks events, alerts, logs MITRE ATT&CK FLOWS Uncover Techniques Correlate Incidents Cluster Events Models
- 47. Efficient scalable flexible COmputing Easy toadapt and maintain CORRelate WELL KNOWN COORDINATED ATTACKS CORRelate NEW ATTACKS w nuances Standalone interoperabl e Analytica l Stories Threat Chaining Rules Clusterin g
- 49. EX: FP Ticket TicketID: FP-20230807-001 Date/Time: 2023-08-07 10:15 AM Reporter: John Doe Source/System: Intrusion Detection System (IDS) Alert ID: IDS-12345 Description: The alert was triggered due to a legitimate internal vulnerability scan. Resolution: Added the internal scan server's IP address to the whitelist. Comments: Confirmed with the network team about the scheduled scan. Status: Closed
- 50. EX: Lone IncidentTicket Ticket ID: INC-20230807-002 Incident Type: Phishing Severity: High Description: Multiple employees reported receiving a suspicious email with a malicious link. Affected Systems/Users: 15 employees in the Sales department. Investigation Details: Analyzed the email headers and confirmed it was a phishing attempt. Identified the IP address of the sender. Mitigation Actions: Blocked the sender's IP address, removed the email from all mailboxes, and informed affected employees to avoid clicking on the link. Comments: No users reported clicking the link. Status: Resolved
- 51. EX: Attack StoryTicket Attack Type: Ransomware Description: A ransomware attack was detected on the company's main file server, encrypting sensitive data and demanding a ransom in Bitcoin. Indicators of Compromise (IOCs): - MD5 Hash: d41d8cd98f00b204e9800998ecf8427e - IP Address: 192.168.1.100 - File Name: ransomware.exe Affected Systems/Users: Main file server and 100+ users. Timeline of Events: - 2023-08-07 01:00 PM: Unusual file activity detected on the main file server. - 2023-08-07 01:15 PM: Ransom note discovered. - 2023-08-07 02:00 PM: Incident reported to the security team.
- 52. EX: Attack StoryTicket - cont’d Investigation Details: Conducted forensic analysis on the affected server, identified the entry point as a phishing email opened by an employee. Mitigation Actions: Isolated the affected server, restored data from backups, applied patches, and conducted a security awareness training for employees. Lessons Learned: Importance of regular backups and employee training on phishing. Comments: Coordinated with law enforcement for further investigation. Status: Closed
- 53. EX: Coordinated attackticket "AttackType": "Advanced Persistent Threat (APT)", "Severity": "Critical", "Description": "A sophisticated and prolonged APT attack targeting the company’s financial systems, involving multiple tactics and spanning over a month.", "IndicatorsOfCompromise": { "IPAddresses": ["192.168.100.100", "192.168.200.200"], "Domains": ["badactor.com", "malicious.net"], "FileNames": ["trojan1.exe", "ransomware_v2.dll"], "Hashes": { "MD5": "e99a18c428cb38d5f260853678922e03", "SHA-256": "5d41402abc4b2a76b9719d911017c592"
- 54. EX: Coordinated attackticket - cont’d "AffectedSystemsUsers": [ "Financial systems servers", "150+ user workstations", "Executive email accounts"], "TimelineOfEvents": [ { "DateTime": "2023-07-01 09:00 AM", "Event": "Initial breach via spear-phishing email to CFO.", "Source": "Email gateway logs", "Tactic": "Social engineering"}, { "DateTime": "2023-07-03 10:15 AM", "Event": "Installation of a remote access trojan (RAT).", "Source": "Endpoint detection and response (EDR) system", "Tactic": "Malware deployment" },
- 55. EX: Coordinated attackticket - cont’d - cont’d "DateTime": "2023-07-05 11:30 AM", "Event": "Unauthorized access to financial database.", "Source": "Database access logs", "Tactic": "Credential theft" "DateTime": "2023-07-10 02:45 PM", "Event": "Data exfiltration detected.", "Source": "Network traffic analysis", "Tactic": "Data exfiltration" "DateTime": "2023-07-12 04:00 PM", "Event": "Lateral movement within the network.", "Source": "Internal network monitoring", "Tactic": "Lateral movement"
- 56. EX: Coordinated attackticket - cont’d - cont’d - cont’d "DateTime": "2023-07-15 09:30 AM", "Event": "Use of legitimate tools for persistence.", "Source": "System process logs", "Tactic": "Living off the land" "DateTime": "2023-07-18 01:00 PM", "Event": "Credential dumping from a compromised admin account.", "Source": "Security information and event management (SIEM) system", "Tactic": "Credential access" "DateTime": "2023-07-20 11:15 AM", "Event": "Privilege escalation on multiple servers.", "Source": "Server audit logs", "Tactic": "Privilege escalation"
- 57. EX: Coordinated attackticket - cont’d - cont’d - cont’d - cont’d "DateTime": "2023-07-25 03:00 PM", "Event": "Ransomware deployed on user workstations.", "Source": "Endpoint antivirus alerts", "Tactic": "Ransomware" "DateTime": "2023-07-27 05:30 PM", "Event": "Communication with C2 server.", "Source": "Firewall logs", "Tactic": "Command and control" "DateTime": "2023-07-30 08:45 AM", "Event": "Secondary data exfiltration attempt.", "Source": "Data Loss Prevention system", "Tactic": "Data exfiltration" "DateTime": "2023-08-05 10:00 AM", "Event": "Discovery of additional backdoors.", "Source": "Comprehensive system scan", "Tactic": "Persistence" "InvestigationDetails": "Conducted thorough forensic analysis on affected systems. Collaborated with third- party cybersecurity experts to analyze malware samples. Monitored network traffic for unusual patterns and identified exfiltration channels. Performed a detailed review of all logs from multiple sources, including SIEM, EDR, firewall, and DLP systems.",
- 58. EX: Coordinated attackticket -cont’d-cont’d-cont’d-cont’d-cont’d "MitigationActions": [ "Isolated compromised systems and removed malware.", "Reset passwords for all affected accounts.", "Implemented multi-factor authentication (MFA) for critical systems.", "Applied security patches and updated firewall rules.", "Conducted a company-wide security awareness training.", "LessonsLearned": [ "Importance of regular phishing awareness training.", "Need for robust endpoint protection and monitoring.", "Criticality of having a comprehensive incident response plan." ], "Comments": "Incident report and recommendations shared with executive management and board of directors. Ongoing monitoring to ensure no further malicious activity.", "Status": "Closed" }
- 59.
Editor's Notes
- #3 My name is Ezz am the cofounder of Cypienta its an ornl backed startup and its the only AI vendor in cyber security, making models for security teams to extract insights and correlations from their data. Bfr that i was part of Royal Bank of Canada, Orange, Forescout, and Huawei threat research and cyber data science efforts. I wrote 19 papers on the topic, and was a phd student in uwaterloo a few years back and also I have too many certificates i dont know why. But yeah essentially dont get fooled by the picture, am a nerd.
- #4 We always think every breach is yhe worst until the next one comes up Lets get a quick poll in. By show of hands who here was ever a victim of a cyber attack. ——?—— alright a few here and there and a couple in the back ——?—— Although we dont like to admit it, most of us have been victims to cyber attacks, I rmmbr i got hacked when I was 13. And since then attackers have really evolved beyond measure.
- #5 Attacks now are actually so stealthy only 9% generate security Alerts
- #6 Yet security teams still do receive more than 11 thousand alerts a day
- #7 And with over a hundred tools in use today by an avg security team
- #8 we are pretty sure attack detection is bloated and ineffective in face of todays adversaries and the main reason is
- #9 Our systems today are actually less secure than those of 50 years ago
- #10 I mean our homes went from simple networks
- #11 to a hyperconnected madness with cloud, work from home, iot, crypto, 5g and more
- #12 our critical infrastructure went from mainly air gapped systems with a few attack surfaces
- #13 to a complicated grid with
- #14 numerous attack paths for the adversary
- #15 And as we increase our technical complexity, attacks will find it easier to hide in the noise and your SOC analysts will be more stressed.
- #16 Every year your analysts agree that lack of correlation of seemingly disparate events is their biggest challenge. Make sense Finding attack chains in 11 thousand alerts a day, is like finding few needles in a haystack.
- #17 So lets try to help them Currently security teams aggregate a bunch of sensors’ alerts and events from all over the organization were talking EDR, NDR, IAM, APPMON, CCTV, Door systems, DNS, Web gateways, proxies, vpns, firewalls, email security and more
- #18 And they query that data for well known sequences of events that indicate a serious attack
- #19 these queries look sth like this which is a sigma rule and they are highly deterministic looking for specific fields and values in this case theyre looking for specific commands in a web request
- #20 for those who dont know sigma rules are rules written in generic format that can easily translate into any query language to run against any database to commoditize threat detection and spur community collaboration, as they’re highly reliant on community based threat intelligence
- #21 Investigation - Splunk Security Content
- #22 notice a small fraction of rules are tagged with mitre attack techniques
- #23 for those that dont know mitre attack is a community driven knowledge base organized in the form of an attack matrix of tactics and techniques techniques are abstractions of attacks such as phishing, and tactics are goals like exfiltration or lateral movement and an attack kill chain involves most tactics to be successful
- #24 if u havent check it out its a treasure trove of knowledge on every attack technique and is very helpful for analysts to work with as it allows them to remain consistent
- #25 it also allows them to map attacks into tactics and stages of a kill chain and see the attack progress through its lifecycle
- #26 attack killchains are mapped to mitre attack flow. If urnt familiar an attack flow is a sequence of attack techniques that follow a certain causality chain and we now have a treasure trove of a bunch of seqeucnes that are well documented and u can search for them in your data using queries and rules
- #27 So we know to detect attacks we need to find their progression through the kill chain and we kinda have the recipie steps to do so seems like we need to get attack techniques for everything as our step 1 then for step2 we find sequences that fit what could be a mitre attack flow probabilistically (essentially causal sequences of incidents)
- #28 align individual alerts and events to cyber-adversary intent Lets dig into step 1 Now we know that a few sensors or some sigma rules will generate a minority of alerts that are tagged with the relevant mitre attack techniques & tactics. We want to tag the majority that aren’t mapped and we also probably want to overwrite those that are already tagged as they are coming from different authors so theyll have a quality and a consistency problem.
- #29 woth our data scientists hats on We start building a classification model for events. It takes alerts and finds relevant attack techniques.
- #30 We gather a humongous corpus of security books, lecture notes and reports feed it to a large language model so that it understands cyber security words and their embeddings compared to each other (like for instance malware and virus are closer than malware and tcp). Then we hire a security analyst for a year to sit down and consistently label a dataset of alerts with their relevant mitre attack techniques and check for quality and consistency in their taggings. Then we take that labelled dataset and we fine tune that model on it. And we end up with a model capable of finding relevant attack techniques for any event.
- #31 we package and test our model As a sagemaker endpoint this way our data is never sent outside our network, and never shared with anyone
- #32 and we see the model nails a few examples tagging the first with system binary execution and the second with phishing it also gets harder ones like drive by compromise and account manipulation
- #33 Second step now is to find events that are highly related and form attack flows
- #34 We keep our data science hats on and we decide This model will cluster related events, and then connect them into chains.
- #35 Automating enrichment tasks like resolving IP addresses to users, identifying vulnerabilities, and determining network context to free up analysts for higher-level investigations and threat containment we put all events now tagged with techniques into a big knowledge graph so that every possible shared attribute is highlighted (such as shared users, ips, countries, vulnerabilities, credentials, user groups, os, etc.) All of the fields a threat hunter would usually write queries for
- #36 Correlating event data from multiple sources, such as network flows, endpoint logs, and application logs, to piece together the root cause, progression, and scope of a cyber-attack. we get an embedding for each of the alerts to figure which are kind closer to each other based on all the attributes, a clustering model gives us alerts that are highly related to each other and share many common attributes, and are also temporally proximate meaning they happened kinda lose enough in yhe time di.ension to each other
- #37 we then find clusters that satisfy the causality and seqeuntiality logic needed for an attack kill chain using a stochastic markov model
- #38 we pkg and test our model with some datasets like the one from communications security establishment canada and canada institue of cyber security
- #39 we get a few attack flows out 2 of them are more than 80% match with ground truth already
- #40 The model turned 24 hundred alerts into 8 chains of less than 20% the magnitude only 5 of which are big enough to be mature kill chains that call for immediate action 2 of which are really big they get inspected first and they happen to match the actual attacks we were looking for in that dataset with more than 80% NMI the rest are actually pretty interesting attack killchains that were missed by the humans that made the dataset but are pretty valid as the network was attacked by bots on the internet during data collection
- #41 And this is the end result architecture with 2 AI models that are able to probabilistically find attack flows in our data we are releasing these models to the public on amazon marketplace to share it with the community and contribute to the detection as code movement
- #42 To recap when u combine both models u get this api that takes ur alerts and events and give u the few flows that are worth looking at probabilistically, so u check those out after u check ur deterministic attack flows as well that have triggered on queries like sigma rules
- #43 input
- #44 agg
- #45 cluster
- #46 flow
- #47 Today, correlation is based on rules so inefficient and very very expensive to run & maintain, that cyber teams don’t use them much. Rules r also not effective if u dont know exctly what ur looking for .. which is where our models SHINE Even better, our models add-on to these existing platforms increasing their efficacy and efficiency, literally allowing us to sell to our “competition”. rules are effective only when u want to piece together a coordinated attack u know exactly how it will look like, which is like 2% of the time. 98% of the time, you dont know how the attack would look like, and thats really where our patented models SHINE. Today, correlation is based on rules so inefficient and expensive to run and maintain, that most cyber teams, including Next Era, try not to use them. To make matters worse, they are effective only when you want to piece together a well-known coordinated attack that was seen before, which is like 2% of the time. 98% of the time, you dont know what are u exactly looking for, and thats where our models, with our strategic ip, SHINE. Our models add-on to the existing platforms increasing their efficacy and efficiency, literally allowing us to sell to our competitors.