Integrating Attack Behavior Intelligence into Logstash Plugins
Agenda
• A day in the life of a Security Analyst
• Writing attack behavior security plugins
  - Why MITRE?
  - Integrating MITRE intelligence into a plugin
  - Other classification techniques
• Pipeline to Pipeline and debug tools
• Demo
• About empow & our contributions
A Day in the Life of a Security Analyst
• Onboarding of new data sources is too slow
• The average security team sees hundreds of alerts per day
• Over 95% are false alerts
• Analysts need to write a correlation rule for each attack, which takes 7-10 minutes each
• Security analysts often triage less than 10% of incoming alerts*
* Source: DarkReading
The Motivation Behind MITRE
• Provide analysts a common and popular security language they can use
• Tactics represent the “why” of an ATT&CK technique: the reason for performing an action
  Examples: Credential Access, Discovery
• Techniques represent the “how”: how an adversary achieves a tactical objective by performing an action
  Example: Dump credentials to gain access to useful credentials
• Techniques may also represent the “what”: what type of information an adversary is after
  Examples: Security Software Discovery, System Network Configuration Discovery
ATT&CK Object Model Relationships
(diagram: How? / Why? / Who? / “The Tools”)
Companies Using MITRE ATT&CK™
Security Alert: What’s the value for the Analyst?
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally

Search for Cause & Identify Effect (diagram: Performer → Victim)
• PAST: Root cause? Spear phishing, Drive by, …
• FUTURE: What next? Brute force, Valid accounts, …
• Who next?
Integrating MITRE intel into the Plugin: Know What to Look For (Proofpoint TAP example)
<33>1 2019-12-11T17:13:07Z - ProofpointTAP - CLKPER [tapclk@21139 clickTime="2019-12-11T17:13:07Z"
threatTime="2019-12-16T11:35:18Z" class="phish" recipient="ljlamkin@ou.edu"
sender="magnus@thorstenn.com" senderIP="40.107.220.74" GUID="zSlyF5mZAoH9cAdocUE701V8cxXWzIyR"
url="https://thorstenn.box.com/s/2yjenq1szqjt5tkowa8bxegesiyqc263"
threatURL="https://threatinsight.proofpoint.com/ad9c1e33-d473-d6e4-190a-63e898072eea/threat/email/...
• Different values within the log provide clues that help determine the technique and tactic
• The event category and url specify that this is a Spearphishing Link, rather than a Spearphishing Attachment or Spearphishing via Service
Integrating MITRE intel into the Plugin (OSSEC example)
Apr 8 17:40:56 shany-ubuntu ossec: Alert Level: 5; Rule: 594 - Registry Integrity Checksum Changed; Location: (Win7) 192.168.22.137->syscheck-registry; classification: ossec,syscheck,; Previous MD5: 'ebf429b416ecc9bf7f891eeff875f9a5'; Current MD5: '64733e46f6a89f934d048af17cac9cf5'; …..; Integrity checksum changed for: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
• A rule name is generally a good indicator for deciphering the technique and tactic
• This specific event is NOT a simple “Modify Registry” technique (Defense Evasion tactic), because the registry key itself guides us towards a more specific technique: Registry Run Keys / Startup Folder (Persistence tactic).
Advanced Enrichment
Malware Alert Log (Trend Micro), as received:
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Description: Malware/Trojan !
After enrichment (ECS normalization + NLP classification):
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally
What if there is NO Data For MITRE Classification?
Alert with no technique/tactic data:
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: ???
• Tactic: ???
• Detection: Found locally
Threat Intelligence Feeds, queried with [Name: TROJ_BAYROB.SM1 ; Hash: 9c18ce5aa22a4c95…]:
Microsoft threat description:
This threat can steal your user-names and passwords. It can arrive on your PC as a malicious spam email attachment.
Checkpoint threat description:
Trojan which gathers passwords and system information or settings… Some versions of this malware collect keystrokes…and spreads via spam mail attachments or malicious websites.
→ Classification: Input capture (diagram labels: Past cause, Future effects)
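The classification logic of the last four slides as one added example (field clues in the Proofpoint and OSSEC logs, ECS-style enrichment fields, and the description-text fallback when an alert carries no technique data); this is not code from empow's plugin repository. It is plain Ruby in the shape of a Logstash `ruby` filter body working on already-parsed events as hashes; the field names, the small technique-to-tactic table, the keyword hints and the sample events are assumptions constructed from the slides.

```ruby
# Added example, not empow's plugin code: ATT&CK technique/tactic enrichment
# for already-parsed events, in the shape of a Logstash `ruby` filter body.
# Events are plain hashes; the field names, the lookup table and the sample
# events are assumptions constructed from the slides.

# Minimal technique => tactic lookup (only the techniques the slides mention).
ATTACK_TACTIC = {
  "Spearphishing Link"                 => "Initial Access",
  "Spearphishing Attachment"           => "Initial Access",
  "Modify Registry"                    => "Defense Evasion",
  "Registry Run Keys / Startup Folder" => "Persistence",
  "Input Capture"                      => "Credential Access",
}.freeze

# Autostart locations under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = %r{\\CurrentVersion\\(Run|RunOnce)\b}i

# Proofpoint TAP: the event class plus a clicked URL distinguishes a
# Spearphishing Link from the attachment variant; other classes are ignored.
def classify_proofpoint(ev)
  return nil unless ev["class"] == "phish"
  ev["url"].to_s.empty? ? "Spearphishing Attachment" : "Spearphishing Link"
end

# OSSEC rule 594 (registry integrity checksum changed): the rule name only says
# "registry was modified"; the key path decides whether this is the more
# specific persistence technique rather than plain Modify Registry.
def classify_ossec(ev)
  return nil unless ev["rule_id"] == "594"
  if ev["registry_path"].to_s =~ RUN_KEY_RE
    "Registry Run Keys / Startup Folder"
  else
    "Modify Registry"
  end
end

# Fallback when the alert carries only a name/hash: classify from the vendor
# threat description fetched from a threat-intel feed. Keyword evidence stands
# in here for the NLP classifier on the slides.
DESCRIPTION_HINTS = {
  "Input Capture" => [/keystrokes?/i, /steal.{0,40}passwords/i, /gathers?\s+passwords/i],
}.freeze

def classify_description(text)
  hit = DESCRIPTION_HINTS.find { |_, pats| pats.any? { |p| text =~ p } }
  hit && hit.first
end

# Dispatch on the producing vendor and write ECS-style threat.* fields.
# Returns the event untouched when nothing can be said.
def enrich(event)
  technique =
    case event["vendor"]
    when "proofpoint" then classify_proofpoint(event)
    when "ossec"      then classify_ossec(event)
    when "trendmicro" then classify_description(event["description"].to_s)
    end
  return event unless technique
  event.merge("threat.technique.name" => technique,
              "threat.tactic.name"    => ATTACK_TACTIC.fetch(technique))
end

# Constructed sample events, modelled on the log lines shown on the slides.
SAMPLE_EVENTS = [
  { "vendor" => "proofpoint", "class" => "phish",
    "url" => "https://example.invalid/s/constructed-link" },
  { "vendor" => "ossec", "rule_id" => "594",
    "registry_path" => 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' },
  { "vendor" => "ossec", "rule_id" => "594",
    "registry_path" => 'HKEY_LOCAL_MACHINE\Software\ExampleVendor\Settings' },
  { "vendor" => "trendmicro", "name" => "TROJ_BAYROB.SM1",
    "description" => "Trojan which gathers passwords and system information. " \
                     "Some versions of this malware collect keystrokes." },
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |ev|
    e = enrich(ev)
    puts "#{ev['vendor']}: #{e['threat.technique.name'] || '-'} / #{e['threat.tactic.name'] || '-'}"
  end
end
```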
Security Logs Logstash Plugins Open Source Repository
• Parsing and analyzing logs may become quite a Sisyphean task
• Each vendor has its own log format
• Each log contains different values and fields
• Extracting and normalizing these values may require a lot of effort and expertise
• empow’s plugin repository is an open source project containing a set of Logstash plugins for different products and vendors
• Aligned with the ECS format
• Contains internal and, optionally, external threat-intel-based enrichment
  - Internal – using logic that is part of the parser
  - External – using empow’s classification center (can be used for free with registration)
• Uses the benefits of Logstash pipeline-to-pipeline technology
Pipeline to pipeline
• Introduced in Logstash 6.7
• Makes it easy to write, maintain, and manage a set of LS parsers
  - Each parser has specific functionality that can be reused
  - Changing, updating, adding, or deleting some functionality can be done easily
• empow’s pipeline-to-pipeline structure consists of:
  - Input – receives the logs from the various inputs and dispatches them to the actual per-product parser
  - Per-product parser – analyzes and normalizes the logs
  - Enrichment – optional parser that enriches logs (e.g. with external NLP-based threat intel classification)
  - Output – emits the normalized and analyzed logs
(diagram: Single port → Virtual Input → per-product parsers (Fortinet, Snort, Symantec, Carbon Black) → empow NLP classifier → elastic output)
Pipeline Viewer - Preventing Pipeline-to-Pipeline Misconfigurations
• While using pipeline-to-pipeline technology simplifies parser development, it requires manual configuration
• This may lead to misconfiguration problems which may be difficult to find:
  - Broken pipeline connectivity
  - Cycles
  - Etc.
• empow’s open source pipeline viewer is a simple tool that:
  - Shows the current multi-pipeline structure
  - Detects and displays common configuration problems
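What the pipeline viewer checks, as an added example that is not empow's tool: it pulls the `pipeline { address => ... }` inputs and `pipeline { send_to => [...] }` outputs out of a set of Logstash pipeline configs, builds the pipeline-to-pipeline graph, and reports send_to targets nobody listens on (broken connectivity) and cycles. The pipeline names and configs are constructed to reproduce both problems; the regex extraction assumes the simple quoted form of those two options.

```ruby
# Added example, not empow's pipeline viewer: extract the pipeline-to-pipeline
# graph from Logstash pipeline configs and report the two misconfigurations
# the slide names, broken connectivity and cycles. The configs below are
# constructed and keep only the input/output stanzas that matter.
PIPELINES = {
  "input" => <<~CONF,
    input  { tcp { port => 5514 } }
    output { pipeline { send_to => ["fortinet", "snort", "carbonblack"] } }
  CONF
  "fortinet" => <<~CONF,
    input  { pipeline { address => "fortinet" } }
    output { pipeline { send_to => ["enrich"] } }
  CONF
  "snort" => <<~CONF,
    input  { pipeline { address => "snort" } }
    output { pipeline { send_to => ["enrich"] } }
  CONF
  "enrich" => <<~CONF,
    input  { pipeline { address => "enrich" } }
    output { pipeline { send_to => ["out", "snort"] } }   # "snort" here closes a cycle
  CONF
  "out" => <<~CONF,
    input  { pipeline { address => "out" } }
    output { elasticsearch { hosts => ["http://localhost:9200"] } }
  CONF
}.freeze

# Returns [listeners, sends]: address => pipeline listening on it, and
# pipeline => list of addresses it sends to.
def parse_links(configs)
  listeners = {}
  sends     = {}
  configs.each do |name, conf|
    conf.scan(/address\s*=>\s*"([^"]+)"/).flatten.each { |addr| listeners[addr] = name }
    sends[name] = conf.scan(/send_to\s*=>\s*\[([^\]]*)\]/).flatten
                      .flat_map { |list| list.scan(/"([^"]+)"/).flatten }
  end
  [listeners, sends]
end

# Returns { broken: ["pipeline -> address", ...], cycles: [[p1, ..., p1], ...] }.
def check_pipelines(configs)
  listeners, sends = parse_links(configs)
  broken = sends.flat_map do |pipe, targets|
    targets.reject { |t| listeners.key?(t) }.map { |t| "#{pipe} -> #{t}" }
  end
  # Resolve each address to the pipeline behind it: one edge per delivery path.
  graph = sends.transform_values { |targets| targets.map { |t| listeners[t] }.compact }
  cycles = []
  state  = Hash.new(:white)          # white = unvisited, grey = on the DFS stack
  visit = lambda do |node, path|
    state[node] = :grey
    graph.fetch(node, []).each do |nxt|
      if state[nxt] == :grey         # back edge: the cycle runs from nxt to node
        cycles << (path + [node, nxt]).drop_while { |n| n != nxt }
      elsif state[nxt] == :white
        visit.call(nxt, path + [node])
      end
    end
    state[node] = :black
  end
  graph.each_key { |n| visit.call(n, []) if state[n] == :white }
  { broken: broken, cycles: cycles }
end

if __FILE__ == $PROGRAM_NAME
  report = check_pipelines(PIPELINES)
  report[:broken].each { |b| puts "broken connectivity: #{b} (no pipeline listens on that address)" }
  report[:cycles].each { |c| puts "cycle: #{c.join(' -> ')}" }
  puts "no problems found" if report.values.all?(&:empty?)
end
```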
Demo
About empow
• Headquarters: Boston
• Founded: 2014
• R&D center: Tel Aviv
• Patents issued: 9 (6 pending)
• i-SIEM – AI based SIEM which requires LESS THAN ONE security analyst to manage
• Only SIEM in a commercial partnership with leading data search company
What our customers say:
“Over the course of my 23 years in cyber security I have recommended very, very few products, but trust me, you will be impressed with this team.”
– Dannie Combs, CISO, Donnelley Financial Solutions
“empow's Security Platform allowed us to optimize our security coverage, while ensuring privacy and extending visibility of what is happening in our network.”
– Michail Bletsas, Director of Network & Computing Systems, MIT Media Lab
Our Open Source Contributions
• LS logs plugins repo
• Kibana dashboard per device logs
• Pipeline viewer
• Plugin extension into empow’s threat classification center (w/ free subscription)
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins

Agenda
• A day in the life of a Security Analyst
• Writing attack behavior security plugins
  - Why MITRE?
  - Integrating MITRE intelligence into a plugin
  - Other classification techniques
• Pipeline to Pipeline and debug tools
• Demo
• About empow & our contributions
A Day in the Life of a Security Analyst
• Onboarding of new data sources is too slow
• The average security team sees hundreds of alerts per day
• Over 95% are false alerts
• Analysts need to write a correlation rule for each attack, which takes 7-10 minutes each
• Security analysts often triage less than 10% of incoming alerts*
* DarkReading
The Motivation Behind MITRE
• Provide analysts a common and popular security language they can use
• Tactics represent the “why” of an ATT&CK technique, the reason for performing an action
  Examples: Credential Access, Discovery
• Techniques represent the “how”: how an adversary achieves a tactical objective by performing an action
  Example: Dump credentials to gain access to useful credentials
• Techniques may also represent the “what”: what type of information an adversary is after
  Examples: Security Software Discovery, System Network Configuration Discovery
ATT&CK Object Model Relationships (diagram: How? / Why? / Who? / “The Tools”)
Security Alert: What’s the value for the Analyst?
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally
Search for Cause & Identify Effect (diagram: Performer / Victim)
• PAST, root cause? Spear phishing, Drive by, …
• FUTURE, what next? Who next? Brute force, Valid accounts, …
Know What to Look For
Integrating MITRE intel into The Plugin
<33>1 2019-12-11T17:13:07Z - ProofpointTAP - CLKPER [tapclk@21139 clickTime="2019-12-11T17:13:07Z" threatTime="2019-12-16T11:35:18Z" class="phish" recipient="ljlamkin@ou.edu" sender="magnus@thorstenn.com" senderIP="40.107.220.74" GUID="zSlyF5mZAoH9cAdocUE701V8cxXWzIyR" url="https://thorstenn.box.com/s/2yjenq1szqjt5tkowa8bxegesiyqc263" threatURL="https://threatinsight.proofpoint.com/ad9c1e33-d473-d6e4-190a-63e898072eea/threat/email/...
• Different values within the log provide clues that help determine the technique and tactic
• The event category and the URL indicate that this is a Spearphishing Link, rather than a Spearphishing Attachment or Spearphishing via Service
Integrating MITRE intel into The Plugin
Apr 8 17:40:56 shany-ubuntu ossec: Alert Level: 5; Rule: 594 - Registry Integrity Checksum Changed; Location: (Win7) 192.168.22.137->syscheck-registry; classification: ossec,syscheck,; Previous MD5: 'ebf429b416ecc9bf7f891eeff875f9a5'; Current MD5: '64733e46f6a89f934d048af17cac9cf5'; …..; Integrity checksum changed for: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• A rule name is generally a good indicator for deciphering the technique and tactic
• This specific event is NOT a simple “Modify Registry” technique (Defense Evasion tactic), because the registry key itself points to a more specific technique: Registry Run Keys / Startup Folder (Persistence tactic).
What if there is NO Data for MITRE Classification?
Malware Alert Log (Trend Micro):
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Description: Malware/Trojan
The log alone gives the alert no technique or tactic:
• Technique: ???
• Tactic: ???
• Detection: Found locally
Threat Intelligence Feeds, queried with [Name: TROJ_BAYROB.SM1 ; Hash: 9c18ce5aa22a4c95…]:
• Microsoft threat description: This threat can steal your user-names and passwords. It can arrive on your PC as a malicious spam email attachment.
• Checkpoint threat description: Trojan which gathers passwords and system information or settings… Some versions of this malware collect keystrokes… and spreads via spam mail attachments or malicious websites.
Advanced Enrichment (ECS, NLP Classification) classifies the descriptions as Input capture:
• Name: TROJ_BAYROB.SM1
• Hash: 9c18ce5aa22a4c95…
• Technique: Input capture
• Tactic: Credential access
• Detection: Found locally
(diagram: Past cause / Future effects)
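The reasoning of the three slides above (Proofpoint TAP click, OSSEC registry alert, and the fallback to external enrichment when the log carries no clue), as an added Ruby example; this is not empow's plugin code, and the event field names, the product labels and the sample events are assumptions constructed for illustration.

```ruby
# Added example (not empow's plugin code): the technique/tactic mapping the
# slides describe, as a method a Logstash `ruby` filter could call on a
# parsed event. Field names and sample events below are assumptions.

# Matches the Run key with or without backslashes (forwarders often strip them).
RUN_KEY = %r{Software\\?Microsoft\\?Windows\\?CurrentVersion\\?Run}i
# Pulls rule id, rule name and the changed registry key out of an OSSEC alert.
OSSEC_RE = /Rule: (?<rule_id>\d+) - (?<rule_name>[^;]+);.*Integrity checksum changed for: '\s*(?<key>[^']+)/

# Returns {"technique"=>..., "tactic"=>...}, or nil when the log has no clue.
# Technique names follow ATT&CK v6 (2019), the naming used in the deck.
def classify_mitre(event)
  case event["product"]
  when "proofpoint_tap"
    # class=phish plus a clicked URL: Spearphishing Link, not Attachment
    # or via Service.
    if event["class"] == "phish" && !event["url"].to_s.empty?
      { "technique" => "Spearphishing Link", "tactic" => "Initial Access" }
    end
  when "ossec"
    m = OSSEC_RE.match(event["message"].to_s)
    return nil unless m && m[:rule_name].include?("Registry")
    if RUN_KEY.match?(m[:key])
      # The key itself is the stronger signal: persistence via a Run key.
      { "technique" => "Registry Run Keys / Startup Folder", "tactic" => "Persistence" }
    else
      { "technique" => "Modify Registry", "tactic" => "Defense Evasion" }
    end
  end
end

# Attaches the classification, or flags the event for external (threat-intel /
# NLP) classification when the log alone is not enough, keying on name + hash.
def enrich(event)
  hit = classify_mitre(event)
  return event.merge("mitre" => hit) if hit
  event.merge("classification_pending" => event.slice("name", "hash"))
end

# Constructed sample events; values are illustrative, not real indicators.
PROOFPOINT_EVENT = { "product" => "proofpoint_tap", "class" => "phish",
                     "url" => "https://example.invalid/s/abc123" }
OSSEC_EVENT = { "product" => "ossec", "message" =>
  "Alert Level: 5; Rule: 594 - Registry Integrity Checksum Changed; " \
  "Integrity checksum changed for: ' HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" }
TREND_EVENT = { "product" => "trendmicro", "name" => "TROJ_EXAMPLE.SM1",
                "hash" => "<hash placeholder>" }
```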
Security Logs → Logstash Plugins → Open source Repository
• Parsing and analyzing logs may become quite a Sisyphean task
  - Each vendor has its own log format
  - Each log contains different values and fields
  - Extracting and normalizing these values may require a lot of effort and expertise
• empow’s plugin repository is an open source project containing a set of Logstash plugins for different products and vendors
  - Aligned with the ECS format
  - Contains internal and, optionally, external threat-intel-based enrichment
    - Internal: using logic that is part of the parser
    - External: using empow’s classification center (can be used for free with registration)
  - Uses the benefits of Logstash pipeline-to-pipeline technology
Pipeline to pipeline
• Introduced in Logstash 6.7
• Makes it easy to write, maintain, and manage a set of LS parsers
  - Each parser has specific functionality that can be reused
  - Changing, updating, adding, or deleting functionality can be done easily
• empow’s pipeline-to-pipeline structure consists of:
  - Input: responsible for receiving the logs from various inputs and dispatching them to the actual per-product parser
  - Per-product parser: responsible for analyzing and normalizing the logs
  - Enrichment: optional parser that enriches logs (e.g. with external NLP-based threat intel classification)
  - Output: responsible for emitting the normalized and analyzed logs
(diagram: Fortinet, Snort, Symantec, Carbon Black → Single port / Virtual Input → empow NLP classifier → elastic output)
Pipeline Viewer - Preventing Pipeline-to-Pipeline Misconfigurations
• While pipeline-to-pipeline technology simplifies parser development, it requires manual configuration
• This may lead to misconfiguration problems which may be difficult to find:
  - Broken pipeline connectivity
  - Cycles
  - Etc.
• empow’s open source pipeline viewer is a simple tool that:
  - Shows the current multi-pipeline structure
  - Detects and shows common configuration problems
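The two misconfiguration checks the slide above names (broken connectivity and cycles), as an added Ruby example that is not empow's pipeline viewer; it assumes the pipeline-to-pipeline layout has already been read out of the pipeline configs into the simple hash shape shown, and the layout itself is constructed.

```ruby
# Added example (not empow's pipeline viewer): broken-link and cycle checks over
# an assumed description of a pipeline-to-pipeline layout, pipeline id =>
# { "listen" => its pipeline-input addresses, "send_to" => its output addresses }.

# Builds edges between pipelines; a send_to address nobody listens on is
# reported as broken (the sender's output would block until it exists).
def pipeline_edges(pipelines)
  owner = {}
  pipelines.each { |id, p| p["listen"].each { |addr| owner[addr] = id } }
  edges = Hash.new { |h, k| h[k] = [] }
  broken = []
  pipelines.each do |id, p|
    p["send_to"].each do |addr|
      owner[addr] ? edges[id] << owner[addr] : broken << [id, addr]
    end
  end
  [edges, broken]
end

# Depth-first search; returns the first cycle found as a list of pipeline ids
# (first id repeated at the end), or nil if the graph is acyclic.
def find_cycle(edges)
  state = {}
  path = []
  visit = lambda do |node|
    return nil if state[node] == :done
    return path[path.index(node)..-1] + [node] if state[node] == :active
    state[node] = :active
    path.push(node)
    edges.fetch(node, []).each { |nxt| c = visit.call(nxt); return c if c }
    path.pop
    state[node] = :done
    nil
  end
  edges.keys.each { |n| c = visit.call(n); return c if c }
  nil
end

def check_pipelines(pipelines)
  edges, broken = pipeline_edges(pipelines)
  { "broken" => broken, "cycle" => find_cycle(edges) }
end

# Constructed layout in the shape the deck shows: input, per-product parsers, enrichment, output.
LAYOUT = {
  "input"      => { "listen" => [],           "send_to" => ["fortinet", "snort"] },
  "fortinet"   => { "listen" => ["fortinet"], "send_to" => ["enrich"] },
  "snort"      => { "listen" => ["snort"],    "send_to" => ["enrich"] },
  "enrichment" => { "listen" => ["enrich"],   "send_to" => ["out"] },
  "output"     => { "listen" => ["out"],      "send_to" => [] }
}
```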
Demo
About empow
• HEADQUARTERS: Boston
• FOUNDED: 2014
• R&D CENTER: Tel Aviv
• 9 PATENTS ISSUED (6 pending)
• i-SIEM: AI based SIEM which requires LESS THAN ONE security analyst to manage
• Only SIEM in a commercial partnership with leading data search company
What our customers say:
“Over the course of my 23 years in cyber security I have recommended very, very few products, but trust me, you will be impressed with this team.” Dannie Combs, CISO, Donnelley Financial Solutions
“empow's Security Platform allowed us to optimize our security coverage, while ensuring privacy and extending visibility of what is happening in our network.” Michail Bletsas, Director of Network & Computing Systems, MIT Media Lab
Our Open Source Contributions
• LS logs plugins repo
• Kibana dashboard per device logs
• Pipeline viewer
• Plugin extension into empow’s threat classification center (w/free subscription)

Editor's Notes

  1. Cause techniques, Effect techniques: based on detection type…