The document discusses using machine learning and group policy objects (GPOs) to automate prevention of ransomware. It describes how machine learning can be used to analyze network traffic patterns to detect ransomware behaviors. Indicators identified through machine learning analysis are then used as input to automatically generate and deploy GPOs across an Active Directory network to block detected ransomware threats in real-time. The approach aims to provide a more targeted and faster response than traditional signature-based antivirus solutions.
Threat hunting involves proactively searching for attacks and security threats within an organization's infrastructure. It is a human-driven process that helps discover breaches early in the attack lifecycle. Effective threat hunting requires collecting various types of endpoint, network, and security data from across the infrastructure and using tools to analyze that data. The threat hunting process involves generating hypotheses based on intelligence, situational awareness, and domain expertise and then systematically testing those hypotheses through the data to identify malicious activity. Key tactics like internal reconnaissance, persistence, command and control, lateral movement, and exfiltration are important for threat hunters to understand how adversaries operate. Formal methods, integrating people and technology, and balancing automated and manual techniques are important
Advances in cloud scale machine learning for cyber-defense
Priyanka Aash
Picking an attacker’s signals out of billions of log events in near real time from petabyte scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session will present the latest frameworks, techniques and the unconventional machine-learning algorithms that Microsoft uses to protect its infrastructure and customers.
(Source: RSA Conference USA 2017)
Sysmon is a Windows system service and tool that monitors process creation and other system events. It provides visibility into process activity through logging process command lines, parent processes, file and network activity. The summary discusses how to deploy Sysmon, collect its logs, and analyze the logs for detections related to abnormal processes, applications, network connections, process injections and loaded drivers. It concludes with discussing rulesets for detections and future work.
Talk from the event "Cybersecurity: a nova era em resposta a incidentes e auditoria de dados" (Cybersecurity: the new era in incident response and data auditing)
Jim Butterworth - Senior Cybersecurity Director, Guidance Software Inc.
Brasília, 4 August 2010
Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis.
Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur.
The Benefits: Increase events-responded-to an estimated 30X over.
Substantially reduce or eliminate damage from breaches.
Create a dramatically more effective and efficient security team.
Maximize current security infrastructure investment.
Be far more confident that your network is actually secure.
OUR DIFFERENTIATORS:
Understands the truth of what is happening on your network.
Detects advanced attacks that have breached perimeter defenses.
Develops a complete, near real-time understanding of suspicious behaviour.
Develops a battleground understanding of your entire security situation.
Augments current security solutions.
Proven speed, scale and effectiveness on the largest, most attacked networks on earth.
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
This document discusses network forensics and packet analysis. It provides an introduction to network forensics methodology and considerations for network-based digital evidence. This includes challenges like volatility, scattering of evidence across multiple sources, and encryption. The document also discusses the scope and role of network forensics, including standards for evidence acquisition, storage, analysis, and forensic readiness. Finally, it provides tips and examples for using Wireshark to analyze network traffic and identify abnormal packets through built-in features and example packet capture files.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on GitHub) and a methodology for hunting on the endpoint using PowerShell across an enterprise or on an individual system.
Network traffic analysis with cyber security
KAMALI PRIYA P
We are students from SRM University pursuing a B.Tech in the Computer Science Department. We took a small initiative to make a PPT about how network traffic can be analyzed through cyber security. We have also mentioned the known network analyzers and the future scope for network traffic analysis with cyber security.
Cloudslam09: Building a Cloud Computing Analysis System for Intrusion Detection
Wei-Yu Chen
In order to handle the huge amount of anomaly information generated by an Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS based on cloud computing techniques, named IDS Cloud Analysis System (ICAS). To achieve this, two basic components have to be designed. The first is the regular parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains a Data Mapper and a Data Reducer. The Data Mapper is designed to anatomize alert messages, and the Data Reducer is used to aggregate and merge them. As a result, this paper shows that the performance of ICAS is suitable for analyzing and reducing large volumes of alerts.
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
Priyanka Aash
Death from a million bugs. Android has become one of the world’s most deployed operating systems. Recently researchers have been focused on uncovering vulnerabilities in the Android smartphone ecosystem. This session will present newly developed automated vulnerability analysis techniques that resulted in the discovery of hundreds of previously unknown vulnerabilities.
Learning Objectives:
1: Learn how to use automated vulnerability analysis to ID security bugs at scale.
2: Learn about state-of-the-art and novel techniques for automated vulnerability analysis.
3: Learn proven techniques to find vulnerabilities in bootloaders, kernel drivers and apps.
(Source: RSA Conference USA 2018)
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their work, offering CISOs and security experts the best insights in information security.
To sign up for more (it's free): www.cisoplatform.com
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
This document discusses techniques for achieving successful automated dynamic analysis of evasive malware through full system emulation. It begins by introducing the speaker and their background in malware research. It then discusses the goals of automated malware analysis, different analysis approaches (such as system call hooking and process emulation), and how full system emulation provides the highest visibility and fidelity while maintaining good performance. The document also covers challenges posed by malware evasion techniques and ways analysis systems can work to bypass triggers and detect stalling code.
"Automated Malware Analysis" by Gabriel Negreira Barbosa, Malware Research an...
SegInfo
This document discusses automated malware analysis techniques used by Dissect || PE. It describes the challenges of processing large volumes of samples from different sources. The system uses a feed server, scheduler, unpackers, dissectors, and kernel driver. Samples are run in virtual machines and real machines. Plugins allow custom analysis. The architecture is scalable and supports community research through shared samples and results.
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
NoNameCon
This document discusses strategies for effective security monitoring and incident response. It outlines a layered defense approach using tools like Sysmon and Splunk to analyze logs from endpoints, networks, and other systems. Specific events and log sources are identified that can help detect attacks by revealing new processes, account logins, file/share access, and other anomalous activity. The document emphasizes preparation, testing incident response plans, and hunting for threats by scrutinizing logs and following forensic trails left by attackers.
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Dan Gunter
Summary of Goals, Progress, and Next steps for these three aspects of the Materials Project (materialsproject.org) infrastructure
* Validation: constantly guard against bugs in core data and imported data
* Provenance: know how data came to be
* Sandboxes: combine public and non-public data; "good fences make good neighbors"
Presenter: Dan Gunter, LBNL
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
Charles Lim presented on malware analysis at a conference in Yogyakarta, Indonesia. He discussed various techniques for analyzing malware, including static analysis of program code and files, dynamic analysis by executing programs in sandboxes or virtual machines, and memory analysis of running processes. He also provided a case study of analyzing a malware infection that caused a denial of service attack through traffic flooding. Future challenges in malware analysis include dealing with packed or encrypted malware, evasive malware that uses anti-analysis techniques, and continuing to improve analysis through machine learning.
Penetration testing involves assessing an organization's security processes and vulnerabilities by simulating real-world attacks. This is done through methodologies like OSSTMM and standards like CIS guides and ISO 2700x. The goals are to estimate security, gain unauthorized access to systems, and access certain information/data. Approaches include perimeter, wireless, and internal testing from user workstations or network segments. Real attacks aim to hack, while penetration testing is legal and aims to help organizations. Common tools used include Nmap, Metasploit, Cain & Abel, Aircrack, and browser/notepad. Examples demonstrated password cracking, SQL injection exploitation, and privilege escalation in Active Directory. Wireless, social engineering,
How to Hunt for Lateral Movement on Your Network
Sqrrl
The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.
Analysis Of Adversarial Code - The Role of Malware Kits
Rahul Mohandas
The document discusses malware kits and their role in malicious cyber attacks. Malware kits allow automatic installation of malware by exploiting system vulnerabilities. They are regularly updated and sold commercially. Popular kits like MPack and IcePack use obfuscation techniques and browser exploits to infect users through websites and emails. The document analyzes specific malware kits and browser and file format vulnerabilities exploited by them.
Zmap fast internet wide scanning and its security applications
losalamos
Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine,
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
Detecting Hacks: Anomaly Detection on Networking Data
James Sirota
See https://medium.com/@jamessirota for a series of blog entries that goes with this deck...
Defense in Depth for Big Data
Network Anomaly Detection Overview
Volume Anomaly Detection
Feature Anomaly Detection
Model Architecture
Deployment on OpenSOC Platform
Questions
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk
This document provides information about detecting various web attacks and lateral movement in a Splunk environment. It includes examples of searches to detect SQL injection and pass the hash attacks in event data, as well as how to identify lateral movement by analyzing changes in network traffic patterns. DNS exfiltration techniques are also discussed, along with using Shannon entropy and subdomain length to identify potential data exfiltration in DNS query logs.
Lateral Movement: How attackers quietly traverse your Network
EC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
This document provides an index of topics about a city, including its geographical situation in southern Great Britain, its flag consisting of blue, red, and white colors, and mentions habitats, surface area, districts, currency, mayor, museums, typical food, and important places to visit.
This document discusses distributed denial of service (DDoS) attacks, noting that Akamai has over 27 years of experience defending against DDoS attacks, mitigates 10-15 attacks per day, and mitigated the largest attack of Q3 2014, which peaked at 320 Gbps. The document also provides statistics on the types of DDoS attacks seen in Q1 and Q3 2014, and recommends preparing comprehensive mitigation strategies and extending security perimeters to protect against increasing attacks.
This document discusses distributed denial of service (DDoS) attacks, including that Akamai has over 27 years of experience defending against DDoS attacks, mitigates over 10-15 attacks per day, and mitigated the largest attack in Q3 2014 which was 320Gbps. The document also provides statistics on the types of DDoS attacks seen in Q1 and Q3 2014, and recommends preparing comprehensive mitigation strategies and extending security perimeters to protect against increasing attacks.
Over the last few months, there has been tremendous growth in the number of ransomware attacks in the wild. What was once an attack technique aimed at susceptible individual users can now infiltrate advanced enterprise networks as well. In this presentation, you will learn how ransomware attacks propagate and what steps your organization can take to prevent them.
This document discusses using machine learning to detect ransomware through analyzing microbehaviors rather than static signatures. It introduces the concept of using machine learning for cybersecurity and labeling data to help algorithms learn. The document then discusses modeling ransomware behaviors like file system modifications and callbacks. It outlines a plan to take labeled exploit and benign traffic data, extract microbehaviors, use machine learning to detect anomalies, and generate indicators of compromise.
This document summarizes information about Hepatitis A, B, C, D, and E viruses. It discusses their causative agents and characteristics, modes of transmission, clinical manifestations and phases of infection, diagnosis, treatment, prevention, and specific details about Hepatitis A and B viruses. Key points covered include that Hepatitis A and E viruses are transmitted via the fecal-oral route while Hepatitis B, C, and D are transmitted parenterally. It provides details on the incubation periods, symptoms, laboratory tests, and clinical courses of acute Hepatitis A infection. Prevention strategies like immunoglobulin and vaccination are summarized. Risk factors, transmission routes, and importance of screening blood products for Hepatitis B are also highlighted.
Brent Homan is a professional bass fisherman who has been featured in Bassmaster Magazine and on Bassmaster.com multiple times in 2015, gaining an estimated 21 million impressions. He served 12 years in the U.S. Army until being medically retired after sustaining injuries from an IED explosion in Iraq in 2007. Since then, he has pursued his passion for fishing professionally while advocating for wounded veterans.
This document discusses ransomware, including its impact, evolution, and prevention. It defines ransomware as malicious software that blocks access to a computer system until a ransom is paid. There are two main types: locker ransomware which locks the system, and crypto ransomware which encrypts files. The document then discusses how ransomware enters systems, how it executes once inside, examples of ransomware strains, and defensive measures like backups and training users.
Digital Mitford: Mitford Annotation Toolericazimmer
Presents work-in-progress of Digital Mitford: The Mary Russell Mitford Archive to develop an XQuery-based tool for dynamic, corpus-based annotation in TEI-encoded archives.
#FlipMyFunnel Atlanta 2016 - Bill Kent & Troy O'Bryan - What's Working With A...#FlipMyFunnel
This document discusses strategies for account-based marketing (ABM) content and engagement. It provides examples of personalized assessments that can be used to start conversations with target accounts, highlighting problems the accounts may face and customizing the discussion based on each account's profile. It also outlines principles for creating irresistible content, such as focusing on market problems and emotional drivers, personalizing engagement after initial responses, and iterating content based on measurement.
The document describes a travel agency management system that offers the following key features:
- Integrated travel agents located directly in companies to make reservations and issue tickets.
- An electronic booking system that is IATA approved along with state-of-the-art technology.
- Dedicated and bilingual staff that provide personalized service and account management for corporate travel needs.
- One-stop shopping for all travel arrangements along with corporate agreements with airlines.
Designed for Administrators, this course shows you how to set up your data collection according to your organization’s data sources. Best practices around deployment options ensure you choose a deployment that scales as your organization grows. Because metadata is so important to a healthy environment, learn how to design and set up a naming convention that works best for your teams. Use Chef, Puppet or the likes? Learn how to automate your deployment. Test your deployment with simple searches, and learn to take advantage of optimization tools that can help you stay on top of your deployment.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
APNIC Senior Network Analyst/Technical Trainer Warren Finch presents on packet analysis for network security at the MMIX Peering Forum and MMNOG 2020 in Yangon, Myanmar, from 13 to 17 January 2020.
Cisco Automation with Puppet and onePK - PuppetConf 2013Puppet
"Cisco Automation with Puppet and onePK" by Jason Pfeifer Technical Marketing Engineer, Cisco.
Presentation Overview: This session will provide an overview of the cisco developed puppet functionality for management and configuration of Cisco devices.
Speaker Bio: Jason is a Cisco Technical Marketing Engineer focusing on programmability and automation of Cisco network devices. He is currently supporting, discussing, evangelizing, and writing applications against Cisco's onePK SDK. He also has a long term love affair with Cisco's Embedded Event Manager.
The document discusses the Meterpreter payload and its advantages over traditional command shells. Meterpreter runs by injecting itself into vulnerable processes, allowing it to avoid detection. It has a full command shell and extensions that allow flexible post-exploitation activities like privilege escalation and maintaining stealth. Meterpreter commands demonstrated include keylogging, packet sniffing, and modifying file timestamps to evade forensic analysis.
This document discusses tools and services for data intensive research in the cloud. It describes several initiatives by the eXtreme Computing Group at Microsoft Research related to cloud computing, multicore computing, quantum computing, security and cryptography, and engaging with research partners. It notes that the nature of scientific computing is changing to be more data-driven and exploratory. Commercial clouds are important for research as they allow researchers to start work quickly without lengthy installation and setup times. The document discusses how economics has driven improvements in computing technologies and how this will continue to impact research computing infrastructure. It also summarizes several Microsoft technologies for data intensive computing including Dryad, LINQ, and Complex Event Processing.
Catch Me If You Can - Finding APTs in your networkDefCamp
Adrian Tudor & Leo Neagu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Get Certified as a Sumo Power User!
Video: Video: https://www.sumologic.com/online-training/#Start
Designed for users, this series deep-dives into every aspect of analyzing your data. Run as a "how-to" webinar, this session walks viewers through data searching, filtering, parsing, and advanced analytics. This series concludes with "how to"details to create dashboards and alerts to monitor your data and get Sumo Logic to work for you.
The document discusses the FOIS DBA team and their responsibilities in maintaining the FOIS setup. The 12 member team manages a complex infrastructure including Oracle databases, Tuxedo and Weblogic application servers, and hardware including Exadata, HP servers, and storage arrays. The team is responsible for installation, configuration, security, backups, disaster recovery and monitoring of the infrastructure to keep FOIS running continuously. Best practices for the databases, operating systems, application servers and backups are also outlined.
This document provides an overview of information gathering and vulnerability scanning techniques for the CompTIA Pentest+ certification. It discusses the importance of gathering both technical and people information about the target. It covers passive information gathering techniques like searching public databases and active techniques like port scanning and website crawling. The document demonstrates tools for discovering domains, IP addresses, ports, services and technical details through techniques like DNS queries, Nmap scanning, and using search engines and Shodan. It emphasizes using both passive and active approaches to fully map the target environment.
Security Delivery Platform: Best practicesMihajlo Prerad
Security Delivery Platform: Best practices
The traditional Security model was one that operated under simple assumptions. Those assumptions led to deployment models which in todays’ world of cyber security have been proven to be quite vulnerable and inadequate to growing amount and diversity of threats.
A Security Delivery Platform addresses the above considerations and provides a powerful solution for deploying a diverse set of security solutions, as well as scaling each security solution beyond traditional deployments. Such platform delivers visibility into the lateral movement of malware, accelerate the detection of ex-filtration activity, and could significantly reduce the overhead, complexity and costs associated with such security deployments.
In today’s world of industrialized and well-organized cyber threats, it is no longer sufficient to focus on the security applications exclusively. Focusing on how those solutions get deployed together and how they get consistent access to relevant data is a critical piece of the solution. A Security Delivery Platform in this sense is a foundational building block of any cyber security strategy.
Webinar: https://www.sumologic.com/online-training/#SettingUpSumo
Designed for Administrators, this course shows you how to set up your data collection according to your organization’s data sources. Best practices around deployment options ensure you choose a deployment that scales as your organization grows. Because metadata is so important to a healthy environment, learn how to design and set up a naming convention that works best for your teams. Use Chef, Puppet or the likes? Learn how to automate your deployment. Test your deployment with simple searches, and learn to take advantage of optimization tools that can help you stay on top of your deployment.
Distributed Systems: How to connect your real-time applicationsJaime Martin Losa
This document provides an overview of distributed systems and how to connect real-time applications using the Data Distribution Service (DDS) standard. It introduces DDS and its architecture, including topics, instances, keys, quality of service policies. It then demonstrates how to create a basic "hello world" publisher/subscriber example in both eProsima Fast RTPS and RTI Connext DDS middleware in 3 steps: defining the data type, generating code, and building/running the publisher and subscriber.
Webinar: https://www.sumologic.com/online-training/#SettingUpSumo
Designed for Administrators, this course shows you how to set up your data collection according to your organization’s data sources. Best practices around deployment options ensure you choose a deployment that scales as your organization grows. Because metadata is so important to a healthy environment, learn how to design and set up a naming convention that works best for your teams. Use Chef, Puppet or the likes? Learn how to automate your deployment. Test your deployment with simple searches, and learn to take advantage of optimization tools that can help you stay on top of your deployment.
Using Tetration for application security and policy enforcement in multi-vend...Joel W. King
Network engineers increasingly must view the network as one big software system, which streams telemetry data from software sensors and network devices to an analytics engine.
To implement the whitelist-based segmentation and zero-trust policy model generated from the data analysis, automation is a requirement when dealing with tens of thousands of workloads and complex rules.
This session examines how Cisco Tetration Analytics combined with automation can be used to implement a zero-trust policy model on multi-vendor network fabrics, firewalls and application delivery controllers.
Wire data provides deep insights across IT, security and business use cases by capturing the communications transmitted over the wire between machines and applications in real-time. The Splunk App for Stream enables new operational intelligence by indexing this wire data without needing instrumentation. It provides enhanced visibility, efficient cloud-ready collection, and fast time to value through interface-driven deployment. Key features include protocol decoding, attribute filtering, aggregations, and custom content extraction for analysis in Splunk.
Application of Machine Learning in CybersecurityPratap Dangeti
The document discusses applying machine learning techniques in cybersecurity. It provides examples of using ML for automatic intrusion detection, including phishing URL detection, malware detection, network behavior anomaly detection, and insider threat detection. Additional applications covered include assessing password strength and using deep steganography for encrypting messages. The document references several datasets and outlines the machine learning workflow and evaluation metrics for each application.
Distributed Trace & Log Analysis using MLJorge Cardoso
The field of AIOps, also known as Artificial Intelligence for IT Operations, uses advanced technologies to dramatically improve the monitoring, operation, and troubleshooting of distributed systems. Its main premise is that operations can be automated using monitoring data to reduce the workload of operators (e.g., SREs or production engineers). Our current research explores how AIOps – and many related fields such as deep learning, machine learning, distributed traces, graph analysis, time-series analysis, sequence analysis, advanced statistics, NLP and log analysis – can be explored to effectively detect, localize, predict, and remediate failures in large-scale cloud infrastructures (>50 regions and AZs) by analyzing service management data (e.g., distributed traces, logs, events, alerts, metrics). In particular, this talk will describe how a particular monitoring data structure, called distributed traces, can be analyzed using deep learning to identify anomalies in its spans. This capability empowers operators to quickly identify which components of a distributed system are faulty.
Similar to SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs (20)
SPEAKERS
Phil Royer, Research Engineer, Splunk
Rod Soto, Principal Security Research Engineer, Splunk
Obtaining data to develop defenses against threats is a constant challenge for security analysts. To that end, Splunk's Security Research team developed the Splunk SIEMulator, a framework modeled after Chris Long's DetectionLab that allows a...
Detection of webshells in compromised perimeter assets using ML algorithms Rod Soto
Rod Soto and Joseph Zadeh discuss detecting webshells in compromised perimeter assets using machine learning algorithms. They define webshells and how they are commonly used by attackers to gain access to networks. Two approaches are described for detecting webshells using ML: global models that analyze overall asset behavior, and local models that examine individual web server content and traffic patterns. Detecting deviations from normal behavior across both local and global views can help identify compromised assets with webshells.
The Lambda Defense Functional Paradigms for Cyber SecurityRod Soto
The document proposes a methodology called "The Lambda Defense" to help automate the detection of adversarial behaviors. The methodology is based on two principles: 1) functionally decomposing attack patterns into sequential and non-sequential components, and 2) applying the Lambda Architecture which blends batch and real-time processing. The Lambda Defense treats each tactic, technique, or procedure as a stochastic process that can be modeled. It describes how to enumerate the threat surface, decompose behaviors functionally, assign machine learning and other models, and evolve models over time using map-reduce operations.
This document discusses using machine learning and big data technologies to improve security workflows. It describes the challenges of analyzing large amounts of security data from many sources to detect threats. Machine learning can help by analyzing patterns in the data at scale. The document introduces the Lambda Defense approach, which applies a lambda architecture to build a "central nervous system" for security. This combines batch and real-time machine learning models to detect threats based on both sequential and unordered behaviors.
This document describes Aktaion, an open source machine learning tool for ransomware detection. It analyzes micro behaviors and contextual indicators in network traffic to detect ransomware even if the malware's code has been modified. The tool mines logs for micro behaviors like call back patterns. It uses Apache Spark and machine learning to provide risk scores and detect ransomware. The output includes suspicious IPs, domains, and file names. The document discusses using the tool for active defense by triggering actions like blocking infected files through Group Policy once ransomware is detected.
Crypto ransomware encrypts user files and demands ransom payment in bitcoin to decrypt the files. It spreads through email attachments and infected websites. To recover, users should disconnect infected devices, check backups, identify the variant, and wipe infected systems if necessary. Prevention methods include backups, patching systems, and educating users about safe browsing habits. Seeking help from law enforcement is also recommended over paying ransoms.
1. SESSION ID: SPO2-T11
#RSAC
Automated Prevention of Ransomware with Machine Learning and GPOs
Rod Soto, Senior Security Researcher, Splunk, Inc. (@rodsoto)
Joseph Zadeh, Senior Data Scientist, Splunk, Inc. (@josephzadeh)
2. $Whoami
Rod Soto @rodsoto: Principal Security Researcher at Splunk UBA, former AKAMAI, Prolexic PLXSert. Like to break things, p0wn botnets and play CTFs.
Joseph Zadeh @JosephZadeh: Data Scientist at Splunk UBA, building behavioral intrusion detection technologies at scale. Enjoy working on defense projects that combine security, artificial intelligence and distributed systems.
5. Commonly found Ransomware IOCs
• Modification of registry keys (mostly associated with persistence, i.e. execution after reboot).
• Encrypts user files and renames them with a new extension (targets the user's documents: .doc, .xls, .ppt, .mp3, wallet files).
• Modifies the Master Boot Record to prevent normal booting, usually by encrypting and relocating the original MBR and placing a replacement.
• Removal of Volume Shadow Copy Service (VSS) snapshots, which are used for system restore and backup.
• Polymorphic/metamorphic behavior.
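As an added illustration (not from the deck and not Aktaion's code), the Python below scores the host-side indicators above over a handful of constructed, Sysmon-shaped events. The event IDs are Sysmon's (1 process create, 9 raw access read, 11 file create, 13 registry value set); the PIDs, paths, timings and the "document keeps its extension and gains another" rename heuristic are assumptions made for the example, and the polymorphism item has no log-level check here. The point it adds to the slide is attribution: each indicator is charged to the root of the process tree that produced it, and only a tree showing two or more independent behaviours is raised, because a single Run key write or a single VSS command is routine on its own.

```python
import re
from collections import defaultdict

# Constructed events shaped like Sysmon records (EventID 1 = process create, 9 = raw access read,
# 11 = file create, 13 = registry value set). PIDs, paths and timings are made up for this example.
EVENTS = [
    {"id": 1, "t": 0.0, "pid": 4120, "cmd": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 13, "t": 0.5, "pid": 4120, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "t": 1.0, "pid": 4131, "parent": 4120, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "t": 1.2, "pid": 4132, "parent": 4120, "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"id": 9, "t": 1.5, "pid": 4120, "device": r"\Device\HarddiskVolume1"},
    # benign noise: Word saving a document, and an installer registering its own Run key
    {"id": 1, "t": 0.1, "pid": 2200, "cmd": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 11, "t": 0.2, "pid": 2200, "target": r"C:\Users\bob\Documents\notes.docx"},
    {"id": 1, "t": 0.3, "pid": 2300, "cmd": r"C:\Users\bob\Downloads\setup.exe"},
    {"id": 13, "t": 0.4, "pid": 2300, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Setup"},
]
# twelve user documents re-created with an appended extension within about a second
EVENTS += [{"id": 11, "t": 2.0 + i / 10, "pid": 4120,
            "target": r"C:\Users\bob\Documents\report%d.docx.locked" % i} for i in range(12)]

SHADOW_KILL = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                         r"wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Heuristic (assumption): a user document keeps its original extension and gains a new one (report.docx.locked).
DOUBLE_EXT = re.compile(r"\\Users\\.*\.(docx?|xlsx?|pptx?|pdf|jpe?g|mp3|wallet)\.[a-z0-9]{2,8}$", re.I)


def analyze(events, burst_n=10, burst_s=5.0):
    """Charge each indicator to the root of the process tree that produced it."""
    parent = {e["pid"]: e.get("parent") for e in events if e["id"] == 1}

    def root(pid):
        while parent.get(pid):
            pid = parent[pid]
        return pid

    findings, renames = defaultdict(set), defaultdict(list)
    for e in events:
        pid = root(e["pid"])
        if e["id"] == 1 and SHADOW_KILL.search(e["cmd"]):
            findings[pid].add("shadow_copy_or_recovery_disabled")
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings[pid].add("run_key_persistence")
        elif e["id"] == 9:
            # the read side of an MBR relocate; Sysmon does not log raw writes
            findings[pid].add("raw_disk_access")
        elif e["id"] == 11 and DOUBLE_EXT.search(e["target"]):
            renames[pid].append(e["t"])
    for pid, ts in renames.items():
        ts.sort()
        # burst_n renamed documents inside burst_s seconds from one process tree
        if any(ts[i + burst_n - 1] - ts[i] <= burst_s for i in range(len(ts) - burst_n + 1)):
            findings[pid].add("mass_rename_burst")
    return {pid: sorted(f) for pid, f in findings.items()}


def suspects(findings, min_indicators=2):
    """One indicator alone is common (installers write Run keys); two or more from one tree is the signal."""
    return sorted(pid for pid, f in findings.items() if len(f) >= min_indicators)


if __name__ == "__main__":
    found = analyze(EVENTS)
    print(found)
    print("suspect process trees:", suspects(found))
```

Run as a script it prints the per-tree findings and `[4120]` as the only suspect; the installer (PID 2300) shows a Run key write but is not raised. Thresholds such as `burst_n` are the tuning knobs a real deployment would set from its own baseline, which is the point the later "ROI" slide makes.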
6. Enterprises challenged by Ransomware
Current mitigation technique is… paying…
Disaster recovery & offsite backup.
Use of macros/embedded scripting in enterprise office document suites is very difficult and at times impractical to regulate for business reasons.
Users are the weakest link, no matter how hardened or strict the controls are; it only takes one user action to bypass them. Phishing + ransomware is a very effective attack vector.
New exploitation frameworks/malware use PowerShell for post-exploitation.
7. Ransomware Detection in the New Age
New paradigm: data driven indicators, built on anomaly detection, threat detection, unsupervised machine learning, behavior modeling, and a real-time & big data foundation.
8. Automation Tools for the Enterprise
• Threat Intelligence Platforms (TIP) = automate the ingestion of an unlimited range of contextual & threat data
• Threat and Vulnerability Management platforms (TVM) = consolidation and normalization (not execution) of vulnerability assessment results
• User and Entity Behaviour Analytics (UEBA) = detect and prioritize anomalous/malicious events via machine learning & data-science techniques
• Security Incident Response Platforms (SIRP) = formalize, enforce and automate incident response playbooks, policies and processes
• Security Operations Automation Platforms (SOAP) = provide a selection of connectors, scripts and templates to remediate third-party devices and applications that can be used to fully automate or semi-automate security operations activities
9. Big Data & Machine Learning
Big Data: the synthesis of technologies providing visibility into the analysis of large data sets and the ability to discover patterns, trends and associations, especially relating to human behavior and interactions.
Machine Learning: a subfield of computer science/statistics that explores and studies the construction of algorithms that can learn from and make predictions on data.
10. ML At Scale: Multi Faceted Problem
Too many dimensions: too many technologies, too many time-slices, too many statistical methods, too many ML categories, too many ML algorithms within each ML category.
ML allows us to go beyond static signature based technologies but can be challenging to deal with for enterprise volumes of user data.
Combining traditional security tools + data science creates a scenario where detection of threats based on dynamic and multi-contextual indicators is possible (Aktaion is meant to be an example of this).
11. Guerrilla Machine Learning for Cyber security
Fractal Defense: reuse logic (and code) across different security use cases. Make behavior-based IOCs map to adversary tactics, techniques and procedures for better scalability.
Cybersecurity Analytics ROI: make security requirements functional by setting realistic benchmarks based on your own data.
Lambda Architecture: a generic problem solving system built on immutability and hybrid batch/real-time workflows.
12. Aktaion Detection Workflow
1. Take PCAPs of known (labeled) exploits and known (labeled) benign behavior and convert them to Bro (now Zeek) log format
2. Convert each Bro log to a sequence of micro behaviors (the machine learning input)
3. Compare the sequence of micro behaviors to a set of known benign/malicious samples using a Random Forest classifier (http://weka.sourceforge.net/doc.dev/weka/classifiers/trees/RandomForest.html)
4. Derive a list of indicators from any log predicted as malicious
5. Pass the list of IOCs (JSON) to a GPO generation script (https://github.com/jzadeh/Aktaion/tree/master/python)
13. Mapping Available Data to a ML Solution
• Sweet spot: exploit delivery
• Ransomware behaviors: file system specific, call back specific
• Exploit kits: command and control behavior can vary widely depending on the post-exploit agenda
15. Building a Random Forest
Random forest trained on labeled malicious and benign samples.
Learning machine libraries: Splunk MLTK, Spark, Weka, scikit-learn
16. Random Forest Using Splunk's Machine Learning Toolkit
The simple linear model gives us output that separates the signal from the noise (this is not always possible with a model).
Learning machine: MLTK command
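To make the five workflow steps of slide 12 and the random forest of slides 15 and 16 concrete, here is an added, self-contained Python sketch; it is not Aktaion's code and not the MLTK command. It takes constructed Bro/Zeek-style HTTP records in place of PCAPs, reduces each session to four micro behaviours (executable downloads, IP-literal hosts, POST ratio, and how clock-like the gaps to any one host are), trains a small hand-written random forest (a dependency-free stand-in for Weka, scikit-learn or MLTK), and turns a flagged session into the IOC structure a GPO script would consume. The feature set, the synthetic traffic and the callback address 198.51.100.7 are assumptions.

```python
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

# A record stands in for a few fields of a Bro/Zeek http.log line:
# (ts, host, uri, method, resp_mime_type). Every record here is constructed, not captured traffic.
SITES = ["news.example", "mail.example", "cdn.example"]


def is_ip(host):
    return host.replace(".", "").isdigit()


def micro_behaviors(records):
    """One session -> [exe downloads, IP-literal hosts, POST ratio, lowest coefficient of
    variation of inter-request gaps to any single host (low = beaconing)]."""
    exe = sum(1 for r in records if r[4] == "application/x-dosexec" or r[2].lower().endswith(".exe"))
    ip_hosts = sum(1 for r in records if is_ip(r[1]))
    post_ratio = sum(1 for r in records if r[3] == "POST") / len(records)
    by_host = defaultdict(list)
    for r in records:
        by_host[r[1]].append(r[0])
    regularity = 10.0
    for ts in by_host.values():
        if len(ts) >= 4:
            ts = sorted(ts)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            regularity = min(regularity, pstdev(gaps) / max(mean(gaps), 1e-9))
    return [exe, ip_hosts, post_ratio, regularity]


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def build_tree(X, y, n_feats, depth, rng):
    """CART split on a random feature subset; a leaf is the majority label."""
    majority = Counter(y).most_common(1)[0][0]
    if depth == 0 or len(set(y)) == 1:
        return majority
    best = None
    for f in rng.sample(range(len(X[0])), n_feats):
        for t in sorted({x[f] for x in X}):
            left = [i for i, x in enumerate(X) if x[f] <= t]
            right = [i for i, x in enumerate(X) if x[f] > t]
            if left and right:
                score = (len(left) * gini([y[i] for i in left]) + len(right) * gini([y[i] for i in right])) / len(y)
                if best is None or score < best[0]:
                    best = (score, f, t, left, right)
    if best is None:
        return majority
    _, f, t, left, right = best
    return (f, t, build_tree([X[i] for i in left], [y[i] for i in left], n_feats, depth - 1, rng),
            build_tree([X[i] for i in right], [y[i] for i in right], n_feats, depth - 1, rng))


def train_forest(X, y, n_trees=25, depth=3, seed=7):
    """Bootstrap samples + random feature subsets per tree: the random forest recipe in miniature."""
    rng = random.Random(seed)
    n_feats = max(1, int(len(X[0]) ** 0.5))
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]
        forest.append(build_tree([X[i] for i in idx], [y[i] for i in idx], n_feats, depth, rng))
    return forest


def predict(forest, x):
    votes = Counter()
    for tree in forest:
        while isinstance(tree, tuple):
            f, t, left, right = tree
            tree = left if x[f] <= t else right
        votes[tree] += 1
    return votes.most_common(1)[0][0]


def derive_iocs(records):
    """Step 4: indicators from a flagged session, in the shape a GPO script would read."""
    callback_hosts = {r[1] for r in records if r[3] == "POST" or r[2].lower().endswith(".exe")}
    return {"ips": sorted(h for h in callback_hosts if is_ip(h)),
            "domains": sorted(h for h in callback_hosts if not is_ip(h)),
            "executables": sorted({r[2].rsplit("/", 1)[-1] for r in records if r[2].lower().endswith(".exe")})}


def synth_session(malicious, rng):
    """Constructed browsing; the malicious variant adds an exploit-kit style drop and 60 s callbacks."""
    recs, t = [], 0.0
    for _ in range(12):
        t += rng.uniform(5, 90)
        recs.append((t, rng.choice(SITES), "/p%d.html" % rng.randint(1, 9), "GET", "text/html"))
    if malicious:
        recs.append((t + 1, "198.51.100.7", "/load/update.exe", "GET", "application/x-dosexec"))
        recs += [(t + 1 + 60 * k + rng.uniform(-1, 1), "198.51.100.7", "/gate.php", "POST", "text/plain")
                 for k in range(1, 7)]
    return recs


def run_pipeline(n_train=16, seed=1):
    """Steps 1-5 end to end; returns the verdict for one held-out session of each kind and the IOCs."""
    rng = random.Random(seed)
    train = [(i % 2, synth_session(i % 2, rng)) for i in range(n_train)]
    forest = train_forest([micro_behaviors(s) for _, s in train], [label for label, _ in train])
    held_out = {"malicious": synth_session(1, rng), "benign": synth_session(0, rng)}
    preds = {k: predict(forest, micro_behaviors(s)) for k, s in held_out.items()}
    iocs = [derive_iocs(s) for k, s in held_out.items() if preds[k] == 1]
    return preds, iocs


if __name__ == "__main__":
    print(run_pipeline())
```

The synthetic classes are deliberately easy to separate; with real Contagio and Blue Coat data the interesting work is in the feature definitions, and a feature like the IP-literal count that is trivial here would be a weak, easily evaded signal in production.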
17. Data Sets Used To Train the Model
Open source examples: github.com/jzadeh/Aktaion/tree/master/data
386 labeled exploit chain examples from Contagio (pcap extracts into a generic proxy format). Thanks to the hard work of Contagio and Mila Parkour: http://contagiodump.blogspot.com/
CRIME database from DeepEnd Research: www.dropbox.com/sh/7fo4efxhpenexqp/AADHnRKtL6qdzCdRlPmJpS8Aa/CRIME?dl=0
Ransomware samples: a small amount of mixed call back/file system level indicators
Labeled benign user traffic (days of HTTP user browsing and related activities)
Anonymized Blue Coat proxy traffic
19. What is a GPO?
Think of Group Policy as "touch once, configure many."
Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS).
20. Requirements for GPOs (Overview)
The requirements for using Group Policy are straightforward:
The network must be based on AD DS (that is, at least one server must have the AD DS role installed). To learn more about AD DS, see Active Directory Domain Services Overview on TechNet.
Computers that you want to manage must be joined to the domain, and users that you want to manage must use domain credentials to log on to their computers.
You must have permission to edit Group Policy in the domain.
21. Advantages of using GPOs
With GPOs, administrators can apply settings in a granular, distributed and expedited way (think permissions, access rights, allowed processes, user/computer profiles).
Enforce security settings on a large scale (e.g. password policy, firewall profile).
Apply and enforce patching and security updates in a targeted, prompt and efficient manner.
22. Security Settings node of a Group Policy object
Account Policies (password policy, account lockout, Kerberos authentication)
Local Policies (audit policy for logons and file reads, user rights assignment, force logoff, halt if unable to audit)
Event Log (detailed logging of events)
Restricted Groups (management of user/group membership)
System Services (rights given to services, auditing level for services)
Registry (auditing of registry keys/subkeys)
File System (access/modification auditing for system files/folders)
Public Key Policies (security certificates)
Internet Protocol Security Policies on Active Directory (how a server responds to a request for IPsec communications)
23. Machine Learning + GPO = Active Defense
By leveraging big data and machine learning we can provide more granular and specific items applicable to Group Policy Objects.
These ML+BD derived GPOs can be crafted and applied in an automated fashion, speeding up reaction measures.
These GPOs can be more effective than static signatures (think about malware variants and AV updates).
24. General Challenges using GPOs
Scope must be clearly defined; it requires system administrators to organize users, assets and groups.
A level of skill is required of administrators in order to apply GPOs efficiently (GPO settings).
General infrastructure connectivity and redundancy can pose challenges (DNS, subnets, WAN/LAN, etc.).
26. Proof of Concept
• Ransomware network traffic analyzed using the open source machine learning tool Aktaion (https://github.com/jzadeh/Aktaion)
• This tool analyzes micro behaviors present in ransomware traffic
• The output of the tool is the input to a Python script which builds the main indicators for GPO generation (executable name, domain, IP address)
• The Python script connects over SSH to an AD host that can push the GPO into the Windows domain via PowerShell
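The GPO generation step, as an added example rather than the script in the Aktaion repository: the Python below takes the IOC JSON shape from the workflow (executable names, domains, IPs), validates every value before it can reach a shell, and renders the PowerShell that the SSH step would run on a domain-joined admin host. The cmdlets (New-GPO, Set-GPRegistryValue, New-GPLink from the GroupPolicy module, New-NetFirewallRule with a GPO policy store from NetSecurity) and the registry locations (Software Restriction Policy path rules under Safer\CodeIdentifiers, Site to Zone Assignment under ZoneMapKey) are real; the GPO name, domain, OU, the IOC values and the choice of SRP over AppLocker are assumptions for the example. The check a practitioner wants is the validation: model output is untrusted input to a privileged shell, and an auto-block of an internal address is a self-inflicted outage.

```python
import ipaddress
import re
import uuid

# Assumed names: the GPO, the domain and the OU are placeholders for this example.
GPO_NAME = "ML-Ransomware-Block"
DOMAIN = "corp.example"
TARGET_OU = "OU=Workstations,DC=corp,DC=example"

EXE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.exe$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Never auto-block your own address space: a mis-classified DC or proxy would take the domain down.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                               "127.0.0.0/8", "169.254.0.0/16")]


def ps_quote(value):
    """Single-quoted PowerShell literal: no expansion, only the quote itself needs escaping."""
    return "'" + str(value).replace("'", "''") + "'"


def validate(iocs):
    """Model output is untrusted input to a shell: keep only well-formed values, report the rest."""
    ok, rejected = {"executables": [], "domains": [], "ips": []}, []
    for exe in iocs.get("executables", []):
        (ok["executables"] if EXE_RE.match(exe) else rejected).append(exe)
    for dom in iocs.get("domains", []):
        if DOMAIN_RE.match(dom):
            ok["domains"].append(dom.lower())
        else:
            rejected.append(dom)
    for ip in iocs.get("ips", []):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected.append(ip)
            continue
        if addr.is_multicast or any(addr in net for net in INTERNAL):
            rejected.append(ip)
        else:
            ok["ips"].append(str(addr))
    return ok, rejected


def gpo_commands(ok, gpo_name=GPO_NAME, domain=DOMAIN, target_ou=TARGET_OU):
    """PowerShell for a domain-joined admin host with the GroupPolicy and NetSecurity modules."""
    q = ps_quote
    safer = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    zonemap = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    reg = "Set-GPRegistryValue -Name " + q(gpo_name) + " -Key "
    cmds = ["Import-Module GroupPolicy, NetSecurity", "New-GPO -Name " + q(gpo_name) + " | Out-Null"]
    if ok["executables"]:  # SRP: default level Unrestricted (0x40000), enforcement on
        cmds.append(reg + q(safer) + " -ValueName 'DefaultLevel' -Type DWord -Value 262144")
        cmds.append(reg + q(safer) + " -ValueName 'TransparentEnabled' -Type DWord -Value 1")
    for exe in ok["executables"]:  # one path rule per file name under level 0 = Disallowed
        key = safer + r"\0\Paths\{" + str(uuid.uuid5(uuid.NAMESPACE_DNS, exe)) + "}"
        cmds.append(reg + q(key) + " -ValueName 'ItemData' -Type String -Value " + q(exe))
        cmds.append(reg + q(key) + " -ValueName 'SaferFlags' -Type DWord -Value 0")
    for dom in ok["domains"]:  # Site to Zone Assignment List: 4 = Restricted sites zone
        cmds.append(reg + q(zonemap) + " -ValueName " + q(dom) + " -Type String -Value '4'")
    store = domain + "\\" + gpo_name
    for ip in ok["ips"]:  # outbound block written straight into the GPO's firewall policy store
        cmds.append("New-NetFirewallRule -PolicyStore " + q(store) + " -DisplayName " + q("ML block " + ip)
                    + " -Direction Outbound -Action Block -RemoteAddress " + q(ip))
    cmds.append("New-GPLink -Name " + q(gpo_name) + " -Target " + q(target_ou) + " -LinkEnabled Yes")
    return cmds


def render_script(cmds):
    """The text the SSH step would send to the AD host; keep a copy for review and rollback."""
    return "\n".join(cmds) + "\n"


if __name__ == "__main__":
    sample = {"executables": ["update.exe"], "domains": ["c2.example"], "ips": ["198.51.100.7", "10.0.0.5"]}
    accepted, dropped = validate(sample)
    print(render_script(gpo_commands(accepted)))
    print("rejected:", dropped)
```

Two caveats the deck's "real time" claim depends on: a linked GPO only takes effect at the next policy refresh unless something like Invoke-GPUpdate is pushed to the affected machines, and a file-name path rule is the weakest SRP rule type (the next variant just picks another name), so hash or publisher rules, or AppLocker, are the stronger follow-up once the indicator has been confirmed.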
31. Proof of Concept – Further GPO actions
• Force logoff
• Remove computer from domain
• Disable password changes
• Disable access to network shares
• Enforce account lockout
• Prevent further download of payloads from the internet
• Apply firewall rules
32. Conclusions
• Machine learning + big data technologies + GPO can be effectively applied for active defense.
• These tools are available for use without major investment in every enterprise.
• Application of machine learning techniques provides enterprises with an alternative to passive, high-cost, low-efficiency signature-based technologies.
• Machine learning provides leverage against constant adversarial drift and changing TTPs.