This document discusses challenges in detecting lateral movement attacks and proposes a solution using machine learning models. It summarizes:
1) Independent alert streams from security tools create a triage burden and do not capture complex attacks.
2) A combined model is built to detect compromised accounts/machines from Windows event logs, assessing login probability, credential elevation, and other signals.
3) The combined model ranks sessions using gradient descent learning to rank. Testing with penetration testers showed the top-ranked sessions had a 96% precision.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
This joint webinar, in collaboration with IBM, offers a look at the industry leading Threat Hunting App for IBM QRadar. By combining the threat detection capabilities of QRadar and Sqrrl, security analysts are armed with advanced analytics and visualization to hunt for unknown threats and more efficiently investigate known incidents.
Watch the training with audio here: http://info.sqrrl.com/sqrrl-ibm-threat-hunting-for-qradar-users
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
This joint webinar, in collaboration with IBM, offers a look at the industry leading Threat Hunting App for IBM QRadar. By combining the threat detection capabilities of QRadar and Sqrrl, security analysts are armed with advanced analytics and visualization to hunt for unknown threats and more efficiently investigate known incidents.
Watch the training with audio here: http://info.sqrrl.com/sqrrl-ibm-threat-hunting-for-qradar-users
Current Forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
Incident Response Methodology is one of the popular process to investigate the incident which is unlawful, unauthorized or unacceptable action on computer system or computer network.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
A presentation given at the Glasgow Caledonian University, Digital Forensics Student Conference in 2014 discussing some of the technical challenges we face in cyber forensics and possible research areas.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Current Forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
Incident Response Methodology is one of the popular process to investigate the incident which is unlawful, unauthorized or unacceptable action on computer system or computer network.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
A presentation given at the Glasgow Caledonian University, Digital Forensics Student Conference in 2014 discussing some of the technical challenges we face in cyber forensics and possible research areas.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Talk at TechUG day in Leeds on 22nd October 2015
The way in which many (most?) software teams use logging needs a re-think as we move into a world of microservices and remote sensors. Instead of using logging merely to dump out stack traces, our logs become a continuous trace of application state, with unique-enough identifiers for every interesting point of execution. We also use transaction identifiers to trace calls across components, services, and queues, so that we can reconstruct distributed calls after the fact. Logging becomes a rich source of insight for developers and operations people alike, as we 'listen to the logs' and tighten feedback cycles to improve our software systems.
Log Standards & Future Trends by Dr. Anton ChuvakinAnton Chuvakin
The presentation will discuss how to bring order (in the form of standards!) to the chaotic world of logging.
It will give a brief introduction to logs and logging and explain how and why logs grew so chaotic and disorganized.
Next it will cover why log standards are sorely needed.
It will offer a walk-through that highlights the critical areas of log standardization. Current standard efforts will be discussion.
Finally, the presentation will cover a few of the emerging and yet-to-emerge trends related to logging and log management.
Use Exabeam Smart Timelines to improve your SOC efficiencyJonathanPritchard12
Exabeam uses common log sources to stitch together events in plain text to easily answer the important question: What happened before, during and after?
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
Designing secure architecture can always be more expensive, time consuming, and complicated. But does it make sense to cut corners when hackers invent new attacks every day? Taking shortcuts will sooner or later translate to more harm and backfire. Come to the session and learn what mistakes we eliminated when working with our customers.
Threat Hunting with Windows Event Forwarding & MITRE ATT&CK Framework
In this talk, you will gain an overview of using Windows Event Forwarding (WEF) for incident detection, with configuration and management workflows guidance. The talk will also provide an introduction to the MITRE ATT&CK Framework.
2° Ciclo Microsoft Fondazione CRUI 7° Seminario: Proteggersi dai Cyber Attack...Jürgen Ambrosi
Oggi, il tema della sicurezza informatica si è spostato dal datacenter a livelli più alti. Gli attacchi e le minacce sono cresciuti notevolmente oltre ad essere più sofisticati.
Gli attackers risiedono all'interno di una rete una media di otto mesi prima di essere rilevati. La percentuale maggiore degli attacchi compromettono le credenziali utente e utlizzano strumenti legittimi piuttosto che malware, rendendo molto difficile la loro rilevazione.
In questo webinar conosceremo ATA (Advanced Threat Analytics) strumento che aiuta le aziende a tenere sotto controllo comportamenti anomali e non leciti all’interno della propria organizzazione li dove gli strumenti di sicurezza tradizionali offrono una protezione limitata contro questo tipo di attacchi.
Un-broken logging - the foundation of software operability - Operability.io -...Matthew Skelton
From a talk at OIO15
The way in which many (most?) software teams use logging needs a re-think as we move into a world of microservices and remote sensors. Instead of using logging merely to dump out stack traces, our logs become a continuous trace of application state, with unique-enough identifiers for every interesting point of execution. We also use transaction identifiers to trace calls across components, services, and queues, so that we can reconstruct distributed calls after the fact. Logging becomes a rich source of insight for developers and operations people alike, as we 'listen to the logs' and tighten feedback cycles to improve our software systems.
The way in which many (most?) software teams use logging needs a re-think as we move into a world of microservices and remote sensors. Instead of using logging merely to dump out stack traces, our logs become a continuous trace of application state, with unique-enough identifiers for every interesting point of execution. We also use transaction identifiers to trace calls across components, services, and queues, so that we can reconstruct distributed calls after the fact. Logging becomes a rich source of insight for developers and operations people alike, as we 'listen to the logs' and tighten feedback cycles to improve our software systems.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Final project report on grocery store management system..pdfKamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website, which retails various grocery products. This project allows viewing various products available enables registered users to purchase desired products instantly using Paytm, UPI payment processor (Instant Pay) and also can place order by using Cash on Delivery (Pay Later) option. This project provides an easy access to Administrators and Managers to view orders placed using Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
17. Windows Security Events Data
On average, an online service in O365 produces 30 billion
sessions/day; 82 TB/day
Data: Sequences of Windows security event IDs from user
sessions
• Examples: User logs into machine, process start, credential
switch, etc.
• 367 unique security event IDs
18. - We built separate models to detect
our goal of compromised
account/machines
- The models, independently assess if
the account is acting suspiciously
19. probability of logging
sequences of events
credential elevation
auto-generated
25. Testing the system
• Wargame with the red team
• Blind experiment
• 8 out of 12 top-ranked sessions on day
1 among ~28 billion sessions are pen
testers, precision at 12 is 96%
30. Reality
Constantly changing environment…
….but you can account for it during training
and adding metadata
In the beginning, there will be false positives…
….but you will reduce your attack surface
No labelled data…
….but you can get away with a good red team
31.
32. Takeaways
Combine alert streams
Make your alerts interpretable
Capture feedback and close the last mile
Check out ranking algorithms – they are
powerful!
Editor's Notes
Lateral movem
“After the lateral stage, attackers are now virtually undetected by traditional security methods”
- Connecting APT Dots1
[1] http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf
Single detections… rarely indicate security-interest
Malware detected….what next?
Suspicious process launched…what next?
Unusual logins…what next?
-> O365 has 150 detections in the pipeline; ArcSight has 100 or so detections that come out of the box.
N detections, k top alerts surfaced = N*k alerts for the analyst to triage
Hand written rules, they might be useful volume of the alerts.
Interpretable - rules might be more interpretable. Be interpretable but also have low noise.
Classification probably isn’t the right way to think about approaching ad hoc IR:
Classification problems: Map to a unordered set of classes
Regression problems: Map to a real value
Ordinal regression problems: Map to an ordered set of classes
A fairly obscure sub-branch of statistics, but what we want here
This formulation gives extra power:
Relations between relevance levels are modeled
Documents are good versus other documents for query given collection; not an absolute scale of goodness