Welcome To HELK!
Elastic Tour 2018
@Cyb3rWard0g
● Adversary Detection Analyst @SpecterOps
● Author:
○ ThreatHunter-Playbook
○ Hunting ELK (HELK)
○ ATTACK-Python-Client
○ OSSEM (Open Source Security Event Metadata)
● Former:
○ Capital One - USA, Senior Threat Hunter
○ DuPont - USA, Security Specialist
https://github.com/Cyb3rWard0g
Agenda
● Threat hunting & data
● Threat hunting & hunters
● Threat hunting & SIEMs
● Pre-Hunt activities and data
● HELK
● What’s next for HELK?
Effective Threat Hunting
Are you being effective?
Threat Hunting (Expectation)
[Timeline figure: along the TIME axis, a short Pre-Hunt segment followed by a long Actual Hunting segment]
Threat Hunting (Reality)
[Timeline figure: along the TIME axis, a long Pre-Hunt segment followed by a short Actual Hunting segment]
Pre-Hunt Activities
● Identification of adversarial techniques
● Identification of data sources required to validate the detection of
adversarial techniques
● Data Documentation (Data Dictionaries)
● Data Modeling
● Data quality Assessment
○ Completeness & Standardization
● Development of data analytics
● Development of playbooks
Threat Hunting & Data
LOG IT ALL -> HUNT -> FIND EVIL -> REPEAT… Right? Maybe?
Threat Hunting
[Cycle figure with Threat Hunting at the center, reconstructed as a list in the order the slides reveal it]
● Pre-Hunt
○ Define Hunt Model
○ Set Scope
○ Define Team Roles
○ Identify Adversarial Technique
○ Develop Hypothesis
● Hunt
○ Data Analytics
■ Behavioral
■ Anomalies/Outliers
○ Validate Detection
● Lessons Learned
○ Metrics
○ Report Findings
○ Transition to IR?
○ What didn't work?
● What can be automated?
○ Not everything can be automated
○ Enhance SOC operations
Diverse Attacks Call for Diverse Data Sets
● Endpoint Data Sets
○ Built-In Windows Logs
○ Sysmon Logs
○ Antivirus Logs
○ Data Loss Prevention (DLP) Logs
● Network Data Sets
○ Proxy Logs
○ Bro (Now Zeek) Logs
○ Full Packet Capture
Data Lakes & Threat Hunting (In Theory)
[Figure: Extract, Transform, Load (ETL) pipelines feeding security data into a data lake]
Data Swamps & Threat Hunting (Reality)
Threat Hunting & Hunters
Can we do better?
Data Engineers & Data Analysts Are Siloed!!
[Figure: Data Engineer and Data Analyst (Threat Hunter) drawn as two separate silos, with Collection, Documentation & Standardization and Data Modeling sitting in the gap between them]
Threat Hunting & SIEMs
What are we trying to accomplish?
What Is The Main Goal?
Enable Threat Hunters
● Perform flexible data analysis at scale
● Go beyond Indicators of Compromise (IOCs)
○ i.e. more than basic queries to find an IP address from an intel report
● Identify specific structured patterns
○ Streaming, graphing
● Describe the data in a more intuitive and efficient way
● Integrate with other threat hunting procedures
○ Playbooks
○ Training
Pre-Hunt activities and data
Bringing Data Engineers and Data Analysts Together
Threat Hunting Approach
[Flow figure, reconstructed]
Identify technique(s) -> Define technique variation -> Generate hypothesis -> Simulate technique variation -> Identify recommended data sources -> Define data analytics -> Validate detection -> Perform data quality assessment -> Execute hunt -> Hunter notes / report
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon
Data Dictionaries (Sysmon Event ID 1)
[Figure: data dictionary for the Windows Sysmon Event ID 1 (process creation) event]
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
Sysmon Data Model After Documentation
https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
Data Sources & Data Modeling
[Figure: an adversary technique mapped to data model relationships, and each relationship to the Windows events that record it]
● Process Creation: Process created Process -> Security 4688, Sysmon 1
● Process Termination: User terminated Process -> Security 4689, Sysmon 5
● Process Write To Process: Process wrote_to Process -> Sysmon 8
● Process Access: Process accessed Process -> Sysmon 10
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon
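The mapping on this slide, written down as code: an added example (not HELK's or OSSEM's own code) that normalizes the same process start as recorded by Sysmon Event ID 1 and by Security Event ID 4688 into one "Process created Process" record, then reports field completeness across the two sources, which is the completeness half of the data quality assessment listed under the pre-hunt activities. The common field names follow OSSEM's naming style but are chosen here; the two events are constructed samples, not logs from a real host.

```python
"""Normalize process-creation events from two sources into one data model and
check field completeness.

Added example for the "Data Sources & Data Modeling" slide and the
"Data quality Assessment: Completeness & Standardization" activity; not HELK
or OSSEM code. Field names follow OSSEM's style but are an assumption made
here; the events below are constructed samples, not captured logs.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ProcessCreated:
    """One 'Process created Process' relationship, independent of the source."""
    source: str
    hostname: str
    user_name: str
    process_id: int              # always decimal once normalized
    process_path: str
    process_name: str
    process_command_line: str    # "" when the source did not record it
    process_parent_id: int
    process_parent_path: str
    process_parent_name: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def from_sysmon_1(e: dict) -> ProcessCreated:
    """Sysmon Event ID 1: decimal PIDs, full paths in Image/ParentImage."""
    return ProcessCreated(
        source="sysmon", hostname=e["Computer"], user_name=e["User"],
        process_id=int(e["ProcessId"]), process_path=e["Image"],
        process_name=_basename(e["Image"]), process_command_line=e["CommandLine"],
        process_parent_id=int(e["ParentProcessId"]), process_parent_path=e["ParentImage"],
        process_parent_name=_basename(e["ParentImage"]),
    )


def from_security_4688(e: dict) -> ProcessCreated:
    """Security Event ID 4688: PIDs are hex strings ('0x1a4'), the user is split
    into domain and name, and CommandLine is present only when command-line
    auditing is enabled on the host."""
    return ProcessCreated(
        source="security", hostname=e["Computer"],
        user_name=f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
        process_id=int(e["NewProcessId"], 16), process_path=e["NewProcessName"],
        process_name=_basename(e["NewProcessName"]),
        process_command_line=e.get("CommandLine", ""),
        process_parent_id=int(e["ProcessId"], 16),   # creator PID, also hex
        process_parent_path=e["ParentProcessName"],
        process_parent_name=_basename(e["ParentProcessName"]),
    )


NORMALIZERS = {
    ("Microsoft-Windows-Sysmon", 1): from_sysmon_1,
    ("Microsoft-Windows-Security-Auditing", 4688): from_security_4688,
}


def normalize(events):
    """Route each raw event to its normalizer; (provider, id) pairs without a
    data dictionary are skipped rather than guessed at."""
    out = []
    for e in events:
        fn = NORMALIZERS.get((e["Provider"], e["EventID"]))
        if fn:
            out.append(fn(e))
    return out


def field_completeness(records, field):
    """Share of records with a non-empty value for one field."""
    if not records:
        return 0.0
    return sum(1 for r in records if getattr(r, field)) / len(records)


# Constructed sample events (not real logs): the same process start as seen by
# Sysmon and by the Security log on a host without command-line auditing.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1, "Computer": "WKS01",
     "User": "LAB\\alice", "ProcessId": "420", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentProcessId": "3344",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688, "Computer": "WKS01",
     "SubjectDomainName": "LAB", "SubjectUserName": "alice", "NewProcessId": "0x1a4",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ProcessId": "0xd10",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 5, "Computer": "WKS01"},
]


def process_created_process(events=SAMPLE_EVENTS):
    """Normalized parent -> child records as dicts, so one analytic can query
    both sources the same way."""
    return [asdict(r) for r in normalize(events)]


def command_line_completeness(events=SAMPLE_EVENTS):
    return field_completeness(normalize(events), "process_command_line")
```

Once both sources land in the same shape, the analytic asks one question ("which parents spawn cmd.exe?") regardless of whether Sysmon or the Security log answered it, and the completeness number tells the hunter up front that a command-line based hypothesis cannot be validated against 4688 on that host.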
Threat Hunting & Data
[Same Threat Hunting Approach flow as above]
HELK [Alpha]
An open source ELK with Advanced Analytics Capabilities
https://github.com/Cyb3rWard0g/HELK
What the HELK?
● An ecosystem composed of several open source frameworks
● Main goal: empower threat hunters and extend the functionality of an Elastic ELK stack by enabling advanced analytics capabilities
● First publicly documented and standardized pipeline
○ OSSEM Project: https://github.com/Cyb3rWard0g/OSSEM
○ Documenting new events as they show up in new tests
● Awesome additions to the pipeline by Nate Guagenti @neu5ron
https://github.com/Cyb3rWard0g/HELK
[Figure: HELK architecture]
Why Spark?
"Apache Spark is a unified computing engine and a set of libraries for parallel data processing on computer clusters"
Chambers, Bill; Zaharia, Matei. Spark: The Definitive Guide: Big Data Processing Made Simple (Kindle Locations 141-144). O'Reilly Media. Kindle Edition
[Figures: Spark overview slides; ES-Hadoop, the Elasticsearch-Hadoop connector that lets Spark read Elasticsearch indices as DataFrames]
Why Jupyter?
● The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text.
● Uses include:
○ data cleaning and transformation
○ numerical simulation
○ statistical modeling
○ data visualization
○ machine learning, and much more
http://jupyter.org/
Spark + Jupyter / Elasticsearch + Spark + Jupyter
[Architecture figure: the Jupyter PySpark kernel hosts the driver process (user code and the SparkSession); a Spark standalone cluster manager hands work to executors on the worker nodes; in the second variant Elasticsearch is the data source those executors read]
What The HELK?
HELKing the community...
Threat Hunting Approach
[Same approach flow as above, now walked through step by step for one technique]
Identify Technique: Pass the Hash
"Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password."
https://attack.mitre.org/wiki/Technique/T1075
Define Technique Variation: Overpass-the-Hash
● Authentication via Kerberos
○ Authentication protocol based on keys and tickets
● "Upgrading a NT hash into a full Kerberos ticket"
● It may require elevated privileges (privilege::debug or the SYSTEM account)
○ Depends on how the attack is performed: injecting the hash into LSASS (sekurlsa::pth) needs those privileges, while asking the KDC for a TGT directly with the hash does not
○ You might not need to be admin
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
Technical Details: Normal Kerberos Authentication
[Figure: normal Kerberos authentication flow]
https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Technical Details: Overpass-the-Hash
[Figure: overpass-the-hash flow, from the same source]
Technical Details: Rubeus - Overpass-the-Hash
https://github.com/GhostPack/Rubeus
● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy's Kekeo project
○ Kerberos structures built by hand…
○ Rubeus works nicely with execute-assembly
○ So why not use Kekeo? Because ASN.1!
■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase
● Author: Will Schroeder @harmj0y @SpecterOps
● DEMO
Mmmm… Rubeus?
Jupyter Notebooks -> Threat Hunter Playbooks
https://github.com/Cyb3rWard0g/HELK
Creating a Threat Hunter Playbook
What's next for HELK?
HELKing the community...
Cypher for Apache Spark
Spark Structured Streaming
KSQL
Thank You! Muchas Gracias!
An introduction to Elasticsearch's advanced relevance ranking toolbox
 
Welcome to a new state of find
Welcome to a new state of findWelcome to a new state of find
Welcome to a new state of find
 
Building great website search experiences
Building great website search experiencesBuilding great website search experiences
Building great website search experiences
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified searchKeynote: Harnessing the power of Elasticsearch for simplified search
Keynote: Harnessing the power of Elasticsearch for simplified search
 
Cómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisionesCómo transformar los datos en análisis con los que tomar decisiones
Cómo transformar los datos en análisis con los que tomar decisiones
 
Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud Explore relève les défis Big Data avec Elastic Cloud
Explore relève les défis Big Data avec Elastic Cloud
 
Comment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitablesComment transformer vos données en informations exploitables
Comment transformer vos données en informations exploitables
 
Transforming data into actionable insights
Transforming data into actionable insightsTransforming data into actionable insights
Transforming data into actionable insights
 
Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?Opening Keynote: Why Elastic?
Opening Keynote: Why Elastic?
 
Empowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside GovernmentEmpowering agencies using Elastic as a Service inside Government
Empowering agencies using Elastic as a Service inside Government
 
The opportunities and challenges of data for public good
The opportunities and challenges of data for public goodThe opportunities and challenges of data for public good
The opportunities and challenges of data for public good
 
Enterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and ElasticEnterprise search and unstructured data with CGI and Elastic
Enterprise search and unstructured data with CGI and Elastic
 

Recently uploaded

Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Threat Hunting with Elastic at SpecterOps: Welcome to HELK

  • 2. @Cyb3rWard0g
● Adversary Detection Analyst @SpecterOps
● Author:
○ ThreatHunter-Playbook
○ Hunting ELK (HELK)
○ ATTACK-Python-Client
○ OSSEM (Open Source Security Event Metadata)
● Former:
○ Capital One - USA, Senior Threat Hunter
○ DuPont - USA, Security Specialist
https://github.com/Cyb3rWard0g

  • 3. Agenda
● Threat hunting & data
● Threat hunting & hunters
● Threat hunting & SIEMs
● Pre-Hunt activities and data
● HELK
● What’s next for HELK?

  • 4. Effective Threat Hunting
Are you being effective?

  • 5. Threat Hunting (Expectation)
[Chart: time split between Pre-Hunt and Actual Hunting]

  • 6. Threat Hunting (Reality)
[Chart: time split between Pre-Hunt and Actual Hunting]

  • 7. Pre-Hunt Activities (repeated on slide 8)
● Identification of adversarial techniques
● Identification of data sources required to validate the detection of adversarial techniques
● Data Documentation (Data Dictionaries)
● Data Modeling
● Data Quality Assessment
○ Completeness & Standardization
● Development of data analytics
● Development of playbooks

  • 9. Threat Hunting & Data
LOG IT ALL -> HUNT -> FIND EVIL -> REPEAT… Right? Maybe?

  • 10. Threat Hunting (hunt cycle; repeated on slides 11-14)
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial Technique
- Develop Hypothesis
Hunt
- Data Analytics
  > Behavioral
  > Anomalies/Outliers
- Validate Detection
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
What can be automated?
- Not everything can be automated
- Enhance SOC operations

  • 15. Diverse Attacks Call for Diverse Data Sets
● Endpoint Data Sets
○ Built-In Windows Logs
○ Sysmon Logs
○ Antivirus Logs
○ Data Loss Prevention (DLP) Logs
● Network Data Sets
○ Proxy Logs
○ Bro (Now Zeek) Logs
○ Full Packet Capture

  • 16. Data Lakes & Threat Hunting (In-Theory)
[Diagram: two Extract -> Transform -> Load (ETL) pipelines]

  • 17. Data Swamps & Threat Hunting (Reality)

  • 18. Threat Hunting & Hunters
Can we do better?

  • 19. Data Engineers & Data Analysts Are Siloed!! (built up on slides 20 and 21)
[Diagram: Data Engineer on one side, Data Analyst (Threat Hunter) on the other; the successive slides place Collection, Documentation & Standardization, and Data Modeling between them]

  • 22. Threat Hunting & SIEMs
What are we trying to accomplish?

  • 23. What Is The Main Goal?

  • 24. Enable Threat Hunters
● Perform flexible data analysis at scale
● Go beyond Indicators of Compromise (IOC)
○ Basic queries to find an IP address from an intel report
● Identify specific structured patterns
○ Streaming, Graphing
● Describe the data in a more intuitive and efficient way
● Integrate with other threat hunting procedures
○ Playbooks
○ Training

  • 25. Pre-Hunt activities and data
Bringing Data Engineers and Data Analysts Together

  • 26. Threat Hunting Approach
Steps (as they appear in the diagram): Identify technique(s); Define Technique Variation; Generate Hypothesis; Simulate Technique Variation; Identify Recommended Data Sources; Define Data Analytics; Validate Detection; Perform Data Quality Assessment; Execute Hunt; Hunter Notes / Report
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon

  • 27. Data Dictionaries (Sysmon Event ID 1)
Windows Sysmon
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf

  • 28. Sysmon Data Model After Documentation
https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
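Slides 7, 27 and 28 name the pre-hunt steps (data dictionary, completeness and standardization assessment) without showing their mechanics. The following is an added Python example, not code from the HELK or OSSEM projects: it applies a data dictionary to raw Sysmon Event ID 1 records, derives the fields hunters usually query on, and scores each record for completeness (required fields present) and standardization (field names from the agreed vocabulary). The raw keys are the field names Sysmon emits for Event ID 1; the standardized names are OSSEM-style assumptions chosen for this example, the required-field list is an assumed requirement, and all sample events are constructed.

```python
"""Apply a Sysmon Event ID 1 data dictionary and score completeness and standardization.

Added example, not code from the HELK or OSSEM projects. Raw keys are the field
names Sysmon emits for Event ID 1; the standardized names are OSSEM-style
assumptions chosen for this example, and every sample event is constructed.
"""
from typing import Dict, List, Tuple

# Data dictionary: raw Sysmon Event ID 1 field -> standardized name (assumed).
SYSMON_1_DICTIONARY: Dict[str, str] = {
    "UtcTime": "event_creation_time",
    "ProcessGuid": "process_guid",
    "ProcessId": "process_id",
    "Image": "process_path",
    "CommandLine": "process_command_line",
    "CurrentDirectory": "process_current_directory",
    "User": "user_name",
    "IntegrityLevel": "process_integrity_level",
    "Hashes": "hashes",
    "ParentProcessGuid": "process_parent_guid",
    "ParentProcessId": "process_parent_id",
    "ParentImage": "process_parent_path",
}
# Fields produced by standardize() on top of the renamed ones.
DERIVED_FIELDS = {"process_name", "hash_md5", "hash_sha1", "hash_sha256", "hash_imphash"}
STANDARD_VOCABULARY = set(SYSMON_1_DICTIONARY.values()) | DERIVED_FIELDS
# Fields a process-creation analytic needs in every record (assumed requirement).
REQUIRED_FIELDS = ["event_creation_time", "process_guid", "process_id", "process_path",
                   "process_command_line", "user_name", "process_parent_guid",
                   "process_parent_path", "hash_sha256"]

def standardize(event: Dict[str, str]) -> Dict[str, str]:
    """Rename raw fields through the dictionary; unknown fields pass through unchanged."""
    out = {SYSMON_1_DICTIONARY.get(key, key): value for key, value in event.items()}
    if "process_path" in out:
        out["process_name"] = out["process_path"].rsplit("\\", 1)[-1]
    if "hashes" in out:
        # Sysmon packs hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
        for pair in out.pop("hashes").split(","):
            algo, _, digest = pair.partition("=")
            if algo and digest:
                out["hash_" + algo.strip().lower()] = digest.strip()
    return out

def completeness(event: Dict[str, str]) -> Tuple[float, List[str]]:
    """Share of required fields present and non-empty, plus the missing ones."""
    missing = [field for field in REQUIRED_FIELDS if not event.get(field)]
    return 1 - len(missing) / len(REQUIRED_FIELDS), missing

def standardization(event: Dict[str, str]) -> Tuple[float, List[str]]:
    """Share of field names in the standard vocabulary, plus the outliers."""
    nonstandard = [key for key in event if key not in STANDARD_VOCABULARY]
    return 1 - len(nonstandard) / len(event), nonstandard

def assess(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Per-event data quality report: standardization before/after, completeness, gaps."""
    report = []
    for raw in events:
        before, _ = standardization(raw)
        std = standardize(raw)
        after, nonstandard = standardization(std)
        score, missing = completeness(std)
        report.append({"process_name": std.get("process_name"),
                       "standardization_before": before, "standardization_after": after,
                       "completeness": score, "missing": missing, "nonstandard": nonstandard})
    return report

# Constructed sample events (GUIDs, hashes and paths are made up).
SAMPLE_EVENTS = [
    {   # complete raw Sysmon Event ID 1 record
        "UtcTime": "2018-10-03 14:05:22.101", "ProcessGuid": "{00000000-0000-0000-0000-000000000002}",
        "ProcessId": "4712", "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\alice\\notes.txt",
        "CurrentDirectory": "C:\\Users\\alice\\", "User": "CORP\\alice", "IntegrityLevel": "Medium",
        "Hashes": "SHA1=" + "1" * 40 + ",MD5=" + "2" * 32 + ",SHA256=" + "3" * 64 + ",IMPHASH=" + "4" * 32,
        "ParentProcessGuid": "{00000000-0000-0000-0000-000000000001}", "ParentProcessId": "3380",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # same source, but the collector dropped CommandLine/ParentImage and ships only MD5
        "UtcTime": "2018-10-03 14:06:01.774", "ProcessGuid": "{00000000-0000-0000-0000-000000000003}",
        "ProcessId": "5120", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice",
        "Hashes": "MD5=" + "5" * 32, "ParentProcessGuid": "{00000000-0000-0000-0000-000000000001}",
        "ParentProcessId": "3380",
    },
    {   # already standardized by another pipeline, carrying one vendor-specific field
        "event_creation_time": "2018-10-03 14:07:15.003", "process_guid": "{00000000-0000-0000-0000-000000000004}",
        "process_id": "6004", "process_path": "C:\\Windows\\System32\\calc.exe", "process_command_line": "calc.exe",
        "user_name": "CORP\\alice", "process_parent_guid": "{00000000-0000-0000-0000-000000000001}",
        "process_parent_path": "C:\\Windows\\explorer.exe", "hash_sha256": "6" * 64, "vendor_custom_tag": "gold-image",
    },
]

if __name__ == "__main__":
    for row in assess(SAMPLE_EVENTS):
        print(row)
```

The second sample is the case the slides warn about: the record is fully standardized after the dictionary is applied, yet an analytic keyed on command line or parent image would silently miss it, which is why completeness is scored separately from standardization. The third sample shows the opposite gap, a record that is complete but carries a field name outside the vocabulary, which is what breaks shared playbooks across pipelines.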
  • 29. Adversary Technique: Data Sources & Data Modeling
Relationship                 | Data sources
Process created Process      | Security 4688, Sysmon 1 (Process Creation)
user terminated Process      | Security 4689, Sysmon 5 (Process Termination)
Process wrote_to Process     | Sysmon 8 (Process Write To Process)
Process accessed Process     | Sysmon 10 (Process Access)
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon

  • 30. Threat Hunting & Data
Steps (as they appear in the diagram): Identify technique(s); Define Technique Variation; Generate Hypothesis; Simulate Technique Variation; Identify Recommended Data Sources; Define Data Analytics; Validate Detection; Perform Data Quality Assessment; Execute Hunt; Hunter Notes / Report
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon
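Slide 29 maps four Windows data sources onto entity relationships (created, terminated, wrote_to, accessed). The following is an added Python example, not code from the HELK or OSSEM projects, that turns that mapping into a small graph builder: each event becomes one edge, and two queries over the edges (process lineage and who touched a given process) show what the model buys a hunter. Field names such as process_guid, process_parent_guid, target_process_guid, user_name and host_name are OSSEM-style assumptions; the provider names are the Windows ETW provider names for Sysmon and Security auditing; every sample event is constructed.

```python
"""Project Security/Sysmon process events onto the slide's process data model.

Added example, not code from the HELK or OSSEM projects. Field names such as
process_guid, process_parent_guid, target_process_guid, user_name and host_name
are OSSEM-style assumptions, and every sample event is constructed.
"""
from typing import Dict, List, Tuple

# (provider, event id) -> (source role, relationship, target role), as drawn on the slide.
EVENT_MODEL = {
    ("Microsoft-Windows-Security-Auditing", 4688): ("process_parent", "created", "process"),
    ("Microsoft-Windows-Sysmon", 1): ("process_parent", "created", "process"),
    ("Microsoft-Windows-Security-Auditing", 4689): ("user", "terminated", "process"),
    ("Microsoft-Windows-Sysmon", 5): ("user", "terminated", "process"),
    ("Microsoft-Windows-Sysmon", 8): ("process", "wrote_to", "target_process"),
    ("Microsoft-Windows-Sysmon", 10): ("process", "accessed", "target_process"),
}

def node_id(event: Dict[str, object], role: str) -> str:
    """Identity of the entity playing `role` (user, process, process_parent, target_process)."""
    if role == "user":
        return "user:" + str(event.get("user_name", "?"))
    guid = event.get(role + "_guid")
    if guid:
        return str(guid)
    # Security events carry no process GUID: fall back to a host-qualified PID,
    # which is unique only until the PID is reused and never joins with a GUID.
    return f"{event.get('host_name', '?')}:pid:{event.get(role + '_id', '?')}"

def node_name(event: Dict[str, object], role: str) -> str:
    return str(event.get("user_name" if role == "user" else role + "_name", "?"))

def build_edges(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """One (source, relationship, target) edge per event the model knows about."""
    edges = []
    for event in events:
        model = EVENT_MODEL.get((event.get("provider_name"), event.get("event_id")))
        if model is None:
            continue  # not in the model: skip rather than guess a relationship
        src_role, relation, dst_role = model
        edges.append({"source": node_id(event, src_role), "source_name": node_name(event, src_role),
                      "relation": relation,
                      "target": node_id(event, dst_role), "target_name": node_name(event, dst_role),
                      "evidence": f"{event['provider_name']}:{event['event_id']}"})
    return edges

def lineage(edges: List[Dict[str, str]], process: str) -> List[str]:
    """Names from `process` up through its creators, following 'created' edges."""
    parent_of = {e["target"]: e["source"] for e in edges if e["relation"] == "created"}
    names = {}
    for e in edges:
        names[e["source"]], names[e["target"]] = e["source_name"], e["target_name"]
    chain, node, seen = [], process, set()
    while node is not None and node not in seen:  # `seen` stops cycles in bad data
        seen.add(node)
        chain.append(names.get(node, node))
        node = parent_of.get(node)
    return chain

def interactions_with(edges: List[Dict[str, str]], process: str) -> List[Tuple[str, str]]:
    """Which processes wrote to or accessed `process`, and how."""
    return [(e["source_name"], e["relation"]) for e in edges
            if e["target"] == process and e["relation"] in ("wrote_to", "accessed")]

# Constructed sample: explorer.exe -> cmd.exe -> notepad.exe on host WS01, with the
# same cmd.exe launch reported both by Sysmon 1 (with GUIDs) and Security 4688 (PIDs only).
P1, P2, P3 = ("{00000000-0000-0000-0000-00000000000%d}" % i for i in (1, 2, 3))
SYSMON, SECURITY = "Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    {"provider_name": SYSMON, "event_id": 1, "host_name": "WS01", "user_name": "CORP\\alice",
     "process_parent_guid": P1, "process_parent_name": "explorer.exe", "process_guid": P2, "process_name": "cmd.exe"},
    {"provider_name": SECURITY, "event_id": 4688, "host_name": "WS01", "user_name": "CORP\\alice",
     "process_parent_id": "3380", "process_parent_name": "explorer.exe", "process_id": "5120", "process_name": "cmd.exe"},
    {"provider_name": SYSMON, "event_id": 1, "host_name": "WS01", "user_name": "CORP\\alice",
     "process_parent_guid": P2, "process_parent_name": "cmd.exe", "process_guid": P3, "process_name": "notepad.exe"},
    {"provider_name": SYSMON, "event_id": 8, "host_name": "WS01", "process_guid": P2, "process_name": "cmd.exe",
     "target_process_guid": P3, "target_process_name": "notepad.exe"},
    {"provider_name": SYSMON, "event_id": 10, "host_name": "WS01", "process_guid": P2, "process_name": "cmd.exe",
     "target_process_guid": P3, "target_process_name": "notepad.exe"},
    {"provider_name": SYSMON, "event_id": 5, "host_name": "WS01", "user_name": "CORP\\alice",
     "process_guid": P3, "process_name": "notepad.exe"},
    {"provider_name": SYSMON, "event_id": 3, "host_name": "WS01", "process_guid": P2, "process_name": "cmd.exe"},
]

if __name__ == "__main__":
    for edge in build_edges(SAMPLE_EVENTS):
        print(edge["source_name"], edge["relation"], edge["target_name"], "<-", edge["evidence"])
    print(lineage(build_edges(SAMPLE_EVENTS), P3))
```

Two design points are deliberate. Events the model does not cover (the Sysmon 3 network connection in the sample) are skipped rather than forced into a relationship, so the graph only contains edges the data dictionary backs. And the Security 4688 record for the same cmd.exe launch produces a separate, PID-keyed node: without a shared identifier the Security and Sysmon views of one process never join, which is exactly the standardization problem the data-modeling step on the slides is meant to solve before a hunt starts.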
  • 31. HELK [Alpha]
An open source ELK with Advanced Analytics Capabilities
https://github.com/Cyb3rWard0g/HELK

  • 32. What the HELK?
● An ecosystem composed of several open source frameworks
● Main goal: empowering threat hunters and extending the functionality of an Elastic ELK stack by enabling advanced analytics capabilities
● First public documented & standardized pipeline
○ OSSEM Project: https://github.com/Cyb3rWard0g/OSSEM
○ Documenting new events as they show up in new tests
● Awesome additions to the pipeline by Nate Guagenti @neu5ron
https://github.com/Cyb3rWard0g/HELK

  • 34. Why Spark?
“Apache Spark is a unified computing engine and a set of libraries for parallel data processing on computer clusters”
Chambers, Bill; Zaharia, Matei. Spark: The Definitive Guide: Big Data Processing Made Simple (Kindle Locations 141-144). O'Reilly Media. Kindle Edition.

  • 35. Why Spark?
[Diagram; same citation as slide 34]

  • 39. Why Jupyter?
● The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text.
● Uses include:
○ data cleaning and transformation
○ numerical simulation
○ statistical modeling
○ data visualization
○ machine learning, and much more.
http://jupyter.org/

  • 41. Spark + Jupyter
[Diagram: Driver Process (User Code, Spark Session, PySpark Kernel) -> Standalone Manager -> Workers, each running Executors]
http://jupyter.org/

  • 42. Elasticsearch + Spark + Jupyter
[Diagram: the same components as slide 41, with Elasticsearch added]
http://jupyter.org/

  • 43. What The HELK?
HELKing the community...

  • 44. Threat Hunting Approach (repeated on slides 45 and 46)
Steps (as they appear in the diagram): Identify technique(s); Define Technique Variation; Generate Hypothesis; Simulate Technique Variation; Identify Recommended Data Sources; Define Data Analytics; Validate Detection; Perform Data Quality Assessment; Execute Hunt; Hunter Notes / Report

  • 47. Identify Technique: Pass the Hash
“Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.”
https://attack.mitre.org/wiki/Technique/T1075

  • 48. Define Technique Variation: Overpass-The-Hash
● Authentication via Kerberos
○ Authentication protocol based on keys and tickets
● “Upgrading a NT hash into a full Kerberos ticket”
● It may require elevated privileges (privilege::debug or SYSTEM account)
○ Depends on how this attack is performed.
○ You might not need to be admin
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf

  • 49. Technical Details: Normal Kerberos Authentication
https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it

  • 51. Technical Details: Rubeus - Overpass-the-hash
● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy’s Kekeo project
○ Kerberos structures built by hand…
○ Rubeus works nicely with execute-assembly
○ So why not use Kekeo? Because ASN.1!
■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase
● Author: Will Schroeder @harmj0y @SpecterOps
● DEMO
https://github.com/GhostPack/Rubeus

  • 52. Technical Details: Rubeus - Overpass-the-hash
https://github.com/GhostPack/Rubeus

  • 55. Jupyter Notebooks -> Threat Hunter Playbooks
https://github.com/Cyb3rWard0g/HELK

  • 56. Creating a Threat Hunter Playbook

  • 57. What’s next for HELK?
HELKing the community...

  • 58. Cypher for Apache Spark

  • 62. Thank You! Many thanks!