April 2015 Webinar: Cyber Hunting with Sqrrl

The days when Security Operations Center analysts could sit back and wait for alerts to come to them have long passed. Years of breaches and attacks at Fortune 100 banks, retailers, and government agencies have shown that traditional measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s threats demand a more active role in detecting and isolating sophisticated attacks. It’s hunting season!

Published in: Data & Analytics
  1. Securely explore your data. IT’S HUNTING SEASON! Tips for getting started with proactive detection
  2. © 2015 Sqrrl | All Rights Reserved. ABOUT ME: Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5 PB PCAP, 4 TB logs/day).
  3. WHAT IS “HUNTING”? The collective name for any manual or machine-assisted techniques used to detect security incidents.
  4. HOW TO BUILD A HUNT CAPABILITY: Embrace Big Data; Get Your Data Science On; Always Have a Good Strategy; Ask Lots of Questions; Pivot… Then Pivot Again; Automation is the Key to Continuous Improvement.
  5. TIP #1: EMBRACE BIG DATA
  6. THE THREE DATA DOMAINS. Keep as much as you can comfortably store. Network: authentication, session data, proxy logs, file transfers, DNS resolution. Host: authentication, audit logs, process creation. Application: authentication, DB queries, audit & transaction logs, security alerts.
  7. THE HUNTING PROCESS (cycle: Hypothesize, Query, Analyze, Revise). Successful hunting requires many iterations through this cycle. The faster your analysts get through this loop, the better. Apache’s Hadoop platform offers fast search and processing of huge amounts of data. You will still need tooling on top of whatever platform you choose.
  8. THE HUNTING PROCESS (cycle: Hypothesize, Query, Analyze, Revise). Keep as much data as you can comfortably store… and work with!
  9. TIP #2: GET YOUR DATA SCIENCE ON
  10-11. WHEN’S THE LAST TIME YOU HEARD…? “It is a Best Practice to review all your logs each day.”
  12. BEST-ER PRACTICE: Data Deduplication & Reduction; Machine-Assisted Analysis; Parsing & Normalization.
  13. MACHINE-ASSISTED ANALYSIS. Computers: bad at context and understanding; good at repetition and drudgery; algorithms work cheap! People: contextual analysis experts who love patterns; possess curiosity & intuition; business knowledge. Empowered Analysts: process massive amounts of data; agile investigations; quickly turn questions into insight.
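As an added illustration of slides 12 and 13 (this is example code written for this page, not Sqrrl's tooling), the block below lets the machine do the drudgery the deck describes: it parses two unrelated authentication log formats into one schema, removes exact duplicates, and reduces the stream to a handful of per-user rows an analyst can actually review. The log lines, hostnames and user names are constructed samples, and the two formats (an sshd syslog line and a pipe-delimited 4624/4625 logon export) are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): sshd syslog lines and a
# pipe-delimited Windows logon export "ts|host|event_id|user|src".
SAMPLE = [
    "Apr 29 08:01:02 web1 sshd[812]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Apr 29 08:01:02 web1 sshd[812]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",  # forwarded twice
    "Apr 29 08:03:40 web1 sshd[901]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "2015-04-29T08:05:11Z|WS-BOB|4624|bob|10.0.0.7",
    "2015-04-29T08:07:55Z|WS-BOB|4625|svc_backup|198.51.100.4",
    "2015-04-29T08:08:01Z|WS-BOB|4625|svc_backup|198.51.100.5",
]

SSHD = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Parsing & normalization: map either raw format onto one schema
    (ts, host, user, src, success). Returns None for unrecognised lines."""
    m = SSHD.match(line)
    if m:
        return (m["ts"], m["host"], m["user"], m["src"], m["result"] == "Accepted")
    parts = line.split("|")
    if len(parts) == 5 and parts[2] in ("4624", "4625"):
        ts, host, event_id, user, src = parts
        return (ts, host, user, src, event_id == "4624")
    return None

def reduce_auth(lines):
    """Deduplication & reduction: drop exact repeats, then collapse to one
    row per user (distinct source count, failure count). Unparsed lines are
    counted rather than silently lost, so a parser gap is visible."""
    parsed = [normalize(l) for l in lines]
    unparsed = parsed.count(None)
    records = set(r for r in parsed if r is not None)   # exact-duplicate removal
    summary = defaultdict(lambda: {"srcs": set(), "failures": 0})
    for _ts, _host, user, src, ok in records:
        summary[user]["srcs"].add(src)
        if not ok:
            summary[user]["failures"] += 1
    # Analyst reviews the rows with the most failures / distinct sources first.
    rows = sorted(((u, len(r["srcs"]), r["failures"]) for u, r in summary.items()),
                  key=lambda t: (-t[2], -t[1], t[0]))
    return rows, unparsed

if __name__ == "__main__":
    for row in reduce_auth(SAMPLE)[0]:
        print(row)
```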
  14. TIP #3: ALWAYS HAVE A GOOD STRATEGY
  15. STRATEGY ENABLES RESULTS. Where do I start? What should I look for? What’s my path to improve? Your strategy determines the quality of your results. Choose a strategy that supports your detection goals. Don’t underestimate the importance of good planning!
  16. STRATEGY #1: Make the most of what you already collect. Advantages: you probably already collect at least some data; someone is already familiar with its contents; you may already have some idea of the key questions you want answered. Disadvantages: your ability to ask questions is limited by the available data; external forces have more influence over your results; may confuse “easy” with “effective”.
  17-20. STRATEGY #2: Follow the Kill Chain. Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives. Find attacks already happening; expand the stories you are able to tell; predict attacks before they happen. Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked April 29th, 2015)
  21. TIP #4: ASK LOTS OF QUESTIONS
  22-27. ALL HUNTS START WITH QUESTIONS. What data do I have and what does it “look like”? Is there any lateral movement going on? Is there any data exfiltration going on in my network? Are there any unauthorized users on my VPN? Is anyone misusing their database credentials? Have my users been spearphished?
  28. QUESTIONS BECOME HYPOTHESES (cycle: Hypothesize, Query, Analyze, Revise). “If this activity is going on, it might look like…” That’s your hypothesis! If at first you don’t succeed, reimagine it.
  29. TIP #5: PIVOT… THEN PIVOT AGAIN
  30. ATTACKERS LEAVE TRAILS EVERYWHERE: email logs, endpoint process accounting, HTTP proxy logs, authentication records, filesystem metadata, network session data, database query logs.
  31. DATA DIVERSITY. Leverage different types of data to… reveal relationships, clarify the situation, highlight inconsistencies, tell a complete story.
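The following is an added example (written for this page, not code from the deck or from Sqrrl) that walks one question from slides 22-27 through the cycle of slide 28 and the pivots of slides 30-31. The question is “Have my users been spearphished?”; the hypothesis is “if so, it might look like a user receiving an attachment, a document reader on that user’s host spawning a script interpreter shortly afterwards, and that host then talking to a destination no other host talks to.” The query joins email logs, endpoint process accounting and HTTP proxy logs on user, host and time; the `window` and `max_hosts` parameters are the knobs you turn in the Revise step. All records, hostnames, domains and the reader/interpreter lists are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data); timestamps are UTC.
EMAIL = [  # (ts, recipient, attachment)
    ("2015-04-29T09:00:00", "bob", "invoice.doc"),
    ("2015-04-29T09:10:00", "carol", "agenda.pdf"),
]
PROCS = [  # endpoint process accounting: (ts, host, user, parent, child)
    ("2015-04-29T09:04:10", "WS-BOB", "bob", "winword.exe", "powershell.exe"),
    ("2015-04-29T09:12:00", "WS-CAROL", "carol", "acrord32.exe", "acrord32.exe"),
    ("2015-04-29T10:30:00", "WS-BOB", "bob", "explorer.exe", "cmd.exe"),
]
PROXY = [  # HTTP proxy log: (ts, host, dest_domain, bytes_out)
    ("2015-04-29T09:04:30", "WS-BOB", "updates.example-cdn.test", 812),
    ("2015-04-29T09:04:45", "WS-BOB", "rare-host.example.test", 20480),
    ("2015-04-29T09:13:00", "WS-CAROL", "updates.example-cdn.test", 600),
    ("2015-04-29T09:20:00", "WS-DAVE", "updates.example-cdn.test", 700),
]
READERS = {"winword.exe", "excel.exe", "acrord32.exe"}          # assumed list
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}     # assumed list

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def hunt(email, procs, proxy, window=timedelta(minutes=30), max_hosts=1):
    """Query step. Returns one 'story' per email that satisfies every link of
    the hypothesis; tune window/max_hosts in the Revise step."""
    # Rarity of each destination across the whole proxy log (data reduction).
    dest_hosts = {}
    for _ts, host, dest, _b in proxy:
        dest_hosts.setdefault(dest, set()).add(host)
    stories = []
    for ets, rcpt, attach in email:
        t0 = _t(ets)
        # Pivot 1: email -> endpoint, joined on user, reader spawning interpreter.
        for pts, host, user, parent, child in procs:
            if user != rcpt or parent not in READERS or child not in INTERPRETERS:
                continue
            if not t0 <= _t(pts) <= t0 + window:
                continue
            # Pivot 2: endpoint -> proxy, joined on host, rare destinations only.
            rare = [(d, b) for dts, h, d, b in proxy
                    if h == host and _t(pts) <= _t(dts) <= t0 + window
                    and len(dest_hosts[d]) <= max_hosts]
            if rare:
                stories.append({"user": rcpt, "host": host, "attachment": attach,
                                "spawn": f"{parent} -> {child}", "dests": rare})
    return stories
```

With the defaults only Bob’s chain survives all three pivots; loosening `max_hosts` pulls the shared CDN domain into the story, and tightening `window` to two minutes produces no match, which is the kind of revision the Analyze and Revise steps exist for.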
  32. TOOLSET DIVERSITY: Different techniques, different perspectives.
  33. BONUS TIP: AUTOMATION IS THE KEY TO IMPROVEMENT
  34. (no transcript text on this slide)
  35. CONCLUSION
  36. LET’S REVIEW: Embrace Big Data; Get Your Data Science On; Always Have a Good Strategy; Ask Lots of Questions; Pivot… Then Pivot Again; Automation is the Key to Continuous Improvement.
  37. QUESTIONS? David J. Bianco, dbianco@sqrrl.com, @DavidJBianco