
Back in the Hunt

BSides KC · 2017 · 40:29 · 71 views · Published 2017-07
Category: Technical
Style: Talk
About this talk
Using hunt teams to discover anomalous and malicious behavior
Transcript (en)

princess is up pretty good gonna last in his last pot talk to all the teams and he is actually spawn right going on open us unstructured to pata a lot of the border through the data that's not going to find you gesture you are going to find the breach probably not apply a dictator indicator top five you don't know what's looking for or what you're doing will let you to what data you're collecting right so my talk is going to help hopefully go through so I need a lot of that some I'll be stressing about one teams will worse if anybody's looking to start on latina wanna give a big kiss on what I mean in I should

structure it some of the processes and things go along with that so it's just a sign your who here is that let's go on today the old TT for a trick so assuming threaten you vision a joke you need to do one we're just interested right handful very Munir look like and so forth ought to be outrageous capability alright alright so exemple bees is their toys most are operating like this right so you collect log events information of some sort about what's going on in your environment right you pour that into some sort of system we're now going to do so sort of analysis you know run queries against it maybe it's correlated Jers a lot of attica progression and

then you're going to mess that up again probably known attacks those behaviors that you want to be alert about right so things like hey I want to know when 10 accounts are lost out in a very short order like in a hundred twenty seconds from the network why do you do that because we see behavior like that before and we want to stop that from happening in the future you want to know about it because that happened is like malicious software as trying to enumerate passwords wipe out the blessed account you want to know when that stuff happens right we want to be kind of fluid ahead of it resident getting behind it we're we're getting like 40 calls the health

as they didn't pluck out hand lock down on them so the stock Alice if they validate that the event is a true security incident we do some sort of mediation resolve it over you learn from that we feed back into loop so then where did send me back moving forward in the future and that works somewhat okay right everybody has locked it up we're getting every store someone right but have some challenges so they're great for that simply no attack time so we we do all things for the attackers work or how they're going to work probably to data we can define that put this together you staged whatever you might have a query look for it be

alerted when they have it's great but it's struggle to err on most of behaviour when they are branding input if things are not looking for right so that's where love comes into play the bad guys really do know it's written guides your pen testers so what we're looking for the thought so they're pretty good about being creative in hiding what they do changing altering the behaviors to evade detection see highs are going to look at it so as background I've read away my career in the Marines right with information systems gaya till we had a box and you know one of the first loss of all remember implementing Galah firewall dreams to spottywot and you know it was good we got worried

it for okay help sir so 3 2016 3 nights I went home one begins right when did the bad guys do their stuff will he get it we're looking right at it from 1630 in the afternoon dispensaries next morning we're all begins we have like 24 or 30 hours to go across our network right this year smart right you should go 24 by 7 so you can tend to guys do itself Allegiant that's good so that guy's the game just changed behavior now they're really addicted in with the peak of our traffic right so what are they probably doing there will work in an hour probably come one day of dude the people server things look easy

to when your internet traffic light easy to exfiltrate here if he is the high in the network traffic closer to going on so our genitals are you got a few other challenges in the circle yeah I think this probably gives a good idea on on how good our socks are doing right every probably your visit it's almost like five months to detect malicious behavior or breach on your network and the majority five so it's going to let you know a lot so that's probably not suck it right so you start I mean maybe we can agree to get B it is - fifty - so there's a lot of challenges a lot of it when working

against our socks today in town we know that they're there and share this guy the latest musket and on drums to show their printers the toy house right so in the beak on fire the way to die but if they're right said looks companies that it reached and they know about it reach - they don't know about it pretty much the way to the opposite of every we operated a so this is where thrift hunting comes into play we know that they are probably there we know that they're going to invade our the way that we're searching for them right they're going to put attacks later so they are search pattern if that's where all keeps

kind of keep the playwright's we will start figuring out how we find poisonous or an almost behave as a positive and so with 19 this is whether it's right is correctly looking and analyzing your data that you're collecting figure out methods that are trying to defend your decision may be a fixture of daniel and automated based positive and I feel even worse together with your intelligence team with your sock with the internet response team and let's beam this crate and we're doing two things with a lot right so what is we're shifting where we're looking for each so before we to be kind of way at the far and the streams of data right we had computed Isis very

event being we look for people to eat maybe a firewall denying event we'll go investigate that we got box so it moves further downstream reflect a lot more information we're pretty together known attack patterns verifying those if you know works although investigate instrument whether or not we're actually detect now we're down at the loss right so we got OB computer that's gonna being a coming in and now we're trying to figure out how do we go and find unknown attackers like I said before you know it's just not as the street peered over time just a a guy here's your data Lake you know you're gonna dupe environment to start where is good against it find

stuff is happening that they will never probably ever find you anything because you can just go down the rat hole your query pivot another query the pivot where you used it all day long you probably won't find anything that will be dedicated come anything new we're doing is we're shifting when we look the waitress right so historically we operate kind of here the most free intermediation someone told me about it like a FBI called me as an agency tells you get so does it interest you might want to go check out though we were reached now we got a rainy game work from this point we're over that sauce going to get into the middle where we can leave the dick the

woman in reach as a non programming for home we gave ahead of that I'm doing three breach works life indicator the compromise when there other network prior to data exfiltration if so we come down to the philosophy of Iman and this is kind of live lot on how fun teams should work and why unstructured an O&M team does not work right is that the first time when we find Sophia convene science right the second time we want to automate it and the third time we'll make sure that we can push it down to the low-level analyst to protect it over and over and over again right so I've looked at a diverse sauce we we have a way of

methodology my company's you venture the capability maturity we have no socks today he our sim was the forget grateful as we threw a team in place and while we started finding stuff so the person doesn't work we go home on because that's working for us and things should be good unfortunately we thought that those organizations actually went backwards into capability imagery why is that is if this rule right here is that our officers are fighting stuff and if they find something of interest and I don't have a lot or automated mechanisms you find it over and over again 100 they saw this activity this week that means next week the answer to equity and do some

and the third week respectively new stuff new stuff is still and do I have people do that handset right so what we thought really said that your automation orchestration formation of event you helped you alleviate the workload of the hunters and push that down into sauce so that they can continue find things so whatever lefty would like and 50 that is a probability factor now so these became believed that really actually a much need inhale as their the top is not what you can ounces the monkey doesn't necessary definitely need to be consumers and be aware that and it's very important very key for the hospital to talk about that especially bring up it has detention context of this is you

know when we discover something an indicator colonizers thread through I mean how do we define that that if you're that issue soft with them to find in later iterations that rapid Milwaukee analysis system a network houses timeline analysis so these are have an analytical means without actively skewing our assessment says I think it worked as well security analyst and visualization and probably the most important thing I think that one team should be involved in in every indicator so how many operations really comprises all victim pieces of those functions capabilities they'll pass if you don't they certainly had access to that so that they can validate verify that things are fine animal

so there's three focus areas I like to fly when it comes to you I'd be frightened they operate in brain intelligence a root cause analysis have two honking itself I only pop up to really talk about root cause analysis today but every threat intelligence is important like I said earlier and open the search isn't really going to find you what you're looking for you really need to have some sort of direction you guys understand of what you collect what you're looking for what's important to you from a risk perspective and think about camp I was an attacker and I was going to attack this asset how would I do that knowing what I wanted here today

if you like I don't water today would be enough collection to let these and how can I find that behavior I start looking for and that'll start the threat intelligence so like the most awesome student edge alert is it go ringing alright you have to read some resume right so we're fair is being for the best so when we are operating somewhere property close to one of the guys to think that we're operating far away we're already best parlayed one bad guy thinks that were already closed right word active you haven't think that we're not acting where we are able to attack a lot of the think that we're not waiting for them that's what intelligence about

so it's really allowing us the plan and strategize on our offensive posture based on the things they're doing we want to really eliminate or reduce as much uncertainty as we can through intelligence now can I tell adjustable dip right it's knowing and manipulating the intelligence capability adversary so I don't know if it's probably a lot of these that counter is all the steams anybody do them can I tell you find out entire sector rather than private sector I know the military does to click the NSA CIA this years to do that bright silk and one bank that works kind of in this area but there's ever a few that if you cyber or counter intelligence rather so that gives into

the hongting and how do we know so this is the problem right we've got the needle and Hayden back we got a ton of data we're collecting it and we need to weigh a structured way to go through and find attack patterns happening around so what comes on a straight line you want to want I think this - we've been doing it I consider that we have the structured approach right we add analytical questions about the theater we have where we have expected outcome right and then we go and establish the hypothesis and search for those indicators do the one is substructures and this really comes when you're that add this is not open hunting right but the structuring

really comes where we are looking at dataset without necessarily expected outcome but we're doing with the security focus and this is were things like behavior analysis comes into play right where we drew on a nation we can look at process and over a given amount of time determine what's expected behavior right so we could look at things like they a clerk's an Accounts Payable works the count stable will active probably in Texas students receive 1015 after the thief type of data as one another right so we can compare the Hubert we know that probably will all have authorization or financial transactions so we can face by the next day and their behaviors when Stalin does

something different like a maybe all the clips an account payable will approve purchase orders for payment of specific dollars nominal so we see once it comes in three for two hundred thousand dollars while that policy that might have been allowed but by practice it doesn't only happens that's something we want to go bhisma key which so we had a big neuter pattern that we can look at and say hey this was not normal we could go figure out and see if this was bullishness in fact or not and again don't let it worse feel that vulgar interesting but only one really fine speeches cost over 20 so there are five processes that I can follow or think of

it comes to structure honey right first we start with a little query so we develop a question you think about we have their data that we can obtain what is that we're looking for nearby sam'l a lot of I think of they are very suspicious processes running on may be and of course sir these guys are credit card service you can clip it in yes we can collect early information of all processes that are running and then we can figure out the analytics there's something running that shouldn't be running something that's unexpected that system so the next there is now a graph of this by opposite together is we want to oscillate gets together and make its weight in a way so

that the analytical tools and investigate I'm looking so for example retrieve the province creation events for the last 90 days for all easy I systems make dem economy we've got about it if you want to know something this weird it will nether the collective is filled in the data at the last 90 days nice to see what's up Nexus visualization so human line is great at looking at a visual and understanding right machines can't like you have different queries that give you also a mathematical analysis but you know the pictures of thousand words same means really really being lottery we can look at something and automatically all schools and tediously speed patterns see something that's out

of normal penny hospitalization use less so that's important right so select the visualization that's going to get you the data presented in a way that's going to help you find out the answers to the question that you have right so for example we want to try to process event to the right to grab the nineties worth what the best visualization figure out what possibly that our life maybe it could be a bar graph that the entire line graph to be a graph those processes right if instances those right so you're sort of visualization and Creek data and then hopefully we've got some sort of animal conclusion of a deliver the data we visualize it we've poured into the

deeper with that again we started find things that are interesting for us so example the conclusion there that maybe we balance data put a constellation chart together we found a couple of processes that were running there were right on any other systems so part of our baseline service espy award things that just were anomalous I'm not there before remember this wasn't it was not at open hunt this was sitting down and thinking through what dx11 what's important to be I systems how can I look at easy I didn't see if they're indicators a cop - well hey when you look at the processes that are running because because I hate people want to throw malicious software on

there but there's something different about that machine we would want to know that we can pull it in right you don't have necessarily a use case build on this but we certainly to build on teams go look at this now I can put still the use case today I want to look for new processes that stood up against these systems perhaps so how do we start well hopefully you know you have to boil the oceans when I start pretty easy any results that he do what you can with what you have where you are you doing so so maybe you are collecting loss and put it into a sort of lock elections something any query against that can you

extract that if you have access to excel you can excel the great tool for video pleading data opening something big visualizations of things right can use your quizzes and do Excel and ready query those two pretty easy thing to do you don't need you know things like Vertica or maybe even help and get started with relatives so you want to start small and easy so the did you have you can make this state in a small right leftover sided super example my last example where your feedback systems well to write out event logs go back twelve fourteen fourteen months the week seven a subset of 90 days to be we consolidate our hypothesis right we validate hypothesis only go

back further right but it's easy convenient way to work with 1980 fortieth much as it is to do a years what's a difference right so do your prototype data we can leave the dataset smaller we can work this will be happenings like itself if you stand with your tactic now you can sample the data to be aware of something called biasing say we know it's data by Athena you put away for his money

there were like five oh right there's my first Alliance yeah we're looking for gain and they have something that's their way by you can also happen in sampling where if we are taking my say ninety days with the data but of a I lost thirty plus with the data a while that is way too much no relook at it in one of the increments marketing average might be an anomaly has fifty two data points to work with 100 resilient thousand data points or with but in doing that they is the data you may have eliminated some of the capabilities routine to drill down into more detail on that gave us data biasing olive oil is stupid like a Star Trek

reference right so temperature I favor guy who's green Explorer this is rated eight-six Third Reich's ran white so they were explorers trying to explore the unknown but even explorers e to the plane to start the direction to go okay so again this is reinforce the openness in the work open exploring doesn't work you still the same angenette star that's we're going to add a starter exploration Peter Pan huh well he's a very in our living eye on this movie are we satisfied by hand by alright so exploring you know you need some direction right so they just scenarios within the baby or electric that beam all right you're not going to bluntly ocean so you're collecting some

information think about people how the day is work you know Hale will get a fourth gift for its own force kata for interesting courses running Arthur L data it's we even their work statements that should be happening right do I have things happening to my freezers that they look like Prince trashes right so just really cool on the black ass if I were that guy now online network already how does how high and work within a network to not trigger suspicion that's where you know husband Tempe is different from structure country is active we are putting together hypothesis based on our thoughts about the data of the information we're protecting the system protecting the rim

in our environment and trying to figure out how do we find behavior that's happening outside the scope of what we're looking for which creative or brainstorming exercise anybody the name like this before this is actually pretty similar habit of the sock right we're going to put your youth teacher my absence or workshop there any we're going to go a bad guy we want to detect stuff in our block what what kind of behaviour what kind of scenarios picture together a lot agreed to look at that right so great bring some exercise first in the thought as well as in the threatening your and this is where we get some of the kind of you know upper stuff of the

stock rate so you're in the math and why do I have to give away so those who stick around in you cannot give away so don't leave because I'll start talking about that data visualization stuff but anything like anything specific to college high school and put this me to bring back bad memories I'm sorry I apologize for that right but the team you know my mighty point is people forget hunting with you the gate advisor and that can work but my thought is that really gonna have a security mindset so I'd rather take security full of the security mindset and trainer on theater practice of a to education then do the other way around but they feel

even openings like you know the need and be in some accident and cinnamon points and standard deviation those are all I think important we started manipulating gate and visual items for geography was there the llama wasn't read all of process behavior terms right so anybody who's Ian bus behaviour I know I have for that but anybody Express the Express use the pretty heavily right so process behavior chart really a payment in understand it posit the hassles over time right and journey within their process is nothing that virtually exactly the process what profits will behave their grading systems manner however with names go awry when something happens to that process we want to be aware of it right

with maybe something breaks down was the operation correctly we could use some fructose analysis to figure out hey the cause hitting this time to exceed the normal threshold of this particular process right so the process behavior would usually put stuff like there's a part of speed but you've got standard deviations one two and three right put the outside and you can see that I've got points that are outside of my third standard deviation so I would want to go and look at that now what I didn't do is I should actually put a term up here I've let the real office look like if you just stand out the pot that data points that you have you will never find

those points that are outside of problems right into the nib relation that's really that into a process behavior chart using deviation earnings is when you get a fine points like that to come out and I really really like writing here my work with the ribs are there right so there's a lot of ways you visually to talk before if I hate we put in your offices and collected the data now you've got a question in your mind how do I figure this well there's a lot of different options so you may start with one if they not get you're wearing a be bigoted for visualization but the idea is you want a visualization that hopefully will support your by

hypothesis right so how many instances of this happened over time whereas a pretty much the time graphs right so we can do at the time graph you have air box laugh and scatter plots we used two examples of how looking with visualizations work right so here's one it's not on file updates right so looking at timestamps on file usually file pod systems servers and points etc get updated and on a regular basis or on a scheduled basis right so we're going to look at a graph the left-hand sides that they were take our data and put it over time and figure you know for me two times the politic later the first one to admit to me that on Tuesday midnight we

do push the system updates to our endpoints on our servers so they're the past an update whatever right but we've got another bucket Amida's earth they're all the times when files been updated we were known as what happened okay so I did one personalization found something interesting analysis now one hot okay so that is let's look at the clusters and be in there if there's anything that's interesting in there saying here we got a cluster of three that looks so official looks a little bit different from us right these things is not like the other rates SST speeders of them so I mean yeah hey we found a profile through our month and now we like that turnaround

day okay how do we save in activity that way speed and feud and now turn it into you a use case for something that are soft and look for in the future be employment so another example another favor right is what is an integer so how many people have end users who should be clearing of that law under systems and my real answers right before happens you want to know why is that not normal behavior and so we went at it outright so on the left hand side and that's hidden to hide them looking at windows of it clearing loss over time average by week remember I talked about life being a lot of graph is actually removing the

weekly average can we even play so why I mean it's you the first instance we will never see a site a cookie backs the defeat of the who asked events by a beat this other one we address them by our but that's really careful biting if you do Holly well you know why evening five-minute events Layar have a lot of data points i still Fritsche doesn't handle that much how can i reduce some of that well just go anywhere you need it by rivets into that he made the columns with the print so we see his wife explode the clusters and I wish to express that you know stopped I was interesting in in the end pay the pike

with the winner who was in because the average by are with spike now so probably when we were the average and to go figure out was a deafening in here with a denominator with mostly directed is lose out as the chain of operations to figure out what that this was really been enough this is what I favorite graphs this is looking at there were four activity over time so this is where if you have access to a big data and where you can consume a whole bunch of information right so these are packed supports zero to sixty five thousand on left hand side and across the bottom is time right so this is every time that we've seen a a packet

of data across your network in a port on a bar but a lot of data in this graph right you select ok we'll put the hit that says right force overtime each data point represents a hit the current support the Gulf of course is a well color-coded by IP so visually we're starting to see some stuff in this graph that may be machine learning or queries not going to get out right so you can see otherwise that the happen no cross certain subject every color divided these are all the same we can be no certain traffic right you can see and there's a part of state if you're normally on this graph sizzle there at resolution is even 480 traffic

going across or portrait reason so that we're kind of expect well up a little slope right anybody did in here so over time where it was like lightning and I think this is like a six month gap right over time we thought community moving across different force low is low visually we can see this now but it's very difficult challenging to do to figure this out in the correlation effort in your sock in your set point so now we look into this together figure out okay how do we detect this over time right there's the doesn't want swear this was a little easier to see because of the IP addresses irelia see I've seen another one to take

months to go through like 300 ports and each dot IP addresses or April is different only be looking nothing like the 50,000th of UTC that we will you know close real-time the coordinating stuff after the last of ours they're going to be the tackle so like always the in terms of email process technology and now business the lightly practice this risk so when we create on to you if you here's the theorem 42 let me consider it right so people this is going to change you know over time right but I've seen uh schemes that are pretty successful and get two to six great analyst operating processes obviously you could have to find local

offices because if you just need to tell people or we know one guys they here's the data your salon careers you know a big database altitude with the data to have edit you know something that I mean when you found something interesting you probably spent all time just pouring to data and reiterating you're reading and not find a lot of stuff right so the process is if you a structure with which to operate for your hot tea right how do we have a brainstorming exercises with hot in stock the stocks or insult team the figure out what kind of intelligence what they collecting on if they're happening out there flip behaviors of the bad guys doing with indicating a

column I should be aware else throw that into the brain stroking Africa figure out it was it supervision how do we now search this vehicle hypothesis that we freeze drum together that we want to go look for technology and they fit yell start with what you have Excel is a great place to start being productive when you get into you know real big-time for money make up things like in you know table you know convert database of the top of your fat but you don't need that to start with now health works great as well for a thrill me from did this perspective you understand the risk tolerance the misbehavior you know what are you concerned about

from your business perspective of protecting right so these are most risky to us a lot of the probably monitoring that they're also probably high pockets of attacks with backpacks that are going to be crushed networking on tactless as well so how do we manage that how do we have things like career progression for our race analysis right so they want a fat board to move on how to get the oil massage or to get people a team where they go for the hunt seen up to the kind of finish their time they're waiting for some student either you go on doing now or in houses things like that so those are always important aspects to consider

when you're going to get excuse me you're hunting and your security hours so the competencies again remember I said the kind of tree will be the competency so the threaded syllabus as being every cost analysis so money is why folks to their writings around looking at the data understand what you collect understand 12.2 you brainstorming and coming up with hypothesis on what to search for so don't go over honey please of you that use a structure muttering approach do we do muster 200 make sure that you're doing on Sturken arranged in a way that is proven through Hamlet right it's like behavior analytics reviewing your process behavior turns just process behavior chart in a structural team letter followed by as

far as I would be relevant scripture hundreds column something interesting well now I thought that something interesting though I often saw that why do I have a spike my process behaviors what's going on there okay now we can take a hypothesis that these strokes you're hunting to go figure out this is really something that's now is delicious and almost on and write the questions about the pinna threatening crisp lab so I guess Ellen

I'll bet you the automated I'll bet saw 550 guilty for automation to take over yeah I think the automations got a very important piece to this right in two ways one of the many automation is critical for teaching the things you find it upbeat and finding it over and over and over again right however we find behavior I mean if I you know that guy Paul doesn't figure out what I'm doing I want change the behavior right Pacific what were searching for is constantly changing so automation would be good automation you help us do things like behavior holidays right where you look at the Ebers over time but even then that's got a challenge right

there's life and that's you right if I've got malicious behavior going in as part of my normal behavior that I'm try to be mine I just bake my foolish baby right so I only automation is a great appease the key is all in offices got to be human interaction in some place growth and validity survive definitely want to be there an increase in activity and ever stated as good as they alive beautiful

entiendes yes the question is the qualifying right that person if you wanted that particular limiting or work with journalists used to try to defend an analysis well if you use by the nozzle absolutely right system start start with what you have but you're going to be aware of where by it's may happen right so looking at our stated that obviously I'm trying to include it to excel Ravens Duty is something being in my tableau it takes a lot of processing power to process a lot of data points particularly when there's a lot of cardinality the cardinality being theme I get a column unique instances of that right so although Holly might be one that is gender male female the students

all use I could have a bazillion rope so that my cardinality to be very very low a baby user ID cardinality this could be very high these infants is going to be unique right so everywhere cardinality and be aware to by is people get at the data right so if I think if data have something or average it you're introducing bias is going to be aware of where that bias may be so I do how you avoid bias do you things like maybe break it off right so I said oh hi of a key by day or by hour but know that average by day wanna go and look at individual days by hour to eliminate

that by still is there he'll correct so I accumulate you know these are it as a Windows tablet would you really want it but yes I love you do it let's just have a huge room of April boxes our contest will be M gel one for standing so easy enough by your even if yeah because I know everybody here wants to win ischemic right so my ex's little top notch boxes Rock Paper Scissors go right sorry for you
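The talk describes two things a hunt team does with collected data: plotting a process behavior chart with mean and one, two and three standard-deviation bands and treating the points outside the third band as leads, and, in the closing question, being aware that averaging the data by day or by week can hide a spike that is obvious by hour. The following Python is an added example written for this page, not code from the speaker or from BSides KC; the hourly process-creation counts are constructed, the injected burst (120 events at 03:00 on a weekday) is constructed, and the function names are this example's own. It computes the chart limits over the hourly series, returns the indices outside them, and then shows that the same limits applied to daily averages of the same data return nothing.

```python
"""Process behavior chart (mean +/- 3 sigma) over hourly process-creation
counts, and why averaging the same data by day hides the anomaly.
Added example; all data here are constructed, not from the talk."""
from statistics import mean, pstdev

HOURS_PER_DAY = 24
DAYS = 28
# Constructed anomaly: day 16 is a weekday (16 % 7 == 2), hour 03:00.
ANOMALY_DAY, ANOMALY_HOUR = 16, 3
ANOMALY_INDEX = ANOMALY_DAY * HOURS_PER_DAY + ANOMALY_HOUR


def constructed_hourly_counts():
    """Constructed count of process-creation events per hour on one server:
    about 40/h during business hours on weekdays, about 10/h otherwise, with a
    small deterministic jitter, plus one injected burst of 120 events."""
    counts = []
    for day in range(DAYS):
        weekday = day % 7 < 5
        for hour in range(HOURS_PER_DAY):
            base = 40 if (weekday and 8 <= hour < 18) else 10
            jitter = (day * 7 + hour * 3) % 5  # deterministic 0..4
            counts.append(base + jitter)
    counts[ANOMALY_INDEX] = 120  # the unexpected burst the hunter wants to see
    return counts


def control_limits(series, sigmas=3):
    """Centre line and lower/upper limits of a process behavior chart.
    Population standard deviation is used because the series is the whole
    window being charted, not a sample of it."""
    centre = mean(series)
    spread = pstdev(series)
    return centre, centre - sigmas * spread, centre + sigmas * spread


def outside_limits(series, sigmas=3):
    """Indices of points beyond the +/- sigmas band: the hunt leads."""
    _, low, high = control_limits(series, sigmas)
    return [i for i, v in enumerate(series) if v < low or v > high]


def daily_averages(hourly):
    """Average the hourly series by day (the aggregation that introduces bias)."""
    days = len(hourly) // HOURS_PER_DAY
    return [mean(hourly[d * HOURS_PER_DAY:(d + 1) * HOURS_PER_DAY])
            for d in range(days)]


def hunt_leads():
    """Run the chart over hourly data and over daily averages of the same data."""
    hourly = constructed_hourly_counts()
    return {
        "hourly_leads": outside_limits(hourly),
        "daily_leads": outside_limits(daily_averages(hourly)),
    }


if __name__ == "__main__":
    leads = hunt_leads()
    hourly = constructed_hourly_counts()
    centre, low, high = control_limits(hourly)
    print(f"hourly chart: centre={centre:.1f} limits=({low:.1f}, {high:.1f})")
    for i in leads["hourly_leads"]:
        print(f"  lead at day {i // HOURS_PER_DAY} hour {i % HOURS_PER_DAY:02d}: "
              f"{hourly[i]} events")
    print(f"daily-average chart leads: {leads['daily_leads']}")
```

The hourly chart flags exactly the injected burst, because 120 events sit well above the upper limit while the busiest normal hour (44 events) does not. The daily-average chart flags nothing: the burst adds roughly 100 events to a day that already has about 590, which moves that day's mean from about 24.5 to about 29, still inside its own three-sigma band. That is the bias the closing answer warns about, and the fix it suggests is the same one shown here: once a day or week looks odd, go back to the finer-grained series rather than trusting the average.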
