Strata 2015 Presentation -- Detecting Lateral Movement
•Download as PPTX, PDF•
1 like•1,910 views
Presentation given at Strata 2015 at San Jose
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Strata 2015 Presentation -- Detecting Lateral Movement
Similar to Strata 2015 Presentation -- Detecting Lateral Movement (20)
Recently uploaded
Recently uploaded (20)
Strata 2015 Presentation -- Detecting Lateral Movement
- 7. Problems sensors/detections Ranking
- 9. What is Lateral Movement? Source: Pass-the-Hash Mitigation
- 10. Why is this Important?
- 11. Why is this difficult?
- 12. Problem # 1 - Independent Alert Streams
- 13. Problem #2: Burden of triage Attacks are complex. Need more detections! So, Now I have to triage all of them?
- 14. Problem #3: Feedback not captured
- 15. Problem 4: Interpretability of alerts
- 17. Windows Security Events Data On average, an online service in O365 produces 30 billion sessions/day; 82 TB/day Data: Sequences of Windows security event IDs from user sessions • Examples: User logs into machine, process start, credential switch, etc. • 367 unique security event IDs
- 18. - We built separate models to detect our goal of compromised account/machines - The models, independently assess if the account is acting suspiciously
- 19. probability of logging sequences of events credential elevation auto-generated
- 20. . 𝑃1 𝑃2 𝑃𝑑 𝑃1(𝑥) … 𝑃2(𝑥) 𝑃𝑑(𝑥) . . 𝑥Session 𝑤1 𝑤2 𝑤 𝑑 Combined Score
- 22. Burges, Chris, et al. "Learning to rank using gradient descent.” 2005.
- 23. 𝑃1 𝑃2 𝑃𝑑 𝑃1(𝑚) …𝑃2(𝑚) 𝑃𝑑(𝑚) m 𝑃1 𝑃2 𝑃𝑑 𝑃1(𝑏) …𝑃2(𝑏) 𝑃𝑑(𝑏) bPm>b … 𝑤1 𝑤2 𝑤 𝑑
- 24. Putting it together . 𝑃1 𝑃2 𝑃𝑑 −𝑙𝑜𝑔𝑃1(𝑥) … −𝑙𝑜𝑔𝑃2(𝑥) −𝑙𝑜𝑔𝑃𝑑(𝑥) . . 𝑥Session 𝑤1 𝑤2 𝑤 𝑑 Rank Score = 𝑤 𝑇 𝑃
- 25. Testing the system • Wargame with the red team • Blind experiment • 8 out of 12 top-ranked sessions on day 1 among ~28 billion sessions are pen testers, precision at 12 is 96%
- 26. …𝑤′1 𝑤′2 𝑤′ 𝑑
- 27. Alert Score Weights Higher Weight, more contributing factor to alert Tells the user, what is probable cause of the alert
- 28. extensible
- 30. Reality Constantly changing environment… ….but you can account for it during training and adding metadata In the beginning, there will be false positives… ….but you will reduce your attack surface No labelled data… ….but you can get away with a good red team
- 32. Takeaways Combine alert streams Make your alerts interpretable Capture feedback and close the last mile Check out ranking algorithms – they are powerful!
Editor's Notes
- Lateral movem
- “After the lateral stage, attackers are now virtually undetected by traditional security methods” - Connecting APT Dots1 [1] http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf
- Single detections… rarely indicate security-interest Malware detected….what next? Suspicious process launched…what next? Unusual logins…what next?
- -> O365 has 150 detections in the pipeline; ArcSight has 100 or so detections that come out of the box. N detections, k top alerts surfaced = N*k alerts for the analyst to triage
- Hand written rules, they might be useful volume of the alerts. Interpretable - rules might be more interpretable. Be interpretable but also have low noise.
- Classification probably isn’t the right way to think about approaching ad hoc IR: Classification problems: Map to a unordered set of classes Regression problems: Map to a real value Ordinal regression problems: Map to an ordered set of classes A fairly obscure sub-branch of statistics, but what we want here This formulation gives extra power: Relations between relevance levels are modeled Documents are good versus other documents for query given collection; not an absolute scale of goodness
- - Story about Heartbleed
- http://oinkcorp:8083/# http://oinkcorp:8083/Sleuth/85f80845-9b0f-4624-b810-610c7ce122a9/6a407f64-42d0-4623-ba02-3b5371713dea
- - Story about Heartbleed