Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Toppling the Stack: Practical Outlier Detection for Threat Hunters

David J. Bianco
April 18, 2017
Technology
2
1.5k

Toppling the Stack: Practical Outlier Detection for Threat Hunters

As presented at the SANS Threat Hunting and Incident Response Summit 2017.

So much of what we do as hunters is based on finding oddballs, but most published hunt procedures seem to rely on a single method: stack counting. In this session, we’ll examine a few other ways of finding outliers in your data, with samples and use cases for each.

David J. Bianco

April 18, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
20
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
37
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
230
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
940
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
130
オーナーシップを持つ領域を明確にする
konifar
13
3.2k
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
Cracking the KubeCon CfP
inductor
2
250
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
JSON攻略法.pdf
miyakemito
8
5.1k
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
150
MapLibreとAmazon Location Service
dayjournal
1
160
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
320
データベース02: データベースの概念
trycycle
0
160

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Done Done
chrislema
178
15k
Infographics Made Easy
chrislema
238
18k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Visualization
eitanlees
136
14k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k
How to Ace a Technical Interview
jacobian
272
22k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Code Reviewing Like a Champion
maltzj
514
39k
Git: the NoSQL Database
bkeepers
PRO
422
63k

Transcript

  1. None

  2. ... okay, but because you said that, we’re breaking up.

    https://xkcd.com/539

  3. Least-Commonly Accessed Files Dataset: CERT/CC Insider Threat Dataset, http://www.cert.org/insider-threat/tools/

  4. SQL SELECT cs_user_agent, count(*) as cnt FROM proxy WHERE […]

    GROUP BY cs_user_agent ORDER BY cnt ASC LIMIT 100 Splunk index=proxy method=POST status=200 | stats count by cs_user_agent | sort +count | head 100 Python # Using the ‘pandas’ module and DataFrames print proxy_df.value_counts(by=“cs_user_agent”, sort=True, ascending=True).head(100)

  5. • • • • • • • “I’ve never seen

    this service on any of my 100,000+ systems before. That’s pretty suspicious.”

  6. http://skepdic.com/graphics/elvistoast.jpg

  7. None

  8. trace = go.Scattergl( x=points_x, y=points_y, mode='markers' ) data = [trace]

    pyo.iplot(dict(data=data)) Basic scatter plot: <= 6 LOC

  9. • • • • • • “Most users don’t change

    upload habits often, so benign activity should fall close to the ‘no change’ trend line.”
  10. None

  11. data = [ go.Box( y=shells["command_line_length"], boxpoints='all’ ) ] layout =

    go.Layout( title="Command Line Lengths for Shell Processes" ) pyo.iplot(dict(data=data, layout=layout)) Basic box plot: <= 7 LOC

  12. • • • • • “I have no idea what’s

    normal for this column of numbers, let alone whether there are any outliers.”

  13. You have to be careful doing this. Sometimes, when you

    push the whisker down, dynamite explodes. https://xkcd.com/1798

  14. A form of unsupervised machine learning. Iteratively split dataset on

    random dimensions and their values until you can’t split anymore. This is a “tree”. Do this several times to grow the tree into a “forest”. Average depth across all trees for each point reflects “outlierness”. http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf

  15. https://github.com/DavidJBianco/Clearcut

  16. • • • • • “Which of these HTTP log

    entries are most unlike the others?”

  17. When it comes to outlier detection, you’ve got options. Don’t

    be afraid to play around a bit and see what works best for you!

  18. “ ”