Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Toppling the Stack: Practical Outlier Detection...

David J. Bianco
April 18, 2017
Technology
2
1.6k

Toppling the Stack: Practical Outlier Detection for Threat Hunters

As presented at the SANS Threat Hunting and Incident Response Summit 2017.

So much of what we do as hunters is based on finding oddballs, but most published hunt procedures seem to rely on a single method: stack counting. In this session, we’ll examine a few other ways of finding outliers in your data, with samples and use cases for each.

David J. Bianco

April 18, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
40
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
200
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
67
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
300
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
970
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
390
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
280

Other Decks in Technology

See All in Technology
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
250
re:Invent をおうちで楽しんでみた ~CloudWatch のオブザーバビリティ機能がスゴい!/ Enjoyed AWS re:Invent from Home and CloudWatch Observability Feature is Amazing!
yuj1osm
0
120
MLOps の現場から
asei
6
630
LINEヤフーのフロントエンド組織・体制の紹介【24年12月】
lycorp_recruit_jp
0
530
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
12
3.4k
AWS re:Invent 2024で発表された コードを書く開発者向け機能について
maruto
0
180
私なりのAIのご紹介 [2024年版]
qt_luigi
1
120
TSKaigi 2024 の登壇から広がったコミュニティ活動について
tsukuha
0
160
オプトインカメラ:UWB測位を応用したオプトイン型のカメラ計測
matthewlujp
0
170
20241214_WACATE2024冬_テスト設計技法をチョット俯瞰してみよう
kzsuzuki
3
440
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
370
非機能品質を作り込むための実践アーキテクチャ
knih
3
720

Featured

See All Featured
How to Think Like a Performance Engineer
csswizardry
22
1.2k
Building an army of robots
kneath
302
44k
Embracing the Ebb and Flow
colly
84
4.5k
What's in a price? How to price your products and services
michaelherold
243
12k
Scaling GitHub
holman
458
140k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Statistics for Hackers
jakevdp
796
220k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
28
4.3k
Thoughts on Productivity
jonyablonski
67
4.4k

Transcript

  1. None

  2. ... okay, but because you said that, we’re breaking up.

    https://xkcd.com/539

  3. Least-Commonly Accessed Files Dataset: CERT/CC Insider Threat Dataset, http://www.cert.org/insider-threat/tools/

  4. SQL SELECT cs_user_agent, count(*) as cnt FROM proxy WHERE […]

    GROUP BY cs_user_agent ORDER BY cnt ASC LIMIT 100 Splunk index=proxy method=POST status=200 | stats count by cs_user_agent | sort +count | head 100 Python # Using the ‘pandas’ module and DataFrames print proxy_df.value_counts(by=“cs_user_agent”, sort=True, ascending=True).head(100)

  5. • • • • • • • “I’ve never seen

    this service on any of my 100,000+ systems before. That’s pretty suspicious.”

  6. http://skepdic.com/graphics/elvistoast.jpg

  7. None

  8. trace = go.Scattergl( x=points_x, y=points_y, mode='markers' ) data = [trace]

    pyo.iplot(dict(data=data)) Basic scatter plot: <= 6 LOC

  9. • • • • • • “Most users don’t change

    upload habits often, so benign activity should fall close to the ‘no change’ trend line.”
  10. None

  11. data = [ go.Box( y=shells["command_line_length"], boxpoints='all’ ) ] layout =

    go.Layout( title="Command Line Lengths for Shell Processes" ) pyo.iplot(dict(data=data, layout=layout)) Basic box plot: <= 7 LOC

  12. • • • • • “I have no idea what’s

    normal for this column of numbers, let alone whether there are any outliers.”

  13. You have to be careful doing this. Sometimes, when you

    push the whisker down, dynamite explodes. https://xkcd.com/1798

  14. A form of unsupervised machine learning. Iteratively split dataset on

    random dimensions and their values until you can’t split anymore. This is a “tree”. Do this several times to grow the tree into a “forest”. Average depth across all trees for each point reflects “outlierness”. http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf

  15. https://github.com/DavidJBianco/Clearcut

  16. • • • • • “Which of these HTTP log

    entries are most unlike the others?”

  17. When it comes to outlier detection, you’ve got options. Don’t

    be afraid to play around a bit and see what works best for you!

  18. “ ”