$30 off During Our Annual Pro Sale. View Details »

Toppling the Stack: Practical Outlier Detection for Threat Hunters

David J. Bianco
April 28, 2017
Technology
2
500

Toppling the Stack: Practical Outlier Detection for Threat Hunters

[As presented at x33fcon 2017 (x33fcon.com)]

David J. Bianco

April 28, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
11
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
150
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
25
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
200
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
37
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
920
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
350
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260

Other Decks in Technology

See All in Technology
20年以上続くサービスの 管理画面リプレイスを行いながら 技術的負債と向き合った話
radkmb
0
2.1k
CSSパフォーマンスに関する計測結果
poteboy
3
1.1k
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.1k
なぜ
リアーキテクティング専任チームを作ったのか
kei_s
PRO
2
990
ソフトウェアの内部品質に生じる様々な問題は組織設計にその原因があることも多い / Internal Quality Issues Caused by Organizational Design
mtx2s
108
44k
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
400
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
880
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
4
2.7k
visionOSについてGlobeeが取り組んでいること
toshi0383
0
230
つくばチャレンジ2023EX with PLATEAU@つくばセンター広場課題コース
tsukubachallenge
0
480
デザインシステム仕切り直し
chloe463
1
1.7k
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
140

Featured

See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
Optimizing for Happiness
mojombo
368
68k
Rebuilding a faster, lazier Slack
samanthasiow
71
7.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
Building Effective Engineering Teams - LeadDev
addyosmani
22
1.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Six Lessons from altMBA
skipperchong
18
2.7k
RailsConf 2023
tenderlove
0
350
What's new in Ruby 2.0
geeforr
336
30k

Transcript

  1. View Slide



  2. THE BLUE TEAM EDITION

    View Slide



  3. THE RED TEAM EDITION

    View Slide

  4. ... okay, but because you said that, we’re breaking up.
    https://xkcd.com/539

    View Slide

  5. View Slide

  6. Least-Commonly Accessed Files
    Dataset: CERT/CC Insider Threat Dataset,
    http://www.cert.org/insider-threat/tools/

    View Slide

  7. SQL
    SELECT cs_user_agent, count(*) as cnt FROM proxy WHERE […] GROUP
    BY cs_user_agent ORDER BY cnt ASC LIMIT 100
    Splunk
    index=proxy method=POST status=200 | stats count by cs_user_agent
    | sort +count | head 100
    Python
    # Using the ‘pandas’ module and DataFrames
    print proxy_df.value_counts(by=“cs_user_agent”, sort=True,
    ascending=True).head(100)

    View Slide








  8. “I’ve never seen this service on any of my 100,000+ systems
    before. That’s pretty suspicious.”

    View Slide

  9. http://skepdic.com/graphics/elvistoast.jpg

    View Slide

  10. View Slide

  11. import plotly.offline as pyo
    trace = go.Scattergl(
    x=points_x,
    y=points_y,
    mode='markers'
    )
    data = [trace]
    pyo.iplot(dict(data=data))
    Basic scatter plot: <= 6 LOC

    View Slide







  12. “Most users don’t change upload habits often, so benign
    activity should fall close to the ‘no change’ trend line.”

    View Slide

  13. View Slide

  14. import plotly.offline as pyo
    data = [
    go.Box(
    y=shells["command_line_length"],
    boxpoints='all’
    )
    ]
    layout = go.Layout(
    title="Command Line Lengths for Shell Processes"
    )
    pyo.iplot(dict(data=data, layout=layout))
    Basic box plot: <= 7 LOC

    View Slide






  15. “I have no idea what’s normal for this column of numbers,
    let alone whether there are any outliers.”

    View Slide

  16. You have to be careful doing this. Sometimes, when you push the whisker down, dynamite
    explodes.
    https://xkcd.com/1798

    View Slide

  17. A form of unsupervised
    machine learning.
    Iteratively split dataset on
    random dimensions and
    their values until you can’t
    split anymore. This is a
    “tree”.
    Do this several times to grow
    the tree into a “forest”.
    Average depth across all
    trees for each point reflects
    “outlierness”.
    http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf

    View Slide

  18. https://github.com/DavidJBianco/Clearcut

    View Slide






  19. “Which of these HTTP log entries are most unlike the
    others?”

    View Slide

  20. When it comes to outlier
    detection, you’ve got
    options.
    Don’t be afraid to play
    around a bit and see
    what works best for you!

    View Slide



  21. View Slide