SPO1-T07 Accelerate and Simplify Incident Response with Security Automation

2020-03-01 58 views

  • 1. SESSION ID: SPO1-T07 Accelerate and Simplify Incident Response with Security Automation. Nick Bilogorskiy, Cybersecurity Strategist, Juniper Networks (@belogor) #RSAC
  • 2. Agenda
    – Advanced Threats TTPs
    – Modern SOC Problems
    – Machine Learning Demystified
    – Automation of Incident Response
    – Questions
  • 3. Trends: Passwords are the New Exploits
    – 32% of hackers say accessing privileged accounts is the fastest way to hack.
    – 81% of breaches leveraged stolen or weak passwords.
    – Brute forcing a website with a set of stolen passwords is called credential stuffing.
  • 4. Trends: Attacks on 2-factor authentication
    – SIM swapping is tricking a mobile provider into moving the victim’s phone number to another SIM card that is controlled by the attacker.
  • 5. Trends: Software Supply Chain attacks
    – Supply chain attacks surged 200% in 2017.
    – 42% of companies had a data breach caused by cyber attacks against third parties.
    – Two thirds (66 percent) grant privileged account access to third-party partners, contractors or vendors.
  • 6. Trends: Attack automation and packaging
  • 7. Modern SOC problems
    – Alerts overload
    – Staffing challenges
    – Complexity
    – Threats evolving faster than defenses
  • 8. “Assume Breach”
  • 9. Machine Learning Demystified
  • 10. Hype vs. Reality: The Hype
  • 11. Hype vs. Reality: Reality
    – Data, numerical software, high performance computing
    – Prediction, classification, pattern discovery
  • 12. Security Applications. Given information about a file or event, answer:
    – Is a file or event malicious? (Yes, No)
    – If malicious, what type of malware is it? (Trojan, Worm, Adware, etc.)
    – How can I quantify the risk of the attack? (High, Medium, Low)
  • 13. Traditional Approaches to Threat Detection
    – 1. Static: packer, file type, file size, code obfuscation. Detection by checksum match and static property signatures. Fast but lacking coverage of the newest samples (see WannaCry, for example).
    – 2. Reputation: crowdsourcing multiple detection engines (VirusTotal); combine detections based on file hash. Good coverage but detection lags due to the nature of crowdsourcing; feedback effects (vendors alter detection based on VT data).
    – 3. Behavioral: log behavior from sandboxing (file creation, CnC activity, etc.); manually create “behavioral signatures”; naïve Bayesian score based on signatures. Can detect unknown samples but takes time (1-10 minutes).
  • 14. Benefits of ML Applied to Behavioral Detection
    – Can detect malware using indirect indicators. An IOC (indicator of compromise) is an action only taken by malware; an indirect IOC is an action that is not necessarily malicious (i.e. looking in a window vs. breaking a window).
    – Indirect indicators are difficult to disguise: relative frequency of certain actions; combinations of actions.
    – Indirect indicators may provide more generalized detection: able to detect different families that share “tradecraft”.
  • 15. Benefits of ML Applied to Behavioral Detection
    – Can easily customize detection focus, using a malware training set with a particular composition (for example, with or without adware).
    – Can adapt to the deployment environment, using benign samples from a given organization.
  • 16. In ML, Data is King. All machine learning models need to be “trained” on data. Pipeline: file/event samples (training data) → feature extraction (static, behavioral, reputation, etc.) → analyze, clean and normalize data → train model. The training data is the most important factor in the success of the model.
  • 17. The Machine Learning Toolkit
    – Supervised Learning
    – Unsupervised Learning
    – Semi-supervised Learning (combination of supervised + unsupervised)
  • 18. Supervised Learning: Binary Classification. The outcome of each training sample is already known.
    – Training techniques (i.e. model types): Linear/Logistic Regression; Support Vector Machines (SVM); Classification Trees, Random Forests, Boosted Trees (XGBoost); Neural Networks (“Deep Learning”: CNN, RNN).
    – Training data: features for Sample 1, Sample 2, Sample 3 … Sample 1001, each with a known label (Sample 1 = Malware, Sample 2 = Clean, Sample 3 = Clean, Sample 4 = Malware, Sample 5 = Malware, Sample 6 = Malware … Sample 2000 = Clean).
    – Train the model, then apply it to unknown samples (Sample X features, Sample Y features): Malware? Clean?
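A worked version of the pipeline on slides 13, 14, 16 and 18, added here and not part of the deck: behavioral feature extraction from sandbox trace lines laid out like slide 21, followed by a Laplace-smoothed naive Bayes classifier trained on labelled traces and applied to an unknown one. The trace-line regex, the API names and every trace are constructed assumptions, not real sandbox output.

```python
import math
import re
from collections import Counter
# Trace lines in the style of slide 21: "[offset - time] T(tid) retval = Api(args)".
# The regex and every trace below are constructed for this example, not real sandbox output.
TRACE_RE = re.compile(r"^\[\d+ - \d+:\d+\] T\(\d+\) \S+ = (\w+)\(")
def api_calls(trace):
    """Feature extraction (slide 16): the API name from each trace line, in order."""
    return [m.group(1) for line in trace.splitlines() if (m := TRACE_RE.match(line))]
def relative_frequencies(calls):
    """Indirect indicator from slide 14: relative frequency of each action in a trace."""
    return {api: n / len(calls) for api, n in Counter(calls).items()}

class NaiveBayes:
    """Multinomial naive Bayes over API-call counts with Laplace smoothing (slide 13's score, learned from data)."""
    def __init__(self):
        self.class_counts, self.api_counts, self.vocab = {}, {}, set()
    def fit(self, labelled_traces):
        for trace, label in labelled_traces:  # outcome of each training sample is known (slide 18)
            calls = api_calls(trace)
            self.class_counts[label] = self.class_counts.get(label, 0) + 1
            self.api_counts.setdefault(label, Counter()).update(calls)
            self.vocab.update(calls)
    def log_scores(self, trace):
        total, scores = sum(self.class_counts.values()), {}
        for label, n in self.class_counts.items():
            counts = self.api_counts[label]
            denom = sum(counts.values()) + len(self.vocab)
            score = math.log(n / total)  # class prior
            for api in api_calls(trace):  # +1 smoothing: an API unseen in training never zeroes a class
                score += math.log((counts[api] + 1) / denom)
            scores[label] = score
        return scores
    def predict(self, trace):
        scores = self.log_scores(trace)
        return max(scores, key=scores.get)

def make_trace(apis):
    """Build a constructed trace in the slide-21 line format from a list of API names."""
    return "\n".join(f"[{i:05d} - 0:{i:03d}] T(3596) 0x1 = {api}(...)" for i, api in enumerate(apis))
# Constructed training set: two 'malware' and two 'clean' traces (slide 18's labelled samples).
MALWARE = [make_trace(["GetVersionExW", "CreateFileW", "WriteFile", "RegSetValueExW", "InternetOpenUrlW", "CreateRemoteThread"]),
           make_trace(["CreateFileW", "WriteFile", "WriteFile", "RegSetValueExW", "InternetOpenUrlW"])]
CLEAN = [make_trace(["GetVersionExW", "CreateFileW", "ReadFile", "ReadFile", "CloseHandle"]),
         make_trace(["GetVersionExW", "GetModuleHandleW", "CreateFileW", "ReadFile", "CloseHandle"])]
def train_demo():
    """Train on the constructed set and return the model; use train_demo().predict(trace) on an unknown trace."""
    model = NaiveBayes()
    model.fit([(t, "malware") for t in MALWARE] + [(t, "clean") for t in CLEAN])
    return model
```

With only four training traces the model is a toy; the point is the shape of the pipeline, where the same scoring code works once the constructed traces are replaced by an organization's own benign samples (slide 15) and a real malware set.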
  • 19. Linear/Logistic Regression vs Decision Trees
  • 20. Tangent: What Is Deep Learning?
    – Deep learning does not mean “deep understanding”.
    – Deep learning uses a Neural Network as the ML model.
    – “Deep” refers to the number of hidden layers in the network.
  • 21. Machine Learning Model Generation. Trace File 1: [00000 - 0:063] T(3596) 0x1 = GetVersionExW(out:'>out: