what the helk
play

What The HELK? Enabling Graph Analytics for Effective Threat - PowerPoint PPT Presentation

Oct 09, 2023 •917 likes •1.69k views

What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda Effective Threat Hunting? Current state of threat hunting programs Graph Theory Definition Origins Types Graph

  1. What The HELK? Enabling Graph Analytics for Effective Threat Hunting

  2. HELK THP OSSEM

  3. Agenda Effective Threat Hunting? ● Current state of threat hunting programs ● Graph Theory ● Definition ○ Origins ○ Types ○ Graph Analytics (Queries, Algorithms, Analytics) ● Blue & Red embracing graph analytics ○ An ELK with Graphing capabilities ● HELK ○ Spark & GraphFrames ○ GraphFrames examples ● Further Research ●

  4. _____ for Effective Threat Hunting How are you effective? What does being effective even mean?

  5. Efficiency Efficacy Effectiveness https://twitter.com/Cyb3rPandaH

  6. Efficiency The way resources are used (or wasted), How much I make the most of the resources I have Effectiveness Accomplishes the goals (to be efficacious) employing the best and most economic methodology Efficacy (to be efficient). It doesn’t matter how we do it, but only on what we accomplish

  7. Choosing an adversary model ● (MITRE ATT&CK) Do we even have the data? ● Efficiency Do we have the right data? ○ Do we have the right technology ● SQL, NOSQL, Graph Database ○ The right skills in the team ● Prioritizing adversary techniques ● Let’s find evil! ● Efficacy Uncovering Incidents vs Validating ● Detection of adversaries Detect all attack variations!! Can ● you?

  8. Current State of Threat Hunting LOG IT ALL -> HUNT -> FIND EVIL … Right??

  9. Threat Hunting Pre-Hunt What can be - Identify Data automated? Sources - Define Hunt Model - Not everything can be - Set Scope automated - Define Team Roles - Enhance SOC Threat - Research operations - Develop Hypothesis Hunting Lessons Learned Hunt - Metrics - Report Findings - Data Analytics - Transition to IR? > Behavioral - What didn’t work? > Anomalies/Outliers - Validate Detection

  10. Threat Hunting Pre-Hunt What can be - Identify Data automated? Sources - Define Hunt Model - Not everything can be - Set Scope automated - Define Team Roles - Enhance SOC Threat - Research operations - Develop Hypothesis Hunting Lessons Learned Hunt - Metrics - Report Findings - Data Analytics - Transition to IR? > Behavioral - What didn’t work? > Anomalies/Outliers - Validate Detection

  11. Threat Hunting Pre-Hunt What can be - Identify Data automated? Sources - Define Hunt Model - Not everything can be - Set Scope automated - Define Team Roles - Enhance SOC Threat - Research operations - Develop Hypothesis Hunting Lessons Learned Hunt - Metrics - Report Findings - Data Analytics - Transition to IR? > Behavioral - What didn’t work? > Anomalies/Outliers - Validate Detection

  12. More data more problems? ● We are generating more data than ever! ● Collecting and storing security event data has become an inexpensive task for organizations of all sizes ● This has benefited security analysts from a data availability perspective! ● However, there is so much data that traditional SIEM capabilities are limiting the way that data can be described or analyzed by security analysts

  13. Don’t just try to find the needle in the haystack!

  14. Find relationships & structural patterns

  15. Identify the most interesting ones...

  16. Graph Analytics

  17. User What is a graph? FOLLOWS A logical representation of data via: ● User FOLLOWS Set of Vertices (Nodes) ○ Set of Edges (Relationships or ○ FOLLOWS links) FOLLOWS Small network of Twitter ● Vertices ○ FOLLOWS @Cyb3rWard0g ■ User FOLLOWS @Cyb3rPandaH ■ @THE_HELK ■ Edges ○ FOLLOWS ■ Basic notation: G = (V, E) ●

  18. Basic Graph Terminology (A few) Order : Size of the vertex set in a graph ● Path: A walk (sequence of vertices and edges) ● Size: Number of edges that the graph has ● Triangle: A cycle of length 3 in a graph ● Walk: A walk is an alternating sequence of vertices and edges, ● starting and ending at a vertex, in which each edge is adjacent in the sequence to its two endpoints. Isolated: It is a vertex whose degree is zero ● https://en.wikipedia.org/wiki/Glossary_of_graph_theory_terms

  19. Basic Graph Terminology (A few) Adjacent: Relation between two vertices that are both ● endpoints of the same edge Degree: Number of edges on a vertex ● Depth: It is the number of edges in the path from the root to ● the node (vertex) Neighbor: A vertex that is adjacent to a given vertex ● Order : Size of the vertex set in a graph ● https://en.wikipedia.org/wiki/Glossary_of_graph_theory_terms

  20. The Origins of Graph Theory (Seven Bridges of Konigsberg) Leonhard Euler in 1736 ● Konigsberg was a city in Germany ● that is now Kaliningrad, Russia built around a river Pregel River What was the problem? ● Can you cross every single ○ bridge (7 bridges) once and ONLY once? What did Leonhard do? ● Considered each island as a ○ node and each bridge as an edge 4 vertices & 7 edges ○

  21. The Origins of Graph Theory (Seven Bridges of Konigsberg) Leonhard Euler in 1736 ● Konigsberg was a city in Germany ● that is now Kaliningrad, Russia built around a river Pregel River What was the problem? ● Can you cross every single ○ bridge (7 bridges) once and ONLY once? What did Leonhard do? ● Considered each island as a ○ node and each bridge as an edge 4 vertices & 7 edges ○

  22. The Origins of Graph Theory (Seven Bridges of Konigsberg) Leonhard Euler in 1736 ● Konigsberg was a city in Germany ● that is now Kaliningrad, Russia built around a river Pregel River What was the problem? ● Can you cross every single ○ bridge (7 bridges) once and ONLY once? What did Leonhard do? ● Considered each island as a ○ node and each bridge as an edge 4 vertices & 7 edges ○

  23. The Origins of Graph Theory (Seven Bridges of Konigsberg) Euler realized that there was no way to cross 3 ● START each bridge only once Eulerian graph/walk was born ● Vertices that are not a start or end ○ 5 vertex must have even degree We can have a start vertex which is ○ different than the end vertex We can have only odd degree at ■ 3 most twice (Start & End) Number of odd degree vertices is 0 or 2 ○ END This was one of the first examples of what a ● 3 graph was and how it was used

  24. The Origins of Graph Theory (Seven Bridges of Konigsberg) Euler realized that there was no way to cross 3 ● START each bridge only once Eulerian graph/walk was born ● Vertices that are not a start or end vertex ○ 4 must have even degree X We can have a start vertex which is ○ different than the end vertex We can have only odd degree at ■ 2 most twice (Start & End) Number of odd degree vertices is 0 or 2 ○ END This was one of the first examples of what a ● 3 graph was and how it was used

  25. A Few Graph Types Undirected graph: a graph Directed graph: a graph in ● ● that doesn’t have a particular which edges have a particular direction for edges. direction. https://medium.freecodecamp.org/i-dont-understand-graph-theory-1c96572a1401

  26. A Few Graph Types Connected graph: A graph where Disconnected graph: A graph ● ● there is no unreachable vertex. where there are unreachable There must be a path between vertices. There is not a path every pair of vertices. between every pair of vertices. https://medium.freecodecamp.org/i-dont-understand-graph-theory-1c96572a1401

  27. A Few Graph Types Weighted Graph: A graph whose vertices or edges have been assigned ● weights. 10 70 20 35 50 https://en.wikipedia.org/wiki/Glossary_of_graph_theory_terms#weighted_graph

  28. A Few Graph Types Bipartite Graphs: Type of graph whose vertex sets can be partitioned in two sets X V1 V2 COMPLETE STAR

  29. Walk, Path and Cycle Open Walk: Path: When no vertex appears more than on is Start & End vertices have degree ONE ● ● called a path Intermediate vertices have degree 2 ● A path does not intersect itself unless it Vertices arranged in a sequence ● ● is a closed walk Path Closed Walk: Initial and final vertex appear more than ● once in the walk is called a circuit. A Cycle Circuit is also called a Cycle Triangle In a cycle, vertices can be arranged in a ● cyclic sequence

  30. Tree Graphs Limited versions of a graph ● Directed Acyclic Graphs (DAG) ● Graph traversal applies to trees too ● Traversing to a tree is a little different than ● traversing a graph We usually check or update the nodes ○ Walking through a tree then involves not ● passing through the same node twice Order of the tree traversal helps to classify ● the different traversal algorithms Order matters!! We either go deep or go ● wide when traversing a tree

  31. Graph Analytics What are graph analytics? Is it a graph query?

  32. Graph Analytics (3 Levels) Graph Queries Graph Algorithms: (V1)-[E1]->(V2); (V2)-[E2]->(V3) Apply graph reasoning Graph Analytics: Via label propagation, identify reasonable partitions within my graph (statistical approach) https://www.forbes.com/sites/danwoods/2018/04/30/improve-your-graph-iq-what-are-graph-queries-graph-algorithms-and-graph-analytics/#3c63c3731961

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

March 15, 2018 Sri Lanka 4th most vulnerable in the World as per Global Climate Risk Index 2018

March 15, 2018 Sri Lanka 4th most vulnerable in the World as per Global Climate Risk Index 2018

March 15, 2018 Sri Lanka 4th most vulnerable in the World as per Global Climate Risk Index 2018 Hampered Water Drought, Hydro Coconut shortages floods generation production delaying Sri threatening threatening down 18.6% in Lanka

721 views • 9 slides
SDN intro + Openstack Radim Ro ka / worwan 5.5.2015 @ SH Obsah Intro do SDN Pojmy a

SDN intro + Openstack Radim Ro ka / worwan 5.5.2015 @ SH Obsah Intro do SDN Pojmy a

SDN intro + Openstack Radim Ro ka / worwan 5.5.2015 @ SH Obsah Intro do SDN Pojmy a mylenky Rzn open source projekty SDN svta OpenFlow OpenStack Hlavn mylenky a popis architektury Detailnj i Nova a

812 views • 48 slides
Open Source Tools for Statistical Machine Translation Philipp Koehn, University of Edinburgh 28

Open Source Tools for Statistical Machine Translation Philipp Koehn, University of Edinburgh 28

Open Source Tools for Statistical Machine Translation Philipp Koehn, University of Edinburgh 28 February 2008 Philipp Koehn, U of Edinburgh Open Source SMT 28 February 2008 1 Research Process new ideas SMT is increasingly a big systems

612 views • 27 slides
Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report

Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report

An Annua ual l Ge General ral Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report Elect ection ion of Tr Trustees ees an and Off Officer icers Qu Ques estions ions & A & Ans

516 views • 26 slides
Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus Works mostly in Infrastructure security. Passionate about offensive security. CRTE and CRTP certified. Member of DEF CON Trivandrum

457 views • 18 slides
Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com

Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com

Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com Network Monitoring RNC Enterprise Wireless IMS Network AS HSS PSTN CSCF Cable, DSL PSTN Todays converged networks bring many new challenges

549 views • 36 slides
Disclosure Regulation: The Role of Intermediaries Andrew Sheng Chairman Securities and Futures

Disclosure Regulation: The Role of Intermediaries Andrew Sheng Chairman Securities and Futures

Chairmans Dinner Hong Kong Securities Institute Disclosure Regulation: The Role of Intermediaries Andrew Sheng Chairman Securities and Futures Commission, Hong Kong 27 April 2004 Relationship of Trust with Investors People

420 views • 20 slides
Neural Networks 2/2 Many slides attributable to: Prof. Mike Hughes Erik Sudderth (UCI), Emily

Neural Networks 2/2 Many slides attributable to: Prof. Mike Hughes Erik Sudderth (UCI), Emily

Tufts COMP 135: Introduction to Machine Learning https://www.cs.tufts.edu/comp/135/2019s/ Neural Networks 2/2 Many slides attributable to: Prof. Mike Hughes Erik Sudderth (UCI), Emily Fox (UW), Finale Doshi-Velez (Harvard) James, Witten,

725 views • 41 slides
Detecting Phase Transitions with Artificial Neural Networks Sebastian J. Wetzel Institute for

Detecting Phase Transitions with Artificial Neural Networks Sebastian J. Wetzel Institute for

Detecting Phase Transitions with Artificial Neural Networks Sebastian J. Wetzel Institute for Theoretical Physics, University of Heidelberg 2.5.2017, Cold Quantum Coffee, ITP Heidelberg Outline Invitation: Phase transitions from microscopic

321 views • 29 slides
EVERYONE CAN DO OPEN SOURCE Bleeding Edge Web, August 2019 Who am I? Brian Moeskau VP of

EVERYONE CAN DO OPEN SOURCE Bleeding Edge Web, August 2019 Who am I? Brian Moeskau VP of

EVERYONE CAN DO OPEN SOURCE Bleeding Edge Web, August 2019 Who am I? Brian Moeskau VP of Engineering (& meetup organizer) github.com/bmoeskau Some open source projects I've worked on Ext JS Extensible Every developer should

606 views • 31 slides
Kashaya foot extrametricality as post-accentuation EUGENE BUCKLEY UNIVERSITY OF PENNSYLVANIA

Kashaya foot extrametricality as post-accentuation EUGENE BUCKLEY UNIVERSITY OF PENNSYLVANIA

Kashaya foot extrametricality as post-accentuation EUGENE BUCKLEY UNIVERSITY OF PENNSYLVANIA Annual Meeting on Phonology UC San Diego 7 October 2018 Outline of talk Iambic stress pattern within words and phrases (CV:) foot causes

753 views • 50 slides
Introduction The Team Kevin Imlay Daniel Mercado Yasmin Vega-Nuno Anqi

Introduction The Team Kevin Imlay Daniel Mercado Yasmin Vega-Nuno Anqi

Introduction The Team Kevin Imlay Daniel Mercado Yasmin Vega-Nuno Anqi Wang What is BiVo? An open source foundation for remote monitoring of bird vocalizations Problem Description Birds play an

232 views • 7 slides
HOMECARE & SUPPORTED LIVING South West Long Term Care October 2017 So South West L Long T

HOMECARE & SUPPORTED LIVING South West Long Term Care October 2017 So South West L Long T

HOMECARE & SUPPORTED LIVING South West Long Term Care October 2017 So South West L Long T Term Car are C Conference #LBSWLTC LaingBuisson LaingBuisson LaingBuisson Healthcare intelligence Healthcare intelligence Key Statistics,

395 views • 4 slides
Javascript More powerful than you think Some tools for

Javascript More powerful than you think Some tools for

Master Informa-que - Universit Paris-Sud 2/7/15 Javascript More powerful than you think Some tools for building Func-onal: func-ons are

747 views • 7 slides
Welcome to the Oxfordshire Provider Conference 2019 Revitalising Partnerships through exploring

Welcome to the Oxfordshire Provider Conference 2019 Revitalising Partnerships through exploring

Welcome to the Oxfordshire Provider Conference 2019 Revitalising Partnerships through exploring Innovation, Quality and Sustainability (#OXCARE ) Agenda for the day 9.30 9.40 Welcome & Introduction 9.40 11.05 Our Key Note Speakers

1.46k views • 105 slides
Supporting Older Adults Part 2: Life Transitions 1 https://www.academyofpeerservices.o rg 2

Supporting Older Adults Part 2: Life Transitions 1 https://www.academyofpeerservices.o rg 2

Supporting Older Adults Part 2: Transitions Academy of Peer Services, Faces and Places of Peer Support Series: 4/20/2020 Supporting Older Adults Part 2: Life Transitions 1 https://www.academyofpeerservices.o rg 2 Gayle Bluebird, Celia

315 views • 12 slides
. II 1

. II 1

. II 1 2.1 , .

1.47k views • 90 slides
Literature for Social Emotional Development: Books that Help Children Explore Feelings by Jacky

Literature for Social Emotional Development: Books that Help Children Explore Feelings by Jacky

3/16/2016 Literature for Social Emotional Development: Books that Help Children Explore Feelings by Jacky Howell, MA and Kimberly Reinhard, MsC Jacky Howell, MA ECE Training and Technical Assistant , azspire@gmail.com Childrens Books by

401 views • 14 slides
DS504/CS586: Big Data Analytics --Introduction & Logistics Prof. Yanhua Li Time: 6:00pm

DS504/CS586: Big Data Analytics --Introduction & Logistics Prof. Yanhua Li Time: 6:00pm

Welcome to DS504/CS586: Big Data Analytics --Introduction & Logistics Prof. Yanhua Li Time: 6:00pm 8:50pm THURSDAY Location: KH 116 Fall 2017 Who am I? Yanhua Li , PhD Assistant Professor Computer Science & Data Science PhD,

1.04k views • 55 slides
JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor INTRO TO THE DOM 2 HELLO! 1. Pull changes from

JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor INTRO TO THE DOM 2 HELLO! 1. Pull changes from

JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor INTRO TO THE DOM 2 HELLO! 1. Pull changes from the svodnik/JS-SF-9-resources repo to your computer and open the starter-code folder in your code editor 2. Push your homework to the Homework repo

1.02k views • 57 slides
Ir Irish sh-Amer erica can n Hist stor ory Th y Throug ough Song Song and Pop opula

Ir Irish sh-Amer erica can n Hist stor ory Th y Throug ough Song Song and Pop opula

Ir Irish sh-Amer erica can n Hist stor ory Th y Throug ough Song Song and Pop opula ular C Cultur ulture Acade demy of Lif ifelo long Learnin ing Dr. Meaghan Dwyer-Ryan Departme ment t of f His History, Polit litic ical

316 views • 6 slides
Hospices as Providers of Community-Based Palliative Care: Demystifying the Differences Liz

Hospices as Providers of Community-Based Palliative Care: Demystifying the Differences Liz

Hospices as Providers of Community-Based Palliative Care: Demystifying the Differences Liz Fowler, MPH President and CEO, Bluegrass Care Navigators June 1, 2018 Join us for upcoming CAPC events Upcoming Webinars: Improving Team

936 views • 39 slides
Bluegrass Farms of Ohio David Martin President & CEO Soybeans Economical Protein to

Bluegrass Farms of Ohio David Martin President & CEO Soybeans Economical Protein to

Bluegrass Farms of Ohio David Martin President & CEO Soybeans Economical Protein to Feed Asia 100 Growers with 80,000 acres Feeding Millions of People Everyday Processing Packaging Shipping Options: All

203 views • 17 slides
GREEN+ : THE KENTUCKY COMMUNI TY AND TECHNI CAL COLLEGE SYSTEM SUSTAI NABI LI TY I NI TI ATI VE

GREEN+ : THE KENTUCKY COMMUNI TY AND TECHNI CAL COLLEGE SYSTEM SUSTAI NABI LI TY I NI TI ATI VE

GREEN+ : THE KENTUCKY COMMUNI TY AND TECHNI CAL COLLEGE SYSTEM SUSTAI NABI LI TY I NI TI ATI VE National Webinar Presentation November 19, 2013 Prepared by: Billie Hardin, Sustainability Project Manager KCTCS MISSION The mission of KCTCS is

501 views • 48 slides

More recommend