R-Scoping the Hunt - Reservoir Labs, Inc.
Slide deck transcript, posted 20-May-2020
Securely explore your data
R-SCOPING THE HUNT
Target. Hunt. Disrupt.
An integrated solution with
© 2016 Sqrrl and Reservoir Labs | All Rights Reserved
THE DETECTION AND RESPONSE GAP
Faster and more powerful detection and response capabilities are required
[Figure: perimeter controls: IPS, Firewall, Proxy, IdM]
What? 205 days on average to detect a breach. Advanced adversaries. Perimeter defenses and current detection are not sufficient.
Why?
1. Limited effectiveness of signatures and rules
2. Increased attack surface and hacking tool availability
3. Drowning in alerts and data
4. Not enough security ninjas
WHAT IS THREAT HUNTING?
HUNTING PROCESS FRAGMENTED BY TOOLS
A new technology approach is needed!
[Figure: today's hunting process is scattered across disconnected techniques, data sources and tools: attack chain modeling, intrusion reconstruction, breach / response timelines, campaign analysis, asset configuration, business context, alerts, threat intel, behavioral algorithms, courses of action matrix, signatures, statistics, logs, SIEM, email, machine learning, visualization, HR data, link analysis, search]
HOW YOU'RE PROBABLY HUNTING NOW
Log-oriented techniques can only get you so far
Davids-MacBook-Pro-2:/Users/bianco/temp> grep 6d01739d1d56c64209098747a5756443 *.log
files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -

Davids-MacBook-Pro-2:/Users/bianco/temp> grep Cr4RV91FD8iPXBuoT6 *.log
conn.log:922712498.086765 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -
smtp.log:922712498.119932 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil Mon, 29 Mar 1999 08:01:38 -0400 - tierneyr@goose.eyrie.af.mil - - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F

(Bro logs: the first grep finds the MD5 in files.log, whose conn_uids column names the connection UID; the second grep pivots on that UID across conn.log, files.log and smtp.log by hand, one grep per hop.)
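The manual pivot above, automated, as an added example that is not part of the Sqrrl / Reservoir Labs deck: a small Python parser for Bro/Zeek ASCII logs that reads the `#fields` header, unescapes `\xHH` sequences, then joins files.log to conn.log and smtp.log on the connection UID. The three embedded logs are constructed from the values printed on the slide; their column headers are assumed Bro 2.x default names (with a few columns dropped to match what the slide shows), so real logs with more columns parse unchanged.

```python
"""Automate the hash -> file UID -> connection UID pivot across Bro/Zeek logs."""
import re
from collections import defaultdict

_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(value):
    """Undo Bro's \\xHH field escaping (a tab inside a field is written as \\x09)."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_bro_log(text):
    """Parse an ASCII Bro/Zeek log into dicts keyed by the names in its #fields line."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = unescape(line.split(" ", 1)[1])
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):  # #types, #path, #open, #close, ...
            continue
        else:
            # split first, unescape second: an escaped separator inside a field stays intact
            values = [unescape(v) for v in line.split(sep)]
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            rows.append(dict(zip(fields, values)))
    return rows


def index_by(rows, key):
    """Bucket rows by one column so each pivot is a lookup rather than a grep."""
    index = defaultdict(list)
    for row in rows:
        index[row[key]].append(row)
    return index


def pivot_on_hash(file_hash, files_rows, conn_rows, smtp_rows):
    """hash -> files.log row -> conn_uids -> the matching conn.log and smtp.log rows."""
    conn_by_uid, smtp_by_uid = index_by(conn_rows, "uid"), index_by(smtp_rows, "uid")
    results = []
    for f in files_rows:
        if file_hash not in (f.get("md5"), f.get("sha1"), f.get("sha256")):
            continue
        # conn_uids is a set column: comma separated, '-' or '(empty)' when unset
        for uid in sorted(set(f["conn_uids"].split(",")) - {"-", "(empty)"}):
            results.append({"fuid": f["fuid"], "uid": uid, "mime_type": f["mime_type"],
                            "conn": conn_by_uid.get(uid, []),
                            "smtp": smtp_by_uid.get(uid, [])})
    return results


def describe(pivot):
    """One line per joined record: endpoints, protocol/service and the SMTP envelope."""
    lines = ["%s %s:%s -> %s:%s %s/%s state=%s" % (
        pivot["uid"], c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"],
        c["proto"], c["service"], c["conn_state"]) for c in pivot["conn"]]
    lines += ["  smtp helo=%s to=%s subject=%r reply=%r" % (
        s["helo"], s["to"], s["subject"], s["last_reply"]) for s in pivot["smtp"]]
    return lines


def _tsv(*cols):
    return "\t".join(cols)


# Constructed sample logs: values from the slide; '#fields' headers and '-' placeholders added.
FILES_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth",
         "analyzers", "mime_type", "duration", "local_orig", "is_orig", "seen_bytes",
         "total_bytes", "missing_bytes", "overflow_bytes", "timedout", "parent_fuid",
         "md5", "sha1", "sha256"),
    _tsv("922712498.188977", "Fz892b2SFbpSayzLyl", "172.16.113.204", "194.7.248.153",
         "Cr4RV91FD8iPXBuoT6", "SMTP", "1", "MD5,SHA1", "text/x-c", "0.000000", "T", "F",
         "1522", "-", "0", "0", "F", "-", "6d01739d1d56c64209098747a5756443",
         "0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb", "-"),
])
CONN_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
         "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "history",
         "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"),
    _tsv("922712498.086765", "Cr4RV91FD8iPXBuoT6", "194.7.248.153", "1027", "172.16.113.204",
         "25", "tcp", "smtp", "0.113325", "1923", "336", "SF", "ShAdDafF", "13", "2447", "12",
         "820", "(empty)"),
])
SMTP_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "trans_depth", "helo", "date", "from", "to", "reply_to", "msg_id", "subject",
         "x_originating_ip", "first_received", "second_received", "last_reply", "path",
         "user_agent", "tls", "fuids", "is_webmail"),
    _tsv("922712498.119932", "Cr4RV91FD8iPXBuoT6", "194.7.248.153", "1027", "172.16.113.204",
         "25", "1", "delta.peach.mil", "Mon, 29 Mar 1999 08:01:38 -0400", "-",
         "tierneyr@goose.eyrie.af.mil", "-", "-", "Phonetics software Tech,", "-",
         "(from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)\\x09id: CAA2048; "
         "Mon, 29 Mar 1999 08:01:38 -0400", "-", "250 Mail accepted",
         "172.16.113.204,194.7.248.153", "-", "F", "Fz892b2SFbpSayzLyl", "F"),
])

if __name__ == "__main__":
    logs = [parse_bro_log(t) for t in (FILES_LOG, CONN_LOG, SMTP_LOG)]
    for p in pivot_on_hash("6d01739d1d56c64209098747a5756443", *logs):
        print("file %s (%s) carried on connection %s" % (p["fuid"], p["mime_type"], p["uid"]))
        print("\n".join(describe(p)))
```

The point of splitting on the separator before unescaping is visible in the smtp.log `first_received` field: Bro writes the embedded tab as `\x09` precisely so that a naive `cut -f` or this parser does not mis-count columns, and the column-count check raises rather than silently shifting fields when a log was truncated or hand-edited. Indexing by `uid` once is what makes this scale past a handful of greps; the same join works for any other UID-bearing log (http.log, dns.log, ssl.log) by passing it in place of smtp.log.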
HUNTING TECHNOLOGY REQUIREMENTS
Data
• Variety
• Velocity
• Long term retention
Tools
• Search
• Visualization
• Exploration
Analytics
• Behavioral
• Extensible
Collaboration
• Common threat ontology
• Shared insight
SQRRL BEHAVIOR GRAPH
Unique approach to managing security data
KEY CAPABILITIES:
• Asset / activity modeling
• Visualization, exploration, search
• Behavioral analytics
• Big data scale & security
[Figure: behavior graph of assets and their activity, with an EXFIL path and a LATERAL MOVEMENT path highlighted]
SOLUTION: THREAT HUNTING PLATFORM (THP)
A unified environment for:
• Collecting and managing big security data
• Detecting and analyzing advanced threats
• Visually investigating attack TTPs and patterns
• Automating hunt techniques
• Collaborating amongst security analyst teams
SQRRL ENTERPRISE
Sqrrl's approach to the THP
• Proactive Threat Hunting
• Incident Investigation
• User and Entity Behavior Analytics
SECURITY DATA CONTEXT GAP
[Figure: Sqrrl Enterprise is fed by Endpoint Protection, Firewall & VPN, IDS & IPS and Network Infrastructure on one side; Malware Analysis, Asset Management, Threat Intelligence and Vulnerability Mgmt sit on the other; the gap between them is labelled Orphaned Data, Latent Information, Low Fidelity Alerts, Low Value]
Context held in those other systems:
• Malware Analysis: Files, Hashes, Certs, Comms, C2
• Asset Management: Applications, Location, Owner
• Threat Intelligence: TTPs, Certificates, Files, Hashes
• Vulnerability Mgmt: Exposure, Criticality, CVEs
R-SCOPE BRIDGES THE CONTEXT GAP
[Figure: the same sources (Endpoint Protection, Firewall & VPN, IDS & IPS, Network Infrastructure, Malware Analysis, Asset Management, Threat Intelligence, Vulnerability Mgmt) now connected to Sqrrl Enterprise through R-Scope]
THE BEST THREAT HUNTING EXPERIENCE
THANK YOU! How To Learn More?
To learn more about Sqrrl:
• Download Sqrrl's Threat Hunting eBook from our website
• Download the Sqrrl Product Paper from our website
• Request a Test Drive VM from our website
• Reach out to us at info@sqrrl.com