R-SCOPING THE HUNT - Reservoir Labs, Inc.

Post on 20-May-2020


TRANSCRIPT

  • Securely explore your data

    R-SCOPING THE HUNT

    Target. Hunt. Disrupt.

    An integrated solution with

  • © 2016 Sqrrl and Reservoir Labs | All Rights Reserved 2

    THE DETECTION AND RESPONSE GAP

    Faster and more powerful detection and response capabilities are required

    [Diagram: perimeter stack of IPS, Firewall, Proxy and IdM]

    What? 205 days on average to detect a breach. Advanced adversaries. Perimeter defenses and current detection not sufficient.

    Why?

    1 Limited effectiveness of signatures and rules

    2 Increased attack surface and hacking tool availability

    3 Drowning in alerts and data

    4 Not enough security ninjas

  • 3

    WHAT IS THREAT HUNTING?

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 4

    HUNTING PROCESS FRAGMENTED BY TOOLS

    A new technology approach is needed!

    [Diagram of the tools and techniques a single hunt spans: Attack chain modeling, Intrusion reconstruction, Breach / response timelines, Campaign analysis, Asset configuration, Business context, Alerts, Threat Intel, Behavioral Algorithms, Courses of Action Matrix, Signatures, Statistics, Logs, SIEM, Email, Machine Learning, Visualization, HR data, Link Analysis, Search]

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 5

    HOW YOU’RE PROBABLY HUNTING NOW

    Log-oriented techniques can only get you so far

    Davids-MacBook-Pro-2:/Users/bianco/temp> grep 6d01739d1d56c64209098747a5756443 *.log
    files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -

    Davids-MacBook-Pro-2:/Users/bianco/temp> grep Cr4RV91FD8iPXBuoT6 *.log
    conn.log:922712498.086765 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
    files.log:922712498.188977 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5,SHA1 text/x-c 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb -
    smtp.log:922712498.119932 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil Mon, 29 Mar 1999 08:01:38 -0400 - tierneyr@goose.eyrie.af.mil - - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
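The two grep commands above pivot by hand from a file hash to the connection that carried it (files.log hash to conn_uids, then conn_uids into conn.log and smtp.log). The script below makes that pivot explicit over a constructed, trimmed subset of the slide's three records; it is an added example, not code from the deck or from Sqrrl or Reservoir Labs, and its column lists are a simplified subset of the real Bro/Zeek schema.

```python
"""Hash-to-connection pivot across Bro/Zeek-style logs, the chain the slide's two
grep commands walk by hand: file hash -> files.log -> conn_uids -> conn.log + smtp.log."""
from collections import defaultdict

# Constructed sample input: a trimmed, tab-separated subset of the three records on the
# slide. Only the columns the pivot needs are kept; real Zeek logs carry many more.
FIELDS = {
    "files.log": ["ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "mime_type", "md5", "sha1"],
    "conn.log": ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"],
    "smtp.log": ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "helo", "subject"],
}
SAMPLE = {
    "files.log": [
        "922712498.188977\tFz892b2SFbpSayzLyl\t172.16.113.204\t194.7.248.153\tCr4RV91FD8iPXBuoT6"
        "\tSMTP\ttext/x-c\t6d01739d1d56c64209098747a5756443\t0d1c6b7dcc82b05c719d4cc9dd8d8577e8cb36cb",
    ],
    "conn.log": [
        "922712498.086765\tCr4RV91FD8iPXBuoT6\t194.7.248.153\t1027\t172.16.113.204\t25\ttcp\tsmtp",
        "922712500.000000\tCnoise0000000000\t10.0.0.5\t40000\t10.0.0.9\t443\ttcp\tssl",  # unrelated
    ],
    "smtp.log": [
        "922712498.119932\tCr4RV91FD8iPXBuoT6\t194.7.248.153\t1027\t172.16.113.204\t25"
        "\tdelta.peach.mil\tPhonetics software Tech,",
    ],
}

def parse(log_name, lines):
    """Turn raw tab-separated lines into dicts keyed by that log's column names."""
    names = FIELDS[log_name]
    return [dict(zip(names, line.rstrip("\n").split("\t"))) for line in lines]

def pivot_on_hash(logs, digest):
    """Map each connection uid that carried a file with md5/sha1 == digest to its
    files.log, conn.log and smtp.log records, so the analyst sees one joined view."""
    result = defaultdict(lambda: {"files": [], "conn": [], "smtp": []})
    for rec in parse("files.log", logs["files.log"]):
        if digest in (rec["md5"], rec["sha1"]):
            for uid in rec["conn_uids"].split(","):  # one file may span several connections
                result[uid]["files"].append(rec)
    for log_name, key in (("conn.log", "conn"), ("smtp.log", "smtp")):
        for rec in parse(log_name, logs[log_name]):
            if rec["uid"] in result:  # membership test does not create a key
                result[rec["uid"]][key].append(rec)
    return dict(result)

if __name__ == "__main__":
    for uid, ctx in pivot_on_hash(SAMPLE, "6d01739d1d56c64209098747a5756443").items():
        c = ctx["conn"][0]
        print(f"{uid}: {c['id.orig_h']}:{c['id.orig_p']} -> {c['id.resp_h']}:{c['id.resp_p']}"
              f" {c['service']}, files={len(ctx['files'])}, smtp={len(ctx['smtp'])}")
```

Every hop still depends on a uid being present in the next log, which is exactly the context that has to be joined by hand when the data lives in separate files.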

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 6

    HUNTING TECHNOLOGY REQUIREMENTS

    Data: • Variety • Velocity • Long term retention

    Tools: • Search • Visualization • Exploration

    Analytics: • Behavioral • Extensible

    Collaboration: • Common threat ontology • Shared insight

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 7

    SQRRL BEHAVIOR GRAPH

    Unique approach to managing security data

    KEY CAPABILITIES:

    • Asset / activity modeling

    • Visualization, exploration, search

    • Behavioral analytics

    • Big data scale & security

    [Graph diagram with labelled paths: EXFIL, LATERAL MOVEMENT]

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 8

    SOLUTION: THREAT HUNTING PLATFORM (THP)

    A unified environment for:

    • Collecting and managing big security data

    • Detecting and analyzing advanced threats

    • Visually investigating attack TTPs and patterns

    • Automating hunt techniques

    • Collaborating amongst security analyst teams

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 9

    SQRRL ENTERPRISE

    Sqrrl’s approach to the THP

    • Proactive Threat Hunting

    • Incident Investigation

    • User and Entity Behavior Analytics

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 10

    SECURITY DATA CONTEXT GAP

    [Diagram: Sqrrl Enterprise fed by Endpoint Protection, Firewall & VPN, IDS & IPS and Network Infrastructure, with the context sources below disconnected from it]

    • Orphaned Data • Latent Information • Low Fidelity Alerts • Low Value

    Malware Analysis: Files, Hashes, Certs, Comms, C2

    Asset Management: Applications, Location, Owner

    Threat Intelligence: TTPs, Certificates, Files, Hashes

    Vulnerability Mgmt: Exposure, Criticality, CVEs

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 11

    R-SCOPE BRIDGES THE CONTEXT GAP

    [Diagram: R-Scope connecting Endpoint Protection, Firewall & VPN, IDS & IPS and Network Infrastructure with Sqrrl Enterprise, and Sqrrl Enterprise with Malware Analysis, Asset Management, Threat Intelligence and Vulnerability Mgmt]

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • 12

    THE BEST THREAT HUNTING EXPERIENCE

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved

  • THANK YOU!

    How To Learn More?

    To learn more about Sqrrl:

    • Download Sqrrl’s Threat Hunting eBook from our website

    • Download the Sqrrl Product Paper from our website

    • Request a Test Drive VM from our website

    • Reach out to us at info@sqrrl.com

    © 2016 Sqrrl and Reservoir Labs | All Rights Reserved
