Automate detection and response for slow brute force attacks


Published on March 6, 2019

Author: DNIFHQ



1. The New Way An automated response to the modern adversary #DNIFKonnect

2. PwC INTRO #DNIFKonnect • Ankit Bose, Associate, PwC India, 3 yrs • Incident Handler • Threat Hunter • Gamer • @ionbasket

3. PwC AGENDA #DNIFKonnect 1. The Old School 2. The New Way 3. Shawshank Redemption 4. The Italian Job 5. The Mask 6. Mischief Managed 7. Questions

4. PwC Quick Question: What kind of threat hunting platform are you using? • Open Source Platform • Commercial Big Data Platform • Commercial Hunting Platform • Traditional SIEM

5. PwC THE OLD SCHOOL #DNIFKonnect
• High Query Time: fetching query results takes hours
• Threshold Based Alerting: alerting on a threshold-based mechanism only
• Known Knowns Only: we can only detect attacks and techniques that we already know about
• Separate Threat Intelligence: threat intel lives on a separate platform
• Analyst Dependent Triage: hours spent by analysts on validation of alerts
• Dedicated Response Team: need for a dedicated response team to act on alerts

6. PwC THE NEW WAY #DNIFKonnect
• Quick Search: search times cut down to seconds instead of hours
• Detect Outliers: ability to detect anomalies in traffic patterns
• Machine Learning: integrated machine learning models for advanced analysis
• Threat Intelligence: logs enriched with threat intel
• Security Orchestration: automated event validation and notification
• Automated Remediation: ability to remediate from the console itself

7. PwC Quick Question: Do you have any dedicated threat hunting team? • Yes • No

8. PwC SHAWSHANK REDEMPTION: SLOW BRUTE FORCE ATTACK #DNIFKonnect • Slow logins • Unable to track user behavior • Does not match threshold

9. PwC THE ITALIAN JOB: DNS TUNNELING #DNIFKonnect • DNS has external network connectivity • Masquerading C2 communication as DNS traffic • Packet size different from normal DNS packets

10. PwC THE MASK: DGA MALWARE #DNIFKonnect • Randomly generated domain names • Malware communicating to multiple sites • Manually checking and validating all domains

11. PwC Quick Question: How do you build use cases? • Out of the box use cases from SIEM • Third party threat modelling service

12. PwC MISCHIEF MANAGED: SLOW BRUTE FORCE ATTACK #DNIFKonnect
Step 1: Track failed logins per user
Step 2: Set a baseline of login failures
Step 3: Track change in behaviour
Step 4: Automatically raise an alert to the ticket system
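The four steps above, as an added example that is not part of the deck or of any DNIF product: a small Python detector over a constructed authentication log. It baselines each user's failed logins per day and alerts only when a day's count exceeds that user's own mean plus three standard deviations (with a minimum floor), so a once-every-four-hours failure pattern that never trips a fixed "N failures in 10 minutes" threshold still surfaces. The log format, function names and all values are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample authentication log (not from the deck): "<ISO timestamp> <user> <result>".
# svc_backup fails once every four hours on 2019-03-05: too slow for a fixed "N failures in
# 10 minutes" rule, but far outside that account's own baseline of zero failures per day.
SAMPLE_LOG = """\
2019-03-01T09:00:00 alice FAIL
2019-03-01T09:00:05 alice OK
2019-03-02T10:12:00 alice FAIL
2019-03-04T11:00:00 bob FAIL
2019-03-05T09:15:00 alice FAIL
2019-03-05T09:16:00 alice FAIL
2019-03-05T02:00:00 svc_backup FAIL
2019-03-05T06:00:00 svc_backup FAIL
2019-03-05T10:00:00 svc_backup FAIL
2019-03-05T14:00:00 svc_backup FAIL
2019-03-05T18:00:00 svc_backup FAIL
2019-03-05T22:00:00 svc_backup FAIL
"""

def parse_log(text):
    """Step 1 input: "<ISO ts> <user> <result>" lines -> list of (datetime, user, result)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), user, result) for ts, user, result in rows]

def daily_failures(events):
    """Step 1: failed logins per user per calendar day -> {user: {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, result in events:
        if result == "FAIL":
            counts[user][ts.date()] += 1
    return counts

def detect_slow_brute_force(events, observe_day, sigma=3.0, floor=3):
    """Steps 2-4: baseline each user's daily failure count over the days seen before
    observe_day, then report users whose count on observe_day exceeds
    mean + sigma*stdev (never below `floor`, so a single typo cannot alert).
    Returns {user: (observed, threshold)}: the alerts to hand to the ticket system."""
    counts = daily_failures(events)
    baseline_days = sorted({ts.date() for ts, _, _ in events if ts.date() < observe_day})
    alerts = {}
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in baseline_days]  # zero-fill quiet days
        threshold = max(mean(history) + sigma * pstdev(history), floor) if history else floor
        observed = per_day.get(observe_day, 0)
        if observed > threshold:
            alerts[user] = (observed, threshold)
    return alerts
```

Only svc_backup is reported for 2019-03-05 (6 failures against a threshold of 3); alice's two mistyped passwords stay under the floor. Raising `floor` or `sigma` trades sensitivity against noise from legitimate login mistakes.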

13. PwC MISCHIEF MANAGED: DNS TUNNELING #DNIFKonnect
Malicious DNS: • Track DNS communications • Validate with threat intel • Raise module "Malicious DNS"
Anomalous DNS query: • Track average DNS query size • Set baseline of average query size • Track change in behavior • Raise module "Anomalous DNS query"
Correlate: • Check for modules triggered • If both triggered, raise incident

14. PwC MISCHIEF MANAGED: DGA MALWARE #DNIFKonnect
Step 1: Track domains communicated to by internal IPs
Step 2: Check for DGA-generated domain names using machine learning
Step 3: Validate with integrated threat intelligence
Step 4: Automatically raise an alert to the ticket system

15. PwC Quick Question: Do you use machine learning models? • Yes • No

16. PwC THANK YOU Questions? #DNIFKonnect
