CYBER HUNTING. 4 th Annual Interdisciplinary Cyber Crime Conference Michigan State University March 3, Dr. Nicole Beebe, Ph.D.

Size: px

Start display at page:

Download "CYBER HUNTING. 4 th Annual Interdisciplinary Cyber Crime Conference Michigan State University March 3, Dr. Nicole Beebe, Ph.D."

Brianne Harrison
5 years ago
Views:

1 CYBER HUNTING 4 th Annual Interdisciplinary Cyber Crime Conference Michigan State University March 3, 2017 Dr. Nicole Beebe, Ph.D. CISSP, CCFP, EnCE, ACE Department of Information Systems and Cyber Security Center for Education & Research in Information & Infrastructure Security The University of Texas at San Antonio

2 Discussion topics Definitions The threat The solution Cyber hunters Tools of the trade UTSA workforce development (Image source:

3 What is Cyber Hunting? CSI: Cyber Hunters a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender s networks. (2016) Copyright: 123RF Stock Photo (Oleg Romanciuk)

Advanced Persistent Threats Cyber domain is increasingly targeted by adversaries Characteristics Technologically sophisticated Establishes resilient foothold Enterprise network complexity makes

4 Advanced Persistent Threats Cyber domain is increasingly targeted by adversaries Characteristics Technologically sophisticated Establishes resilient foothold Enterprise network complexity makes proper cleansing challenging Is perfect security even possible? It is certainly economically infeasible. (Image source:

5 Conclusions They re already in, or will be before symptoms appear. Traditional prevention & detection is not enough. Copyright: 123RF Stock Photo (Igor Stevanovic

6 Mean time to APT detection is measured in months and years

7 Cyber Hunting a proactive weapon in the cyber defense arsenal Copyright: 123RF Stock Photo (Stuart Miles) / (Ivelin Radkov)

8 The data landscape has changed Multi-source/type data fusion Data scale & speed increased Significant expertise needed Verification challenges abound Cyber Hunting Daily Log Review Copyright: 123RF Stock Photo (Steven Cukrov)

What it is not Not a rebranding of old cyber defense techniques Not about responding to alerts & detected incidents What it is Resourced, intentional mission Continuous process not a snapshot in time

9 What it is not Not a rebranding of old cyber defense techniques Not about responding to alerts & detected incidents What it is Resourced, intentional mission Continuous process not a snapshot in time Aided by automation tools but not entirely automatable Enterprise insight required context is critical component Cyber analytics Requires cyber threat intel An active defense posture Requires security maturity Copyright: 123RF Stock Photo (Steven Cukrov)

10 Who are cyber hunters? Expertise Advanced attack technique knowledge Red teaming, penetration testing expertise Ability to locate & extract trace evidence Incident response & digital forensics expertise Asset value based enterprise knowledge Target based insight & significant access Characteristics Passionate Innately curious Early adopters Attention to detail Dogged determination Copyright: 123RF Stock Photo (omnimages)

endpoint access Network traffic analysis tools Search, correlation, visualization

11 What do cyber hunters need? Data, data, and more data Long-term, continuous monitoring Enterprise wide, remote endpoint access Network traffic analysis tools Search, correlation, visualization tools Data integrated dashboards Enterprise access & insight External consultant expertise Copyright: 123RF Stock Photo (Rafał Olechowski)

12 A Day in the Life Preparation Asset analysis/prioritizing Baseline analysis Deploy hunt infrastructure Analyze Network Activity Host network connections Lateral connections Protocol analysis Payload analysis Threat Intelligence Read, read, read Network with peers Develop IOCs / IOAs Large-Scale Mining ML on log server data ML on network data ML on host data (?) Analyze Host Activity Running processes Recent processes Process automation Memory analysis The Reality Following trails Returning from rabbit trails Gaining expertise, intuition, technical skill, and connections

13 UTSA is producing next generation cyber hunters World-class degree programs Undergraduate cybersecurity degree #1 in U.S. (Ponemon 2014) Graduate cybersecurity degree #2 in U.S. (universities.com 2016) Red team experience Cyber Collegiate Defense Competition (CCDC) Real-world penetration testing integrated into coursework Numerous internships with local organizations 1 st NSA/DHS certified focus area in digital forensics Undergraduate minor New M.S. in Data Analytics (Fall 2016) Eventual cyber analytics concentration anticipated

14 Discussion Recap Definitions The threat The solution Cyber hunters Tools of the trade UTSA workforce development

15 (c) (w) Copyright: 123RF Stock Photo (Orlando Rosu)

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access