A Game between Adversary and AI Scientist

Transcription

1 A Game between Adversary and AI Scientist NULLCON March 3, 2018 Satnam, Arunabha, Deepak, Waseem, Nirmesh, Santosh, Balamurali, Narayana Acalvio Technologies

2 Who am I At Acalvio from Day Years in DS, ML, AI General Motors, Samsung Research, CA Technologies Author- Patents, Tech Pubs and Tech Talks Rock Climber

3 Outline Define the Problem A possible solution - research work Demos Under the hood

4 Problem

5 Can we play a game with adversary? Can we engage with adversary?

6 Is adversary visible to defender? - Extensive reconnaissance of target and defender - Using the same tools and techniques as defender

7 Is he a Returning Adversary? > Compare Tools, Tactics and Procedures (TTPs)

8 InfoSec Game: Assumptions Unlike Chess, cyber game has infinite state space > Use Mitre model to define the state space

9 Adversary Tactics

10 Mitre Model

11 Defender s Tools are at Perimeter Need new tools to detect adversary INSIDE the NETWORK

12 Deceptions in Enterprise Fiber MUM-EPS-4343 MUM-EPS-4322 MUM-EPS-4453 Operations SFO-GAMMA-2318 SFO-GAMMA-3123 Sales SOC segment BENG-ALPHA-5662 SOC BENG-ALPHA-4323 Engineering Ops Segment Deceptions Deceptions (D) Emulations of Hosts, Applications, Database Servers, etc. Real VM Hosts, Applications, etc. Browser Cookies, Registry entries, etc. Vulnerability in OS/ Application, Shares, etc. Enterprise Network

13 AI Engine HIDS Log Process Registry Bro AI Engine

14 Game: Demos

15 1: Recon - nmap Adversary Defender Adversary performs recon and nmap to find out to the neighbourhood Demo>> Defender detects it and provides a few RDP credentials on the endpoints

16 2: Obfuscated PowerShell Script Adversary Defender Adversary obfuscates PowerShell attack and executes in another host Defender detects obfuscated PowerShell commands Demo>>

17 3: Credentials Dump using PowerSploit and Mimikatz Adversary Defender Attacker dumps credentials using PowerSpoit and Mimikartz Defender detects PowerSploit and Mimikartz activities Demo>>

18 4: Data Exfilteration via DNS Tunnel Adversary Defender Adversary uses DNS Tunnel using DNSCat2 to exfiltrate the credentials Defender detects the DNS tunnel using AI Demo>>

19 Under the Hood

20 High Interaction AI Engine HIDS Log Adversary D Process Registry Winevent HISH AI Engines Summarisation Powershell Log Analyser DNS Tunnel Detector

21 HISH AI: HIDS Log Summarisation Process Logs Registry Logs Event Summarisation Summarised Notables Win Events Logs File Event Logs... Summarise attacker s activities - New services, processes, tasks and changes etc. - File system changes, registry entries, etc. - Shell commands, Windows event and authentication logs etc.

22 HISH-AI: Summarisation Engine Domain Knowledge Learned Baseline Registry Logs File Logs... Services Logs Process Logs Bro Logs Raw Log Preprocessing Rules Rule & Baseline Based Filtering Baseline Process-based Summarisation Summarised Notables Attack Scenarios Input Logs Output Notables Incident 1 60K 16 Incident 2 6K 5 Incident 3 70K 6

23 HISH-AI: PowerShell Log Engine Tensorflow ANN Character N-GRAM Obfuscation Detection Model Obfuscation Prediction PowerShell Logs PreProcessing Command N-GRAM Tactic Detection Model Classifier Tactic Prediction (Privilege Escalation, Lateral Movement, Exfiltration)

24 HISH-AI:Data exfiltration using DNS Tunnel Enterprise Network web traffic data.dnstunnel.com dns tunnel client local dns server dns traffic dns query: data.dnstunnel.com dns tunnel server (dnstunnel.com) DNS Tunnelling Tools Iodine, dnscat2, Ozyman

25 HISH-AI: DNS Tunnel Detection DNS logs Flow-based features Packet metadatabased features Deep learning based Model TensorFlow DNS Tunnel prediction Model update DNS tunnel detection output: IP and domain of tunnelling server: dnstunnel.com tunnel start time: :43:37 tunnel end time: :53:37

26 Game Theory

27 Formally Defining A Game Defining Game - The Normal Form Finite 2-person normal form game: <N,A,u>: - Players: N={Adversary, Defender} is a finite set of 2 players, indexed by i - Action set for player i A i a={a 1,...,a n } - Utility function or Payoff function for player i: u i u=(u 1,...,u n ) is a profile of utility functions

28 InfoSec Game Adversary Defender Allow the attack Block the adversary Carry out attack Quit 1,2 2,1 2,2 2,0 "Row" player is Defender, "column" player is Adversary Too simplistic How to scale it for the real world? How do we learn in real time?

29 Model as Reinforcement Learning Problem Break the problem into Subproblems and learn in real-time Model it as Reinforcement Learning Problem

30 Summary Playing a game needs Visibility of the adversary Need to surface signal in low SNR Fusion of Deception+AI gives a way to engage with the adversary

31 @satnam74s Questions?