A few weeks ago, we had the opportunity to present a short webinar on two topics currently under research in our department:
ReadIntrusion Detection Visual Analytics APT Detection
The constant stream of data produced daily, the complicated environment and the need for quick reaction to malicious attacks make the life of cyber defense analyst a living nightmare. Many wonder how are we supposed to be able to review the gigabytes of logs produced daily, how can we manage to analyze them all and extract valuable insight into what is happening in the network?
ReadTools Offensive Security APT Detection
Defining cyber attacks is a difficult task. They vary in origins, goals and, at first glance, the techniques used might seem very different. Luckily a popular model was defined by Lockheed Martin, still used to this day, which illustrates very well the lifecycle of a typical cyber attack. The Cyber Kill Chain, popular but controversial, defines the 7 principal steps of an attack. There have been many advances, since its original conception, one of which is the wildly acclaimed ATT&CK Matrix for Enterprise.
ReadDetecting suspicious or malicious activity in a network is not a trivial task. In recent years the attacks perpetrated have grown in sophistication and frequency. For this reason a new detection tool was developed, in the form of the Multi Agent Ranking framework (MARk). MARk sets the groundwork for the implementation of large scale detection and ranking systems through the implementation of a distributed storage in conjuncture with highly specialized, stand-alone detector agents. The detector agents are responsible for analyzing specific predefined characteristics and producing a report of any suspicious activity encountered.
ReadRecently I have encountered an error I wasn't too familiar with how to resolve, working with the ELK Stack. This specific error is the "[circuit_breaking_exception] [parent] Data too large, data for [<http_request>]". It is not directly visible where the error originates from, but with some sleuthing I discovered that it is caused by Elasticsearch preventing some requests from executing to avoid possible out of memory errors, as detailed in Elasticsearch Circuit Breaker documentation.
ReadIn modern network infrastructures, there are a lot of sources of data, that can be of interest for collection and analysis, to see if possible suspicious activity is present in the network. More often than not, this data is collected and send to a Security Information and Event Management (SIEM) tool, running on the network, where it can be processed and reviewed by domain specialists.
ReadManaging big networks can be quite complicated- many inbound and outbound requests, network traffic, email correspondence and other activities that need to be monitored. It is quite easy for an attacker to obfuscate his actions, when we are confronted with large amounts of network data to analyze. Luckily there are ways to aggregate all this data and store it so it can be reviewed and hopefully discover any abnormal activity. Of course, I am talking about the use of a Security Information and Event Management (SIEM) framework. One such framework that has gained a lot of popularity, because of its modularity and open-source nature, is the ElasticSearch/Logstash/Kibana framework.
ReadToday we are proud to present the Multi-Agent System for APT Detection project (MASFAD 2) at the first meeting of the Capability Technology Area Cyber (CapTech Cyber) of the European Defense Agency (EDA).
ReadCyber-attacks are becoming increasingly complex and therefore require more sophisticated detection systems. A lot of these are actually combine multiple detection algorithms. A crucial step is then to aggregate all detection scores correctly.
Read