TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE USING GRAPHICAL ANALYSIS
Ram Shankar Siva Kumar, Security Data Wrangler, Microsoft (Azure Security Data Science)
Peter Cap, Senior Threat Analyst, Microsoft (Threat Intelligence Center)
MICROSOFT ONE HUNT EXERCISE
18 Log Sources
73 Pieces of Evidence
TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE
Team | Person | Expertise
Microsoft Threat Intelligence Center | Peter Cap, Abhijeet Hatekar | Security Incident Response
Microsoft Research | Danyel Fisher | Visualization
Azure Security | Thomas Garnier | Engineering
Azure Security Data Science | Ram Shankar Siva Kumar | Data Science
Sharepoint Online | Matt Swann | Security
BOTTOM LINE UPFRONT
Close the Incident Response loop with the data owners.
Using simple graph measures and matching algorithms, we can gain insights into the Incident Response process.
AGENDA
How graphs are currently used in the industry
Current pain points in Incident Response
Demo! How graphs can help
Conclusion
LINK ANALYSIS
PAIN POINTS
Investigation spans days to months
Query different log sources, minting different IOCs
Fighting fires all the time
Is there a story? What is the big picture?
What was the most “important” log source/IOC?
Are there any patterns in how we use our logs?
THE INCIDENT RESPONSE PROCESS
DEMO
HOW TO USE GRAPHS IN THE RESPONSE PHASE?
SYSTEM COMPONENTS
1) Data Aggregator: Collect the required information as your investigation proceeds. The result is a table of IOCs and log sources.
2) Data Clean-up: Convert into XML format with appropriate tags.
3) Ingesting into the visualization platform: d3.js
4) Incorporating the necessary libraries for computation:
MODELING DATA WITH GRAPHS
Graphs are suitable for capturing arbitrary relations between the various elements.

Data Instance -> Graph Instance
Element -> Vertex
Element’s Attributes -> Vertex Label
Relation Between Two Elements -> Edge
Type Of Relation -> Edge Label

Graphs provide enormous flexibility for modeling the underlying data, as they allow the modeler to decide what the elements should be and the type of relations to be modeled.
Source: Lectures by George Karypis
Graphs in IR
INTELLIGENT RESPONSE USING GRAPHS
Graph Theoretic Measures
Contextual Visualization
Graph Mining
• Is there a story?
• What is the big picture?
• Which log source/IOC was critical to the investigation?
• Is there a pattern to our log usage?
CONTEXTUAL VISUALIZATION
FLOW LAYOUT: HIERARCHICAL REPRESENTATION
COLA LAYOUT
GRAPH THEORETIC MEASURES
DEGREE CENTRALITY
indegree, outdegree
BETWEENNESS CENTRALITY
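As an added example (not code from the deck or from its authors), the two measures on these slides computed over a response graph of log sources and IOCs: each row of a constructed investigation table becomes a log source -> IOC -> log source path, degree centrality shows how often each vertex was reached or pivoted from, and Brandes' betweenness centrality ranks the vertices the investigation most depended on. The sample table, vertex names and the placeholder hash are assumptions; with them, the host IOC that two log sources led to comes out as the most central vertex.

```python
from collections import Counter, defaultdict, deque
# Constructed investigation table (not from the deck): querying log source `src`
# surfaced IOC `ioc`, which was then pivoted into log source `next_src`.
INVESTIGATION = [
    ("proxy_logs", "domain:bad.example", "dns_logs"),
    ("dns_logs", "ip:203.0.113.5", "firewall_logs"),
    ("firewall_logs", "host:WS-017", "edr_logs"),
    ("edr_logs", "hash:PLACEHOLDER_SHA256", "av_logs"),
    ("edr_logs", "user:jdoe", "auth_logs"),
    ("auth_logs", "host:WS-017", "edr_logs"),  # closes a cycle back to the host
]

def build_graph(rows):
    """Directed adjacency sets; log sources and IOCs are both vertices."""
    adj = defaultdict(set)
    for src, ioc, next_src in rows:
        adj[src].add(ioc)
        adj[ioc].add(next_src)
        adj.setdefault(next_src, set())
    return dict(adj)

def degree_centrality(adj):
    """{vertex: (indegree, outdegree)}: how often it was reached / pivoted from."""
    indeg = Counter(w for nbrs in adj.values() for w in nbrs)
    return {v: (indeg[v], len(adj[v])) for v in adj}

def betweenness_centrality(adj):
    """Brandes' algorithm, unweighted directed, raw pair counts (not normalised)."""
    cb = {v: 0.0 for v in adj}
    for s in adj:
        stack, queue, pred = [], deque([s]), {v: [] for v in adj}
        sigma = {v: 0 for v in adj}; sigma[s] = 1   # number of shortest s-v paths
        dist = {v: -1 for v in adj}; dist[s] = 0
        while queue:                                 # BFS from s
            v = queue.popleft(); stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1; queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]; pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                                 # back-propagate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s: cb[w] += delta[w]
    return cb

def rank(scores, n=3):  # top-n vertices the investigation most depended on
    return sorted(scores, key=scores.get, reverse=True)[:n]
```

The cycle in the sample table is handled by the BFS itself, so this measure needs none of the duplicate-node workaround mentioned later in the deck.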
FUTURE WORK
Once we have collected a corpus of response graphs, can we tell if the attack at hand resembles previous attacks?
• Motivation: Finding inherent regularities in data across the DIFFERENT graphs
• Step 1: Store all IR graphs in a graph database
• Step 2: Examine if the query graph at hand is part of the graph database using subgraph matching
(Figure: query graph matched against the graph database)
Source: Lectures by George Karypis
WORDS OF WISDOM
Open Source Tools:
• yEd – for graph drawing and layout
• Gephi – for graph analysis
• Neo4j – for graph database
Scale:
• Need to do some sort of clustering
Cyclic graphs:
• Some of the analysis breaks. You can cheat by introducing duplicate nodes
Play around and try a lot of things!
05/02/2023 26
CONCLUSION
There are three benefits to using graphs in IR:
1. Contextual visualization
2. Simple graph measures to close the feedback loop with data owners
3. Graph mining to find inherent patterns in the Incident Response process
ADDITIONAL RESOURCES
1) Kuramochi, Michihiro, and George Karypis. "Finding frequent patterns in a large sparse graph." Data Mining and Knowledge Discovery 11.3 (2005): 243-271. http://glaros.dtc.umn.edu/gkhome/fetch/papers/sigramDMKD05.pdf
2) Jiang, Chuntao, Frans Coenen, and Michele Zito. "A survey of frequent subgraph mining algorithms." The Knowledge Engineering Review 28.01 (2013): 75-105. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.309.2712&rep=rep1&type=pdf
3) Template code for Centrality measures http://nodexl.codeplex.com/SourceControl/latest
4) Template code for Cola Visualization - http://marvl.infotech.monash.edu/webcola/
5) Blog post by John Lambert
THANK YOU