
Transforming incident Response to Intelligent Response using Graphs


Page 1: Transforming incident Response to Intelligent Response using Graphs

TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE USING GRAPHICAL ANALYSIS

RAM SHANKAR SIVA KUMAR, SECURITY DATA WRANGLER, MICROSOFT (AZURE SECURITY DATA SCIENCE)
PETER CAP, SENIOR THREAT ANALYST, MICROSOFT (THREAT INTELLIGENCE CENTER)

Page 2: Transforming incident Response to Intelligent Response using Graphs

MICROSOFT ONE HUNT EXERCISE

Source Photo: ITV / Carnival Films

Page 4: Transforming incident Response to Intelligent Response using Graphs

TRANSFORMING INCIDENT RESPONSE TO INTELLIGENT RESPONSE

Page 5: Transforming incident Response to Intelligent Response using Graphs

Team | Person | Expertise
Microsoft Threat Intelligence Center | Peter Cap, Abhijeet Hatekar | Security Incident Response
Microsoft Research | Danyel Fisher | Visualization
Azure Security | Thomas Garnier | Engineering
Azure Security Data Science | Ram Shankar Siva Kumar | Data Science
Sharepoint Online | Matt Swann | Security

Page 6: Transforming incident Response to Intelligent Response using Graphs

BOTTOM LINE UPFRONT

Close the Incident Response loop with the data owners. Using simple graph measures and matching algorithms, we can gain insights into the Incident Response process.

Page 7: Transforming incident Response to Intelligent Response using Graphs

AGENDA

How graphs are currently used in the industry
Current pain points in Incident Response
Demo! How graphs can help
Conclusion

Page 8: Transforming incident Response to Intelligent Response using Graphs
Page 9: Transforming incident Response to Intelligent Response using Graphs
Page 10: Transforming incident Response to Intelligent Response using Graphs
Page 11: Transforming incident Response to Intelligent Response using Graphs

LINK ANALYSIS

Page 12: Transforming incident Response to Intelligent Response using Graphs

PAIN POINTS

Investigation spans days to months
Query different log sources, minting different IOCs
Fighting fires all the time
Is there a story? What is the big picture? What was the most “important” log source/IOC? Are there any patterns in how we use our logs?

Page 13: Transforming incident Response to Intelligent Response using Graphs

THE INCIDENT RESPONSE PROCESS

Source: http://www.akmgsi.com/

Page 14: Transforming incident Response to Intelligent Response using Graphs

THE INCIDENT RESPONSE PROCESS

Source: http://www.akmgsi.com/

Page 15: Transforming incident Response to Intelligent Response using Graphs

DEMO

Page 16: Transforming incident Response to Intelligent Response using Graphs

HOW TO USE GRAPHS IN RESPONSE PHASE?

Page 17: Transforming incident Response to Intelligent Response using Graphs

SYSTEM COMPONENTS

1) Data Aggregator: Collect the required information as your investigation proceeds. Result is a table of IOC and log sources
2) Data Clean up: Convert into XML format with appropriate tags
3) Ingesting into visualization platform: d3.js
4) Incorporating the necessary libraries for computation:
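Steps 1 and 2 above, worked through in Python as an added example (this is not code from the talk or from Microsoft): an investigation is aggregated into a table of IOCs and the log sources they were queried in, and that table is converted into GraphML, an XML graph format that both yEd and Gephi open. The sample rows, the "ioc"/"log_source" vertex kinds and the "queried"/"surfaced" edge labels are assumptions chosen for the example.

```python
"""Added example (not part of the slides): aggregate an investigation into a
table of IOCs and log sources, then convert it to GraphML (XML with tags).
The sample rows and the tag/attribute names are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample investigation table, one row per pivot, in the order the
# analyst made them: (step, ioc_queried, log_source, ioc_found) means "at this
# step, querying log_source for ioc_queried surfaced ioc_found".
INVESTIGATION_ROWS = [
    (1, "evil.example", "proxy_logs", "host-A"),
    (2, "host-A",       "edr",        "dropper.exe"),
    (3, "dropper.exe",  "edr",        "203.0.113.5"),
    (4, "203.0.113.5",  "netflow",    "host-B"),
    (5, "host-B",       "edr",        "dropper.exe"),   # host-B re-surfaces a known IOC
]

GRAPHML_NS = "http://graphml.graphdrawing.org/xmlns"


def rows_to_graph(rows):
    """Build a directed graph from the table.

    Every IOC and every log source becomes a vertex (vertex label = its kind);
    each row becomes two edges, IOC -> log source ("queried") and
    log source -> IOC ("surfaced"), both carrying the step number.
    Returns (nodes, edges): nodes maps id -> kind, edges is a list of
    (src, dst, label, step)."""
    nodes, edges = {}, []
    for step, ioc_in, source, ioc_out in rows:
        nodes[ioc_in] = "ioc"
        nodes[source] = "log_source"
        nodes[ioc_out] = "ioc"
        edges.append((ioc_in, source, "queried", step))
        edges.append((source, ioc_out, "surfaced", step))
    return nodes, edges


def to_graphml(nodes, edges):
    """Serialise the graph as GraphML with a 'kind' attribute on vertices and
    'label'/'step' attributes on edges. Returns the XML as a string."""
    root = ET.Element("graphml", xmlns=GRAPHML_NS)
    # <key> elements declare the custom attributes before they are used.
    for key_id, domain, attr_type in (("kind", "node", "string"),
                                      ("label", "edge", "string"),
                                      ("step", "edge", "int")):
        ET.SubElement(root, "key", attrib={"id": key_id, "for": domain,
                                           "attr.name": key_id,
                                           "attr.type": attr_type})
    graph = ET.SubElement(root, "graph", id="ir", edgedefault="directed")
    for node_id, kind in nodes.items():
        node = ET.SubElement(graph, "node", id=node_id)
        ET.SubElement(node, "data", key="kind").text = kind
    for i, (src, dst, label, step) in enumerate(edges):
        edge = ET.SubElement(graph, "edge", id=f"e{i}", source=src, target=dst)
        ET.SubElement(edge, "data", key="label").text = label
        ET.SubElement(edge, "data", key="step").text = str(step)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_graphml(*rows_to_graph(INVESTIGATION_ROWS)))
```

Keeping the step number on every edge is what later lets the layout tell the story in order; the same GraphML file can be loaded into yEd for drawing, Gephi for measures, or converted to the JSON that d3.js expects.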

Page 18: Transforming incident Response to Intelligent Response using Graphs

MODELING DATA WITH GRAPHS

Graphs are suitable for capturing arbitrary relations between the various elements.

Data Instance -> Graph Instance
Element -> Vertex
Element’s Attributes -> Vertex Label
Relation Between Two Elements -> Edge
Type Of Relation -> Edge Label

Graphs provide enormous flexibility for modeling the underlying data, as they allow the modeler to decide what the elements should be and which types of relations are modeled.

Source: Lectures by George Karypis

Page 19: Transforming incident Response to Intelligent Response using Graphs

Graphs in IR

INTELLIGENT RESPONSE USING GRAPHS

Graph Theoretic Measures
Contextual Visualization
Graph Mining

• Is there a story?
• What is the big picture?
• Which log source/IOC was critical to the investigation?
• Is there a pattern to our log usage?

Page 20: Transforming incident Response to Intelligent Response using Graphs

CONTEXTUAL VISUALIZATION

FLOW LAYOUT (HIERARCHICAL REPRESENTATION)

COLA LAYOUT

Page 21: Transforming incident Response to Intelligent Response using Graphs

GRAPH THEORETIC MEASURES

BETWEENNESS CENTRALITY

DEGREE CENTRALITY: in-degree, out-degree

Page 22: Transforming incident Response to Intelligent Response using Graphs

DEGREE CENTRALITY

BETWEENNESS CENTRALITY
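The two measures on these slides, as an added Python example (not code from the talk, and not the NodeXL template code it points to): degree centrality with in- and out-degree, and betweenness centrality via Brandes' algorithm, both run over a small constructed response graph. The graph, its edge direction convention (IOC -> log source it was queried in, log source -> IOC it surfaced) and the node names are assumptions for the example.

```python
"""Added example (not from the slides): degree and betweenness centrality on a
response graph, to answer "which log source/IOC was critical to the
investigation?". Pure standard library; the sample graph is constructed."""
from collections import defaultdict, deque

# Constructed response graph. Edges run IOC -> log source it was queried in and
# log source -> IOC that query surfaced, so "edr" being queried three times
# shows up as in-degree 3.
EDGES = [
    ("evil.example", "proxy_logs"), ("proxy_logs", "host-A"),
    ("host-A", "edr"),              ("edr", "dropper.exe"),
    ("dropper.exe", "edr"),         ("edr", "203.0.113.5"),
    ("203.0.113.5", "netflow"),     ("netflow", "host-B"),
    ("host-B", "edr"),
]


def degree_centrality(edges):
    """Return {node: (in_degree, out_degree)}. For a log source, in-degree is
    how many IOCs were queried against it and out-degree how many IOCs it
    surfaced."""
    indeg, outdeg, nodes = defaultdict(int), defaultdict(int), set()
    for u, v in edges:
        nodes.update((u, v))
        outdeg[u] += 1
        indeg[v] += 1
    return {n: (indeg[n], outdeg[n]) for n in nodes}


def betweenness_centrality(edges):
    """Brandes' algorithm for a directed, unweighted graph (unnormalised).
    A node's score is the number of shortest paths between other node pairs
    that run through it, i.e. how often it sat on the pivot chain."""
    adj, nodes = defaultdict(list), set()
    for u, v in edges:
        adj[u].append(v)
        nodes.update((u, v))
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        # Phase 1: BFS from s, counting shortest paths (sigma) and predecessors.
        stack, pred = [], {n: [] for n in nodes}
        sigma = dict.fromkeys(nodes, 0)
        sigma[s] = 1
        dist = dict.fromkeys(nodes, -1)
        dist[s] = 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:                 # first time we reach w
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:      # v lies on a shortest path to w
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        # Phase 2: accumulate dependencies back from the leaves.
        delta = dict.fromkeys(nodes, 0.0)
        while stack:
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def critical_nodes(edges):
    """Nodes ranked by betweenness, highest first: the log sources and IOCs
    the investigation could least afford to lose."""
    bc = betweenness_centrality(edges)
    return sorted(bc.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for node, (i, o) in sorted(degree_centrality(EDGES).items()):
        print(f"{node:14} in={i} out={o}")
    for node, score in critical_nodes(EDGES):
        print(f"{node:14} betweenness={score:.1f}")
```

On this graph the EDR log source comes out on top for both measures, which is the kind of evidence to take back to that data owner when closing the loop; an IOC with high betweenness is equally worth noting, since it is the pivot the rest of the investigation hung on.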

Page 23: Transforming incident Response to Intelligent Response using Graphs
Page 24: Transforming incident Response to Intelligent Response using Graphs

FUTURE WORK

Once we have collected a corpus of response graphs, can we tell if the attack at hand resembles previous attacks?
• Motivation: Finding inherent regularities in data in the DIFFERENT graphs
• Step 1: Store all IR graphs in graph database
• Step 2: Examine if query graph at hand is part of graph database using sub

[Figure: query graph matched against the graph database]

Source: Lectures by George Karypis
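The two future-work steps, as an added Python example that is not code from the talk: a small in-memory "database" of past response graphs, and a check of whether a query graph is contained in any of them. Containment is decided by a plain backtracking subgraph-isomorphism matcher on labelled directed graphs; nodes are labelled by kind (domain, host, file, which log source) rather than by value so that a pattern from one incident can match another. The stored cases, the labels and the query are all constructed for the example.

```python
"""Added example (not from the slides): keep past response graphs in a database
and ask whether the graph of the attack at hand is contained in one of them.
Subgraph containment is decided by a small backtracking matcher on labelled,
directed graphs. The stored cases, their labels and the query are constructed."""

# A graph is (labels, edges): labels maps node id -> vertex label (the node's
# kind, not its value, so a pattern learnt on one incident applies to another),
# edges is a set of directed (src, dst) pairs.
IR_DATABASE = {
    "case-1": ({"evil.example": "domain", "proxy_logs": "log:proxy",
                "host-A": "host", "edr": "log:edr", "dropper.exe": "file",
                "203.0.113.5": "ip", "netflow": "log:netflow", "host-B": "host"},
               {("evil.example", "proxy_logs"), ("proxy_logs", "host-A"),
                ("host-A", "edr"), ("edr", "dropper.exe"), ("dropper.exe", "edr"),
                ("edr", "203.0.113.5"), ("203.0.113.5", "netflow"),
                ("netflow", "host-B"), ("host-B", "edr")}),
    "case-2": ({"198.51.100.9": "ip", "netflow": "log:netflow", "host-C": "host",
                "edr": "log:edr", "payload.dll": "file"},
               {("198.51.100.9", "netflow"), ("netflow", "host-C"),
                ("host-C", "edr"), ("edr", "payload.dll")}),
}

# Query graph: "a domain seen in proxy logs led to a host on which EDR found a file".
QUERY = ({"q1": "domain", "q2": "log:proxy", "q3": "host", "q4": "log:edr", "q5": "file"},
         {("q1", "q2"), ("q2", "q3"), ("q3", "q4"), ("q4", "q5")})


def find_embedding(query, stored):
    """Return {query node: stored node} if the query graph is isomorphic to a
    subgraph of `stored` (matching labels, every query edge present), else None."""
    q_labels, q_edges = query
    s_labels, s_edges = stored
    order = sorted(q_labels)        # tiny graphs: any fixed order will do
    mapping = {}

    def consistent(qn, sn):
        if q_labels[qn] != s_labels[sn] or sn in mapping.values():
            return False
        for u, v in q_edges:        # every already-mapped query edge must exist
            if u == qn and v == qn and (sn, sn) not in s_edges:
                return False
            if u == qn and v in mapping and (sn, mapping[v]) not in s_edges:
                return False
            if v == qn and u in mapping and (mapping[u], sn) not in s_edges:
                return False
        return True

    def extend(i):
        if i == len(order):
            return True
        qn = order[i]
        for sn in s_labels:
            if consistent(qn, sn):
                mapping[qn] = sn
                if extend(i + 1):
                    return True
                del mapping[qn]
        return False

    return dict(mapping) if extend(0) else None


def match_against_database(query, database):
    """Run the query against every stored case; the result tells the analyst
    which earlier investigations the current attack resembles."""
    return {case: find_embedding(query, graph) for case, graph in database.items()}


if __name__ == "__main__":
    for case, embedding in match_against_database(QUERY, IR_DATABASE).items():
        print(case, "matches" if embedding else "no match", embedding or "")
```

Backtracking is exponential in the worst case, so this is only adequate for the handful of nodes a single investigation produces; a real corpus is where the frequent-subgraph-mining work listed under Additional Resources, or a graph database such as Neo4j, takes over.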

Page 25: Transforming incident Response to Intelligent Response using Graphs

WORDS OF WISDOM

Open Source Tools:
• yEd – For graph drawing and layout
• Gephi – For graph analysis
• Neo4j – For graph database

Scale:
• Need to do some sort of clustering

Cyclic graphs:
• Some of the analysis breaks. You can cheat by introducing duplicate nodes

Play around and try a lot of things!
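The "duplicate nodes" trick for cyclic graphs, as an added Python example that is not code from the talk: a depth-first search classifies each edge, and every back edge (one that would close a cycle) is redirected to a fresh copy of its target, so a hierarchical layout or any DAG-only measure gets an acyclic graph without losing an edge. The sample graph is constructed; the cycle in it is an IOC being queried in a log source that was already used earlier in the investigation.

```python
"""Added example (not from the slides): break cycles in a response graph by
duplicating the node a back edge points at, so layouts and measures that
assume a DAG keep working. The sample graph is constructed."""
from collections import defaultdict, deque

EDGES = [
    ("evil.example", "proxy_logs"), ("proxy_logs", "host-A"),
    ("host-A", "edr"),              ("edr", "dropper.exe"),
    ("dropper.exe", "edr"),         ("edr", "203.0.113.5"),
    ("203.0.113.5", "netflow"),     ("netflow", "host-B"),
    ("host-B", "edr"),
]


def is_acyclic(edges):
    """Kahn's algorithm: the graph is a DAG iff every node can be peeled off
    once its in-degree drops to zero."""
    nodes = {n for e in edges for n in e}
    indeg, adj = defaultdict(int), defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
        indeg[v] += 1
    queue = deque(n for n in nodes if indeg[n] == 0)
    seen = 0
    while queue:
        u = queue.popleft()
        seen += 1
        for v in adj[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    return seen == len(nodes)


def break_cycles(edges):
    """Return (new_edges, copies). A DFS classifies each edge; a back edge
    u -> v (v still on the DFS stack) would close a cycle, so it is rewritten
    to u -> "v (copy k)". copies maps original node -> number of duplicates."""
    nodes = list(dict.fromkeys(n for e in edges for n in e))   # keep first-seen order
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    WHITE, GRAY, BLACK = 0, 1, 2
    color = dict.fromkeys(nodes, WHITE)
    new_edges, copies = [], defaultdict(int)

    def visit(u):
        color[u] = GRAY
        for v in adj[u]:
            if color[v] == GRAY:            # back edge: v is an ancestor of u
                copies[v] += 1
                new_edges.append((u, f"{v} (copy {copies[v]})"))
            else:
                new_edges.append((u, v))
                if color[v] == WHITE:
                    visit(v)
        color[u] = BLACK

    for n in nodes:
        if color[n] == WHITE:
            visit(n)
    return new_edges, dict(copies)


if __name__ == "__main__":
    print("acyclic before:", is_acyclic(EDGES))
    new_edges, copies = break_cycles(EDGES)
    print("acyclic after: ", is_acyclic(new_edges), "duplicates:", copies)
```

Which node gets duplicated depends on where the DFS starts, so start it at the first IOC of the investigation; that way the copies appear late in the flow, where "we came back to EDR again" reads naturally. Compute centrality on the original graph, not the unrolled one, since duplicating a node splits its degree and betweenness across the copies.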

Page 26: Transforming incident Response to Intelligent Response using Graphs

05/02/2023 26

CONCLUSION

There are three benefits to using graphs in IR:
1. Contextual visualization
2. Simple graph measures to close feedback with data owners
3. Graph Mining to find inherent patterns in the Incident Response process

Page 27: Transforming incident Response to Intelligent Response using Graphs


ADDITIONAL RESOURCES

1) Kuramochi, Michihiro, and George Karypis. "Finding frequent patterns in a large sparse graph." Data Mining and Knowledge Discovery 11.3 (2005): 243-271. http://glaros.dtc.umn.edu/gkhome/fetch/papers/sigramDMKD05.pdf

2) Jiang, Chuntao, Frans Coenen, and Michele Zito. "A survey of frequent subgraph mining algorithms." The Knowledge Engineering Review 28.01 (2013): 75-105. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.309.2712&rep=rep1&type=pdf

3) Template code for Centrality measures http://nodexl.codeplex.com/SourceControl/latest

4) Template code for Cola Visualization - http://marvl.infotech.monash.edu/webcola/

5) Blog post by John Lambert

Page 28: Transforming incident Response to Intelligent Response using Graphs

THANK YOU