DS4N6 Blog >> Threat Hunting with AI

Threat Hunting with AI

[17/05/21] May 17, 2021
Jess Garcia - One eSecurity
Twitter: j3ssgarcia - LinkedIn: garciajess

In my RSA Conference '21 presentation I discussed a Threat Hunting methodology that made use of Machine Learning to automate, to a certain extent, the detection of malicious activity via anomaly analysis.

In this blog post series we will go from the conceptual and procedural ideas on how to include IA in your Threat Hunting processes, by means of a combined TTP-based Hunting + Anomaly-based Hunting, along the lines presented in the talk, to the in-depth the implementation details, first from the DFIR point of view, then going down to the low levels details of the Machine Learning Autoencoders (Vanilla/LSTM) implementations.

I will also discuss the new find_anomalies() function, aimed at facilitating machine learning-based anomaly detection mechanisms in a reasonably transparent and straightforward way, as one more Forensicator power tool, very much aligned with the spirit of the ds4n6_lib library. Actually, this alignment is not strange, since the find_anomalies() function falls under D4ML, the Machine Learning extensions to the ds4n6_lib library.

Here is a list of the upcoming posts along with their tentative publication dates:

Threat Hunting with AI - Part 1 - Hunting for Anomalies - 17/05/21
Threat Hunting with AI - Part 2 - Detecting the Solarwinds/Sunburst Campaign - 20/05/21
Threat Hunting with AI - Part 3 - T1053.005 / Scheduled Tasks In-Depth - 25/05/21
Threat Hunting with AI - Part 4 - T1053.005 / Scheduled Tasks Anomaly Detection with an Autoencoder - 27/05/21
Threat Hunting with AI - Part 5 - Detecting the Solarwinds Malicious Scheduled Task with an Autoencoder - 09/06/21
Threat Hunting with AI - Part 6 - Detecting the Solarwinds Malicious Scheduled Task with a LSTM Autoencoder - 14/06/21
Threat Hunting with AI - Part 7 - Detecting the Solarwinds Malicious Scheduled Task with an Autoencoder - In-Depth - Coming soon…^[1]
Threat Hunting with AI - Part 8 - Detecting the Solarwinds Malicious Scheduled Task with a LSTM Autoencoder - In-Depth - Coming soon…^[1]
Threat Hunting with AI - Part 9 - Anomaly-based Hunting with D4ML's find_anomalies_ml() - Coming soon…^[1]

Hope you enjoy this content!

Stay Tuned and contact us if you have any comment or question!

[1] Update - 22/08/21: These entries were scheduled to be posted in June but due to a complicated combination of work and personal issues I had to postpone them. I will go back to normal soon and I will hopefully get them posted in the next few weeks. My sincere apologies!