In my RSA Conference '21 presentation I discussed a Threat Hunting methodology that made use of Machine Learning to automate, to a certain extent, the detection of malicious activity via anomaly analysis.
In this blog post series we will go from the conceptual and procedural ideas on how to include AI in your Threat Hunting processes, by means of combined TTP-based Hunting + Anomaly-based Hunting along the lines presented in the talk, to the in-depth implementation details: first from the DFIR point of view, then down to the low-level details of the Machine Learning Autoencoder (Vanilla/LSTM) implementations.
I will also discuss the new find_anomalies() function, aimed at making machine learning-based anomaly detection available in a reasonably transparent and straightforward way, as one more Forensicator power tool, very much aligned with the spirit of the ds4n6_lib library. This alignment is no coincidence, since the find_anomalies() function belongs to D4ML, the Machine Learning extensions to the ds4n6_lib library.
Here is a list of the upcoming posts along with their tentative publication dates:
Hope you enjoy this content!
Stay Tuned and contact us if you have any comment or question!
Update - 22/08/21: These entries were scheduled to be posted in June but due to a complicated combination of work and personal issues I had to postpone them. I will go back to normal soon and I will hopefully get them posted in the next few weeks. My sincere apologies!