SlideShare a Scribd company logo

Hunting for Evil with the Elastic Stack

Elasticsearch, profile picture
Elasticsearch

The document discusses threat hunting using the Elastic Stack, emphasizing its evolution and adoption since 2011. It highlights the methodologies for threat detection, the integration of machine learning in hunting tactics, and the increasing complexity in modern architectures. The text also notes the growing standardization of the Elastic Stack among various organizations and the tools that support it.

Technology
1 of 17
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Kent Brake Solutions Architect, Elastic U.S. Federal Team October 2019 Hunting for Evil with the Elastic Stack
What is Threat Hunting ? • Starts with a question / hypothesis • Requires Searching, Filtering and Pivoting through large datasets • Focuses on both outside and inside threats
Threat Hunting Example - TLS “Are attackers using TLS to hide their command-and-control or exfiltrate data?” Search: Aggregate all TLS connections, sort by rare organization names, filter for suspicious names. Pivot: host data, evaluate processes and users generating SSL traffic
Search, Filter and Pivot
Search, Filter and Pivot
Search, Filter and Pivot
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack.
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic Mitre Att&ck - RockNSM - HELK Threat hunting embraces Att&ck, RockNSM and HELK projects go mainstream
The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic Mitre Att&ck - RockNSM - HELK Threat hunting embraces Att&ck, RockNSM and HELK projects go mainstream Elastic 7.0 ML for Threat Hunting matures, entity analysis and ECS make hunting easier
Threat Hunting Complexity Threat hunting questions are getting harder to ask Evolving Architectures ~↑ Hunting Complexity ● Core Infrastructure is in a state of change ● K8s and Docker create new optimizations but also new challenges ● Attack surface increases with new API’s and multi-tenant compute ● Ephemeral compute, automatic scaling and reallocation, third- party infrastructure packages
Threat Hunting Example - Today - Machine Learning “Are attackers abusing built-in system tools to hide malicious actions?” Search: Use ML to power Search for rare commands being ran from a shell Pivot: sort by time-of-day, admin user, network activity
Search, Filter and Pivot
SANS "After seeing Elasticsearch continue to pop up in SANS courses across the curriculum, I have noticed students are consistently curious and excited by the search features the open-source Elastic Stack provides. Numerous security tools, projects, and even commercial SIEMs have moved to using the lightning-fast distributed search tool as the cornerstone of their functionality.” https://www.sans.org/course/siem-design-and-implementation/course/desc/summit
Come to the AMA booth! Questions?

More Related Content

PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
PDF
Threat Hunting with Splunk Hands-on
Splunk
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PPTX
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
PDF
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PDF
Windows Threat Hunting
GIBIN JOHN
 
PPTX
Detection Rules Coverage
Sunny Neo
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
Threat Hunting with Splunk Hands-on
Splunk
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
GIBIN JOHN
 
Detection Rules Coverage
Sunny Neo
 

What's hot (20)

PDF
Juraci Paixão Kröhling - All you need to know about OpenTelemetry
Juliano Costa
 
PDF
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
PDF
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
PDF
The ATT&CK Philharmonic
MITRE ATT&CK
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 
PDF
Intro to open source observability with grafana, prometheus, loki, and tempo(...
LibbySchulze
 
PDF
Introduction to eBPF
RogerColl2
 
PDF
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
PDF
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
PDF
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PPTX
Bridging the Gap
Will Schroeder
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK
 
PDF
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
PDF
Grafana Loki: like Prometheus, but for Logs
Marco Pracucci
 
PPTX
Threat Hunting with Splunk
Splunk
 
PPTX
Leveraging Nexus Repository Manager at the Heart of DevOps
SeniorStoryteller
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PDF
Security Process in DevSecOps
Opsta
 
Juraci Paixão Kröhling - All you need to know about OpenTelemetry
Juliano Costa
 
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
The ATT&CK Philharmonic
MITRE ATT&CK
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 
Intro to open source observability with grafana, prometheus, loki, and tempo(...
LibbySchulze
 
Introduction to eBPF
RogerColl2
 
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 
DevSecOps reference architectures 2018
Sonatype
 
Bridging the Gap
Will Schroeder
 
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
Grafana Loki: like Prometheus, but for Logs
Marco Pracucci
 
Threat Hunting with Splunk
Splunk
 
Leveraging Nexus Repository Manager at the Heart of DevOps
SeniorStoryteller
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Security Process in DevSecOps
Opsta
 
Ad

Similar to Hunting for Evil with the Elastic Stack (20)

PDF
Elastic SIEM (Endpoint Security)
Kangaroot
 
PDF
CircleCityCon - Threat Hunting with the Elastic Stack
Brandon DeVault
 
PPTX
Elasticsearch features and ecosystem
Pavel Alexeev
 
PPTX
c0c0n Elastic Security Workshop - 7.7 [Elastic SIEM].pptx
cemybone
 
PPTX
ELK Solutions Enablement Session - 17th March'2020
Ashnikbiz
 
PDF
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
PDF
Elastic Security keynote
Elasticsearch
 
PPTX
The Elastic ELK Stack
enterprisesearchmeetup
 
PDF
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
PDF
Alamo ACE - Threat Hunting with CVAH
Brandon DeVault
 
PDF
Examining OpenData with a Search Index using Elasticsearch
FaithWestdorp
 
PDF
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
PPTX
ELK Stack Online Training - ELK Stack Training.pptx
eshwarvisualpath
 
PPTX
Elastic Meetup Belgium - December 2018
Arthur Eyckerman
 
PDF
Elastic Stack keynote
Elasticsearch
 
PDF
Elastic Security : Protéger son entreprise avec la Suite Elastic
Elasticsearch
 
PDF
Logs aggregation and analysis
Divante
 
PDF
BSides JAX 2019 - Threat Hunting with the Elastic Stack
Brandon DeVault
 
PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PDF
Elastic Security under the hood
Elasticsearch
 
Elastic SIEM (Endpoint Security)
Kangaroot
 
CircleCityCon - Threat Hunting with the Elastic Stack
Brandon DeVault
 
Elasticsearch features and ecosystem
Pavel Alexeev
 
c0c0n Elastic Security Workshop - 7.7 [Elastic SIEM].pptx
cemybone
 
ELK Solutions Enablement Session - 17th March'2020
Ashnikbiz
 
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
Elastic Security keynote
Elasticsearch
 
The Elastic ELK Stack
enterprisesearchmeetup
 
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
Alamo ACE - Threat Hunting with CVAH
Brandon DeVault
 
Examining OpenData with a Search Index using Elasticsearch
FaithWestdorp
 
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
ELK Stack Online Training - ELK Stack Training.pptx
eshwarvisualpath
 
Elastic Meetup Belgium - December 2018
Arthur Eyckerman
 
Elastic Stack keynote
Elasticsearch
 
Elastic Security : Protéger son entreprise avec la Suite Elastic
Elasticsearch
 
Logs aggregation and analysis
Divante
 
BSides JAX 2019 - Threat Hunting with the Elastic Stack
Brandon DeVault
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
Elastic Security under the hood
Elasticsearch
 
Ad

More from Elasticsearch (20)

PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
From MSP to MSSP using Elastic
Elasticsearch
 
PDF
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
PDF
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
PDF
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
PDF
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
Welcome to a new state of find
Elasticsearch
 
PDF
Building great website search experiences
Elasticsearch
 
PDF
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
PDF
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
PDF
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Transforming data into actionable insights
Elasticsearch
 
PDF
Opening Keynote: Why Elastic?
Elasticsearch
 
PDF
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
PDF
The opportunities and challenges of data for public good
Elasticsearch
 
PDF
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
From MSP to MSSP using Elastic
Elasticsearch
 
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
Welcome to a new state of find
Elasticsearch
 
Building great website search experiences
Elasticsearch
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Transforming data into actionable insights
Elasticsearch
 
Opening Keynote: Why Elastic?
Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
The opportunities and challenges of data for public good
Elasticsearch
 
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
KodekX | Application Modernization Development
KodekX
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Teaching material agriculture food technology
LiaRayya
 
Cloud computing and distributed systems.
kkkkkhan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 

Hunting for Evil with the Elastic Stack

  • 1. Kent Brake Solutions Architect, Elastic U.S. Federal Team October 2019 Hunting for Evil with the Elastic Stack
  • 2. What is Threat Hunting ? • Starts with a question / hypothesis • Requires Searching, Filtering and Pivoting through large datasets • Focuses on both outside and inside threats
  • 3. Threat Hunting Example - TLS “Are attackers using TLS to hide their command-and-control or exfiltrate data?” Search: Aggregate all TLS connections, sort by rare organization names, filter for suspicious names. Pivot: host data, evaluate processes and users generating SSL traffic
  • 7. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12
  • 8. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack.
  • 9. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases
  • 10. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic
  • 11. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic Mitre Att&ck - RockNSM - HELK Threat hunting embraces Att&ck, RockNSM and HELK projects go mainstream
  • 12. The Elastic Stack Security Journey 2013 2016 2018 2017 2019 ELK Stack is born Logstash and Kibana released, forming an OSS Threat Hunting platform 2011-12 Commercial and Federal Threat hunting early adopters start hunting with the Elastic Stack. Elastic 5.0 - Beats Elastic Unifies all release cycles of ELK, renames it “Elastic Stack”, adoption increases Threat Hunting in the Elastic Stack From Palo Alto Networks to Novetta, hunters start to standardize on Elastic Mitre Att&ck - RockNSM - HELK Threat hunting embraces Att&ck, RockNSM and HELK projects go mainstream Elastic 7.0 ML for Threat Hunting matures, entity analysis and ECS make hunting easier
  • 13. Threat Hunting Complexity Threat hunting questions are getting harder to ask Evolving Architectures ~↑ Hunting Complexity ● Core Infrastructure is in a state of change ● K8s and Docker create new optimizations but also new challenges ● Attack surface increases with new API’s and multi-tenant compute ● Ephemeral compute, automatic scaling and reallocation, third- party infrastructure packages
  • 14. Threat Hunting Example - Today - Machine Learning “Are attackers abusing built-in system tools to hide malicious actions?” Search: Use ML to power Search for rare commands being ran from a shell Pivot: sort by time-of-day, admin user, network activity
  • 16. SANS "After seeing Elasticsearch continue to pop up in SANS courses across the curriculum, I have noticed students are consistently curious and excited by the search features the open-source Elastic Stack provides. Numerous security tools, projects, and even commercial SIEMs have moved to using the lightning-fast distributed search tool as the cornerstone of their functionality.” https://www.sans.org/course/siem-design-and-implementation/course/desc/summit
  • 17. Come to the AMA booth! Questions?