ManaTI · 2019-11-13 · ManaTI Web Assistance for the Threat Analyst, supported by Domain Similarity
ManaTI Web Assistance for the Threat Analyst,
supported by Domain Similarity
RAÚL BENÍTEZ [email protected]
Czech Technical University in Prague
SEBASTIÁN GARCÍA
@eldracote
https://github.com/stratosphereips/Manati

Stratosphere Project: a free software Intrusion Prevention System
Free protection for NGOs.
Stratosphere Data Analysis Project
https://stratosphereips.org/
Security and Machine Learning
@stratosphereips @StratosphereIPS

What and why?
ManaTI is a web-based system to analyze, store and organize weblogs faster in a threat analysis team.

ManaTI Purpose
ManaTI assists threat analysis teams to make their work faster and more effective.

Raúl Benítez Netto
Master student at CTU
Member of the Stratosphere Project
Web/app developer focused on the cyber-security environment
Photographer aficionado
@Piuliss

Sebastián García
Founder of the Stratosphere Project
Creator of Stratosphere IPS
Researcher on cybersecurity using Machine Learning
@eldracote
Basic knowledge
Weblogs
WHOIS information
IoCs (Indicators of Compromise)

Analysis of Malware Behavior in the Network
The art of understanding the traces of the malware in the network logs.

Malware Traces
Records of the connections that malware performs to reach its C&C.

Threat Analyst work
Open weblogs
Filtering and searching
Consult DB of reputation indicators
Identifying patterns
Identify malware
Incident report
Label IoCs

Tools used by Threat Analysts
Logs viewer: Log Parser, Apache Log Viewer, LogExpert
Terminal/Console: VIM/VI, WC (Word Count), AWK, GREP
Big Data analysis: splunk.com

Problems in Threat Analysis
Huge amount of data
Labeling data
Repetitive tasks
Much knowledge lost over time
It is difficult and tiresome

ManaTI principles
https://github.com/stratosphereips/Manati
Fast!
Provide assistance
Storage
Work in teams
GUI - Web
Machine Learning algorithm
API - Class Interface

ManaTI Workflow

ManaTI basic features and usability

Analysis Sessions and Multi-users

Basic Interface
GUI to visualise weblog files. Basic table to paginate, filter and search weblog data.

Demo - Basic Dynamic Table

Weblogs Labelling
It is the basic and most important action for a malware behavior analyst: detecting malicious IoCs.

Demo - Weblog labeling

Exporting Dynamic Table

Comments

History of changes

Third-party intelligence tools
Threat analysts often use several external services to learn about the IoCs.

Statistics and Metrics
See in real time the performance progress of the user.

External Modules
ManaTI allows analysts to create their own scripts and modules to increase the number of labels or weblogs analyzed in a period of time.

Sync with Database - Merging Labels
Weblog Merging Labels

WHOIS Similarity Distance Algorithm
How similar are two domains?

WHOIS field        | Domain A               | Domain B                  | Distance
registrar's name   | MARKMONITOR INC.       | MARKMONITOR IN            | 0.0
contact's name     | DNS Admin              | Domain Administrator      | 13.0
org.'s name        | Google Inc.            | Facebook, Inc.            | 8.0
contacts' emails   | [email protected]      | [[email protected]]       | 11.0
zip code           | 94043                  | 94025                     | 2.0
domain's name      | google.com             | facebook.com              | 8.0
duration in days   | 8401                   | 10229                     | 0.82
servers' names     | [ns1.google.com, ...]  | [a.ns.facebook.com, ...]  | 11.0
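As an added illustration, not code from the Manati or whois-similarity-distance repositories, the per-field distances in the table above can be reproduced with a small script. The slide does not say which metric the project applies per field or how it combines them, so the following are assumptions: text fields are compared with the Levenshtein edit distance, the registration duration is compared as the ratio of the shorter to the longer period (which gives the slide's 0.82), and the total is the plain sum of the field distances. The two records are constructed from the values shown in the table; the list-valued fields (contact emails, name servers) are left out because their values are redacted or truncated on the slide. Plain Levenshtein gives 2 for the registrar row, where the slide reports 0.0, so the project evidently applies a normalization to that field that the slide does not show.

```python
"""Per-field WHOIS distance between two domains (illustrative, not the project's code)."""
from typing import Dict

# Constructed sample records; field values copied from the slide's table.
WHOIS_GOOGLE = {
    "registrar_name": "MARKMONITOR INC.",
    "contact_name": "DNS Admin",
    "org_name": "Google Inc.",
    "zip_code": "94043",
    "domain_name": "google.com",
    "duration_days": 8401,
}
WHOIS_FACEBOOK = {
    "registrar_name": "MARKMONITOR IN",
    "contact_name": "Domain Administrator",
    "org_name": "Facebook, Inc.",
    "zip_code": "94025",
    "domain_name": "facebook.com",
    "duration_days": 10229,
}

# Assumption: these scalar fields are compared as strings with edit distance.
TEXT_FIELDS = ("registrar_name", "contact_name", "org_name", "zip_code", "domain_name")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn string a into string b (two-row DP)."""
    if len(a) < len(b):
        a, b = b, a  # distance is symmetric; keep the shorter string as the row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def duration_distance(days_a: int, days_b: int) -> float:
    """Ratio of the shorter registration period to the longer one.
    Assumption: this is how the slide's 0.82 (8401 / 10229) was obtained."""
    if days_a <= 0 or days_b <= 0:
        raise ValueError("registration durations must be positive day counts")
    return round(min(days_a, days_b) / max(days_a, days_b), 2)


def whois_field_distances(rec_a: dict, rec_b: dict) -> Dict[str, float]:
    """One distance per WHOIS field, keyed by field name."""
    out: Dict[str, float] = {}
    for field in TEXT_FIELDS:
        out[field] = float(levenshtein(str(rec_a[field]), str(rec_b[field])))
    out["duration_days"] = duration_distance(rec_a["duration_days"], rec_b["duration_days"])
    return out


def whois_total_distance(rec_a: dict, rec_b: dict) -> float:
    """Aggregate distance. Assumption: the plain sum of the field distances;
    the slide does not state how the project weights or combines them."""
    return round(sum(whois_field_distances(rec_a, rec_b).values()), 2)


if __name__ == "__main__":
    for field, dist in whois_field_distances(WHOIS_GOOGLE, WHOIS_FACEBOOK).items():
        print(f"{field:16s} {dist}")
    print("total           ", whois_total_distance(WHOIS_GOOGLE, WHOIS_FACEBOOK))
```

Running it reproduces the contact name (13.0), organization (8.0), zip code (2.0), domain name (8.0) and duration (0.82) rows of the table; a lower total means two domains share more of their registration data, which is the signal the analyst uses to decide whether a newly seen domain is related to one already labelled.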

WHOIS Similarity Distance Algorithm

https://github.com/stratosphereips/whois-similarity-distance
How to determine if two domains are related?
Machine Learning?
WHOIS Similarity Distance Algorithm

ManaTI Contributions
All-in-one with Web interface
A scalable and extensible backend server
A novel WHOIS distance measure
Verification of performance improvements

Future of ManaTI
Improving WHOIS Similarity Distance
IoCs labeling
Import/Export labelled IoCs
Integration with Stratosphere IPS
Add more types of files
Malware detection
Active learning
Community ideas

Conclusion
ManaTI is a novel tool to facilitate the work
is highly functional and scalable
is user-friendly
can increase the weblog labelling speed x3.4
is Open Source!

Thank you!
RAÚL BENÍTEZ NETTO
SEBASTIÁN GARCÍA
@Piuliss
@eldracote
ManaTI Project
https://github.com/stratosphereips/Manati